The Reasonably Secure Web Server Guide – Introduction

This is a guide to setting up and running an open-source web server based on free tools. Don’t let the lack of cost fool you, though: the tools used in this guide are used in server solutions of all sizes, from home servers on residential DSL connections all the way up to giant providers like Netflix and Facebook. In fact, they drive much of the World Wide Web as we know it.

The aim of this guide is to serve as a starting point for presenting servers and web content in such a way that we can feel confident about our infrastructure despite opening up parts of it to the Internet. It will allow us to take back control of our data and re-decentralize the web, and it doesn’t have to cost us more than some time. If we want to do it elegantly, the yearly cost will be about the same as a single lunch.

The finished reasonably secure web server will have the following features:

Remote control using Secure Shell with public key authentication

We will be able to access our server remotely in a way that is extremely unlikely to be cracked using brute-force methods.

Additional brute-force protection with Fail2Ban and the pf firewall

We will severely limit the ability of attackers to even reach our server by blocking the source addresses of bad logon attempts.
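To make concrete what Fail2Ban does with the sshd log before it hands an address to pf, here is an added example (not code from the guide, and not Fail2Ban’s own implementation) that counts failed password logins per source address over constructed syslog-style sshd lines and applies Fail2Ban’s maxretry/findtime semantics: a source is banned once it produces maxretry failures inside any window of findtime. The sample log lines, the year supplied for the timestamps and the pf table name "fail2ban" are all assumptions made for the example; the table name has to match whatever block rule you put in pf.conf.

```python
"""Count failed SSH logins per source address the way Fail2Ban's sshd jail
does, and decide which sources to ban. Added example with constructed log
lines; this is not Fail2Ban's code."""
import re
from datetime import datetime, timedelta

# Constructed sample of sshd messages in traditional syslog format
# (documentation-range addresses, no real hosts).
SAMPLE_AUTH_LOG = """\
Mar  4 10:00:01 web sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  4 10:00:03 web sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  4 10:00:05 web sshd[1205]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  4 10:00:09 web sshd[1207]: Accepted publickey for alice from 198.51.100.5 port 40022 ssh2
Mar  4 10:01:12 web sshd[1210]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Mar  4 10:02:40 web sshd[1215]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar  4 10:05:00 web sshd[1220]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Mar  4 10:30:00 web sshd[1230]: Failed password for bob from 198.51.100.9 port 40101 ssh2
Mar  4 10:55:00 web sshd[1240]: Failed password for bob from 198.51.100.9 port 40102 ssh2
"""

# Matches only failed password attempts; accepted logins are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip) for every failed password attempt.
    Syslog lines carry no year, so the caller supplies one (assumed 2024)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and other noise are not counted
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def sources_to_ban(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Return the set of source IPs that produced at least `maxretry` failures
    inside a sliding window of length `findtime` (Fail2Ban's semantics)."""
    recent = {}  # ip -> failure timestamps still inside the window
    banned = set()
    for ts, ip in sorted(parse_failures(log_text)):
        window = [t for t in recent.get(ip, []) if ts - t <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            banned.add(ip)
    return banned


def pf_table_commands(banned, table="fail2ban"):
    """Render the pfctl commands that add each banned source to a pf table.
    The table name is an assumption; it must match a block rule in pf.conf."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(banned)]


if __name__ == "__main__":
    for cmd in pf_table_commands(sources_to_ban(SAMPLE_AUTH_LOG)):
        print(cmd)
```

With the sample above, 203.0.113.7 makes five failed attempts in under three minutes and is banned, while 198.51.100.9 fails three times spread over fifty minutes and stays under the threshold; tightening maxretry or widening findtime changes that, which is exactly the trade-off you tune in the jail configuration.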

Dynamic DNS using ddclient

This allows us to present web services on a regular domain without paying our Internet service provider for a static IP address.

In a professional environment, we could use the same principle to fail over between a primary and a secondary production site with different ISPs.

TLS secured web services with server certificates from Let’s Encrypt

Encrypting web traffic makes it a lot less likely that others can snoop on traffic running to and from our web site. This may not seem like a big deal if you’re just running a blog or a wiki for fun, until you consider that you log on to your services whenever you administer them, and unless your site provides a way to encrypt traffic, your logon credentials and everything else that goes across the line are sent as plaintext, readable by anyone interested.

We’ll use the free certificate authority (“CA”) Let’s Encrypt and set up a solution that shows a nice padlock next to our address in the browser’s address field, and which automatically renews our certificates before they expire without requiring any downtime for our services.

Reverse proxy using HAProxy

We will be using HAProxy, which allows us to present multiple web services on the same network address and port combination. This makes it intuitive for others to reach our services using a regular web browser.

In a high-traffic and/or high-availability scenario, we could easily extend this functionality to also load balance traffic across multiple web servers, with the addition of CARP in FreeBSD or Keepalived in Linux, still without needing to add any additional public IP addresses.

WordPress blog platform on Nginx web server and MariaDB database

The web service we will be presenting in this case will be a regular WordPress blog, but the same principles apply to any web service: professional CMS systems, forum software, wikis, you name it.

WordPress brute-force protection through sandboxing of attackers

We will disguise the real capability of our web server, and make brute-force cracking attempts on our WordPress admin interface pretty much futile.