
I am not even sure if this is the right place to ask this, but here goes: I am thinking of running my own small website from a home server. I have been using Ubuntu 12.04 with XAMPP as my server machine, but from what I hear XAMPP isn't secure enough to be used in production. Is this correct? If not, what should I be aiming for? If so, how do I secure it as much as possible, and is there anything I need to check? I need PHP and MySQL on the server. Thanks in advance,

Suavelizard
  • Probably a better question for serverfault... – rook Jul 18 '12 at 06:11
  • The usual questions we ask are: How secure do you need it to be? What information will be on the server? The controls you put in place need to be appropriate. – Rory Alsop Jul 18 '12 at 14:42
  • I'm not talking credit card numbers or anything, but user passwords, phone numbers, email addresses, locations/IP addresses, typical social network type information. – Suavelizard Jul 19 '12 at 23:21

2 Answers


You are using an Ubuntu machine and therefore it comes with its own LAMP stack. Just type in sudo tasksel, then select lamp and hit enter. Done!

(Also yes, Apache Friends' XAMPP is insecure, usually outdated, and doesn't update as nicely as apt)

rook
  • You are spreading FUD IMO. Being a systems administrator myself for a big company I would be embarrassed to say something like you did. I understand this is Windows but what you said is embarrassing nonetheless. XAMPP is designed for developers so of course it is considered insecure in production, it's not designed for production... Way to label it right? Also, all Linux distros are out-of-sync with Upstream too including the uhm, the latest Ubuntu 12.04... miss the memo on the wish-list bug for Apache to get updated and it being ignored... Also, outdated != Insecure 100% of the time. – Jordon Bedwell Jul 18 '12 at 20:48
  • @Jordon Bedwell I have written an exploit for Apache Friends XAMPP and it took them **MONTHS** to fix the issue. Their "php examples" contained flagrant SQLi and XSS for **YEARS**. This is not FUD, running XAMPP is a serious liability. Keep your system up to date, exploit code is published daily. – rook Jul 18 '12 at 21:54
  • The default LAMP stack being considerably more secure than XAMPP? – Suavelizard Jul 19 '12 at 23:32
  • @Suavelizard yes, in **MANY WAYS**. AppArmor and regular updates to name a few – rook Jul 20 '12 at 02:21
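The answer above says what to install (the distribution's LAMP stack) and why (AppArmor, regular updates), but not how to tell whether the PHP and Apache configuration you end up with is still carrying developer-friendly settings into production. The following script is an added example, not code from rook's answer, from Ubuntu, or from the Apache Friends project: it checks a php.ini and an Apache config for a handful of real directives (display_errors, expose_php, allow_url_include, log_errors, ServerTokens, ServerSignature) against the values you would want on a public server. The sample files it writes to a temporary directory are constructed for the demonstration; the directive names and their hardened values are real.

```shell
#!/bin/sh
# Added example (not code from the answers above): audit a php.ini and an
# Apache config for settings that are fine on a developer's machine but
# unsafe on a production web server. The sample files below are constructed.

# Last effective value of a php.ini directive; commented-out lines (;) are ignored.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^ ;]*\).*/\1/p" "$1" | tail -n 1
}

# Last effective argument of an Apache directive, e.g. "ServerTokens Prod".
apache_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^ ]*\).*/\1/p" "$1" | tail -n 1
}

# Compare each "Directive=HardenedValue" pair with the file, using the given
# extractor function. Prints one line per directive; returns 0 only if all match.
audit_file() {
    extractor="$1"; file="$2"; shift 2
    status=0
    for pair in "$@"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$("$extractor" "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key=$got"
        else
            echo "WEAK $key=${got:-unset} (want $want)"
            status=1
        fi
    done
    return "$status"
}

# Production values: no error details or PHP version leaked to clients,
# no remote file inclusion, errors written to the log instead.
audit_php_ini() {
    audit_file ini_value "$1" display_errors=Off expose_php=Off \
        allow_url_include=Off log_errors=On
}

# Production values: minimal Server header, no version footer on error pages.
audit_apache_conf() {
    audit_file apache_value "$1" ServerTokens=Prod ServerSignature=Off
}

# Constructed samples: a development-style php.ini, a hardened one, and an
# Apache fragment with the verbose defaults.
WORKDIR=$(mktemp -d)
DEV_INI="$WORKDIR/php-dev.ini"
HARD_INI="$WORKDIR/php-prod.ini"
DEV_APACHE="$WORKDIR/apache-dev.conf"

cat > "$DEV_INI" <<'EOF'
; constructed: typical development settings
display_errors = On
expose_php = On
allow_url_include = Off
; log_errors = On   (commented out, so it is effectively unset here)
EOF

cat > "$HARD_INI" <<'EOF'
; constructed: production settings
display_errors = Off
expose_php = Off
allow_url_include = Off
log_errors = On
EOF

cat > "$DEV_APACHE" <<'EOF'
# constructed: defaults that reveal version details in banners and error pages
ServerTokens OS
ServerSignature On
EOF

echo "== $DEV_INI";    audit_php_ini "$DEV_INI"         || echo "-> not production-ready"
echo "== $HARD_INI";   audit_php_ini "$HARD_INI"        && echo "-> hardened"
echo "== $DEV_APACHE"; audit_apache_conf "$DEV_APACHE"  || echo "-> not production-ready"
```

To use it on a real machine, point audit_php_ini at the php.ini Apache actually loads (the path under /etc/php depends on the PHP version installed, so check phpinfo() or php --ini first) and audit_apache_conf at the file where ServerTokens and ServerSignature are set. A directive that is only present as a commented-out line is reported as unset, which is the case that most often slips through when a development php.ini is copied into production.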

Your concern is the security of your XAMPP or LAMP server. Probably the best option for you is to rent a VPS instead of hosting it yourself.

Why use a VPS

  • 24/7 onsite staff
  • Technical support
  • The VPS has already set in security measures
  • Cheaper than hosting it at home
  • A nice internet connection
  • Will not affect your home network

Why not to use a VPS

  • You need more space and RAM than is affordable in a VPS
  • You need a faster connection
  • Fill in the rest...

ponsfonze
  • On point 1.) On-site is subjective. Who says they are on-site for you? 2.) Technical support can hurt at some companies. 3.) This is a lie; a VPS has no more security than a personal install of Linux by default, actually some VPS may be less. Hypervisor protection does not benefit you, and most do not employ an IDS, it's cheaper to just null route. 4.) Subjective, I have 100Mbps at home, that's good for most sites. 5.) Need more info. On part 2... 1.) RAM is cheap especially on VPS. – Jordon Bedwell Jul 18 '12 at 20:41
  • @Jordon Bedwell I'm not sure if you have any experience at all in the above topics, but I can explain further if you would like to know. For instance, talking about onsite staff. Are you willing to take care of your server if your power goes out, if there is a fire, if there is an attack, hardware failures, someone watching "the front door"? Would you rather be sleeping, watching a movie, at the beach, or constantly watching your server yourself? – ponsfonze Jul 19 '12 at 19:52
  • I know a lot about the subject. That said, everything you listed is typical for most data centres and it's not a reason to go to one. Actually a few of those on-site staff don't even monitor/handle, that's the NOC. At home if you miss something like that, asleep or awake you have bigger issues to deal with, like you possibly dying from lack of noticing a fire and possibly having no smoke detectors. On-site staff are not going to recover your data most of the time unless you pay extra, so there is more money out the door. That's why they advocate you backing up your own data. – Jordon Bedwell Jul 19 '12 at 20:29