On 10/01/2020 18:40, Chris Green wrote:
On Fri, Jan 10, 2020 at 05:35:28PM +0000, steve-ALUG@hst.me.uk wrote:
The above are valid points. My first thought is: do you need a public website, if it's just info for you?
Yes, mostly, for me and family and, occasionally maybe, friends. Thus it's handy for it to be out on the 'public' internet. I do such things as post pictures of things I'm selling or which I want family to look at and see if they want.
OK, so you need/want a public website. In that case I'd suggest you check that it's not got any common vulnerabilities. I'm sure there are documents on website hardening.
If so, VPN into it, or tunnel into it with SSH and then make it otherwise inaccessible to the outside world.
Relatively messy though. I do use ssh tunnels for some things but they're not really 'family friendly'.
SSH tunnels - probably not family friendly. VPN - depends. My router alleges it can handle VPNs. I have a VPN app on my phone to allow me to seamlessly connect to my phone. I have a bash script (a one-line command) to allow my laptop to dial home when I'm out-and-about. It's basically set up, then forget. ...but that is moot - you want a public website. Fair enough.
Then you don't have to worry so much about making it secure, because no-one but you can get at it.
I had a look at http://isbd.net/ which I presume is yours. I don't know if that's the one that you are talking about, but if it is, none of the pages opened as https for me.
They should now, if not then I'd be interested to know. I did the changes today (10th January) around 2pm.
None of the pages opened as https for me (11/1/20 13:22).
Also, I don't know much about trying to hack a website, but displaying the PHP status & config info on a webpage just sort of highlights if there are any vulnerabilities that may be exploited.
Yes, true enough, but hiding them is only 'security by obscurity' isn't it!
A crude analogy for you. Someone walking down my street can see my house. If I had a flyer on the door saying "I have an alarm installed by this manufacturer, with these settings set to these values", and they were tempted to break in, they could look and see if there were any known vulnerabilities in the system, or if I'd left any gaping holes.
You're advertising your settings on the front page of your website. You're advertising what you've done - e.g. if you're using it out-of-the-box or if you've tweaked things. This advertises if you know what you're doing or if you're using it off-the-shelf. You're making it easy for an intruder to find points of entry.
If you need that page, move it somewhere behind a password protected HTTPS page. If you don't - remove it. It certainly doesn't need to be linked from the first page in the clear like it currently is.
I used to run a webserver so I could access my webmail. I grew uncomfortable that I didn't know well enough how to secure them against intrusion so I stopped external access to the webserver and binned my webmail.
If you're not proficient in web-server security (I am not), then I would suggest that, for the needs you say you have, it might be simpler just to share stuff with your family via social media, email, or a free website/blog (Blogger, Wordpress etc) and share your stuff there. That way, someone else (e.g. Google, Wordpress) looks after the security for you.
Anyway, good luck.
Steve
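The two checks discussed in the thread, whether pages actually come up over https (and whether plain-http visitors are sent there) and whether a phpinfo()-style page is reachable in the clear and linked from the front page, can be run against your own site with a short script. The script below is an added example written for this thread, not code from either poster. The hostname, the paths it probes and the list of phpinfo() marker strings are assumptions; run it against a site you own with your own hostname as the first argument.

```python
# Added example (not from the ALUG thread): a self-audit for a site you run.
# (1) Does a plain-HTTP request for each page get redirected to HTTPS?
# (2) Does the HTTPS page send HSTS, look like phpinfo() output, or link to
#     something that looks like a PHP info/status page?
# The hostname and paths below are placeholders; replace them with your own.
import sys
import urllib.error
import urllib.request
from html.parser import HTMLParser

REDIRECT_CODES = (301, 302, 303, 307, 308)
# Strings that phpinfo() output reliably contains (constructed list).
PHPINFO_MARKERS = ("PHP Version", "Configuration File (php.ini) Path",
                   "Loaded Configuration File", "phpinfo()")
# Link targets whose names suggest an info/status page (constructed list).
SUSPICIOUS_LINK_WORDS = ("phpinfo", "info.php", "status")


def classify_http_response(status, headers):
    """Classify the reply to a plain-HTTP request: is the visitor pushed to HTTPS?"""
    lower = {k.lower(): v for k, v in headers.items()}
    location = lower.get("location", "")
    if status in REDIRECT_CODES and location.lower().startswith("https://"):
        return "redirects-to-https"
    if status in REDIRECT_CODES:
        return "redirects-elsewhere"
    return "served-in-clear"


def hsts_present(headers):
    """True if the HTTPS reply carries a Strict-Transport-Security header."""
    return any(k.lower() == "strict-transport-security" for k in headers)


def looks_like_phpinfo(body):
    """Heuristic: two or more phpinfo() marker strings in the page body."""
    return sum(1 for m in PHPINFO_MARKERS if m in body) >= 2


class _LinkCollector(HTMLParser):
    """Collects href values of <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def suspicious_links(html):
    """Links on a page whose target name suggests a PHP info/status page."""
    parser = _LinkCollector()
    parser.feed(html)
    return [h for h in parser.hrefs
            if any(w in h.lower() for w in SUSPICIOUS_LINK_WORDS)]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for 3xx, so we can inspect it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, timeout=10):
    """Return (status, headers, body) without following redirects.
    status is None if the connection itself failed (e.g. no TLS listener)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return (resp.getcode(), dict(resp.headers),
                    resp.read(200_000).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return (err.code, dict(err.headers),
                err.read(200_000).decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return None, {}, ""


def audit(host, paths=("/",)):
    """Run both checks against every path; returns a list of finding strings."""
    findings = []
    for path in paths:
        status, headers, _ = fetch("http://" + host + path)
        verdict = "unreachable" if status is None else classify_http_response(status, headers)
        if verdict != "redirects-to-https":
            findings.append(f"http://{host}{path}: {verdict}")
        status, headers, body = fetch("https://" + host + path)
        if status is None:
            findings.append(f"https://{host}{path}: HTTPS not reachable")
            continue
        if not hsts_present(headers):
            findings.append(f"https://{host}{path}: no Strict-Transport-Security header")
        if looks_like_phpinfo(body):
            findings.append(f"https://{host}{path}: looks like phpinfo() output, no login needed")
        for link in suspicious_links(body):
            findings.append(f"https://{host}{path}: links to {link}")
    return findings


if __name__ == "__main__":
    # Placeholder host; pass your own as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    for line in audit(target, ("/", "/phpinfo.php")) or ["no findings"]:
        print(line)
```

A page that shows up as "served-in-clear" is what Steve saw on 11/1/20: the plain-http URL answers with content instead of a redirect. The phpinfo() check is deliberately a heuristic (two marker strings), so a normal page that merely mentions "PHP Version" once is not flagged; anything it does flag should either be removed or moved behind a password-protected HTTPS page, as suggested above.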