Run Your Own Server For Fun (and Zero Profit)

It seems there’s a service for everything, but sometimes you simply learn more by doing it yourself. If you haven’t enjoyed the somewhat anachronistic pleasures of running your own server and hosting your own darn website, well, today you’re in luck!

Yes, we’re going to take an old computer of some sort and turn it into a web server for hosting all of your projects at home. You could just as easily use a Raspberry Pi –even a Zero W would work — or really anything that’ll run Linux, but be aware that not all computing platforms are created equally as we’ll discuss shortly.

Yes, we’re going to roll our own in this article series. There are a lot of moving parts, so we’re going to have to cover a lot of material. Don’t worry- it’s not incredibly complicated. And you don’t have to do things the way we say. There’s flexibility at every turn, and you’re encouraged to forge your own path. That’s part of the fun!

Note: For the sake of space we’re going to skip over some of the most basic details such as installing Linux and focus on those that have the greatest impact on the project. This article gives a high level overview of what it takes to host your project website at home. It intentionally glosses over the deeper details and makes some necessary assumptions.

Self Hosting 101

We all know what a website is. You’re looking at one. How do you build a website? You likely have an idea. Some HTML is presented to the world by some kind of web server software. But how does the web server know which HTML files to display? And how do people get from a name that they can type in their browser to your web server? How are IP’s involved, and is this something that can be done using your home Internet connection?

First, let’s talk about a web server. It’s just a computer that has software for serving websites. The most common server software is called Apache, and it’s compatible with just about any kind of website you may want to run. It handles the task of associating website requests with the collection of files that make up a website.

A typical rack mount web server courtesy Wikipedia CC BY 2.5

To run Apache we need a computer and an OS. We’re going to grab an old laptop and install Linux Mint on it. Linux Mint is a descendant of Ubuntu, so most Ubuntu tutorials will work fine with it.

For hardware we’re using a Vista-era laptop with a 64 bit dual core AMD Turion processor, 2GB memory and an old 120GB hard disk. Yes, we really should spend a few bucks and switch it to SSD. But this is just a thrown together project for the fun of it, and there’s no need to spend money on a simple experiment. Of course you don’t have to use an old laptop. A desktop computer would work fine, or a small form factor- anything really.

If you’re like me and want the server squirreled away on a shelf, keep in mind that you will need a monitor and keyboard to diagnose it when there are problems. A laptop has the benefit of having monitor and keyboard built in! This can come in very handy when it’s offline and you can’t figure out why.

An important note about the computer you choose: It needs to have a supported OS. In the x86 world, this means a 64 bit processor. Most modern Linux distributions don’t support 32 bit processors well or even at all. Without a supported OS, your project will lack current software. This will limit features, but also security. You wouldn’t run Windows XP on the Internet, so don’t settle on ancient versions of Linux.

First Step: Connect To Internet

A server deserves a wired connection when possible, but wireless is fine too as long as it’s reliable. Our ancient laptop doesn’t have a Wi-Fi adapter, so it is hard wired to our ISP provided modem/router/phone thingy. We also recommend that you configure the laptop for a static IP address so that its IP on your network never changes. You can do this in the router, or you can do it in the Ethernet configuration in Linux.

Configuring The Server

Vents are on the left, and so it sits open on the right side next to the ISP supplied router

Next on our list is installing some basic tools for Linux such as the nano text editor for the command line and the SSH (Secure Shell) server software. SSH will allow you to connect to the server from another computer, and once SSH is installed, you can stuff the laptop on the shelf next to your router and forget about it. Don’t leave the laptop closed though- it needs ventilation, so at least leave the screen partially open. To save space, sit the laptop on its side with the vents facing up.

To log into the server you’ll need a terminal program. Most operating systems come with an SSH Terminal program such as Windows Terminal or the Terminal in Mac OS. I have been using MobaXterm on Windows for many years and I find it much more convenient. Some people prefer bare-bones SSH terminal programs such as PuTTY. Use what works for you, and get connected to your server by SSH’ing to its IP address.

Next, you’re going to need to install the Apache web server software. There are numerous tutorials online for doing this, but watch out: Many of them will have you do the basic install of Apache, MariaDB, and PHP, and then have you host your files in /var/www/html as the root user. Do not do this! You need to create what’s called an Apache Virtual Host and a new system user to associate it with.

Master Of Your Domain

Lastly, you need a domain name and a way to associate it with your Linux server. There are a large number of domain registrars to choose from, and you can get a .com domain name for under $10 USD/year. Common geek-approved registrars are Cloudflare or Namecheap. These are not endorsements, just a nudge in the right direction if you’ve never done this before. (Feel free to drop your reviews in the comments.)

