I found my old Raspberry Pi 2 Model B (900MHz quad-core ARM Cortex-A7 CPU and 1GB RAM) and rather than recycle it, I documented my effort to get a blog started, up and running, and serving over my home internet. Don't DDOS my (very) barebones setup!
You might want to run it through something like Cloudflare to prevent the DDOS problem. It's free, easy to configure and has a couple more perks on top.
I'm not a fun of Cloudflare, but until I'll find time to organize a proper security for my network (I too host a personal website on my home BananaPi m1), Cloudflare is better than nothing / being completely opened to the world.
It basically comes down to mastering a firewall on your side and having visibility of what's going on with incoming traffic. I' ll do my stack the old-school way. I've got a nice Mikrotik combo router with a lot of very advanced configuration options for pennies (a pretty advanced ones are like $70, will do for 1Gbps WAN), including a nice firewall) and I already mounted it on the edge of my home network; I didn't have time to tinker with it extensively yet so learning the firewall is yet to be done. I'd like to somehow process at least firewall logs from that device in a centralized way with alerting for DDOS like events (easy to do - the Mikrotik already can send logs to a central server, so I only need to decide which network monitoring software I', going to use). For the incoming traffic analyzing I'll use GoAccess harvesting logs from NGINX, which works as a reverse proxy for all web services on my home Pi.
All of that is easier to do than it sounds. It's all about having visibility over what's going on and being able to react when needed.
The idea of Cloudflare - yeah, I don't like it either, because what they do is basically a man-in-the-middle probing on my personal services, but temporarily, or if one is under heavy attack, it does the job too. This is what that service has been intended for - to make the external IP address for your web services unavailable / not visible for general audience of the Internet.
Makes sense for a more robust setup. Here's my config; do you think there are any obvious shortcomings with it?
- Port forwarding only 80 and 443 on my router to the RPi. That should be the only incoming traffic allowed through my regular home router. What would a more advanced router add?
- Setup firewall on the RPi using ufw to allow 80 and 443 to Nginx. Port 22 also allowed for SSH only on the local network (I can't edit my site away from home). I think ufw also allows some rate limiting, so will set that up next too.
- Nginx only listens to 80 and 443 to serve content.
"What would a more advanced router add?" -> A centrally managed firewall integrated with the rest of the networking stack = having cotroll in one place. You also can use the software one on Linux directly. I like to have a central one, because I have multiple servers behind it and I don't want to think too much about hardening them. This how I can make experiments inside the network not risking anything and overthinking the security for partially ready services. Good security is always about the firewall stuff divided into 2 parts - 1) a firewall on an edge; + 2) a light set of firewall rules on a server. It's just much simpler that way. Even if for the sake of reporting only.
PS: You can also buy just a firewall leaving your current router intact. pfSense is great software and it's free! You can install it on almost anything. An old laptop will do the job. Probably you could even run it on your Pi in a Docker container, leaving your Pi to perform 2 functions with additional Ethernet cards: the www server, and a dedicated firewall. Many options are available and tinkering with that is fun!
The config you've mentioned looks fine. The rest comes down to details: is your network going to survive a lot of incoming DDOS like traffic (how beefy is your network edge device, is your system going to block DDOS attempts automatically (with fail2ban for instance)), etc. Good idea with rate limiting on UFW. Try to take a look on the mentioned fail2ban too. It can do wonders combined with UFW. I consider it a mandatory resource on every of my servers, even if for SSH protection only (controlling login attempts).
If that's not clear enough: at this point I'm pretty sure your server is going to survive a flood of incoming traffic, but I'm not so sure about your router. If it's a consumer grade device, the answer is obvious - it's going to freeze when a DDOS is going to start. Too much traffic to handle. Either make it beefy to handle EVERYTHING possible and/or put a firewall before it, so it can put thru only the valid traffic. Otherwise you have a weak spot. As you see DDOS is also possible when targeted to a network edge, not only www servers.
