13

I have an old laptop with far too little RAM to run Linux (including specialty distributions). It can however run Windows 98 just fine, and I'm looking into turning it into a tiny retro webserver.

Is it possible to keep an old operating system webserver from being hacked? All I'm looking for is a simple port 80 static website with no over-the-web administration abilities.

I have no significant experience with security, or exploiting security holes. So I'm not sure where to look. Can a DOS/WIN95/WIN98 box be exploited if all it does is respond to simple HTTP requests?

Katastic Voyage
  • You are going to get a LOT of questions about why you think you don't have enough RAM to run Linux, but enough to run Win98. – schroeder Mar 18 '15 at 21:38
  • Does Windows 98 even support the modern web? – KingJohnno Mar 18 '15 at 21:45
  • Win98 supports HTTP - the OP states "static website", so I am assuming no dynamic code. – schroeder Mar 18 '15 at 21:47
  • I question the premise of this question: Windows 98 required at least 16MB of RAM in order to run; "Fd Linux" can run on a 386 with 8MB of RAM. Therefore I question what system exists which has enough RAM to run Windows 98 but not Linux? Perhaps you could clarify this please. – Vality Mar 19 '15 at 01:18
  • Can't you run some Linux distro from the time Windows 98 came out? – trysis Mar 19 '15 at 01:55
  • Even if you have an old laptop unused, it doesn't seem worthwhile to use it as a webserver. You could as easily run a modern OS inside of a virtual machine on modern hardware, possibly using less electricity. – jamesdlin Mar 19 '15 at 03:27
  • What are your hardware specifications? – A T Mar 19 '15 at 04:48
  • Are you sure you do not have enough RAM? I am running a web server on Linux which right now serves Python-backed "static" pages and it needs 28 MB RAM, including an SSH server and email server, which you probably do not need. Scratching Python, uWSGI, SSH and Postfix, I am guessing that about 20-25 MB would be needed. – Fenikso Mar 19 '15 at 06:57
  • Is BSD an option? The minimal RAM requirements are extremely small. ([NetBSD's "Full install"](http://www.netbsd.org/ports/i386/hardware.html) only requires 8 MB of RAM, and the minimal install only requires 4 MB.) It would be worth a try, at least, and it would likely be far more secure than **Windows 98**. – jpmc26 Mar 19 '15 at 09:19
  • While an interesting project, using a modern mini computer (Raspberry Pi or similar) is probably both more practical and more economical. The power savings alone probably outweigh the purchase price (e.g., Raspberry Pi Model A+ costs 20 US-$, and draws 1 W). – sleske Mar 19 '15 at 09:24
  • Also a low-end VPS may serve the purpose much better than old hardware for a very low price. However, I do admit it is not as cool. – Fenikso Mar 19 '15 at 11:06
  • Simple static file server - http://cr.yp.to/publicfile.html I wouldn't make it public facing if you don't know how to secure the rest of the system, but with a minimal set of libraries and RAM you can run Linux and serve static files with this. – Eric G Mar 19 '15 at 20:18
  • -1 for bogus premise. There are plenty of modern operating systems that take a lot less memory than Win98 and that are actually suitable for running a server. The VPS I use for a real project only "uses" 3 megs; this of course is not counting kernel use, cache, socket buffers, etc. but you can still get by with very low totals. – R.. GitHub STOP HELPING ICE Mar 19 '15 at 22:04
  • Funny, that. I was running Linux before Windows 95, much less Windows 98. The Tiny Core Linux command line download clocks in at 9MB btw... – chx Mar 20 '15 at 09:40
  • I used to run Linux on 4MB of RAM, which is not even enough for Windows 98. You'll need to find specialty distros though if you want to go that small. It can be done with newer kernels if you carefully compile it to exclude all unnecessary modules such as USB or SATA drivers. But generally it's easier to get that small using an older kernel. – slebetman Mar 20 '15 at 14:37
  • It always bothers me when a question gets so much attention from everyone *except* the asker. – Digital Chris Mar 20 '15 at 15:07
  • I concede that bare-bones Linux will probably run on a RAM starved laptop. It will most likely not have driver support for the proprietary PCMCIA ethernet card, mouse, and so on. (I am an active Linux user.) Modern Linux on the laptop also violates a bit of the retro-ness of it. Regardless. This question was really to gain perspective. I could easily write a simple HTTP server, but I've learned that there's no way to protect the rest of the TCP/IP stack. As for why I haven't replied to this post, apparently I have two SO accounts and just realized this. I apologize for the suspense. – Katastic Voyage Mar 14 '16 at 19:35

9 Answers

35

Probably not. In order to respond to HTTP requests, the operating system must be able to run a TCP/IP stack, process packets, and complete a TCP handshake, all requiring the system to utilize or spawn threads in memory, call libraries, etc. Therefore, the system would still be susceptible to protocol attacks it may not be patched for (TCP sequence prediction is one that comes to mind for a web server that might run on Win98).

You could compile and run a modern server like nginx or Apache (probably would have to heavily modify it, as it won't run on Win98 out of the box), but older operating systems being on a network are inherently prone to network probing and network attacks. Even if TCP 80 were port forwarded through a firewall, the web server process would still be running inside of a system lacking modern protections like DEP, ASLR, etc.

armani
  • [Buffer overflows in low-level networking code also come to mind.](http://en.wikipedia.org/wiki/Ping_of_death) – user253751 Mar 19 '15 at 09:27
  • He could run a user-space TCP stack and ignore the OS one completely, at least in theory.... – armb Mar 20 '15 at 15:47
  • @armb - good suggestion, but anything compromised in user space (super especially on an older, less secured OS) would still be prone to privilege escalation techniques (not to mention the goal of serving web pages is put at risk). – armani Mar 20 '15 at 16:44
  • @armb On Win9x the user/kernel space boundary is not a security boundary. (Win9x effectively *has no security boundaries*. It was designed to make things possible, not to make things impossible) – user253751 Mar 21 '15 at 08:25
15

Do you have experience with a CLI (command line interface), like the Windows command prompt? If so, why not get a Raspberry Pi? The Pi is going to be smaller, faster, and more efficient than your old laptop. You can get a Pi for ~$50. Then you download (or get a pre-installed SD card with) their NOOBS software and install Raspbian OS, which is a Debian fork, install Nginx, and you have a web server about the size of your wallet that consumes 3 Watts of power.

If a CLI is a bit much for you, I suggest Linux with the XFCE desktop rather than relying on Windows 98, although I don't recommend using old hardware like your laptop. A minimal Ubuntu (like Lubuntu) would be appropriate if you want the installer to do most of the work for you.

Robert Munn
  • This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post. – M'vy Mar 19 '15 at 20:09
  • @M'vy True, but it _is_ a bit of an [XY Problem](http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem). – JLRishe Mar 19 '15 at 20:41
  • CLI is fine. Thanks for the answer. This was specifically what was asked in the title. "Can an old retro computer be a viable server without being compromised." – Katastic Voyage Mar 14 '16 at 19:39
  • If you follow a few infosec people on Twitter you will find that any system can be compromised given time and resources for an attack. See armani's answer for details on why older OSes are probably not a good choice. In the mid-90's, I ran some Web servers on Windows NT, which would be a better choice than 95/98, but still has known vulnerabilities: https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-39/cvssscoremin-4/cvssscoremax-4.99/Microsoft-Windows-Nt.html You would be better off installing a modern minimal Linux/BSD distro. – Robert Munn Mar 18 '16 at 18:45
8

I am also questioning how this machine can run Win98 (which wasn't exactly an efficient OS in its day) but cannot run Linux. How about taking a Linux Live CD (bootable "frozen" OS), editing the ISO to include the web pages you want to serve, removing local storage (pull out the hard drive), then booting off the Linux Live CD and rebooting daily? Even if the machine does get attacked, in that configuration nothing will persist beyond the reboot (except for theoretical blue-pill attacks).

Of course, at minimum you'll also want to stick the machine in your DMZ, isolate it from talking to other machines on your LAN, and run a firewall at minimum with only port 80 open (and 443 if you're supporting TLS / "HTTPS").

user70664
  • I think you should change "theoretical" to "national security service" as there is proof that the spooks do use this technology. – Snowbody Mar 19 '15 at 19:11
4

This is simply a bad idea unless you just want to try it for fun.

Anyone who suggests it could be done is making too many assumptions. There isn't enough information to make a call.

Probably the main issues include:

  • Win98 is old, is no longer patched and is likely vulnerable to many existing penetration techniques which were not even thought of back when it was last patched/tested. Bottom line, it is a huge unknown and almost certainly has vulnerabilities.

  • What web server would you run? It is likely you can only get an old web server, i.e. an old version of IIS or similar, due to the age of libraries etc. This means running an old server which almost certainly will have significant vulnerabilities.

  • More effort than it is worth. I suspect once you start trying to get this to work, you will run into all sorts of problems. This sounds like a very difficult task compared to the benefit/result you will get.

Others have focused on the comment that it is too old to run Linux. This is not true. If it can run Win98, it can run Linux. It might have difficulty with current distributions, but you could probably do it with the same level of effort; this is still more effort than it is worth.

Given the age of the system, more than likely you will put in hours to get it working and then find it suffers a hardware failure. It could be an interesting thing to do as an experiment and learning exercise, but it certainly isn't worth the effort if you actually want it to be useful.

Tim X
  • I believe Win98 supports only PWS (Personal Web Server) and supports up to classic ASP (that's where I learned about dynamic pages) :) – vasin1987 Mar 20 '15 at 10:32
  • @vasin1987 That might be what's built into it, but porting another web server (or even writing your own) shouldn't be a difficult task. (Note I said "porting"; probably any modern web server uses *some* API not available in Win9x) – user253751 Mar 21 '15 at 08:27
  • The idea was really just for fun and curiosity. A Pi would be a cheap solution if retro/re-use wasn't the constraint. – Katastic Voyage Mar 14 '16 at 19:40
3

In the end, it's not the OS that's the issue, but the application and the service running it. If your firewall is locked down tight, if the computer is physically secured, and the ONLY thing you are doing is serving a static page, then it comes down to the web server and what "else" the static page could do.

It CAN be done, but the web server you choose to use, the way you configure it, and the technology that you use to display the web page will all be important.

Even then, you need to provide yourself mitigations in case of a compromise, including separating the computer from the rest of the network, and the ability to blow it away and restore from backup in case things go badly.

schroeder
  • The OS is part of the issue. Windows has historically had many network services enabled by default. I'm not sure about Windows 98 specifically, but definitely port-scan it and make sure only the port you expect to be open is open. – ash Mar 18 '15 at 23:39
  • What about issues in the networking stack itself? They are OS and not application dependent. – Cybergibbons Mar 18 '15 at 23:48
  • @Cybergibbons So, DoS? I'm not sure that's an issue for the OP. – schroeder Mar 18 '15 at 23:53
  • Why is it restricted to DoS? Etherleak exploited an issue in the networking stack that isn't DoS and is independent of the application. – Cybergibbons Mar 18 '15 at 23:56
  • @Cybergibbons DoS and info leakage do not appear to be important to the OP. Why? Because the page is static, and it is HTTP. The MOMENT, the page is supposed to be dynamic, or there is a login, then my advice falls apart. So, taking the OP at face value, compromise of the OS using the network stack is the threat to be concerned about, and I'm unaware of a way to do that. – schroeder Mar 19 '15 at 00:00
  • Let's not forget that everything on Windows 98 basically runs as root. – Brad Mar 19 '15 at 01:32
  • My point is that it's an unknown - we can't rule out issues with the network stack. The OS/hardware also means that DEP, ASLR, and NX can't be used, there is no concept of user accounts, no proper file permissioning, so if there was, for example, an overflow, it would be much easier to exploit. I can't find any research on Windows 98 security - it's just not used any more. – Cybergibbons Mar 19 '15 at 08:26
  • @ash hence my requirement that the "firewall is locked down tight" – schroeder Mar 19 '15 at 23:31
  • @Cybergibbons yes, you are correct with ALL those things. And yet, is it possible to gain enough access to a Win98 box through a static page served over port 80? I'm NOT saying that it's smart. I'm saying that it's possible, with some very tight constraints. – schroeder Mar 19 '15 at 23:34
  • I'm just saying the statement "it's not the OS that's the issue" doesn't seem to hold true. – Cybergibbons Mar 20 '15 at 08:39
  • I'm diggin the fact you're throwin down a recovery plan. How to back out of the disaster.... – Citizen Mar 20 '15 at 08:44
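As an added example (not code from any of the posts above), this is what the "very tight constraints" schroeder describes look like in a static-only handler: GET and HEAD only, no directory listings, `..` collapsed before the filesystem is touched, and a fixed list of file types. The `site` directory name, the file-type list, and the test port are assumptions; the handler logic, not the language, is the point.

```python
import os
import posixpath
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit

# Assumption: the whole site lives here; nothing outside it is ever served.
WEBROOT = os.path.abspath("site")
CONTENT_TYPES = {".html": "text/html", ".css": "text/css", ".png": "image/png", ".txt": "text/plain"}

def resolve_path(request_path, webroot=WEBROOT):
    """Map a request path to a file under webroot, or None if it must be refused.
    Query string dropped; '..' collapsed before joining so nothing above the root
    is reachable; a directory maps to index.html; only listed file types are served."""
    raw = unquote(urlsplit(request_path).path)
    if "\x00" in raw:                                   # NUL would break open()
        return None
    path = posixpath.normpath("/" + raw.lstrip("/"))    # '/a/../../x' -> '/x'
    if raw == "" or raw.endswith("/"):
        path = posixpath.join(path, "index.html")
    candidate = os.path.abspath(os.path.join(webroot, path.lstrip("/")))
    if os.path.commonpath([candidate, webroot]) != webroot:
        return None                                     # defence in depth
    if os.path.splitext(candidate)[1] not in CONTENT_TYPES:
        return None                                     # no listings, no .bak/.cfg
    return candidate

class StaticOnly(BaseHTTPRequestHandler):
    server_version = "static/0"     # do not advertise the stack in the Server: header
    sys_version = ""

    def do_GET(self):
        self._serve(send_body=True)
    def do_HEAD(self):
        self._serve(send_body=False)
    # Any other method (POST, PUT, OPTIONS, ...) gets the base class's 501 reply.
    def _serve(self, send_body):
        target = resolve_path(self.path)
        if target is None or not os.path.isfile(target):
            self.send_error(404)
            return
        with open(target, "rb") as f:
            body = f.read()
        self.send_response(200)
        self.send_header("Content-Type", CONTENT_TYPES[os.path.splitext(target)[1]])
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if send_body:
            self.wfile.write(body)
if __name__ == "__main__":   # 8080 for an unprivileged test run; the real site would bind 80
    HTTPServer(("", 8080), StaticOnly).serve_forever()
```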
3

How about KolibriOS, and writing your own web server?

Or Tinfoil Hat Linux, and maintaining it? (Shouldn't take too long, just upgrade everything to the latest versions and hack around with dependencies until you get it to compile.)

Most importantly, before I can provide other suggestions, what are your hardware specifications and personal skill level?

A T
3

Get rid of that old box! It's too much hassle. Buy a Raspberry Pi B+. It's fast for your needs, cheap to buy, and within five to ten months it will earn the investment back by saving electricity. That old box maybe uses up to $10 a month for electricity, the RPi maybe $1.

SPRBRN
2

Considering that a modern computer (or even a smartphone) can compute circles around a 15-year-old laptop, one would need to ask "why?", esp. as the old hardware is expected to fail more-or-less anytime.

If this is a "because I can" project, then have at it and good luck.

If you simply want your own webserver, it is very easy to set one up on your current desktop. If you have a Mac, it comes from Apple with all the software you need to run your own copy of Wikipedia. If you have Windows, get XAMPP. Either way, everything is up to date, security patches come regularly, decent interface software etc. etc. Windows 98 hasn't seen an update since 2006.

paul
1

This is mainly an addition to armani's answer.

As Win98 has not been maintained for years, you cannot expect the OS TCP/IP stack to be exempt from bugs.

But you certainly can find a recent (decent) OS that will run on an old computer. NanoBSD, for example, declares that it can be customized to low requirements: it is possible to cut the system down so it will fit on as little as 64MB.

But beware, the performance will not be that of recent hardware!

Serge Ballesta