To associate that domain to your server, you need the services of a Domain Name System (DNS) provider. DNS is what maps your domain name to an IP address through what’s called an address (A) record.

That’s one Dynamic IP you’ve got there, Mister

Many domain registrars provide free DNS services, but they aren’t optimized for hosting at home. Why not? If your server were sitting in a data center somewhere, it would be assigned a permanent IP address. But because you’re hosting it at home, the public IP of your network connection will change from time to time and your website will go offline until the IP is updated worldwide. You need a DNS provider that can detect the change and then update the A record of your domain accordingly.

There are many providers of such services and it’s even possible to make your own. But for simplicity, we are going to recommend running DNS at Cloudflare. Cloudflare provides a Content Delivery Network (CDN) for free that adds a layer between The World and your server. This is convenient because Cloudflare’s IP’s never change. When your server gets a new IP, it can communicate this to Cloudflare and they will route all traffic accordingly without having to update DNS around the world. This is a huge advantage. They also cache your website in their CDN so that when your website hits the front page of Hackaday, it can survive the onslaught of traffic!

Hiding your public IP from the world is another reason to use Cloudflare. The only IPs exposed to the world will be owned by Cloudflare, and they will forward web requests to your server while at the same time keeping the bad guys out. This gives another layer of protection to your home server and your home network in general. And the best part is that it’s completely free.

Their excellent documentation describes how to set up dynamic DNS with their service.

From Web Browser to Web Server And Back

Once you’ve got DNS and your web server configured, you need to tell your router at home to accept traffic on ports 80 and 443 (the ports for http and https traffic) and route them to your Linux Laptop. Some routers will let you set up a DMZ that will directly expose the entire server to the Internet, but this is not recommended or required. You’ll also want to configure the firewall on your server to accept traffic on port 80 and 443. And since we have 443 open, Let’s Encrypt our HTTP traffic, shall we?

Whether there is a technical advantage or not is debatable, but your website is going to need an SSL certificate.  If nothing else, this will make your website more palatable to modern browsers who show warnings if there is no SSL certificate present. In the past, you’d need a static IP and to spend a good amount of money on the SSL Certificate. Neither of these things are the case now. The SSL Certificate can be provided by Let’s Encrypt, a free SSL/TLS certificate provider that uses software called Certbot to get the certificate and even configure Apache for you. Slick!

What else can you do?

What else can you do with your new home server? The possibilities are almost endless! Even if you have fast internet, you can put your new server to work to speed things up even more. Running your own resolving DNS server locally means that you can cache DNS lookups on your own network, which speeds up DNS resolution. This can give a snappier feel to your web browsing experience. You can also use the Pi-Hole software to block all advertisers so that your devices do not need a separate ad blocker.

A home server also makes an excellent data collection point for your IOT projects and gives you a playground for experimentation. There are many hackers running home built servers, and some of them have even gone so far as to make their server run solely on solar, such as


We’ve outlined all of the moving pieces that you need. You should know though that just as there are countless ways to build any other project, there are a huge number of alternate routes you could take.

Instead of the Apache web server, you could use NGINX (pronounced ‘engine ex’). Instead of dynamic DNS, you could order a business class Internet connection with static IP’s. Instead of Linux, you could use BSD, Windows, MacOS, or any other number of Operating Systems. Instead of a laptop, you could use an old desktop, a Raspberry Pi of any flavor, a surplus rack mount server from your local Internet garage sale, or even an ESP8266 with a simple web server script on it.

Is that it?

Whatever you do, make sure to have fun with the project, and if you’ve never done such a thing, we recommend starting down the easiest road and working your way up to the more esoteric methods.

There remain many, many, many questions to be answered: What software should I use to create my project site? How deep down the rabbit hole should I go when it comes to documenting the project? What toppings do I want on my something-to-eat-while-hacking pizza? Stay tuned for the next installment, coming soon to a Hackaday near you!

126 thoughts on “Run Your Own Server For Fun (and Zero Profit)

    1. Because it runs the website as the root user, which is Bad. Never run websites as root. I could go into the “why” of that as well, but then scope creep sets in. It’s why I didn’t bring it up in the article :)

      1. That’s not what “Apache Virtual Host”s are for. That allows for running multiple websites on the same IP:port combination. It has nothing to do with the root user.

        The new user thing, definitely isn’t needed either. For the last several decades when installing a web server from the package manager it will automatically create a user “www” and configure it to run as such.
        You’d be hard pressed finding any tutorials that actually cover installing a web server manually.

