Or an alternative title, “An Extra Fiver For A Static IP Hyperoptic?? For That, I Can Get an EC2 Instance”
I used to host my portfolio site and blog the good old-fashioned way, from a Raspberry Pi 3 plugged directly (and awkwardly) into the back of my router with an overly large ethernet cable. The whole thing ran on Ubuntu, with NGINX handling VHOSTS, my portfolio site running on a Node instance and WordPress handling my blog. It was a mess, to say the least.
The Problems: Security and Cost
1. £5.00/month For A Static IP
I’m currently using the most basic 1GBP/S package from Hyperoptic, on which, for the low price (sarcasm btw) of £5.00/month, I could get a static IP. I didn’t want to do that. I understand there are solutions which detect a change in IP and automatically update DNS accordingly, DNSimple being a nice little solution. They are a nightmare for security and even more of a pain to set up.
Should I include folders in the NGINX config I’m not supposed to, accidentally opening myself up to an LFI bug, an RCE onto a device on my own network is a possibility. Normally this would be the worst-case scenario, but I also have to include API keys which control my DNS locally on the Raspberry Pi. That means compromising not just my home network BUT MY ENTIRE DOMAIN.
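The combination described above (an NGINX `root` or `alias` that covers more than it should, on the same box that holds the DNS API key) can be checked statically. This is an added example, not code from the original post; the config, hostnames and credential paths are constructed for illustration.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Constructed sample config (not from the post): the first vhost's root is too broad.
SAMPLE_CONF = """
server {
    server_name portfolio.example;
    root /home/pi;                      # serves the whole home directory
    location /blog/ { alias /var/www/wordpress/; }
}
server {
    server_name blog.example;
    root /var/www/wordpress;
}
"""

# Hypothetical places a dynamic-DNS updater might keep its API key on the Pi.
SECRET_PATHS = ["/home/pi/.config/ddns/token", "/etc/ddns/api_key"]


def _norm(path: str) -> PurePosixPath:
    """Strip quotes and collapse '..' and trailing slashes."""
    return PurePosixPath(posixpath.normpath(path.strip().strip("\"'")))


def served_dirs(conf: str) -> list:
    """Return (directive, directory) for every root/alias in the config text."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments (ignores '#' inside quotes)
    return [(kind, _norm(raw))
            for kind, raw in re.findall(r"\b(root|alias)\s+([^;{}]+);", conf)]


def exposed_secrets(conf: str, secrets: list) -> list:
    """List secrets that sit inside a directory NGINX is configured to serve.

    Static check only: it does not look at file permissions or `deny` rules,
    and it treats every path as absolute.
    """
    findings = []
    for kind, directory in served_dirs(conf):
        for secret in map(_norm, secrets):
            if directory == secret or directory in secret.parents:
                findings.append((kind, str(directory), str(secret)))
    return findings


if __name__ == "__main__":
    for kind, directory, secret in exposed_secrets(SAMPLE_CONF, SECRET_PATHS):
        print(f"{kind} {directory} exposes {secret}")
```

Keeping the updater's key outside every served directory, and readable only by the updater's own user, clears the finding.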
2. The Ping Bombardment
As soon as my site went live, the pings started. My router logs were flooded with connection attempts from all over the world. Most were indexing bots, but some were a lot more obstructive scans looking for vulnerabilities.
3. A Basic Router Setup
My home router isn’t exactly enterprise grade. It comes straight from Hyperoptic and lacks any sort of VLAN or Firewall controls. Ideally, I’d set up separate VLANs for my personal devices and my externally facing ones. Whilst I could’ve invested in a better setup, I have budget constraints and it feels like overkill.
The Risks of Self-Hosting
Hosting a website from home is definitely a great learning experience and something I’d recommend to anyone hoping to set up a home lab or learn more about networking. It is always good security posture to and external facing network connections on any network.
1. Exposing Your Home Network
By opening up ports you’re essentially inviting strangers into your network. One wrong misconfiguration and you’re leaving a potentially vulnerable device open to being used as a place to pivot into your home network (where your things are).
2. DDoS Attacks
I have almost no online presence. I don’t post offensive things on social media. I don’t play any online games (over 77% of cyber-attacks are aimed at online gaming services (this isn’t just server hosting but players also)). Yet for the 5 months in which I self-hosted at home, I was the target of a DDoS twice. Each attack lasted for about an hour. It wasn’t life-threatening, just annoying. As I am not a corporation, I do not have the facilities to sinkhole it or provide any mitigation.
3. ISP Restrictions
I’m almost certain that I broke a clause in Hyperoptic’s TOS where I’m not allowed to host servers on residential connections. Please don’t tell on me…
My Solution: Moving to AWS
I decided to move to AWS with my site, mostly for the fact that it’s popular and it looks good on a CV to put that I know AWS.
AWS Amplify for My Portfolio
My portfolio is just a one page ThreeJS program that runs on a Node backend. All of my content pages are just hardcoded in, so it’s perfect for Amplify. For those of you who don’t know, AWS Amplify is Amazon’s solution for hosting single page webapps, and it’s really affordable. I pay a total of $0.04/month on the free tier. My portfolio doesn’t generate a lot of traffic and gets looked at for web design jobs about once or twice a month.
AWS Lightsail
Lightsail offers a preconfigured WordPress cluster which made porting over my local WordPress instance to the cloud only a few console commands. By hosting my blog on a separate instance to my portfolio, it minimises the risk of cross contamination should either site be compromised. Lightsail also offers an auto backup feature, so I don’t have to worry about losing my content.
Final Thoughts
Moving my portfolio offsite was absolutely the right decision. Not only has moving my networking project onto the cloud given me significant experience with configuring AWS platforms, I’ve saved a bunch of money. The Raspberry Pi felt like a fun DIY project, but as I’ve grown in cybersecurity I am terrified by literally anything with a processor.
My total hosting costs are now around $4.00 a month with static IPs. Cheaper than Hyperoptic’s £5.00/month for a static IP on its own.
(Leave IOT, IOTside)
