<html><head></head><body><div class="ydp3b8efb17yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div></div>
<div dir="ltr" data-setdir="false">Rick:</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Time for you to repeat your description of typical web "security" being like a bank guard with photos of Al Capone and Matt Dillinger, but not photos of Bonnie and Clyde because they are new.<br></div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Paul<br></div><div><br></div>
</div><div id="ydp5049152cyahoo_quoted_4931247754" class="ydp5049152cyahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Friday, November 15, 2019, 10:50:02 AM PST, Rick Moen <rick@linuxmafia.com> wrote:
</div>
<div><br></div>
<div><br></div>
<div>Quoting Jim Stockford (<a href="mailto:jim@well.com" rel="nofollow" target="_blank">jim@well.com</a>):<br><br>> I still have Comcast business with<br>> five static IPs and, at least when I<br>> was using it as such, no blockage of<br>> any ports whatsoever.<br>> I've abandoned putting servers on<br>> it because they (three generations)<br>> have gotten wiped. I do not know<br>> enough of sys adm and also networking<br>> to defend myself, so if I ever decide<br>> to put up a web site, I'll use some<br>> hosting service such as SquareSpace<br>> that has a dedicated net ops team to<br>> manage intrusions from without.<br><br>I come bearing good news, then: If you stand up a Web server<br>using a reasonable distro (Devuan/Debian, CentOS) and use the <br>default configuration of one of the main HTTP daemons (Apache HTTPd,<br>Lighttpd, nginx), and _don't go out of your way_ to add gratuitous<br>security loopholes _manually_, it is astronomically unlikely that <br>your system will be security-cracked / wiped from across the Internet.<br><br>_Just_ running a Web server is not security-risky in any way. There is<br>an extremely small attack surface, and even lackadaisical package<br>updating will avert even unlikely modes of entry.<br><br>Typically when someone says 'My Web server got wiped', the speaker is<br>absolutely _not_ talking about having just stood up Apache and serving <br>static Web pages. Pretty much inevitably, what the speaker is failing<br>to mention is all the other, inherently dangerous junk he/she<br>deliberately added and exposed to public attack.<br><br>And, in that category, the most frequent own-goal is unpackaged Web<br>apps. The speaker at some point yielded to temptation to pull down a<br>developer tarball of, say, some extremely buggy PHP app. 
That unpackaged<br>PHP code is now (1) outside the distro package regime, hence will never<br>receive security updates, and (2) creates (usually severe) ongoing<br>security risk for the system that otherwise would not exist.<br><br>The speaker then followed instructions provided by the PHP app developer<br>or elsewhere to enable PHP interpreter support inline in the packaged<br>HTTPd. Which is a manageable if (IMO) unacceptable (in the case of PHP)<br>security risk, where at least the PHP interpreter software and support<br>libs are maintained by the distro package maintenance system.<br><br><br>There are other ways to commit security own-goals with Web servers you<br>build and run, but they all follow that basic pattern: In all cases,<br>you the admin can only open yourself to serious security attacks by<br>manual and unusual, non-default steps to add gratuitous and fairly<br>severe risk factors.<br><br>And the good news is: It's dead-simple to avoid doing that. You just<br>basically stop and think before ever going way, way out of your way to<br>disfigure and injure your system, and, when in doubt, just Don't Do<br>That, Then.<br><br>A 'dedicated net ops team to manage intrusions from without' is<br>superfluous. And, by the way, SquareSpace doesn't provide that.<br>They just have marketing babble about 'top-of-the-line security'.<br><br>SquareSpace is a hosted proprietary drag'n'drool 'Web site builder' CMS<br>built on proprietary JavaScript frameworks. In using it, you're giving<br>up on open source, on controlling your own software, and on controlling<br>even your own data. 
But hey, if outsourcing absolutely everything works<br>for you, great!<br><br><br>And hey, if you're not going to make any use of those five static IPs on<br>Comcast Business, maybe you should lend a couple to BALUG and SF-LUG.<br><br><br>_______________________________________________<br>conspire mailing list<br><a href="mailto:conspire@linuxmafia.com" rel="nofollow" target="_blank">conspire@linuxmafia.com</a><br><a href="http://linuxmafia.com/mailman/listinfo/conspire" rel="nofollow" target="_blank">http://linuxmafia.com/mailman/listinfo/conspire</a><br></div>
</div>
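An added check that follows from Rick's point about unpackaged Web apps (example code written for this page, not from the thread or any list member): it lists the files under a document root that no installed distro package owns, i.e. the code that will never see a security update from the package manager. The `/var/www/html` default and the owner-query command (`dpkg -S` for Debian/Devuan, `rpm -qf` for CentOS) are assumptions.

```shell
#!/bin/sh
# Report files under a Web document root that no distro package claims.
# An unpacked developer tarball of a PHP app sits outside the package regime,
# so the distro's security updates never reach it; this makes such files
# visible. Added example; the docroot default and the query command are
# assumptions, not anything from the original thread.

# unpackaged_files [DOCROOT] [OWNER_QUERY]
#   OWNER_QUERY is a command that exits 0 when its argument is owned by an
#   installed package: "dpkg -S" (Debian/Devuan, default) or "rpm -qf" (CentOS).
#   Prints one unowned file per line. Paths containing newlines are not handled.
unpackaged_files() {
    docroot=${1:-/var/www/html}
    query=${2:-"dpkg -S"}
    find "$docroot" -type f | while IFS= read -r path; do
        # Package managers exit non-zero for a path they know nothing about.
        if ! $query "$path" >/dev/null 2>&1; then
            printf '%s\n' "$path"
        fi
    done
}

# count_unpackaged [DOCROOT] [OWNER_QUERY]: number of unowned files, for a
# one-line summary in a cron report.
count_unpackaged() {
    unpackaged_files "$@" | wc -l | tr -d ' '
}

# Example invocations (commented out so the file can be sourced):
#   unpackaged_files /var/www/html
#   unpackaged_files /srv/www "rpm -qf"
```

A non-empty listing is the "inherently dangerous junk" Rick describes; anything on it either belongs in a distro package or needs its own update process.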
</div></body></html>