        “then have you host your files in /var/www/html as the root user. Do not do this!”
        This is just flat our wrong. There is absolutely no problem editing your files as root or keeping them owned (user) as root. By default the /var folder is group readable and /var/www is already owned (group) by www.
        Depending on your distro defaults it’s either root:www or www:www.

          1. I stand corrected- it runs it as Apache. Still, best practice is to create a different user for every site. But hey, there’s a million ways to do it. To each their own.

        1. Actually. Servers should also have its data under the /srv/ catalog, and not under /var/www
          That is just settings to get started and test the settings, before you do your actual configuration.

          And yes, it could also be good to not run the server under the default user, but you can run your machine as you like.

          And don’t forget to read “The Debian Administrators Handbook”, as both Ubuntu and Mint is based on Debian, with some small differences.
          Also check out package documentation in /usr/share/doc/package_name/ to see if there are some useful information there.
          And of course, are a good source too.

    2. “For the sake of space we’re going to skip over some of the most basic details…
      This article … intentionally glosses over the deeper details and makes some necessary assumptions…”

      It looks like you found a “deeper detail”! YAY!!! :-)

      1. What metric are you using to measure the popularity of each? Just curious, because the Google Trends results for “apache server” and “nginx server” seem pretty telling

      2. Well that set off some curiosity for me so I went to have a look. I see a lot of NGINX fanfare and a lot of benchmarks that have deliberately preselected parameters.

        So to me the answer is – it has strong points so maybe it is, but more importantly what is better in the context of this article.

        Well choose either really but I would be inclined to recommend Apache for the: support resources, out of the box configuration, and forward path to normal old synchronous dynamic (PHP driven) websites as this is probably a gentler learning curve.

        On the other hand, If your just serving static content or you have already decided on a way to create dynamic content perhaps with a language more common the the people here then go with NGINX.

        NGINX is less resource hungry (faster) for static pages and scales well to asynchronous pages (AJAX).

        On the other hand, PHP is a bit slower, is much more capable out of the box for PHP (Dynamic pages) and thee are many pre assembled packages for WAMP – Apache MYsql (database), PHP for dynamic pages fo4r a windows OS or LAMP – the same thing for Linux.

        As an end note not related to this article. It seems that the most efficient high volume web server configuration is to have a NGINX reverse proxy front end for the caching capacity and behind that one server NGIX for static content and another Apache/PHP/CGI for dynamic content.

        1. I agree with you.
          Use whatever you want, be it Apache or NGINX, desn’t really matter for a project like this.

          And it is MySQL, after oldest of Michael “Monty” Widenius daughters.
          But now most distributions uses MariaDB, which also is written by Monty and actually is the younger sister of My. As a good parent, he gave each kid a OSS database, MySQL, MaxDB and MariaDB. I guess you get what his kids are named.

          Like Linus Torvalds he is a drop out of Helsinki University of Technology. And yes, both mother tong is Swedish.

      1. I have tried some of those alternatives, and I would almost say I rather have no one then not a Raspberry Pi.

        Have some bad experience with them. Might be better now, but the lack of support in the Linux source tree by the chip manufacturers is the major complaints, and then the lack of community.

        1. Have some sense of realism. Wasting still capable hardware is a waste of resources. It’s not like you can just magically jump to the end of all development. Otherwise we’d be there already.

          1. Still capable but inefficient hardware is wasteful to dispose of OR run.

            The question is which one is more wasteful.

            I choose money as a metric, because it’s simple and unbullshitable. Use CO2 if you like, beware liars selling emission allowances.

            Old hardware should be used where it has a low duty cycle or disposed of. Don’t replace your server with rooms of 486s, all powered up, idling and being kept cold with an AC.

      1. “Never” ‘killing’ your NPPs and thus never actually creating the economic need/drive to switch to renewables is great too (/s in case that wasn’t obvious).

        Did Germany decide to go without nuclear power too fast? maybe.
        Are they importing too much fossil fuels (and the rest of Europe … from the RF)? probably to most likely.
        Was it a good idea anyway? Yes.
        Is the execution of that idea running perfectly? debatable to no.

        1. The error was to stick with Nuclear soooo long and develop/spend money in such broken technologies like Hochtemperaturreaktor aka Kugelhaufenreaktor.

          If we had dumped all that money into wind turbines, solar panels, power lines, practical (!) research (batteries & fuel cells in the field) and sustainable concepts we would be in a very different state.

          But “hätte hätte fahrradkette”, we now have to deal with the mistakes made for 20 years…

          Anyone want to calculate what could be build with the 29,1 Mrd. Euro Hinkley Point C1/C2 will cost? I only found some numbers for the Sofia at Dogger Bank. It is 100 turbines with 14 MW for about 3,5 Mrd Euros. So we have 11640 MW. That is three (3. t-h-r-e-e!) times the amount HP C1+C2 will deliver.

