Home Web Server Security Part 1
IntroductionMy other articles have mainly focused on effectively securing your computer. This article is for folks who've gone a step further and want to safely and securely set up a web server on their home PC. If you are planning on doing so, or you already have done so, you should ensure that, in the least, you have a few precautions in place.
Not more than 8 years ago, the thought of a home user hosting a web server was something that would have been laughable. But with the popularity of BSD and Linux on the rise, and free server software such as Apache becoming more commonly used, it's no longer as unlikely as it would have seemed then. Even Microsoft has a personal Web server available for home use.
As with every new technology that is given to the masses, security problems are sure to pop up. It's so easy to set up a web server and host your own web site these days that there is little, if any, incentive not to do so on your own computer. Most users think it's fun, and also a quick way to share files and documents with family and friends.
Where the problems beginThe problem with all of this is that when an individual sets up their home-based web server, many of them have no idea how to properly secure it, and many may not even have the latest updates for their particular software installed, setting them up with a very high risk of intrusion into their computers (and hence their personal lives) by hackers.
The main issue is that when you run a Web server on your home PC, you're opening a port on your computer that allows entry from the outside world. Web servers may not be the easiest way to gain access to a computer, but they are a well known method of intrusion, meaning that you raise your risk of having your computer attacked, your website defaced, and maybe even having your computer taken over completely by unscrupulous individuals.
Many people are under a false sense of security, thinking that "if I set up a web server on my computer at home, no one will be connect to it except those friends that I tell about it". This is of course completely untrue unless they've taken the proper security measures for their web server, such as specifying that only users with specific IP (internet protocol) addresses can access it. Very few home users know how to do this however, and it can be problematic even for those that do since most users connect to the internet using dynamic IPs. This means that each time they connect to the internet, their IP address changes, hence the problem.
The internet is, like the rest of the world, a dangerous place where anyone, including criminals, can connect and do as they please. Even normally law abiding people often commit crimes on the internet because of their perceived anonymity.
Website DefacementWeb defacement (the defacement of a web site by hackers) is a common method of attack on a web server. You may have visited a web page and saw something that you didn't expect. This could be anything from a "Hacked by so and so" message to a political message. This is a fairly common thing on the internet. This link can provide you with a few stats on web defacement and some facts that you may not already know. For example, if you're going to run a web server on a Microsoft Windows PC, chances are it's going to be Internet Information Server (referred to as IIS). Stats from the site listed above state that "75% of all web servers running Microsoft IIS 5.0 are vulnerable to exploitation." This article brings up the fact that website defacements are on the rise.
Obviously, folks have been hacking web servers for as long as web servers have been around. It's been happening for years, but the difference now is that home users are opening themselves up to such exploitation. H3>Exploitation of Software Bugs Another method that hackers use is to exploit a bug or security flaw in their particular operating system (OS) or the web server software they're using. An example of this problem occurred in 2003:
"Microsoft issued a security alert on March 17 2003 regarding a buffer overflow vulnerability which allows attackers to execute arbitrary code on Windows 2000 machines. [A recent Net craft survey] found 767,721 IPs running IIS 5.0 and offering WebDAV and 273,496 IPs running IIS 5.0 with the protocol turned off."
Some folks may wonder what it means to "run arbitrary code" on an OS. An attacker can run code that they have written or found on the internet through your web server, and if they are talented enough, they could even "own" the box, meaning that they have obtained administrator access to it, which would then allow them to make accounts for themselves, install a back door, or use your machine to attack higher targets such as government machines. The problem is that you would be the one showing up in the government log files instead of the true attacker.
Hackers could also find personal information about you on your machine and sell it or give it away over the internet. By obtaining your credit card information, they could steal your identity and ruin your credit.
What about Worms?You've probably heard of "worms" in the news and wondered just what sort of damage a "web worm" could do. Let's say that a new worm has started to spread, and you are running a web server. Even if a patch for that particular worm has been released, you may not have had time to install it before the worm gets to you. The worm would infect your machine, and then whatever it was programmed to do would occur. Its assigned task could be to scan for more hosts, which would use up your internet bandwidth fairly quickly, or it could have been assigned to even steal personal information from you, or attack other hosts through the use of your computer.
In October of 2001 such an attack occurred, as can be read in this paragraph from a report at Incidents.org. "86,000+ Internet hosts are thought to have been compromised and used to propagate the NIMDA worm, on September 18th. 37,318 (42.97%) of those hosts resided in the US." That was only one worm. There are MANY of them on the internet. Even the My Doom worm, which was released years ago, is still infecting hosts because many folks just don't install the patches that would stop this from occurring.
How fast can a Worm spread?From CAIDA, 25 July 2001:
"After significant analysis, the Cooperative Association for Internet Data Analysis (CAIDA) found that the "Code Red" worm affected more than 359,000 servers in less than 14 hours."
They also determined:
"At the peak of the infection frenzy, more than 2,000 new hosts were infected each minute."
"43% of all infected hosts were in the United States"
"11% originated in Korea"
"5% of [the infected hosts] were in China, and 4% in Taiwan"
2,000 web hosts were infected every minute--that's fast. You wouldn't even have time to install the patch. And if there wasn't one available, what would you do then? There are also attacks known as Zero-Day exploits. These exploits allow a hacker to attack a machine while no patch is available, because the company who made your software doesn't even know the problem exists yet. Zero-Day exploits are easy for hackers to download off the internet if they know where to look (and they do), so this just adds to the security issues related to running a home web server.
"By exploiting vulnerability in Microsoft's IIS web server product, over 250,000 web sites are thought to have been compromised by the "Code Red" worm, in the course of a 9 hour period." That's one quarter million web sites in just 9 hours.
From Attrition, 11 May 2001:
"8,836 servers are thought to have fallen prey to the " sadmind/IIS Worm ", between May 1st and May 8th, according to a list of IP addresses obtained by Attrition staff. The worm compromises Sun Solaris systems and then instructs those systems to deface 2000 Microsoft IIS systems using the IIS Unicode exploit. The defacement message used by the worm contains an inflammatory statement about the US Government, as well as a "calling card" in China." This attack targeted Solaris, which is a form of UNIX, and then once it was inside, it attacked IIS servers.