Running your own Servers

Remy_3D

What, me serve?

With the increasing availability of high-bandwidth "always on" connections and their decreasing costs, many people decide they'd like to take a crack at running a server from their own computer.  Or even if putting up your own Web site or FTP server isn't your idea of fun, you might want to be able to access files on your home computer while at work or while traveling.  Or perhaps on-line gaming is your passion, or chat, or videoconferencing, or swapping MP3 files via Napster, gnutella, or other similar programs.

All these applications and more require that your computer be able to be reached from the Internet in order to retrieve information, and that means you'll be running some sort of server or program that will provide controlled access to your computer and its files.

If you're thinking about this, then this section is for you!

Four Steps to Safe Serving!

There's a little more to running an server that is accessible from the Internet than installing the program, turning it on, and waiting for visitors to arrive.  When you run an Internet accessible server, you step into a different world, with a different set of rules than you may be used to.  Although the mechanics of setting up a server can be simple, there are some important things that you should do in order to do it right:

   1. Check your ISP's Terms of Service
   2. Check the service's compatibility with Firewalls
   3. Get a domain
   4. Secure yourself!

Remy_3D

Check the rulebook...

Before you turn on any serving, you'd best check your ISP's Terms of Service (or whatever they call their rules and regulations) to see if running servers is ok with them.

ISP's vary widely on this policy.  Some will boot you off their network as soon as they detect any servers running on your machine.  Others are more tolerant and will let you run most anything as long as it's not illegal, pornographic, or offensive.

No matter what your ISP's policy is, it's important to be a good "Network Neighbor".  This essentially boils down to not hogging bandwidth and running a clean, well secured server that doesn't open security holes in your ISP's network or serve as a SPAM relay.  Running a properly secured server is covered in Step 4, so we'll focus bandwidth.

Be kind to your bandwidth

Contrary to what you may hear in their advertisements, your ISP doesn't have unlimited bandwidth at your disposal.  Bandwidth is shared by everyone and is limited at many points in your data's travel from one point to another on the Internet.

Many ISP's implement some sort of bandwidth limiting at the point where they connect you to their network, usually in the cable or DSL modem itself.  Sometimes this limit is higher (i.e. they limit you to a slower speed) on the uplink side than on the downlink, primarily because most users download more data than they upload.  No matter how your ISP has "tuned" their network, there's not much you can do about it if they've cranked your upload speed way down, other than to change ISPs!

But let's say that your ISP is generous and provides you with a nice speedy connection in both directions.  Does this mean that it's ok for you to share the connection with all of your dorm buddies or suck down large MP3 files or StarWars video trailers for hours at a time, especially during peak evening hours?  Or how about running a webserver that gets tens of thousands of page views a day?  It depends on your ISP and on how much bandwidth you actually consume, but the answer is probably NO.

Basically, don't do anything that you wouldn't want done to you and you should be able to remain on good terms with your ISP.  Remember, they don't have to provide service to you and if you have only one choice for high-speed Internet service, you'll find it painful to go back to dialup if you get "de-provisioned".

Remy_3D

Hole-y firewall!

If you have multiple computers connected to the Internet, they should be on a separate network, behind some sort of firewall or Proxy Server.  Either of these Internet sharing methods will provide good protection against uninvited connection to your network's computers and data from the Internet, providing that they are properly configured.

With a properly configured firewall or proxy server in place (see the Securing section of this site), any requests for data from a computer on your LAN that come from the Internet will be rejected.  However, when you are running a server on one of your LAN's computers, you want an Internet user to be able to access the server!  With a NAT-based firewall, you'll need to open or map the ports that the application uses.  For a proxy server, you'll need to set up a TCP or UDP forwarding service and set your server to expect its data requests to come through it.  You'll need to consult the User documentation for your proxy or NAT to get the specifics of how to set up the mapping or proxy forwarding service.  (Some general information on these server-type applications and the ports they use can be found in the "Special Applications" section of the site.)

NOTE: Before you do anything to allow Internet based access to your computers, read this section of the Securing page. An incorrectly configured NAT firewall or proxy server is a threat to both your data and your ISP's network.

Directly connected? Lock it up tight!

If the computer that is running your server is directly connected to the Internet, you need to be especially careful, particularly if it is a Windows 9X based machine that is sharing files and printers with another computer directly connected to the Internet (we call this the MultipleIP method of sharing).  Windows is not a very secure operating system and the default network configurations that it installs can leave many open holes into your hard drive contents if you have File and Printer sharing enabled and bound to the TCP/IP protocol.

On the other hand, if the only thing that is on the directly connected computer is the server that you want to be accessed, and all your other computers are safely behind a firewall, and not sharing files or printers, then you actually have a quite secure setup (for your computers behind the firewall).  The server computer, however, better be locked up tight, and watched closely.  Think about doing the following for the directly exposed server:

    *run only the services that you need to run and don't run anything that you don't understand the purpose of.
    *have strong password protection on any administration interfaces.
    *back it up regularly.
    *enable logging on any services and review the logs on a regular basis for any suspicious activity.
    *run good, current version, anti-virus software and update the virus data files regularly.