          The state of mankind makes me sad.

          1. I’m not acquainted with the various abbreviations and acronyms in the above comment, but since it is not mentioned, I will assume the wind turbine alternative does *not* include batteries for storage. That’s the beauty of conventional electric plants — they can deliver at night and when the wind is not blowing. Be sure to include storage in the equations for any electric plant that can only produce power on a part-time basis

          2. Well, there are some Nuclear Plants that are safe, compared to boiling water with uranium, which is only good if you want to make A-bombs. You could use melted salt instead of water. Give you much higher temperatures without ridiculous high water pressure. And that higher temperature gives us more efficiency.

            And where the fuel is in the media (mixed into the salt) and which quite easy auto stop without the need for electricity, which are the main source of failure in the big nuclear accidents we have had. Just use a “fuse” with salt, that melts when the temperature get our of control and evacuate in a safe way the boiler and stop the process.

            And that will also be able to use other nuclear fuels then Uranium, which also is an advantage. As Uranium is sparse in nature.

            But this is WAY of topic.

        2. “Did Germany decide to go without nuclear power too fast?”

          The direction of the decision shows the error. One can not just decide to go without nuclear power.

          The right decision would have been to build an alternative and when nuclear power is not needed anymore to switch it off.

          But to switch off power plants and then to buy the missing energy abroad is just pricey political bullshit.

          1. Problem is that without economical/political pressure, there will be stagnation and no development to better. That is how economics and commercialism work, it only change as much it need to, not on it’s own. And need to is by competition by other companies.
            If we wan the market to bring us somewhere, we must build a incentive for the market to go there. Which usually means making it costly to not or forbid something we don’t want. Depending on how fast we want to go there, the pressure has to be large enough. Fast, more pressure. And the politics is making that pressure by laws, but they are also under some pressure to not change. But yes, for the survival of our children and humanity, we really need to move fast not. If you had done this 30 years ago, then we wouldn’t be in such a hurry now.

            So yes, this would have been a great idea, would it not be for the large neighbour to the east that is fighting in its own Vietnam right now. Something many people didn’t thought, or just ignored. And many still ignores it.

          2. By the way, we are paying for that decision in Norway and Sweden too, as you are so dependent on out electricity. And thus increases the cost for electricity for us too.

      1. Sure but if you need that power this article probably wasn’t for you!

        I read this is more just getting your foot in the door with junk you already own and don’t need to go pay for.

        1. Exactly, and then you can later buy a ARM or RISC V based computer so you don’t spend that much on the electricity bill. You could even use batteries that are solar charged to lower the cost. :-)

    1. Wow. Your electricity is expensive! I was going to suggest using a Pi or something similar instead of an old PC for environmental reasons, not cost savings.

      Someone else said they are out of stock everywhere. I wouldn’t know, I haven’t shopped for one since before the chip shortage. But I do know that a lot of people bought Pis either just because they could or for projects they never got around to. So no doubt several people reading this article could use the Pi they already have collecting dust. I’d suggest skipping the PC and doing that. If you find yourself needing something more powerful you can upgrade to a PC later but I bet most of us would be just fine with the Pi.

      Or.. if all you want is a web server or something comon like that how about an old Android device?

      1. >Or.. if all you want is a web server or something comon like that how about an old Android device?

        This. I’ve started revisiting hosting things on old android devices by running linux in a chroot. Once you stop the media, zygote, and surfaceflinger activities you’re left with a very slim and battery efficient handheld device.

        1. Could you point me where to start? I have some old phone and think how to reuse it – was thinking of installing a lineageos or similar but this model had some issues with that.

          1. If you want it to just work, and by just work I mean not having to find a leaked version of OEM tools and start whacking on a questionable firmware, you’re stuck with the available supported devices.

            Phones and Android devices are a waste juggernaut.

          2. Sure thing! If you just want something that works, you can try Linux Deploy but I found it to be kind of buggy honestly. What I ended up doing was first of gaining root on the phone. I know you can do things like proot nowadays with modern phones but I am using old android 4.0 and 4.1 devices. Once you’re rooted its a simple matter of making a linux rootfs thats compatible with your phones cpu. Then just bind mounting the appropriate the appropriate directories to the linux rootfs, and you’re golden. A more thorough procedure is provide on the Debian wiki:


    2. A virtual server costs 4,15 Euro per month at Hetzner = 0,58 cent per hour.

      As electricity in average lies around 20 cent / kWh the total power consumption have to be less than ~ 25W!

      Besides that, I can recommend Lighttpd – much smaller footprint, easier configuration, and way faster than Apache.

