NaibofTabr

You’re welcome. I tried to do basically the same thing a few years back (run a WordPress site from a RPi on my home network - and also a Minecraft server) and so I tried to write up the problems I ran into - I probably forgot some, but those are the major hurdles. I learned a lot along the way.

I should also point out that if you rent hosting space (from linode or inmotion or digitalocean or many other options) then problems 1 & 4 become much easier, and 2 & 3 go away entirely (most people don’t host public websites on their home networks because of these and other issues).

Happy to help. If you’re interested in learning networking more thoroughly, I want to point you to Professor Messer especially the Network+ content. He has far more complete explanations than I could write (and it’s free!). Even if you’re not interested in getting any certs, the explanations will be helpful.

So your goal is to host a publicly accessible static website from a computer in your home. There are a few problems you need to overcome before even worrying about configuring any software. You need some more basic networking knowledge first.

0. Basic Networking Theory - you should read a brief explanation of the OSI 7-layer network model. You don’t have to try to memorize this and you won’t really understand it until you start actually doing stuff, but you should read it for some basic terminology and to understand that there are distinct steps through which communication between computers happens.

   When you start running into problems (“why can’t I access the server? I did all the tutorial steps”), figuring out which layer the problem is in will help guide you to the solution:

   • is there a bad cable? -> 1. Physical
   • do I have the right IP address? -> 3. Network
   • is the firewall port closed? -> 4. Transport

1. Privacy/Security/Safety - don’t host a publicly accessible website from your personal computer. Just don’t. To make this happen you will have to open a hole in your network security that makes your computer accessible from the public internet. Don’t do this on your daily driver computer. Don’t do this with any device that has any files on it that you care about or any access to any personal information. Don’t.

   Set up your web server/learning environment on a clean, dedicated system. This could be an old laptop or a Raspberry Pi (an older 3B model will work just fine for this) or whatever cheap computer hardware you have, as long as it can run Linux and has a physical network port (using WiFi will give you extra headaches for getting this working). If you think you might want to expand your projects in the future, you can get a used Dell server for very little money, and add more hard drives as needed. Wipe the hard drive and install Debian or Ubuntu server as a base, there’s lots of resources out there for setting up web services on either.

2. Restricted Ports - you are most likely on a residential internet connection. Most residential ISPs close ports for security reasons, especially 80. For example, here is Cox’s list of restricted ports. You will need to find your ISP’s equivalent list and understand what you can and can’t do with your connection.

   There are workarounds, primarily through port forwarding. You will need admin access to your router to set this up. I recommend that you read that entire article because it probably applies directly to your situation.

3. Dynamic IP Address - most people still find it easier to work with IPv4 addresses - I won’t go into IPv6 right now, but you should read a little about it just for awareness. Your residential internet most likely has a dynamic IPv4 address, which means you can’t rely on that address staying the same forever (or even until next week), which means that you can’t configure your Cloudflare domain name to point to a single IPv4 address.

   Dynamic DNS is the solution for this, and again you’ll need admin access to your router to set it up.

4. HTTPS/TLS/SSL - if you get through all those issues then you probably have a working website, but now you’re seeing something like this when you try to view it in your browser:

   This doesn’t mean that you can’t get to your website - it just means that you can only do it via HTTP and not HTTPS, which the browser is warning you (and anyone else trying to view your website) is not secure. You can either just accept that this alert will always come up, and that you have to click through it, or you can learn about TLS and getting an SSL/TLS certificate. This is a later topic - it doesn’t matter and probably won’t make sense until after you’ve got your web server online.

I plan to RAID1 them and use them as boot drives

This will not work unless the mainboard is handling the RAID control in firmware. If you are doing software RAID then the OS must boot before the array can be accessed.

If you just want to set up a NAS, you can get a used PowerEdge tower for very little money, and it will work a lot better than what you have planned.

You will own nothing and like it have no recourse.

And even if the cooperation doesn’t last, it’s an opportunity for the open source developers to work with the product engineers and get direct information from them right now. There’s nothing as valuable as talking to the guy that actually designed the thing, or the guy who can make changes to the product code.

Even if that relationship doesn’t hold long term, the information gathered in the short term will be useful.

