10

I'm currently running a webserver from home accessible on the public internet via a static IP. What kind of risks are there in doing so?

From what I understand, the setup will not allow connections besides port 80 and thus my network and computers are safe from attacks, but is that right?

What are some steps to take to minimize the risks involved?

Pacerier

3 Answers

4

Well, the general recommendation would probably be something along the lines of:

  • Put a firewall in front of your web server. Only allow the traffic you need to allow, and deny (drop or reject is largely a matter of preference) everything else. You have already done this, but there's more to it than just running firewall software.

  • Go over the software configuration with a fine-toothed comb. Especially consider anything related to file uploads, execution of code, and things like that.

  • Keep everything that is even potentially exposed to the Internet fully up to date. This includes the operating system, web server, anything served through it (remember that those PHP scripts that let you upload and view files are executable computer code that can have security-related bugs) and anything that those applications rely on (such as for example a database server).

Even in the best case, your setup will only ever be as secure as the least secure portion of whatever is accessible over the Internet. The instant you start accepting packets from the Internet rather than flat out blocking everything, there is always the risk that a bug in the operating system's TCP/IP stack, the software that handles the packets, or where the data coming in eventually ends up, could cause the computer to exhibit behavior other than that desired by you (A.K.A. a security breach of some kind).

As soon as a fix for a security-related problem becomes available, lots of eyes start going over it to see if they might be able to exploit what's been fixed for illicit purposes.

Any host connected to the Internet will see regular scans from various bots. Some are harmless; some are stupid enough to be essentially harmless; but some are actually potentially dangerous, and HTTP on port 80 is common enough that you should expect plenty of such traffic. That you don't have a host name pointing at your IP address doesn't change that fact. Which means that the web server and whatever is running on it will have to be able to deal with anything anyone can throw at it based on currently known security vulnerabilities in any web server software and version (since the attacker won't know exactly what you might be running).

user
  • If we assume that this is paradise and everything I have is bugless, is there anything else that I need to do, or is my setup already 100% safe? – Pacerier Sep 09 '13 at 05:29
  • What do you mean by "software configuration", and also generally how do we be the first to know of any security updates? – Pacerier Sep 09 '13 at 05:30
  • *Nothing* is absolute, and software certainly is never totally free of bugs. Things that look innocuous enough can turn out to have serious security implications once someone looks at them with such an eye. By *software configuration* I mean all the settings that you can adjust in the software. Things like how to serve various kinds of files (particularly, which are executed and which are served as-is?), listening ports and IPs, what information to expose in a publicly-facing way, logins and passwords, etc. – user Sep 09 '13 at 07:15
  • And *you don't* become the first to know of security updates, you just make sure to find out (and install them promptly) when everyone else does, so keep close tabs on the update manager of the OS and the release pages for any software not covered by it looking for fixes or service packs. Sign up for any relevant mailing lists if such exist to have notifications pushed to you, but don't rely 100% on them being timely (email can easily get delayed). – user Sep 09 '13 at 07:16
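A check for the "only allow the traffic you need" and "listening ports and IPs" points in the answer above, as an added example that is not part of the original post. It assumes a Linux server where `ss -tlnH` is available; the sample output is constructed and the function names are hypothetical.

```python
import ipaddress

# Ports meant to be reachable from outside (the question's setup: HTTP only).
ALLOWED_PUBLIC_PORTS = {80}

# Constructed sample in the format printed by `ss -tlnH` on Linux.
SS_OUTPUT = """\
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      80              [::]:3306         [::]:*
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0      511                *:8080            *:*
"""


def parse_listener(line):
    """Return (address, port) for one LISTEN line, or None if it is not one."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    addr, _, port = fields[3].rpartition(":")
    # Drop IPv6 brackets and any %interface suffix (e.g. 127.0.0.53%lo).
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, int(port)


def is_loopback(addr):
    """'*' is a wildcard bind; everything else is parsed as an IP address."""
    if addr == "*":
        return False
    return ipaddress.ip_address(addr).is_loopback


def unexpected_listeners(ss_text, allowed=ALLOWED_PUBLIC_PORTS):
    """List sockets bound to a non-loopback address on a port not in `allowed`."""
    findings = []
    for line in ss_text.splitlines():
        parsed = parse_listener(line)
        if parsed is None:
            continue
        addr, port = parsed
        if not is_loopback(addr) and port not in allowed:
            findings.append((addr, port))
    return sorted(findings, key=lambda item: item[1])


if __name__ == "__main__":
    for addr, port in unexpected_listeners(SS_OUTPUT):
        print(f"review: {addr}:{port} is listening beyond loopback")
```

Each finding is a service to either bind to loopback, disable, or confirm is blocked by the firewall in front of the server.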
3

Risks:

  • Denial of service attacks on your public computer. Possibly your whole home network depending on the setup.
  • If your static IP has a domain name, the WHOIS entry will have your personal contact details globally visible unless (for some registrars) you pay extra money for privacy.
  • Any IP ban or blacklist upon you or your service will be more effective since your IP doesn't change. You can be traced more consistently across time and services for the same reason, assuming no anonymous routing.
  • If your computer as server has to be on all the time, the opportunity to attack and maintain an attack is increased. If the computer is your personal computer with family photos, documents, password files, etc. then the breach doesn't need to penetrate further firewalls.

Suggestion:

To get the most benefit (and the most security) out of a home server, I suggest the computer that actually has the static IP is a headless mini computer.

This computer without a monitor or keyboard can act as the primary firewall and reverse proxy for your home network. It can be treated as the demilitarised zone (DMZ) of your home network and protect all the assets that are stored on normal private computers. Whether any part of the rest of your normal computer network is kept on 24/7 now depends on whether the web-server is hosted within the DMZ* or not (or both for two-tier web solutions).

The idea is that this public server is hardened and highly limited in what information and inward-bound authority it possesses; typically running its own much more secure operating system (Linux for example).

The cost of a headless mini computer/home server depends on how much performance and space you need for demilitarized services. On the low end you have Raspberry Pi of perhaps $200 up to beast boxes (minus video card) of $2000 or more. The low-end is better suited for routing & access control than content-rich Drupal sites, but here is an example of a Raspberry webserver.

* Technically I'm misusing the term DMZ somewhat; as a DMZ is a logical network boxed in by two or more routers/firewalls; like the bailey/killing ground of a castle keep. The home server would be both the inner firewall of the DMZ and an asset in the selfsame DMZ.

LateralFractal
  • Denial of service - that's just as possible without a web server running, just do something that'll saturate the connection. A local firewall won't help against that because the traffic has already passed through your pipe to the Internet by the time it has a chance to act on it (by dropping the packets, say). – user Sep 08 '13 at 20:07
  • Privacy implications of a static IP with regards to whois - a valid concern, but not for the reasons you list, and not really a whois problem. The IP address will probably still just show the ISP's contact details, unless the OP has a full netblock assigned from them, and even then it might not. Without special arrangements any PTR on the IP will generally simply lead back to the ISP so not expose any further personal details of the customer/subscriber. – user Sep 08 '13 at 20:10
1

Offering the HTTP service means that any vulnerability in that service becomes an entry point for attackers. So be sure to manage this service with all due diligence: apply security fixes published by the vendor, as promptly as possible. This is for both the HTTP server software itself (say, Apache) and the "site code" (a hole in the PHP code is still a hole). Apart from that, this server won't add much to your (in)security, on the technical side of things.

However, a publicly available HTTP server implies higher exposure. Most people evade trouble not by running fully patched software, but by being commoners. People from home doing Web surfing like normal people. Uninteresting schmucks. There are so many of those, perhaps billions, that nobody really gets motivated into hacking into their machines. Sure, there is a lot of automatic hacking going on; those botnets won't feed themselves! But no real threat from a motivated, intelligent attacker. By running a Web server, you become uncommon. You may attract interest. People who run Web servers at home may have interesting data to provide; at least they made an effort to provide a service for other people.

Basically, offering such a service tends to remove a very powerful protection layer, i.e. anonymity (as in: "does not show up on radar among the masses"). Evading attacks by simply looking "normal" is, conceptually, a very unsatisfying way to protect your information assets, but it works very well; and your HTTP server will strip you of that.

An extra source of worry is that your home network is "protected" against intrusions by the combined forces of your cable/ADSL modem (provided by your ISP) and, possibly, some sort of home (WiFi) router. These devices use software which is rarely updated, and thus tends to have many security holes. You don't really want to attract attention to that.

Tom Leek
  • I don't want anonymity, I want real firepower to fight off attacks. What's the best setup I can have to defend myself against DOS attacks? – Pacerier Sep 09 '13 at 16:16
  • DoS attacks work by exhausting your resources. Your scarcest resource is outbound bandwidth: that's what home Internet accesses lack most. But a Web server uses exactly that. The best and about only defence against DoS is to have more muscle, i.e. more output bandwidth than the input bandwidth of the attacker. This will be hard to do with a home Internet access. I recommend renting a server. VPS are not expensive. If you really want to do it from your home, you should apply some [QoS](http://en.wikipedia.org/wiki/Quality_of_service) so that DoS don't kill your Internet access altogether. – Tom Leek Sep 09 '13 at 17:05
  • 1
    Speaking of which, I invite you to read the details of the contract from your ISP: they may forbid "server-like" usage (many ISPs do that). A usual consequence of a DoS is to attract attention from the network provider, and your ISP may then elect to terminate the service they provide to you (and they could do that lawfully). This might be your biggest practical risk. – Tom Leek Sep 09 '13 at 17:07
  • Hmm, but my router doesn't seem to have its port forwarding disabled... surely the ISP would disable that if they do not want people to host servers. I don't want to rent a server and have everything already done. I would rather do the setup myself and learn as I go. – Pacerier Sep 09 '13 at 18:02
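The answers above note that any Internet-facing host sees regular automated scans on port 80. The following added example (not part of the original posts) shows how that traffic appears in a web server access log and how to summarise it. It assumes the common Apache/nginx "combined"-style log line; the log lines use documentation IP ranges and are constructed, and the function name and threshold are hypothetical.

```python
import re
from collections import defaultdict

# ip ident user [timestamp] "METHOD path protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one ordinary visitor, one broken image link,
# and one client walking through paths the site has never served.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Sep/2013:05:29:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [09/Sep/2013:05:29:02 +0000] "GET /favicon.ico HTTP/1.1" 404 209
198.51.100.23 - - [09/Sep/2013:05:30:10 +0000] "GET /admin/login.php HTTP/1.0" 404 209
198.51.100.23 - - [09/Sep/2013:05:30:10 +0000] "GET /backup.zip HTTP/1.0" 404 209
198.51.100.23 - - [09/Sep/2013:05:30:11 +0000] "GET /test.php?x=1 HTTP/1.0" 404 209
198.51.100.23 - - [09/Sep/2013:05:30:11 +0000] "GET /old/ HTTP/1.0" 404 209
192.0.2.44 - - [09/Sep/2013:07:15:40 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.44 - - [09/Sep/2013:07:15:41 +0000] "GET /img/logo.png HTTP/1.1" 404 209
192.0.2.44 - - [09/Sep/2013:07:15:45 +0000] "GET /img/logo.png HTTP/1.1" 404 209
"""


def probing_clients(log_text, min_missing=3):
    """Map client IP -> sorted missing paths, for clients that requested
    at least `min_missing` distinct paths answered with 404."""
    missing = defaultdict(set)
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match is None:
            continue  # malformed request lines are skipped here
        if match["status"] == "404":
            # Ignore the query string so /test.php?x=1 and ?x=2 count once.
            missing[match["ip"]].add(match["path"].split("?", 1)[0])
    return {
        ip: sorted(paths)
        for ip, paths in missing.items()
        if len(paths) >= min_missing
    }


if __name__ == "__main__":
    for ip, paths in probing_clients(SAMPLE_LOG).items():
        print(f"{ip} probed {len(paths)} missing paths: {', '.join(paths)}")
```

Repeated 404s for one broken link stay below the threshold, while a client sweeping many unrelated paths stands out; the same summary over a real log shows how much of the traffic is background scanning.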