Server Software Updates
I get asked, or remarks are made, that if I keep the server up for months or years I will not be able to do any software
updates and the server will just get hacked. I thought I would address this. First, let me start out by saying you can run any kind of server you
want. If Windows is your cup of tea and you like it, then use it. I have no problem with people using what they like. However, there are
differences that would make something like this hard to do on a Windows server without becoming vulnerable to attacks.
I am going to get a little technical here; please don't hate. The Microsoft Windows OS requires very deep-rooted network ports to be open just
to run the OS. So if you are using Windows you have to put it behind a firewall to block those ports, so you are not exposing things to the Internet
that are not needed to serve a web site. You can use an OS-based firewall, but these are more risky when exposed directly to the Internet than
hardware-based firewalls. If you are using the Windows IIS web server, then it too is tied deeply to the OS. If there are exposed security holes,
then fixing them often requires OS-level patches. If you are using other deep-rooted Microsoft technologies like MS SQL, .NET, etc., then parts of all
of it are exposed to the Internet, and much of the product patching also requires OS-level patching. Running Windows web servers requires routine
updates in order to keep them secure. Microsoft has excellent tools for handling updates, and many view this as a normal way to do things within
the scope of any product.
With Unix/Linux there are no requirements to run anything that would open a network port. Even when you do, it is just an application that is not
rooted into the core OS. You can shut down inetd (xinetd), ssh, everything. In fact, why install crap you don't need? If you understand how
things work under the covers, then you can safely put a server on the Internet with zero firewalls, because nothing is running except the web server,
and it would be exposed through a firewall anyway. In addition to this, the web server software is in my case just a very small program serving
only static content. I build the program from source on the Raspberry Pi, turning off any unneeded features that could expose an issue. If a feature is
not needed, then don't even compile it in. Also, this small program runs as a user that does not have privileges to do anything nasty.
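
One way to check the claim that nothing but the web server is listening, and that its socket is not owned by root, is to read the kernel's socket table. This is an added example, not the author's own code; it assumes Linux, IPv4 only (`/proc/net/tcp`, not `tcp6`), a little-endian host, and port 80 as the web server port. The sample table is constructed.

```python
import socket
import struct

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 20001 1 0 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1 0 100 0 0 10 0
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20003 1 0 100 0 0 10 0
   3: 0A00A8C0:0050 0500A8C0:C350 01 00000000:00000000 00:00000000 00000000  1001        0 20004 1 0 100 0 0 10 0
"""


def listeners(text):
    """Yield (ip, port, uid) for each IPv4 socket in LISTEN state."""
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 8 or f[3] != TCP_LISTEN:
            continue  # skip established connections and malformed rows
        addr_hex, port_hex = f[1].split(":")
        # Address is a 32-bit word printed in host byte order (little-endian assumed).
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        yield ip, int(port_hex, 16), int(f[7])


def audit(text, allowed_ports=(80,)):
    """Return findings for network-reachable listeners that break the policy."""
    findings = []
    for ip, port, uid in listeners(text):
        if ip.startswith("127."):
            continue  # loopback-only sockets are not reachable from the network
        if port not in allowed_ports:
            findings.append(f"unexpected listener {ip}:{port} (uid {uid})")
        elif uid == 0:
            # The uid is that of the socket's creator; a server that binds as
            # root and then drops privileges still shows 0 here.
            findings.append(f"{ip}:{port} socket created by root; confirm privileges are dropped")
    return findings


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:  # live table on a Linux host
            table = fh.read()
    except OSError:
        table = SAMPLE  # fall back to the constructed sample
    for finding in audit(table) or ["only the allowed port is listening"]:
        print(finding)
```
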
Now to address the updates. None of the OS is exposed to the Internet, so the OS doesn't need updates. I know that may sound like fingernails
across a chalkboard, especially if you come from the Windows world of constant updates and antivirus software. It's not a valid apples-to-apples
comparison. I do need to keep what I have exposed updated and secure, and that is just that little web server software. Updating it does not
require an OS update or reboot.
Before anyone flips out: yes, you could run a third-party web server on Windows as a user without privileges, just like on Unix, and with a
good firewall expose only the port of the web server. Of course, you would need a much more significant computer than a Raspberry Pi to
run it on.