If I were part of this project this is what I’d be going for. Push the company to give you direct contact with the relevant engineers, right now while the negative public opinion is fresh and they’re most willing to make concessions, and then get as much out of that contact as you can. Take them at their word, make them actually back it up, take advantage of the offer to cooperate. Sort the rest of it out later.

Yes, it is damage control. That’s OK.

The whole point of spreading the word about an incident like this is to get public attention on it, and make the company realize that the way they’ve handled things was bad.

A letter like this indicates that they’ve realized they fucked up and they want to do things differently going forward. That doesn’t mean they’re suddenly trustworthy, but it does mean they can be negotiated with.

The correct response is to accept the offer of working together. We want to encourage companies to be cooperative and discourage insular, proprietary behavior. If you slap away the offered hand then you discourage future cooperation, and now you’re the roadblock to developing an open system.

When you start getting the results that you want, don’t respond with further hostility.

I was referring to OP’s use of IPQuick. This isn’t a service I’m familiar with and it doesn’t seem to be affiliated with any organization that I’m familiar with either.

1. Assuming that you mean that you are using the domain name to point to services which are at a residential, dynamic IP address, you will need to set up a Dynamic DNS service.

2. If a product is free, you’re the product.

You might be interested in the Banana Pi BPI-R4, which has an officially supported OpenWRT image and costs ~US$110.

Nah, that sounds complicated. Just open port 22 and forward it your server.

I used to run a Minecraft server with PaperMC on an RPi4, and I would only give the java environment 2G of RAM. It never crashed except when I overloaded it with plugins. The same Pi was also hosting Pihole and Ubiquiti UNMS. As long as you aren’t planning on hosting hundreds of players at the same time, you should be fine with whatever (and assuming you’re doing this at home on residential internet, your network would be the bottleneck anyway). I do recommend PaperMC, it improves the performance and stability of Minecraft and it’s a fork of Spigot so it’s compatible with most plugins.

Also /u/ShellMonkey is correct about used server hardware. You can pick up a Dell PowerEdge for about $200.

It’s definitely more difficult when you don’t have control over the DHCP server. Is it part of a router provided by your ISP?

Maybe, but I suspect it’s working like this:

• Pi boots then requests locally configured IP from DHCP server
• DHCP server grants 30 day lease for requested IP
• Pihole runs fine for awhile, DNS requests are properly handled
• IP lease expires, DHCP server returns IP to available address pool but doesn’t reassign it to anything yet
• time passes
• Random wireless device connects to router, DHCP server assigns IP to new device
• DNS requests to Pihole fail because the IP was assigned to the recently connected wireless device

This would explain why Pihole appears to cause problems every month, sometimes a little longer.

windows network settings

A 30 day DHCP lease expiration would explain OP’s issue.

A malware might create a service which opens a previously closed port on your system. An independently configured firewall would keep the port closed, even if the service was running without your knowledge, hopefully blocking whatever activity the malware was trying to do.

Also, you can configure the firewall to drop packets coming in to closed ports, rather than responding to the sending device that the port is closed. This effectively black-holes the incoming traffic, so it looks like there’s just nothing there.

The core problem with this approach is that antivirus scanning is generally based on signature recognition of malicious binaries. Behavior-based antivirus scanning mostly doesn’t work and tends to generate a lot of false positives. No freely available antivirus is going to have a signature library that is kept up to date enough to be worth the effort of running it on Linux - most vulnerabilities are going to be patched long before a free service gets around to creating a signature for malware that exploits those vulnerabilities, at which point the signature would be moot. If you want antivirus that is kept up to date on a weekly or better basis, you’re going to have to pay for a professional service.

That said, there are other, simpler (and probably more effective) options for hardening your systems:

• Firewall - if your servers are dedicated to specific services and you don’t plan on adding many more applications, you should be able to tighten up their firewalls to have only the ports they need open and nothing else. If network security is a priority, you should start with this.
• Application Whitelisting - prevent unrecognized applications from running. There are more options for this on Windows (including the builtin Applocker), but there are some AWL options for Linux. It’s a lot easier to recognize the things that you do want to run than all of the things that you don’t want to run.
• Secure OS - I assume you’re using Debian because it’s familiar, but it is a general-purpose OS with a broad scope. Consider switching to a more stripped-down variant like Alpine Linux (it can be installed on a Pi).