      1. Step 1: Short Hetzner/Buy out of money puts.
        Step 2: Rent many virtual servers from them.
        Step 3: Mine cryptocoins (in Javascript!) using much more than 25W average.
        Step 4: Profit.

        I doubt it would work. Bet there are contract terms lurking in there.

      2. The cost is based on where you live, and also what you have at hand.
        Buy new stuff just to test isn’t the best idea, I would think.
        Later buy some ARM or RISC V based board would be next step.

        And if you can add that energy from the computer to help heat up the house, that wouldn’t be that expensive. :-)

        1. Ah the days of the first generation Core2 CPUs. It was almost like you had to shovel coal into the back of the PC. I had a 3.8GHz Quad CPU Core2 and I had to learn so much about thermal management to get it to sound like anything less than an aircraft taking off.

  1. another benefit of cloudflare is that they can handle the HTTPS upgrade before pinging your server. Particularly useful if your ISP blocks port 80 traffic, but not 443.

    1. With cloudflared you don’t even need to rely on incoming ports, since it connects from your server out to cloudflare.
      This has the added bonus of further limiting your exposure to threats.

    2. You really should not use HTTP, you should use HTTPS. So the problem with blocking port 80 isn’t that huge, actually.

      Bigger problems if they bock 22, 25, 53, 993 or 5222 and 5269. Blocking ports is not nice. But not providing IPv6 /56 blocks to customers are evil though.

  2. My suggestion: If you have a server at home install wireguard (vpn software) and have access to your local network from anywhere in the world.
    It’s the most useful server I ever installed at home. A lot of things you normally would rely on “the cloud” are now “local”.

    1. Or just run the VPN that’s built into your router. My Asus has support for OpenVPN. When you set it up it creates a file that you copy to your phone. I use ‘OpenVPN Connect’ on my Android phone. Use that file to setup your connection and you are good to go. It very cool to access your files from anywhere. And if you are using public WiFi you should connect to your VPN first before you do anything that requires a password.

        1. If you take that thought in that way, why do you trust your ISP, the Router firmware, the Network Stack in your OS, the list is nearly endless…

          Having your own VPN server so roaming you can more safely access the rest of the world or your own internal home network on dodgy wifi hotspots is a good safety precaution compared to not… Even if there are flaws in the VPN the most basic nature of it adds a layer of challenge to any man in the middle nastiness, and something like OpenVPN that is the base of so many other products, has heaps of contributors and eyes on its code, while being an obvious security target, and thus getting more security audits than most code – it is probably safer than the driver for your graphics card and the microcode in your CPU…

          At some point you have to ‘trust’ or get out the tinfoil hat and read only dead trees…

    1. About 1997 I went over to someone giving away a Sun 3/50, and he seemed to have an ISP in his basement. A collection of computers, including a NeXt. He was a sys admin at work.

      The first local ISP was some computers in a closet. And I remember about 1995, a brief bit about a tutorial about doing this, from the guy who started Fidonet.

  3. For learning, experimenting, and/or just running something for your personal use, running it at home makes sense. If you plan to run something that intended to be accessed/used by the public at large, it’s often cheaper just to rent a VPS (or even shared hosting) even if you have decent hardware to run what you want on.

    Reason being is that getting something like a symmetrical 1Gbps connection at home will likely cost you a lot more (if you can even get a connection without having to shell out thousands of $ just for installation.)

        1. Good spot I’d glossed over the time frame, thinking hmm $55 bit higher than I’d expect as those pesky folks over the pond tend to get stuff much cheaper than us here in Europe… Yeah something more like 12x cheaper if it really is per year..

          1. I’m suspecting that it’s a typo and is supposed to be $55/month. I live in a major U.S. metro area and CenturyLink offers 1Gbps symmetrical (technically 940 Mbps) for $65/month, which seems in line with $55/month, not $55/year.

      1. hmm yea prolly 55/mo is more like it. Its $90 for gig symetrical in the NW US.

        People here largely forgetting that there is a middle ground between running a server for personal use and opening it up ‘to the public at large’. There are plenty of people running small servers to a limited userbase for cost or even small profit.

    1. I think part of the point is that the laptop and the VPS are essentially the same, bar a couple super minor details.

      One you have to root around in your closet, the other you have to give up a credit card number and type some stuff into a web form.

      The end result is a network-connected box that you’ve got root on.

      I’ve got Pis doing that job at home, and a couple persistent VPSs in the wild, and I’ll not hesitate to spin another up just to play around either.

      Start where you’re most comfortable?

  4. A lot of this just seems to be about installing linux. A distribution without a text editor , and likely SSH, is not much of a distribution.