Ok, let's not be paranoid. If you're going to have real trouble with DDOS your ISP is going to intervene. But anything below massive floods is on you. I'm just saying that most home routers are VERY weak to host any services behind them, so they're naturally a weak spot I'd be targeting first knowing your IP. This is why for anyone serving web services from your home it's worth to buy a professional networking equipment. Ten years ago I was selling that kind of stuff for 5k-40k USD a piece (like Cisco stuff). Now I have a $250 beefy Mikrotik which handles 10Gbps and does things on the Cisco level easily. I like where the networking market went! One of those good and cheap companies is also Ubiquity, which might be better know in the US than Mikrotik.
I'm definitely going to add fail2ban and UFW rate limiting to start with, and look into a firewall on the edge in the unlikely event that GoAccess shows a deluge of traffic. I feel a bit better at least knowing now what the weak point is, so thanks!
If you're not making money off the site and downtime won't cost you anything, maybe don't use Cloudflare (at least not in the beginning) and use eventual DDoS (both unintentional ones like being on the HN front page and intentional ones from malicious attackers) as an opportunity to learn how to optimize your setup so it survives the attacks (not saying it will survive everything, but it's worth trying everything you can on your side first before giving up and using a third-party).
9 comments
[ 4.4 ms ] story [ 35.2 ms ] threadI'm not a fun of Cloudflare, but until I'll find time to organize a proper security for my network (I too host a personal website on my home BananaPi m1), Cloudflare is better than nothing / being completely opened to the world.
All of that is easier to do than it sounds. It's all about having visibility over what's going on and being able to react when needed.
The idea of Cloudflare - yeah, I don't like it either, because what they do is basically a man-in-the-middle probing on my personal services, but temporarily, or if one is under heavy attack, it does the job too. This is what that service has been intended for - to make the external IP address for your web services unavailable / not visible for general audience of the Internet.
- Port forwarding only 80 and 443 on my router to the RPi. That should be the only incoming traffic allowed through my regular home router. What would a more advanced router add?
- Setup firewall on the RPi using ufw to allow 80 and 443 to Nginx. Port 22 also allowed for SSH only on the local network (I can't edit my site away from home). I think ufw also allows some rate limiting, so will set that up next too.
- Nginx only listens to 80 and 443 to serve content.
PS: You can also buy just a firewall leaving your current router intact. pfSense is great software and it's free! You can install it on almost anything. An old laptop will do the job. Probably you could even run it on your Pi in a Docker container, leaving your Pi to perform 2 functions with additional Ethernet cards: the www server, and a dedicated firewall. Many options are available and tinkering with that is fun!
The config you've mentioned looks fine. The rest comes down to details: is your network going to survive a lot of incoming DDOS like traffic (how beefy is your network edge device, is your system going to block DDOS attempts automatically (with fail2ban for instance)), etc. Good idea with rate limiting on UFW. Try to take a look on the mentioned fail2ban too. It can do wonders combined with UFW. I consider it a mandatory resource on every of my servers, even if for SSH protection only (controlling login attempts).
If that's not clear enough: at this point I'm pretty sure your server is going to survive a flood of incoming traffic, but I'm not so sure about your router. If it's a consumer grade device, the answer is obvious - it's going to freeze when a DDOS is going to start. Too much traffic to handle. Either make it beefy to handle EVERYTHING possible and/or put a firewall before it, so it can put thru only the valid traffic. Otherwise you have a weak spot. As you see DDOS is also possible when targeted to a network edge, not only www servers.
Ok, let's not be paranoid. If you're going to have real trouble with DDOS your ISP is going to intervene. But anything below massive floods is on you. I'm just saying that most home routers are VERY weak to host any services behind them, so they're naturally a weak spot I'd be targeting first knowing your IP. This is why for anyone serving web services from your home it's worth to buy a professional networking equipment. Ten years ago I was selling that kind of stuff for 5k-40k USD a piece (like Cisco stuff). Now I have a $250 beefy Mikrotik which handles 10Gbps and does things on the Cisco level easily. I like where the networking market went! One of those good and cheap companies is also Ubiquity, which might be better know in the US than Mikrotik.
Have fun!
I'm definitely going to add fail2ban and UFW rate limiting to start with, and look into a firewall on the edge in the unlikely event that GoAccess shows a deluge of traffic. I feel a bit better at least knowing now what the weak point is, so thanks!