
Running my blog on an old Raspberry Pi - ramsj
https://blog.jandhyala.in/posts/2020/06/rpi-home-server/
======
ramsj
I found my old Raspberry Pi 2 Model B (900MHz quad-core ARM Cortex-A7 CPU and
1GB RAM) and rather than recycle it, I documented my effort to get a blog
started, up and running, and serving over my home internet. Don't DDoS my
(very) barebones setup!

~~~
user_agent
You might want to run it through something like Cloudflare to prevent the DDoS
problem. It's free, easy to configure and has a couple more perks on top.

I'm not a fan of Cloudflare, but until I find time to organize proper
security for my network (I too host a personal website on my home BananaPi
M1), Cloudflare is better than nothing / being completely open to the world.

~~~
ramsj
That is a great suggestion, thanks! What other steps would you recommend to
"organize proper security"?

~~~
user_agent
It basically comes down to mastering a firewall on your side and having
visibility of what's going on with incoming traffic. I'll do my stack the
old-school way. I've got a nice Mikrotik combo router with a lot of very
advanced configuration options for pennies (pretty advanced ones are like
$70 and will do for 1Gbps WAN), including a nice firewall, and I already
mounted it on the edge of my home network; I didn't have time to tinker with
it extensively yet, so learning the firewall is yet to be done. I'd like to
somehow process at least the firewall logs from that device in a centralized
way, with alerting for DDoS-like events (easy to do - the Mikrotik can already
send logs to a central server, so I only need to decide which network
monitoring software I'm going to use). For analyzing the incoming traffic I'll
use GoAccess harvesting logs from NGINX, which works as a reverse proxy for all
web services on my home Pi.

All of that is easier to do than it sounds. It's all about having visibility
over what's going on and being able to react when needed.

The idea of Cloudflare - yeah, I don't like it either, because what they do is
basically man-in-the-middle probing of my personal services, but
temporarily, or if one is under heavy attack, it does the job too. This is
what that service has been intended for - to make the external IP address of
your web services unavailable / not visible to the general audience of the
Internet.
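
The "visibility plus alerting for DDoS-like events" idea in the comment above, as an added example that is not part of the original thread or the commenter's own setup: a POSIX shell script that reads an nginx access log in the default combined format, counts requests per client IP per minute, prints the IP/minute pairs above a threshold, and turns them into reviewable ufw block commands. The threshold of 60 requests per minute, the addresses and the log lines are constructed for the demo; tune the threshold against what GoAccess shows as your normal traffic.

```shell
#!/bin/sh
# Added example (not from the original thread): flag DDoS-like bursts in an
# nginx access log by counting requests per client IP per minute. The
# threshold of 60 requests/minute and the sample addresses are illustrative.

# burst_report [THRESHOLD] < access.log
# Reads nginx "combined"-format lines on stdin and prints "ip minute count"
# for every IP/minute pair at or above THRESHOLD, highest count first.
# Field 4 of a combined line is "[20/Jun/2020:10:15:32", so characters 2..17
# are the minute bucket.
burst_report() {
    threshold="${1:-60}"
    awk -v limit="$threshold" '
        # skip malformed lines instead of miscounting them
        NF < 7 || substr($4, 1, 1) != "[" { next }
        {
            minute = substr($4, 2, 17)
            count[$1 " " minute]++
        }
        END {
            for (key in count)
                if (count[key] >= limit)
                    print key, count[key]
        }' | sort -k3,3nr
}

# suggest_blocks < report
# Turns a burst_report into one "ufw insert 1 deny" command per offending IP
# (inserted at position 1 so it takes precedence over the allow rules).
# Printed rather than executed so you can review before blocking anything.
suggest_blocks() {
    awk '!seen[$1]++ { print "ufw insert 1 deny from " $1 " to any" }'
}

# Constructed sample log: one normal visitor, one client hammering "/" at 80
# requests in a single minute (then a few more the next minute), and a
# garbage line of the kind a crash or rotation can leave behind.
sample_log() {
    i=0
    while [ "$i" -lt 80 ]; do
        printf '203.0.113.7 - - [20/Jun/2020:10:15:%02d +0000] "GET / HTTP/1.1" 200 612 "-" "python-requests/2.23"\n' $((i % 60))
        i=$((i + 1))
    done
    for s in 01 02 03 04 05; do
        printf '203.0.113.7 - - [20/Jun/2020:10:16:%s +0000] "GET / HTTP/1.1" 200 612 "-" "python-requests/2.23"\n' "$s"
    done
    for s in 10 25 40; do
        printf '198.51.100.2 - - [20/Jun/2020:10:15:%s +0000] "GET /posts/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"\n' "$s"
    done
    printf 'garbage line left by logrotate\n'
}

# On a live box: burst_report 60 < /var/log/nginx/access.log
# Demo on the constructed sample: flagged IP/minute pairs, then suggested rules.
sample_log | burst_report 60
sample_log | burst_report 60 | suggest_blocks
```

One caveat if the site later goes behind Cloudflare: the first field is then Cloudflare's address, not the visitor's, so nginx's real_ip module (set_real_ip_from for Cloudflare's ranges and real_ip_header CF-Connecting-IP) has to be configured first, otherwise the report flags, and the suggested rule blocks, the proxy itself.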

~~~
ramsj
Makes sense for a more robust setup. Here's my config; do you think there are
any obvious shortcomings with it?

- Port forwarding only 80 and 443 on my router to the RPi. That should be the
only incoming traffic allowed through my regular home router. What would a
more advanced router add?

- Set up a firewall on the RPi using ufw to allow 80 and 443 to Nginx. Port 22
is also allowed for SSH, only on the local network (I can't edit my site away
from home). I think ufw also allows some rate limiting, so I will set that up
next too.

- Nginx only listens on 80 and 443 to serve content.

~~~
user_agent
"What would a more advanced router add?" -> A centrally managed firewall
integrated with the rest of the networking stack = having control in one
place. You can also use the software one on Linux directly. I like to have a
central one, because I have multiple servers behind it and I don't want to
think too much about hardening them. This is how I can run experiments inside
the network without risking anything or overthinking the security of partially
ready services. Good security is always about the firewall stuff divided into
2 parts: 1) a firewall on the edge, plus 2) a light set of firewall rules on a
server. It's just much simpler that way. Even if for the sake of reporting
only.

PS: You can also buy just a firewall leaving your current router intact.
pfSense is great software and it's free! You can install it on almost
anything. An old laptop will do the job. Probably you could even run it on
your Pi in a Docker container, leaving your Pi to perform 2 functions with
additional Ethernet cards: the www server, and a dedicated firewall. Many
options are available and tinkering with that is fun!

The config you've mentioned looks fine. The rest comes down to details: is
your network going to survive a lot of incoming DDoS-like traffic (how beefy
is your network edge device, is your system going to block DDoS attempts
automatically (with fail2ban for instance)), etc. Good idea with rate limiting
on UFW. Try to take a look at the mentioned fail2ban too. It can do wonders
combined with UFW. I consider it a mandatory resource on every one of my
servers, even if for SSH protection only (controlling login attempts).

If that's not clear enough: at this point I'm pretty sure your server is going
to survive a flood of incoming traffic, but I'm not so sure about your router.
If it's a consumer grade device, the answer is obvious: it's going to freeze
when a DDoS starts. Too much traffic to handle. Either make it beefy enough to
handle EVERYTHING possible and/or put a firewall before it, so it lets through
only the valid traffic. Otherwise you have a weak spot. As you see, DDoS is
also possible when targeted at a network edge, not only www servers.

Ok, let's not be paranoid. If you're going to have real trouble with DDoS, your
ISP is going to intervene. But anything below massive floods is on you. I'm
just saying that most home routers are VERY weak for hosting any services
behind them, so they're naturally a weak spot I'd be targeting first knowing
your IP. This is why, for anyone serving web services from their home, it's
worth buying professional networking equipment. Ten years ago I was selling
that kind of stuff for 5k-40k USD a piece (like Cisco stuff). Now I have a
$250 beefy Mikrotik which handles 10Gbps and does things on the Cisco level
easily. I like where the networking market went! One of those good and cheap
companies is also Ubiquiti, which might be better known in the US than
Mikrotik.

Have fun!
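
The two technical pieces of this exchange, ramsj's ufw configuration (80/443 open, SSH only from the LAN, ufw rate limiting) and the fail2ban-with-UFW suggestion in the reply above, combined into one script as an added example that is not part of the original thread or either commenter's setup. It assumes a LAN of 192.168.1.0/24 (override with LAN_NET), that ufw and fail2ban are installed (apt install ufw fail2ban), and that nginx logs under /var/log/nginx; all paths and thresholds are illustrative.

```shell
#!/bin/sh
# Added example (not from the original thread): baseline hardening for a home
# Raspberry Pi serving a blog behind a port-forwarding router. Assumptions:
# the LAN is 192.168.1.0/24 (override with LAN_NET), ufw and fail2ban are
# installed (apt install ufw fail2ban) and nginx logs to /var/log/nginx.
# Run "sh harden.sh apply" as root, or "DRY_RUN=1 sh harden.sh apply" to
# print the commands and write the config files to a temp dir instead.
set -u

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed home subnet
DRY_RUN="${DRY_RUN:-}"

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Host firewall: deny inbound by default, allow only what the router forwards
# (80/443), and SSH only from the LAN. "limit" is ufw's rate limit: a source
# that opens 6 or more connections in 30 seconds is dropped. A bare
# "ufw limit 22/tcp" would open SSH to the whole Internet (just rate-limited),
# so the LAN restriction has to be part of the same rule. Do not "limit"
# 80/443: a browser opens many parallel connections and would trip it; request
# rate limits belong in nginx and fail2ban (below).
apply_ufw_rules() {
    run ufw default deny incoming
    run ufw default allow outgoing
    run ufw allow 80/tcp
    run ufw allow 443/tcp
    run ufw limit from "$LAN_NET" to any port 22 proto tcp
    run ufw --force enable
}

# nginx: track requests per client address and reject a client that exceeds
# 10 requests/second with a burst of 20, logging "limiting requests" to the
# error log. $1 is nginx's conf.d directory; prints the file written.
write_nginx_limit_req() {
    dir="${1:-/etc/nginx/conf.d}"
    cat > "$dir/limit_req.conf" <<'EOF'
limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;
limit_req zone=perip burst=20 nodelay;
limit_req_status 429;
EOF
    printf '%s\n' "$dir/limit_req.conf"
}

# fail2ban: ban through ufw (banaction = ufw inserts a deny rule ahead of the
# allows), the stock sshd jail for failed logins, and the stock
# nginx-limit-req jail, which reads the "limiting requests" lines nginx
# writes when the zone above trips. The LAN is never banned, so a typo in a
# local test cannot lock you out. $1 is fail2ban's config directory.
write_fail2ban_jail() {
    dir="${1:-/etc/fail2ban}"
    cat > "$dir/jail.local" <<EOF
[DEFAULT]
banaction = ufw
bantime   = 3600
findtime  = 600
maxretry  = 5
ignoreip  = 127.0.0.1/8 ::1 $LAN_NET

[sshd]
enabled = true

[nginx-limit-req]
enabled  = true
logpath  = /var/log/nginx/error.log
maxretry = 10
EOF
    printf '%s\n' "$dir/jail.local"
}

main() {
    nginx_dir=/etc/nginx/conf.d
    f2b_dir=/etc/fail2ban
    if [ -n "$DRY_RUN" ]; then
        # write the config files somewhere harmless so they can be inspected
        nginx_dir=$(mktemp -d); f2b_dir=$(mktemp -d)
    fi
    apply_ufw_rules
    write_nginx_limit_req "$nginx_dir"
    write_fail2ban_jail "$f2b_dir"
    run nginx -t
    run systemctl reload nginx
    run systemctl restart fail2ban
}

if [ "${1:-}" = "apply" ]; then main; fi
```

Check the result with ufw status numbered and fail2ban-client status nginx-limit-req; the ufw limit rule only protects SSH, so the only thing the ufw rate limit buys on 80/443 would be false positives, which is why the per-request limit lives in nginx and the banning in fail2ban.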

~~~
ramsj
This is incredibly helpful, thank you!

I'm definitely going to add fail2ban and UFW rate limiting to start with, and
look into a firewall on the edge in the unlikely event that GoAccess shows a
deluge of traffic. I feel a bit better at least knowing now what the weak
point is, so thanks!

~~~
user_agent
You're welcome. It's easy to forget about those things in the age of cloud
computing ;)

