Web Server Security - is it safe?

[Tiki]

I'm wondering what people's opinions are on the safety of running web servers (like the Sage web server add-on) over the open internet?

What's the risk if I get a dynamic dns account and setup port forwarding in my router so that I can access a lightweight web server like this over the internet?

I'm interested because I recently installed some security cameras outside my house and have been playing with some different camera monitoring software. One of the programs I have been looking at is Blue Iris. The Blue Iris software has its own web server built-in to allow you to access your live cameras and recorded clips over the LAN or WAN. I plan to run it on the same PC that is used as my Sage Server. I was also thinking about installing the web server plugin for Sage (I can set it to use a different port than Blue Iris).

1. Does using a port other than 80 reduce the risks much?
2. If someone tries to hack the web server, how likely is it that they could gain access to files outside the www directory?
3. How likely is it that they could gain access to other computers on my LAN?
4. Does the fact that the Sage plugin (or Blue Iris) are relatively obscure webservers make them less likely to be hacked than a major web server (like IIS or Apache)?

[nycjoe]

Just my opinion...

Quote:

Originally Posted by Tiki

Does using a port other than 80 reduce the risks much?

Not really

Quote:

Originally Posted by Tiki

If someone tries to hack the web server, how likely is it that they could gain access to files outside the www directory?

Unlikely if they try.. Very likely if they succeed.

Quote:

Originally Posted by Tiki

How likely is it that they could gain access to other computers on my LAN?

Make sure to install updates regularly and this probably isn't a big concern, and disable stuff like paswordless RDP

Quote:

Originally Posted by Tiki

Does the fact that the Sage plugin (or Blue Iris) are relatively obscure webservers make them less likely to be hacked than a major web server (like IIS or Apache)?

Sagetv uses Jetty which isn't quite as common as apache/iis, so it is less-hardened. For that reason, there probably have been fewer vulnerabilities discovered in it, so I don't think there's a right answer. I'd be hesitant to put a web server on the internet that wasnt IIS, jetty, apache, tomcat, or nginx.

What I do at home is I use apache as a reverse proxy for this sort of thing - this allows me to wrap the sagetv web interface with SSL.

[bastafidli]

You may want to look at port knocking

http://en.wikipedia.org/wiki/Port_knocking

to improve your chances.

[drewg]

You might want to look into running a VPN server for access to your internal network. OpenVPN is quite good.

Also, running a simple / small / obscure web server does tend to help. I ran my company's web server with thttpd running under FreeBSD on a DEC Alpha for many years. It was never down & never hacked. All the apache / x86 targeted attacks just bounced right off. With "professional IT" now running the server since it is "business critical", it is running some kind of "best practices" apache/php clusterf*ck and gets hacked pretty much weekly.. So much for the pros.

Drew

[DMT]

+1 for VPN

Jetty can use HTTPS but obviously you still have to forward the port. I am using pfSense firewall and IPsec VPN (for iOS clents). If you don't need iPhone/iPad access you can use OpenVPN.

IMHO
Ps. I also use Blue Iris ...very good.

[Tiki]

Quote:

Originally Posted by DMT

+1 for VPN

Jetty can use HTTPS but obviously you still have to forward the port. I am using pfSense firewall and IPsec VPN (for iOS clents). If you don't need iPhone/iPad access you can use OpenVPN.

IMHO
Ps. I also use Blue Iris ...very good.

I would want to be able to access through iPhone and PC at least.
This wouldn't be for public viewing (just me and possibly family members), but I want to be able to access from the office or when traveling.

I'm not sure what Blue Iris uses for its web server (maybe it's Jetty, maybe not).

After reading the various comments, I'm beginning to think the VPN route makes the most sense. I see that iPhone doesn't support OpenVPN, but it looks like it supports PPtP. It looks like Windows 7 has built in support to set-up PPtP for inbound connections, so I may give that a shot.

Even with VPN, I'll need to open up a port on the router, but it seems like a VPN connection is a lot more secure than an exposed web server.

[KeithAbbott]

Every time I see this topic, I think of this:

http://www.youtube.com/watch?v=UP-Nlb549J8