    Apache is the one thing I’ve not bothered installing to disk in 20 years. But I suspect these easy to use distributions default to some bad practices.

      1. Eye “quality” is far more important than eye “quantity”. Maybe a thousand monkeys may eventually bang out Shakespeare but in the mean time a lot of drek will be produced.

        1. But when most server style distros are backed by big and small business alike, who pay for hundreds probably even into the hundreds of thousands of technical experts to review, maintain, configure and use this stuff the quality for the default setup of most of the bigger distros for this is probably very sane for most uses…

          As its many pretty damn good eyes, maybe not as good you are on average (though I’d hope I’m near that average its not my specialty, so I’m probably over estimating my skills), but still good and by shear volume vastly more likely to see the mistakes you would otherwise have missed…

  5. Been running my own servers for over a decade now with things like SSH (remote management, programming), Wireguard (VPN), OpenVPN (VPN), Calibre-Web (ebooks), pyload-ng (download-manager), Gotify (push-notification system), Mumble/Murmur (voice-chat), Nextcloud (cloud-storage, collaboration services, contacts-list, RSS-feed reader, calendar, todo), Shinobi (security camera-monitoring software), Grafana (pretty graphs and such from database-entries), MariaDB (database), Plex (music and video management, playback), Tvheadend (4 DVB-C channels), Mosquitto (MQTT-server for my custom IoT-devices and OpenHAB), OpenHAB (home-automation), Gitea (Git-server), Transmission-daemon (Bittorrent-downloader), Samba (network file-sharing/NAS), printer-/scanner-server — quite a lot of stuff and I find myself constantly adding new features or improving old ones.

      1. Treasures? There’s nothing of any financial value there, only of personal value. You wouldn’t find it nearly as interesting as you may think — no nudes or other titillating content, no banking-details, nothing to blackmail anyone over with.

        The only thing worth anything to an outsider would be my bandwidth and one can’t steal that, only hijack it temporarily and even that wouldn’t last long — some hours at best.

  6. Running your own server is PITA wrt proper security configuration. If hacked your home network is exposed.
    Google cloud still has some “free” tier and most images come properly secured out of the box + the risk is limited to that server alone.

  7. I’ve been doing this for over ten years, first with a Beagleboard (because Raspberry Pi hadn’t been introduced when I started), then Raspberry Pi, and now I’m using a fanless industrial computer.

    I’ll point out that, if you open a port to the broader Internet, expect hacking attempts. Watch your logs. Consider scanning them automatically and using IPtables to deny access to any computer showing a pattern of snooping. Make sure your web server doesn’t serve up editor backups, .git or .svn files, or anything else that might be remotely sensitive. If you open an SSH port, use a non-standard port number, but expect that to be found fairly quickly. Disable password login or use VERY strong passwords. Make sure all the standard userids (root, mail, backup, www-data, etc) cannot log in over ssh, regardless of the password attempted.

    Finally, don’t use the same computer as both a web server and a container for especially sensitive data. And don’t set up ssh keys to enable anyone who breaks into the web server to gain access to the other computers on your network.

    Perhaps I’m overly paranoid, but I have a very low-traffic, low-visibility web site, and I see plenty of attempts at mischief in my logs. No successes yet.

    1. I would recommend also installing Fail2Ban and DDOSdeflate as well. I have had a low traffic web server/VPN running for many years, and these two tools help automate a lot of the log scanning and iptables updates needed to thwart most attempts at mischief. Keep an eye on your network traffic also, as you can detect a lot of mischief just by keeping tabs on the communication volume to respective machines over time.

      As a rule, NEVER trust that your image or distro is properly secured without personally verifying your firewall and other configs! Additionally, I always make sure that all remote management/access tools (SSH, ETC) are only accessible from the local net unless absolutely necessary! If you need special remote access, use a strong VPN authentication method to get on the local net, then go from there. No unnecessary holes in the firewall that way!

    2. Non standard ssh ports pretty much zero out brute force attempts. As a comparison. I have machines on port 22 that get attempts 24/7 (fail2ban & denyhosts are quite useful there). Other machines I all run on the same < 1024 port. I've never seen any attempts on those, with the exception of 'probing' services that don't launch a bunch of login attempts.

      Which is easier: scan a subnet for port 22 then launch an attempt on IPs with port 22 open, or increase you scan space by 65535 looking for ssh on an alternative port?

      1. I had hundreds of attempts per day on port 22, and moved to a non-standard port number and they dropped to zero for a year or more. But eventually they found my non-standard port, and I started getting dozens of attempts per day. I have a home-grown version of fail2ban, which generally blocks IP addresses after just a few attempts. So moving to a non-standard port was certainly helpful, but not sufficient.

