It's time to build a home server!!!! This series covers what I learned while building and configuring a server at home, with the intention of keeping it close to common configuration standards so I can host sites and applications to test attacks against.
Note: Please take this all with a grain of salt. This is not going to be 100% secure and it is only meant for learning purposes.
Table of Contents
Overview
To begin with, it is important to know what kind of setup you want to build. A few questions you might ask yourself are:
- Do you want a server in your house, or a serverless system?
- Do you need a web server, an application server, or maybe an additional proxy server?
- Do you need virtual hosts to host multiple web sites?
Originally I was thinking of using a serverless solution like AWS Lambda or another cloud-based service, but I opted for building a LAMP stack because I wanted to start with the basics of hosting an in-house server and build up from there. This process will involve installing the OS, then the LAMP software stack on top of it, and then hardening the server.
To begin with, what is a "LAMP" stack and why use it?
What is LAMP?
So, what is LAMP? LAMP (Linux, Apache, MySQL, PHP) is an open source software stack where each component contributes an essential capability to an application. Almost any OS, HTTP server, database manager, and server-side language that suits your needs could be substituted, but the LAMP stack "has a classic layered architecture, with Linux at the lowest level followed by Apache, MySQL, and PHP. Although PHP is nominally at the top or presentation layer, the PHP component sits inside Apache." 3 Though a few variations of this stack have been developed over the years, LAMP remains popular for its historically proven record of delivering high-performance web applications.
Some variations of the LAMP stack are LAPP, where MySQL is replaced by PostgreSQL; WAMP, the Windows equivalent, where Linux is replaced with Windows; or keeping the LAMP acronym but reading it as Linux / Apache / Middleware (Perl, PHP, Python, Ruby) / PostgreSQL to be more flexible for developers.
"A high-level look at the LAMP stack order of execution shows how the elements interoperate. The process starts when the Apache web server receives requests for web pages from a user’s browser. If the request is for a PHP file, Apache passes the request to PHP, which loads the file and executes the code contained in the file. PHP also communicates with MySQL to fetch any data referenced in the code.
PHP then uses the code in the file and the data from the database to create the HTML that browsers require to display web pages. The LAMP stack is efficient at handling not only static web pages, but also dynamic pages where the content may change each time it is loaded depending on the date, time, user identity and other factors.
After running the file code, PHP then passes the resulting data back to the Apache web server to send to the browser. It can also store this new data in MySQL. And of course, all of these operations are enabled by the Linux operating system running at the base of the stack." 3
To learn more about how I set up my LAMP stack, see each section in this series listed at the top of the page, or continue on for information on different server types and possible setups you can look into for yourself.
Server Options
Now that LAMP is understood, there are a few things that are helpful to consider before getting started when picking the type of server for your setup. The rest of this post touches on those things.
What is a Server?
A server is a piece of computer hardware and/or software that provides functionality, aka "services", to other programs or devices, aka "clients".
Though it doesn't sound complicated up front, there is a lot that goes into it that we don't see. What's more, there are many types of servers that clients interact with during their time on the Internet: database servers, blade servers, cloud servers, dedicated servers, domain name servers, file servers, mail servers, print servers, web servers, game servers, proxy servers, HTTP servers, standalone servers, local network servers, and application servers, to name a few. 1, 2, 31
Consider the common client/server restaurant analogy, where a waiter ("server") provides various functions ("services") to the restaurant patron ("client") on request. The functions a waiter can provide include things they perform themselves and things they don't perform but have access to, such as requesting a drink from the bar "server", requesting a special order from a chef "server", or requesting the bill from a host "server".
The same idea translates to computer servers, where you might request email from a "mail server", a website from an "application server" or "HTTP server", and the data behind a website from a "database server". The server takes the request from the client (usually a web browser or email program) and is responsible for performing the service and returning the result to the client in a timely manner. And, like a restaurant, one computer can host many servers, or each server can be separated onto its own host to specialize in one service.
When building a server to host something, it's important to consider the types of servers available and what you actually need. There are many kinds of servers, and you won't need all of them for a website or a file share, but you'll probably need more than one because each performs a specific task or service.
In my setup I'm going to be building a traditionally hosted server stack (a LAMP stack) where everything shares the resources of one computer. In comparison, in a large-scale production environment it's common to separate each server onto its own machine, or to virtualize each within one computer with its own virtual resources; that makes troubleshooting easier and limits what a compromise of one component can reach.
What is Serverless?
Serverless is a catchy new way to get applications online, but are there really no servers involved?
- Short answer: no.
- Long answer: "Serverless is a cloud computing execution model where the cloud provider dynamically manages the allocation and provisioning of servers." 21
In the traditional hosting style, all parts of an application or web site are hosted on one server. This gives IT staff full control to install and configure software and hardware as needed, but it also means IT staff are needed to patch it, monitor it, and physically protect it.
In the serverless hosting style, the parts of an application or web site are split into separate, event-driven "services" and/or "processes", and responsibility for managing them falls on the (cloud) provider hosting each specific service you use. Being event-driven, a serverless function only runs when a specific condition or input triggers it.
According to Amazon AWS:
"With serverless computing, infrastructure management tasks like capacity provisioning and patching are handled by AWS, so you can focus on only writing code that serves your customers. Serverless services like AWS Lambda come with automatic scaling, built-in high availability, and a pay-for-value billing model... - all without managing any servers." 22
For my purpose I will be building in the traditional hosting style. The server will be physically in my house, connected to my network, and I will need to monitor it, like IT staff would, to ensure it gets its security updates and to watch its logs for the malicious actions I will be testing against it.
Web Server vs Application Server?
When building a server it's important to understand the difference between two commonly mixed-up server types: a web server and an application server. These days a lot of websites are dynamic applications, not just static sites. It can be confusing what they need at the server level to be functional when the terms "web server" and "app server" are thrown around without much understanding of what the differences really are and the different services each offers.
An HTTP web server handles communication between a client/browser and the server. Specifically, it speaks HTTP: it receives HTTP requests and responds with HTML documents, images, redirects, style sheets, scripts, and text content, to list a few. What it can't do by itself is execute application code such as Java or C++. 32 For dynamic requests a web server acts as an intermediary, passing the request to the program best suited to handle it, and provides nothing beyond an environment for that server-side program to execute in and return its generated response. An HTTP web server works well for static websites that don't process any input, but for processing information an application server is needed.
An application server is a framework of software that handles the more complex/dynamic processing that web servers can't, such as API calls, Java applets, or C++ processing. It's generally positioned behind a web server and in front of a SQL database, and it runs the business logic that generates dynamic content for web or desktop applications; "that is, it's code that transforms data to provide the specialized functionality offered by a business, service, or application." 34
In general, clients/browsers reach applications by communicating with a web server over HTTP, while an application server has separate listeners for the HTTP, HTTPS, IIOP, and IIOP/SSL protocols. Each listener has exclusive use of a specific port number, but this doesn't mean web servers can't deliver dynamic content through CGI (Common Gateway Interface) or plugins that act as an intermediary for a process, nor that an application server can't serve a static website. 33 If the dynamic content is generated with Java technologies, an application server is generally in use; if it is generated by PHP or Perl, a web server is generally being used.
Service Vs Process
When researching server hosting, the words "service" and "process" get tossed around, but what is a "service" and what is a "process"?
A "process" is an instance of a running program, application, script, or executable that can be running in the foreground or background of a system. It is one or more threads of execution within its own address space that, at any given time, can be running, sleeping, or a zombie (a process that has finished but whose parent has not yet collected its exit status).
For example, both the Chrome browser and Notepad++ run as processes. Chrome is interesting because it separates each tab into its own process. In contrast, you can have multiple tabs open in Notepad++, but all of them live in one Notepad++ process.
A "service", also called a "daemon" in a Linux environment, is a continuously listening process that runs in the background and provides its service to clients on request. Though a service can have an associated program with a user interface, services are usually started by the operating system and run whether or not that program is open in the foreground. They don't interact with the desktop, are not interactive, and have no controlling terminal.
For example, the Apache/httpd web server, the SSH server, the system logger, antivirus scanners, and time synchronisation (NTP) are all services that run in the background even when no user is logged in. You can modify their settings, but otherwise they just run and wait for someone to request something from them. Because they listen even when nobody is logged in, they are also what an attacker on your network sees first, so knowing which ones are running matters.
To see what services and processes are running on your system you can:
- On Windows, open Task Manager. It has tabs for viewing running processes (browsers and other programs you are running or interacting with) and services (helpers to the computer or to a process).
- On Linux:
  - To view services, run `service --status-all` (SysV init scripts) or, on a systemd host, `systemctl list-units --type=service` to see what is currently running.
  - To view processes, run `ps` for the processes attached to your current terminal, `ps aux` for every process on the system, or `top` for a continuously updated and more detailed list of running processes.
What are Virtual Hosts?
Using "virtual hosts" is a common method for hosting multiple web sites on a single server. It lets one server share its resources among several sites without requiring them to use the same host name.
There are 3 types of virtual hosts 5:
- IP-based: a different IP address for every web site. For example, 172.20.30.40 and 172.20.30.50.
- Name-based: multiple host names served on one IP address, distinguished by the HTTP Host header (and, for HTTPS, the SNI extension in the TLS handshake). For example, blog1.example.com and blog2.example.com, or example.com and example2.com.
- Port-based: a different port on the same IP address for each web site. For example, 172.20.30.40:8080 and 172.20.30.40:8081.
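As an added example (not from the original post), here is what those three kinds of virtual host look like in Apache 2.4 configuration on a Debian/Ubuntu-style layout, together with the hand-off described in the LAMP request flow above: Apache matches the request to a vhost, and any .php file under it is passed to PHP over FastCGI (PHP-FPM) instead of being served as text. The IP addresses, host names, document roots and the PHP-FPM socket path are assumptions for illustration, and HTTPS is left out. The first `<VirtualHost>` defined for an address:port pair is Apache's default for that pair, so a request whose Host header matches nothing (for example a scanner hitting the bare IP) lands there; the block therefore starts with a deliberate catch-all that denies everything, so such requests never fall into one of the real sites.

```apache
# Added example: Apache 2.4 virtual hosts for the three schemes above, with
# .php requests handed to PHP-FPM over FastCGI (needs mod_proxy and
# mod_proxy_fcgi). Addresses, names, paths and the socket are assumptions.

Listen 80
Listen 8080          # extra port for the port-based site

# Defaults for every site: no directory listings, no .htaccess overrides.
<Directory /var/www>
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Hand every .php request to PHP-FPM instead of serving the source as text.
# Socket path is an assumption; on Debian it is versioned (php8.x-fpm.sock).
<FilesMatch "\.php$">
    SetHandler "proxy:unix:/run/php/php-fpm.sock|fcgi://localhost"
</FilesMatch>

# 1. Catch-all default. The FIRST <VirtualHost> for *:80 is the default for
#    that address:port, so a request with an unknown or missing Host header
#    (e.g. a scan of the bare IP) ends up here and is refused.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    <Directory /var/www/empty>
        Require all denied
    </Directory>
</VirtualHost>

# 2. Name-based: two sites on the same address, selected by the Host header.
<VirtualHost *:80>
    ServerName blog1.example.com
    DocumentRoot /var/www/blog1
    ErrorLog ${APACHE_LOG_DIR}/blog1-error.log
    CustomLog ${APACHE_LOG_DIR}/blog1-access.log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName blog2.example.com
    DocumentRoot /var/www/blog2
    ErrorLog ${APACHE_LOG_DIR}/blog2-error.log
    CustomLog ${APACHE_LOG_DIR}/blog2-access.log combined
</VirtualHost>

# 3. IP-based: selected by the address the request arrived on, so it works
#    even without a Host header. The host must own 172.20.30.50 as well as
#    its primary address; a specific address beats "*", so requests to .50
#    come here and never reach the name-based sites above.
<VirtualHost 172.20.30.50:80>
    ServerName site-b.example.com
    DocumentRoot /var/www/site-b
</VirtualHost>

# 4. Port-based: same address, different port (see "Listen 8080" above).
#    Being the first vhost for *:8080, it is also the default for that port.
<VirtualHost *:8080>
    ServerName admin.example.com
    DocumentRoot /var/www/admin
</VirtualHost>
```

Check the syntax with `apachectl configtest` before reloading, then confirm the default behaves as intended with `curl -H "Host: nonexistent.example" http://172.20.30.40/`, which should come back 403 from the catch-all rather than a page from blog1. Note that the quoted description above of PHP sitting "inside Apache" describes mod_php; with PHP-FPM as configured here, PHP runs as its own service and Apache only proxies to it, which is what lets the two run as different users.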
Ooooooook! Now that that is all covered it's time to build this thing! Check out the next post in this series to see how to set it all up.
Top comments (1)
Well written, well classified.
Thanks 🙏 for your perfect 💯 post 👍