October 20th, 2001 06:30 PM
NO operating system is secure without good administration. I never said otherwise.
Originally posted by Gobinjf
Let me remind you that a keenly administrated Windows NT station is far more secure than lousy administration on, let's say, Linux or OpenBSD. The security of the OS is not the only concern. The time taken by the administrator to harden his system is also to be taken into account.
Where you're also wrong is that you told him that "all you need is a program to run it". False. You also need programs to ensure that only the web server will be accessed from the internet, let's say a host firewall, a program to detect illegal activity/attempts, let's say an IDS or a NIDS, programs to generate dynamic pages (PHP, ASP, ColdFusion or whatever DHTML tools you may think of ...) and so on.
On the hardware level, he must ensure that nobody other than him is able to get to the console, reboot the computer, cut off the mains, plug in a UPS and so on ...
On the link side, he must have an always-on connection with a static IP, or dynamic, but with a dynamic DNS for update.
We are far from "only apache".
Take also into account that added to the cost of the link is the cost of electricity (or maybe you've got a coal-powered computer?), room (warming, taking care of, ...), piece of hardware (ever wonder if your PC is able to run 24/7 for a long time?)
So, hosting sites is not only a matter of "Will I get hacked", but also of "how much will it cost me" ...
"All you NEED is a program to run it." TRUE. When I said that, I was only talking about the critical programs to get the server running. Running a personal web server without a firewall is incredibly stupid, but a firewall isn't absolutely critical. As far as logging hacking attempts, Apache has an access log. I have found hack attempts on mine before.
There is nothing he NEEDS on the hardware level, but a router with a firewall would be nice.
For security, I suggested that he put his website on a separate junker machine, and keep backups somewhere else, so if someone DOES get through, he simply has to restore his backups, and his own PC is untouched. I didn't see you mention that, or even acknowledge the fact that I said it. This is also another place where that router could come into play.
As far as a connection goes, he does not need an always-on connection. All he needs to worry about is a connection that provides a static IP. That rules out dial-up anyway.
What cost of the link? Nobody is forcing him to get a domain name. Using his IP works just fine, and I recommended a free URL forwarding service, so he doesn't have to use that. There is no money involved in the link.
I did not rule in the cost of electricity for this, because that's a given. Taking care of your machine is also a given. Rebooting once in a while only comes into play if he wants to leave it on 24/7, at which time that would be a given as well.