Hosting Website from Home


I was hosting http://h1bsalary.online from AWS on an m3.xlarge instance.
Even though it is a reserved instance, the cost of hosting has crossed the threshold I set for a hobby project.
The primary purpose of this site is the democratization of publicly available salary information to help potential job seekers and others.

This website indexes about 10 million Labor Condition Application ("LCA") disclosure records from the UNITED STATES DEPARTMENT OF LABOR. The site gets about ~500 daily users, and the number of daily visitors is increasing. As the traffic increases, the cost of hosting increases linearly.
As you can see, cloud providers charge for NETWORK, STORAGE and COMPUTE separately, so as the traffic and the volume of data increase, the cost increases linearly.

Since it is a hobby project, I have decided to host the website from home. My high-availability and performance requirements are not mission critical, and the primary objective is to drive down the cost.

Warning: running a server of any kind at home is a security risk. Security problems are sometimes found in server software, and these can be exploited to gain access to or damage your files.

Monthly Expense for March 2018 (figure: March 2018 AWS Hosting Expenses)

Application Architecture (figure: H1BSalary.Online Architecture)

Requirements:
  • Static IP Address
  • Decent Bandwidth (Mine is about 300 Gbps Download and 20 Gbps Upload)
  • NGINX for WebServer
  • SQL Server for Backend
  • PHP and PHP-FPM
Installing and Securing SQL Server
  • Ensure you provision your SQL Server with the Network Service account and don't give it access to the file system.
    (figure: SQL Server Network Service Account)
  • DO NOT ALLOW CONNECTIONS TO SQL SERVER FROM OUTSIDE
    (figure: SQL Server Firewall Configuration)

    I had free McAfee software and I did the configuration in the McAfee firewall. This can also be done through the traditional Windows Firewall. It's an extremely critical safeguard to protect your database against unwanted hacking attempts.

    Provision a least-privileged account. That way you reduce the risk, and SQL injection attacks can't take control of your server. For my use case, I needed to provision SELECT, INSERT, DELETE and UPDATE operations; all other privileges are revoked from the user.

  • Installing and Securing NGINX Web Server
    Only allow the required methods

    ### Only allow these request methods ##
    if ($request_method !~ ^(PUT|GET|HEAD|POST)$ ) {
        return 444;   # nginx-specific code: close the connection without sending a response
    }

    Remove Version from Server Header Banner in nginx

    server_tokens off;

    ## After the config change, reload the config file and restart nginx

    sudo nginx -s reload
    iMac:~ $ brew services restart nginx
    Stopping `nginx`... (might take a while)
    ==> Successfully stopped `nginx` (label: homebrew.mxcl.nginx)
    ==> Successfully started `nginx` (label: homebrew.mxcl.nginx)

    Protect against XSS and Clickjacking

    Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

    ## Security headers: HSTS, clickjacking, MIME sniffing and the legacy browser XSS filter
    add_header Strict-Transport-Security "max-age=31536000" always;   # only honoured by browsers once the site is served over HTTPS
    add_header X-Frame-Options SAMEORIGIN;                            # refuse framing by other origins
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    ### Ensure File and Directory Permissions are set Correctly (run from the web root) ##
    find . -type d -exec chmod 0755 {} \;
    find . -type f -exec chmod 0644 {} \;
    
    
    
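    To verify that the directives above actually reach the client, here is an added Python check (not part of the original post) that audits a captured set of response headers for the version banner, the PHP signature and each security header; the two header sets at the bottom are constructed samples, and it assumes the HSTS header is only useful once the site is on HTTPS.

```python
import re

# The same pattern nginx tests in the `if ($request_method !~ ...)` block above.
ALLOWED_METHODS = re.compile(r"^(PUT|GET|HEAD|POST)$")

# Headers the add_header directives above should produce, with accepted values.
EXPECTED = {
    "x-frame-options": ("sameorigin", "deny"),
    "x-content-type-options": ("nosniff",),
    "x-xss-protection": ("1; mode=block",),
}


def method_allowed(method):
    """True if nginx would serve the request instead of answering 444."""
    return ALLOWED_METHODS.match(method) is not None


def audit_headers(headers, scheme="http"):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    server = h.get("server", "")
    if re.search(r"nginx/\d", server):  # server_tokens off strips the version
        findings.append("Server header leaks version: " + server)
    if "x-powered-by" in h:  # expose_php = Off removes this header
        findings.append("X-Powered-By leaks PHP: " + h["x-powered-by"])
    for name, good in EXPECTED.items():
        value = h.get(name)
        if value is None:
            findings.append("missing header: " + name)
        elif value.lower() not in good:
            findings.append("unexpected %s value: %s" % (name, value))
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing header: strict-transport-security")
    elif scheme != "https":  # browsers ignore HSTS received over plain HTTP
        findings.append("HSTS sent over http is ignored until TLS is enabled")
    return findings


# Constructed samples: default nginx+PHP banners, then the hardened config over http.
BEFORE = {"Server": "nginx/1.14.0", "X-Powered-By": "PHP/7.2.5"}
AFTER = {"Server": "nginx", "X-Frame-Options": "SAMEORIGIN",
         "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "1; mode=block",
         "Strict-Transport-Security": "max-age=31536000"}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(hdrs) or "all checks passed")
```

    Feed it the headers from a real response (for example from the http.client module) to confirm the reload actually picked up the new config.
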
    Setup SSL Certificates

    For my use case, I didn't want to spend on an SSL certificate, and I decided not to use SSL. This exposes the website to man-in-the-middle attacks. I am planning on implementing SSL as the next step.

    A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.

    Disable Directory Browsing on Web Folders

    Setup Custom Error Pages and don't reveal the errors to the End User

    Installing and Securing PHP
    Turn off PHP Errors and Error Display

    // In PHP code: turn off all error reporting for this script
    error_reporting(0);

    ; In php.ini: decides whether PHP may expose the fact that it is installed on the server
    ; (e.g. by adding its signature to the Web server header).  It is no security
    ; threat in any way, but it makes it possible to determine whether you use PHP
    ; on your server or not.
    ; http://php.net/expose-php
    expose_php = Off
    Setup Port Forwarding (figure: Port Forwarding Setup)

    Hacking Attempts
    Safeguard against hacking attempts like this one (an nginx access-log excerpt in which a single client walks through common phpMyAdmin and admin-panel paths, each answered with a 404):
    111.231.56.187 - - [23/May/2018:23:11:39 +0000] "PROPFIND / HTTP/1.1" 405 13092 "-" "-"
    111.231.56.187 - - [23/May/2018:23:11:41 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 404 21449 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
    111.231.56.187 - - [23/May/2018:23:11:42 +0000] "GET /index.php HTTP/1.1" 200 35991 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:11:42 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:11:43 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    162.158.79.72 - - [23/May/2018:23:11:46 +0000] "GET /extended_perm_data.php?PermID=975969 HTTP/1.1" 200 11278 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    111.231.56.187 - - [23/May/2018:23:11:46 +0000] "GET /pmd/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:11:46 +0000] "GET /pma/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:11:46 +0000] "GET /PMA/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:11:48 +0000] "GET /PMA2/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:11:50 +0000] "GET /pmamy/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:11:50 +0000] "GET /pmamy2/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:11:50 +0000] "GET /mysql/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:11:51 +0000] "GET /admin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:11:54 +0000] "GET /db/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:11:54 +0000] "GET /dbadmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:11:54 +0000] "GET /web/phpMyAdmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:11:55 +0000] "GET /admin/pma/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:11:58 +0000] "GET /admin/PMA/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:11:58 +0000] "GET /admin/mysql/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:11:58 +0000] "GET /admin/mysql2/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:11:59 +0000] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    191.100.10.131 - - [23/May/2018:23:11:59 +0000] "GET / HTTP/1.1" 200 30127 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
    191.100.10.131 - - [23/May/2018:23:12:00 +0000] "GET / HTTP/1.1" 200 30127 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
    111.231.56.187 - - [23/May/2018:23:12:02 +0000] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:12:02 +0000] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:12:02 +0000] "GET /mysqladmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:12:03 +0000] "GET /mysql-admin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:12:06 +0000] "GET /phpadmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:12:06 +0000] "GET /phpmyadmin0/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:12:06 +0000] "GET /phpmyadmin1/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:12:07 +0000] "GET /phpmyadmin2/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:12:10 +0000] "GET /myadmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:12:10 +0000] "GET /myadmin2/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:12:10 +0000] "GET /xampp/phpmyadmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:12:11 +0000] "GET /phpMyadmin_bak/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    172.69.62.41 - - [23/May/2018:23:12:12 +0000] "GET /searchby_university.php?searchtext_college=UNIVERSITY%20OF%20MARYLAND,%20PROFESSOR%20PETER%20B.%20SUNDERLAND HTTP/1.1" 200 8736 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    111.231.56.187 - - [23/May/2018:23:12:14 +0000] "GET /www/phpMyAdmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:12:14 +0000] "GET /tools/phpMyAdmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:12:14 +0000] "GET /phpmyadmin-old/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:12:18 +0000] "GET /phpMyAdminold/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:12:18 +0000] "GET /phpMyAdmin.old/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:12:18 +0000] "GET /pma-old/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:12:19 +0000] "GET /claroline/phpMyAdmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    191.100.10.131 - - [23/May/2018:23:12:21 +0000] "POST /GponForm/diag_Form?images/ HTTP/1.1" 404 21448 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
    111.231.56.187 - - [23/May/2018:23:12:22 +0000] "GET /typo3/phpmyadmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:12:22 +0000] "GET /phpma/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:12:22 +0000] "GET /phpmyadmin/phpmyadmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
    111.231.56.187 - - [23/May/2018:23:12:26 +0000] "GET /phpMyAdmin/phpMyAdmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
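
    As an added example (not from the original post), a small Python detector that parses access-log lines in this format and flags clients that probe for admin panels or use methods the nginx rule above rejects, then emits nginx `deny` rules for them. The log lines are constructed samples using RFC 5737 test addresses, and the probe-path list is an assumption based on the paths seen in the excerpt.

```python
import re
from collections import defaultdict

# nginx "combined" log format, the layout of the excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

ALLOWED = {"GET", "HEAD", "POST", "PUT"}  # what the nginx if-block above lets through

# Assumption: this site hosts none of these tools, so a 404/405 on a path
# containing one of these fragments (all seen in the excerpt) is a probe.
PROBE = re.compile(r"myadmin|/pma|mysql|/admin/|/db|wls-wsat|gponform", re.I)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None  # None for lines that do not parse

def find_scanners(lines, threshold=5):
    """Map client IP -> number of probe requests, for IPs at or above threshold."""
    hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] not in ALLOWED:
            hits[rec["ip"]] += 1  # e.g. PROPFIND; answered 444 once configured
        elif rec["status"] in ("404", "405") and PROBE.search(rec["path"]):
            hits[rec["ip"]] += 1  # guessing admin-panel paths
    return {ip: n for ip, n in hits.items() if n >= threshold}

def deny_rules(scanners):
    """nginx `deny` directives for the flagged IPs (for an included blocklist file)."""
    return ["deny %s;" % ip for ip in sorted(scanners)]

# Constructed sample in the excerpt's format, using RFC 5737 test addresses.
SAMPLE = [
    '192.0.2.10 - - [23/May/2018:23:11:39 +0000] "PROPFIND / HTTP/1.1" 405 13092 "-" "-"',
    '192.0.2.10 - - [23/May/2018:23:11:41 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 404 21449 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [23/May/2018:23:11:42 +0000] "GET /index.php HTTP/1.1" 200 35991 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [23/May/2018:23:11:42 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [23/May/2018:23:11:46 +0000] "GET /pma/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [23/May/2018:23:11:51 +0000] "GET /admin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"',
    '192.0.2.20 - - [23/May/2018:23:11:46 +0000] "GET /extended_perm_data.php?PermID=1 HTTP/1.1" 200 11278 "-" "Googlebot/2.1"',
    '192.0.2.30 - - [23/May/2018:23:12:21 +0000] "POST /GponForm/diag_Form?images/ HTTP/1.1" 404 21448 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_scanners(SAMPLE), deny_rules(find_scanners(SAMPLE)))
```

    The threshold keeps a crawler that follows one stale link off the list; the legitimate Googlebot request and the single GPON probe in the sample are not flagged at the default.
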
    

    Posted in AWS, Cloud Computing on Apr 15, 2018.

