I was hosting the http://h1bsalary.online site on AWS on an m3.xlarge instance.
Even though it is a reserved instance, the cost of hosting has crossed the threshold limit of a hobby project.
The primary purpose of this site is democratization of publicly available salary information to help potential job seekers and others.
This website has indexed about 10 million Labor Condition Application ("LCA") disclosure records from the United States Department of Labor. The site gets about 500 daily users, and the number of daily visitors is increasing. As the traffic increases, the cost of hosting increases linearly.
As you can see, cloud providers charge for network, storage and compute separately, so as the traffic and volume of data increase, the cost increases linearly.
Since it is a hobby project, I have decided to host the website from home. My high-availability and performance requirements are not mission critical, and the primary objective is to drive down the cost.
Warning: running a server of any kind at home is a security risk. Security problems are sometimes found in server software, and these can be exploited to gain access to or damage your files.
Monthly Expense for March 2018

- Static IP Address
- Decent Bandwidth (Mine is about 300 Gbps Download and 20 Gbps Upload)
- NGINX for WebServer
- SQL Server for Backend
- PHP and PHP-FPM


I had free McAfee software, so I did the configuration in the McAfee firewall. The same can be done through the traditional Windows firewall. It is an extremely critical safeguard to protect your database against unwanted hacking attempts.
Provision a least-privileged account. That way you reduce the risk, and SQL injection attacks can't take control of your server. For my use case, I needed to provision SELECT, INSERT, DELETE and UPDATE operations; all other privileges are revoked from the user.
Only allow the required Methods
### Only allow these request methods ##
if ($request_method !~ ^(PUT|GET|HEAD|POST)$ ) {
    return 444;
}
Remove Version from Server Header Banner in nginx
server_tokens off;
## After the config change, reload the config file and restart nginx
sudo nginx -s reload
iMac:~ $ brew services restart nginx
Stopping `nginx`... (might take a while)
==> Successfully stopped `nginx` (label: homebrew.mxcl.nginx)
==> Successfully started `nginx` (label: homebrew.mxcl.nginx)
Protect against XSS and ClickJacking
Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.
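## After the config change, reload the config file and restart nginx
## Strict-Transport-Security is only honoured by browsers when the response arrives over HTTPS
add_header Strict-Transport-Security "max-age=31536000; " always;
## $x_frame_options is not a built-in nginx variable: define it (for example with a map block) or use a literal value such as SAMEORIGIN
add_header X-Frame-Options $x_frame_options;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";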
### Ensure File and Directory Permissions are set Correctly ##
find . -type d -exec chmod 0755 {} \;
find . -type f -exec chmod 0644 {} \;
Setup SSL Certificates
For my use case, I didn't want to spend on an SSL certificate, so I decided not to use SSL. This exposes the website to man-in-the-middle attacks. I am planning on implementing SSL as the next step.
A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
Disable Directory Browsing on Web Folders
Setup Custom Error Pages and don't reveal the errors to the End User
Installing and Securing PHP
Turn off PHP Errors and Errors Displays
// Turn off all error reporting
error_reporting(0);
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header). It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
; http://php.net/expose-php
expose_php = Off
Setup Port Forwarding 
Hacking Attempts
Safeguard against hacking attempts like these:
111.231.56.187 - - [23/May/2018:23:11:39 +0000] "PROPFIND / HTTP/1.1" 405 13092 "-" "-"
111.231.56.187 - - [23/May/2018:23:11:41 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 404 21449 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
111.231.56.187 - - [23/May/2018:23:11:42 +0000] "GET /index.php HTTP/1.1" 200 35991 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:11:42 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:11:43 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
162.158.79.72 - - [23/May/2018:23:11:46 +0000] "GET /extended_perm_data.php?PermID=975969 HTTP/1.1" 200 11278 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
111.231.56.187 - - [23/May/2018:23:11:46 +0000] "GET /pmd/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:11:46 +0000] "GET /pma/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:11:46 +0000] "GET /PMA/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:11:48 +0000] "GET /PMA2/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:11:50 +0000] "GET /pmamy/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:11:50 +0000] "GET /pmamy2/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:11:50 +0000] "GET /mysql/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:11:51 +0000] "GET /admin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:11:54 +0000] "GET /db/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:11:54 +0000] "GET /dbadmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:11:54 +0000] "GET /web/phpMyAdmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:11:55 +0000] "GET /admin/pma/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:11:58 +0000] "GET /admin/PMA/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:11:58 +0000] "GET /admin/mysql/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:11:58 +0000] "GET /admin/mysql2/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:11:59 +0000] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
191.100.10.131 - - [23/May/2018:23:11:59 +0000] "GET / HTTP/1.1" 200 30127 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
191.100.10.131 - - [23/May/2018:23:12:00 +0000] "GET / HTTP/1.1" 200 30127 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
111.231.56.187 - - [23/May/2018:23:12:02 +0000] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:12:02 +0000] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:12:02 +0000] "GET /mysqladmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:12:03 +0000] "GET /mysql-admin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:12:06 +0000] "GET /phpadmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:12:06 +0000] "GET /phpmyadmin0/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:12:06 +0000] "GET /phpmyadmin1/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:12:07 +0000] "GET /phpmyadmin2/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:12:10 +0000] "GET /myadmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:12:10 +0000] "GET /myadmin2/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:12:10 +0000] "GET /xampp/phpmyadmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:12:11 +0000] "GET /phpMyadmin_bak/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
172.69.62.41 - - [23/May/2018:23:12:12 +0000] "GET /searchby_university.php?searchtext_college=UNIVERSITY%20OF%20MARYLAND,%20PROFESSOR%20PETER%20B.%20SUNDERLAND HTTP/1.1" 200 8736 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
111.231.56.187 - - [23/May/2018:23:12:14 +0000] "GET /www/phpMyAdmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:12:14 +0000] "GET /tools/phpMyAdmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:12:14 +0000] "GET /phpmyadmin-old/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:12:18 +0000] "GET /phpMyAdminold/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:12:18 +0000] "GET /phpMyAdmin.old/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:12:18 +0000] "GET /pma-old/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:12:19 +0000] "GET /claroline/phpMyAdmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
191.100.10.131 - - [23/May/2018:23:12:21 +0000] "POST /GponForm/diag_Form?images/ HTTP/1.1" 404 21448 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
111.231.56.187 - - [23/May/2018:23:12:22 +0000] "GET /typo3/phpmyadmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:12:22 +0000] "GET /phpma/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:12:22 +0000] "GET /phpmyadmin/phpmyadmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
111.231.56.187 - - [23/May/2018:23:12:26 +0000] "GET /phpMyAdmin/phpMyAdmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"
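
The probing pattern in the log above can be picked out automatically. The following Python script is an added example, not part of the original post: it parses nginx combined-format lines and flags clients that repeatedly use methods outside the allow-list or request admin-panel paths that fail. The path list, the `min_hits` threshold and the sample lines (documentation IP ranges) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# nginx "combined" format: ip - user [time] "METHOD path proto" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Assumed list of path fragments typical of admin-panel probing; tune per site.
PROBE_RE = re.compile(r"phpmyadmin|/pma|/mysql|/dbadmin|/myadmin|wls-wsat|GponForm", re.I)
# Same method allow-list as the nginx rule earlier on this page.
ALLOWED_METHODS = {"PUT", "GET", "HEAD", "POST"}
FAIL_STATUSES = {403, 404, 405, 444}

def find_scanners(lines, min_hits=3):
    """Return {ip: [reasons]} for clients with at least min_hits suspicious requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing
        if m["method"] not in ALLOWED_METHODS:
            hits[m["ip"]].append("method " + m["method"])
        elif PROBE_RE.search(m["path"]) and int(m["status"]) in FAIL_STATUSES:
            hits[m["ip"]].append("probe " + m["path"])
    return {ip: reasons for ip, reasons in hits.items() if len(reasons) >= min_hits}

# Constructed sample lines (documentation IP ranges), shaped like the log above.
SAMPLE = [
    '203.0.113.7 - - [23/May/2018:23:11:39 +0000] "PROPFIND / HTTP/1.1" 405 13092 "-" "-"',
    '203.0.113.7 - - [23/May/2018:23:11:42 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/May/2018:23:11:46 +0000] "GET /pma/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/May/2018:23:11:58 +0000] "GET /admin/mysql/index.php HTTP/1.1" 404 178 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [23/May/2018:23:11:46 +0000] "GET /extended_perm_data.php?PermID=1 HTTP/1.1" 200 11278 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [23/May/2018:23:11:47 +0000] "GET /index.php HTTP/1.1" 200 35991 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [23/May/2018:23:12:21 +0000] "POST /GponForm/diag_Form?images/ HTTP/1.1" 404 21448 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reasons in find_scanners(SAMPLE).items():
        print(ip, len(reasons), reasons)
```

The flagged addresses can then be fed into a firewall rule or an nginx `deny` list; a single failed request stays below the threshold, so an ordinary visitor hitting one dead link is not flagged.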