        It’s been a few years since I switched to the non-standard port, and SSH attempts have slowly dropped off. I now get many more attempts to break into WordPress than I get on SSH.

        I’ve only had three attempts at SSH access this calendar year. Each IP address that tried to login was blocked after a single attempt. Considering there’s only one ID authorized to login, it’s a non-standard name, and it can only login using an SSH key (no password login allowed), I don’t think they’re going to guess the credentials any time soon.

    1. I think that I subscribe to this line of thinking…
      I barely want some of the things in my house to connect to the internet, let alone have a bunch of holes and services running publicly accessible.

      The way I am trying to run everything is to simply have everything run over a wireguard vpn; nothing externally visible.

      I am possibly paranoid, but at the same time watching access logs is almost enough to make me unplug everything and sit in the corner.

    2. There are plenty of perfectly good reasons to do both. You can’t host most any service on the internet without a “hole” punched through the firewall to allow clients to connect to the server. I also enjoy indoor plumbing and sewage, the vent stack on my sewage runs though a hole in my roof. Also attic ventilation uses holes in the roof (thinking of typical roof vents or even ridge vent, a very long skinny hole in the roof).

      I consider UPnP to be evil and unnecessary, I’ll most likely never implement it in my firewall, but I’m sure there is more than one person out there with a completely valid reason to use it.

      Something something only a sith deals in absolutes../

    3. You wouldn’t survive long in a house with an open fire and no holes in your roof. Holes in rooves & firewalls are fine when done right. Sure you wouldn’t just punch a hole in your roof, instead you’d build a chimney. Just like you wouldn’t open up a port to a telnet prompt with no login needed, but you might open up a port for SSH.

    4. @X – Can you please stop with all your overly cautious + paranoid comments?!
      Put your thoughts in one comment and elaborate more but don’t spam ‘all’ other commenters with pretty much useless one-liners.

      @HaD – Is there an easy way to block comments from a specific user eg. X?

  8. One comment on –> it is suggested above to have a keyboard/monitor/mouse available. Seems like that would be a ‘last resort’ need … as SSH and if needed VNC/RDP should handle everything else. Then you can tuck the server away on a shelf somewhere with only power and ethernet connectivity . That is how I run my internal home servers (file/website). I don’t have an external website server. Not needed nor do I want the headache.

  9. I started to read this because it sounded interesting, Got to the part where he suggested using Linux mint LOL no thanks if you want to run a server do not install a desktop just learn how to traverse directories in terminal or SSH keep your machine lean and mean

    1. It might seem like an odd choice, but it’s lightweight and offers easy installation. For this purpose, it’s a good introduction to the subject. I also did not suggest configuring a server through the GUI.

      1. I would agree with Mint being easy install. Same with Ubuntu. Same with probably a few other distros. Good place to start for a newbie. Website isn’t going to care if carrying a little extra baggage along!

        1. I like Turnkey Linux for this kind of task. It’s significantly streamlined relative to the baseline Debian installer, but you can dig in underneath when called for at a later time.

    2. I used to subscribe to this thinking, but last time I built my server (zoneminder/Apache/nextcloud) I decided to just install mint. Its headless and I only access it via SSH so absolutely no need for a desktop. I guess it was just convenient,I know it works with modern hardware, and let’s be honest if in a pickle a desktop is handy and distros like mint are well documented with a novice in mind.thats helpful. Being able to do things like SSH -X and run gparted is quite a bit nicer than a terminal.

    3. And the problem with a desktop is? It’s not like they’re forcing you to use it… You can uninstall the desktop if you so wish.

      As a beginner you’re far more likely to have success with Mint than you would with say Arch or Gentoo where you choose if you want a desktop or not as part of the setup.

  10. Ryan, thanks for the pointer to Cloudfare’s dynamic DNS service. I hope your next article is on how to run your own mail server at home while avoiding residential IP blocking and spam blocklists. :)

    1. Thanks for the comment. I could never in good conscience recommend running your own mail server at home. Avoiding residential IP blocking, blacklists, etc, is nigh impossible. Plus, your SPF record would constantly be changing, your reverse DNS would never be able to be correct, and …. just no. Sorry tho! Running email *reliably* and *correctly* is one of the more difficult things to DIY.

    2. Running an SMTP server (to send email) will always be a problem to set up and the TXT files rules to keep it running keep evolving. So it’s best to use your ISP’s SMTP server.

      On the other hand running a POP or IMAP server (to receive email) or POPs IMAPs shouldn’t be to much of a problem. Email from some servers may be slow to get through tough. Problems with DDNS or keeping DNS cache too long (when it’s expired).