There are entire Web sites devoted to security, so we've just put a tiny scratch in the surface of the subject.  But if you use the above information correctly, you should be able to serve safely!

Remy_3D

Master of your domain!

If you're serious about a professional Internet presence, then you need your own domain name.  A domain name is a word or phrase that is tied to the IP address of the server or servers that provide your web pages, email, FTP, or whatever other services that are part of your web presence.

How's it work?

Think of the domain name as your name and the IP address as your phone number.  If the only thing that was on your business card was your phone number, it would be difficult for people to locate you if that number changed.  But as long as they had your business name, they could find your new phone number by using directory assistance.

In essence, that's how Domain Names work.  When you register a domain name, you must provide the IP addresses of the DNS (Domain Name System/Service) servers that contain the translation between your domain name and IP address(es).  When someone types "www.yourdomain.com" (just an example) into their browser, the DNS servers kick into action, find the IP address of your web server, and load your homepage into the visitor's browser.

All this magic, however, requires that the IP address of your server(s) doesn't change very often (for the reason why, read this).  This isn't a problem if you're using any sort of webhosting service, since they'll assign you an unchanging or "static" IP address when you signup for service.

However, if you're trying the do it yourself method of web (or any other type of) hosting/serving, you'll probably find that your ISP provides only a "dynamic" or changing IP address.  Not very long ago, this would have killed your chances of doing your own hosting.  But where there's a problem on the Internet, there are usually some enterprising people out to solve it, and this problem is no exception.  The answer is Dynamic DNS services and you can read more about it on this page.

Sign me up!

Whether you have a static or dynamic IP, there are lots of companies who would love to sell you a domain name.  Things used to be simpler, if not more monopolistic in the domain name world.  InterNIC is a quasi-governmental organization that was the only place where you could register a .com, .net, or .org domain name.  Since sometime in 1999, however, Uncle Sam decided he wanted out of this business and opened up domain registration to the commercial world.

This "new domain world order" is still shaking out the bugs, but there are now many places where you can buy a domain name.  InterNIC keeps a list of accredited domain registrars on their Web site, and I recommend you stick with choosing a company from that list, unless you let your webhosting company do the registration for you.

NOTE: Read the information carefully when signing up for a domain through any of these services.  They would all love to lock you into their service (instead of a webhost of your choice) and their packages can be confusing.  Don't sign up for any service that doesn't make the cost and service clear, and don't pay more than $35/year to register your domain.

Call me old-fashioned, but until the dust settles, I'll stick with using NetworkSolutions.

If you don't want to do your own registration, most webhosting services will do it for you when you sign up for service.  Some charge for doing this in addition to the usual domain registration fee of about $35/year, others include it as part of their set-up fee.

Another way to get a domain name is to use a Dynamic DNS service.  These services usually include a subdomain of your choosing with their most inexpensive service.  This domain name will be based on their domain name or some other domains that they've registered (for example: "nameofyourchoice.tzo.com"), but it will be yours and will not change unless you change it.  These services usually offer the option of a "normal" domain registration (at higher cost) if you'd rather have more control over your Internet identity.

Remy_3D

Run a tight ship!

Once you've allowed access to your server through your firewall or proxy server, you need to carefully configure the computer running the service.  Although the serving computer isn't entirely exposed to the Internet, even one port can be all that a good cracker needs to mess with your data and network.  If you think of your server as being directly connected to the Internet, you'll have the right mindset toward properly locking it down.

The server computer should be locked up tight and watched closely.  Here's a list of ToDo's:

   1. Run only the services that you need to run and don't run anything that you don't understand the purpose of.
   2. Have strong password protection on any administration interfaces or access control login screens.  This is the easiest, yet most often overlooked protection against getting broken into.
   3. Share only the data you need to share.  Yes, sharing your entire hard drive is quick and easy and anyone who breaks into your system will be glad you did!  If you must share an entire drive, then create a separate drive partition, put the files you want to share there, and share that drive, not your main drive!
   4. Be careful with File and Printer Sharing. Turn it on when you need to update the server and off otherwise.  It that's not practical, at least unbind it from TCP/IP and bind it to NetBEUI or IPX/SPX (see this page).
   5. Back up the at least the server's data files regularly and periodically back up the entire machine.
   6. Enable logging on any services and review the logs on a regular basis for any suspicious activity.
   7. Run good, current version, anti-virus software and update the virus data files regularly.

There are entire Web sites devoted to security, so we've just put a tiny scratch in the surface of the subject.  But if you use the above information correctly, you should be able to serve safely!