  11. “Some routers will let you set up a DMZ that will directly expose the entire server to the Internet, but this is not recommended or required.” That feels like a mis-representation of DMZs’ usage…. Sure you can do that, but you can also run telnet exposed to the internet as well… but why…

    For those new to the term DMZ, this is basically a network containing the machines running services you wish to expose to the internet. This way when a internet facing service/machine is compromised, the attacker is sandboxed/isolated from your main network greatly limiting damage/access for the attacker, and also it greatly reducing recovery costs. This network doesn’t “directly expose the entire server”, just the ports that you configure (like any other well set up network).

    If you are serious about security, and you’re exposing services to the internet, then you should be using a DMZ.
    Of course, that is extra work so feel free to just cowboy it, skip the DMZ, and hope for the best.

  12. I would prefer to run around the freeway on foot in peak hour than open aa (any!) incoming port on my firewall..

    It’s definitely worth the cost to host it somewhere else – and leave your internal server, well, internal…

  13. Up until very recently, I’ve been running my own server for about 40 years.

    My first was a Sun SPARKstation, and an on-demand ADSL line. I was billed by the connected minute, which was just dandy when the only thing bringing the line up were friends I had sent the URL to! This was before search engines and hackers and robots were pummelling ports all the time.

    I see a lot of people saying, “Why bother, when service XYZ provider can do it much cheaper and more efficiently and more securely?”

    One can make that argument for lots of things, from growing your own food to making an Arduino display all the digit of pi. But where’s the adventure in that? I thought this website had “hack” in its name!

    Anyway, I get a kick out of it, just as I do growing food and fixing consumer electronics that have stopped working. It’s an interesting challenge.

  14. I have a long history of managing LANs, WANs, online severs, web development, zone management etc.

    In the context of this post which is like “Use some old junk PC/laptop to put some sort of server online from home”.

    Don’t start with a HDD with your bitcion wallet. Use a blanked drive and start over or use a up and running system that has absolutely nothing important on it.

    It’s easier than this article suggests, to set up a system. You can get purpose built software packages for home servers like WAMP (Apache MySQL PHP for a Windows system) or LAMP (Apache MySQL PHP for a Linux system). These are good for just for the sake of playing. I use them for offline development but they are equally capable online. You can make them reasonably secure but your not going to have that skill at the start so you will have to read some forums and do some research before you can have a professional and secure setup , but that’s really not the point of this article, it’s more about getting your foot in the door.

    Dynamic DNS has some issues not mentioned. It not just about updating your new DNS (IP, A record). It’s also about getting this update around the planet (as DNS is cached in a sort of distributed structure) and how long that takes. There are settings for this TTL, REFRESH in the DNS file so a DNS provider that specifically caters for the home server is the better starting point until you know how to manage these things to.

    There is also a large number of other services you can provide with this setup. Incoming mail, a backup server. IoT server. lots. It’s good to play (learn) with these things offline where you have much more freedom and control.

    Hacking, It’s the norm to have many many hacking attempts with an online server in a data-centre. All the time every day. So your server will see some attempts and that’s why you start with a PC that has nothing important. It will take time to understand how to make your server secure.

    All in all, give it a go, even if it’s a minecraft server. There are a lot of useful things to be learned that are seriously invaluable for internet connected embedded products, Iot ,

    I see a lot of projects here and think – if only you (the designer) knew (some simple thing about how the net works) you could have saved a lot of development time and prevented a lot of dependence on external resources (generally internet resources that they don’t really need or could provide themselves some other way).

    Thanks to [Ryan Flowers], this article really has made some way into a “missing link” for a number or developers or hackers.

  15. Richard > I’ll point out that, if you open a port to the broader Internet, expect hacking attempts.

    There’s standard advice for locking down a new Pi before plugging it into the internet, else the time until it’s found & compromised is given as a few seconds. Don’t know if that’s true. Not going to test that.

  16. As an alternative to administration with SSH you could use Webmin. You can configure practically any distribution and any service with it. Also you can create profiles with only the modules you want that person to have access to.

  17. I’m fond of no-ip for my domain needs, it was trivial to set up on my Pi and only requires me to log in once a month. I also changed most of my ports to other numbers; I’m aware port scanners don’t care about this but it’s still advisable. Highly recommend installing VSCode then setting up the Remote SSH extension.
    Learning how to configure smb.conf manually is worth the effort but there’s at least one configurator for Linux that’s passable. A wired connection is good if you want to leverage WakeOnLan (and if your platform’s HW supports it). For beginners comfortable with GUI, setting up VNC might be a good idea for troubleshooting.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.