Home Web Server: tips and advice...
August 23, 2023 8:46 PM

Kiddo and I are going to take a disused (but still mostly cromulent) old computer and turn it into a web server, to host a few different niche/vanity/starter sites. We're thinking Debian for the server, then CloudPanel on top to help run admin. Does that make sense? What else might we want to know?

I've prepaid the chat filter incentive/penalty, so you can be kinda freeform on answers. Any information on running your own web server, preferred OS, management tools, etc. is appreciated.
posted by DirtyOldTown to Computers & Internet (24 answers total) 6 users marked this as a favorite
 
When I was a kid, a family friend asked me to make a website for his band. I did, and we hosted it on a server PC on his DSL line. It was promptly pwnt due to flaws in my code (good ol' ASP 2.0 + ignorant overconfident teenager = failure) and turned into a spam relay, which led his ISP to shut down his home internet, and him to have to pay an IT person to reimage the server + recover the other data that was on there. My point is, running a public-facing server is work and if you mess it up, the consequences can be at least moderately crummy.

Then there's the IP issue and the TOS issue -- does your ISP provide a static IP? If not, how conversant are you in dynamic DNS and setup? Also, does your ISP allow running servers on whatever kind of account you have?

All this to say, are you sure you want to run the server on your hardware, at your home? I can see why there might be an educational reason to want to do that, but at the same time, I'm not sure I'd want a public-facing server on my home network even now. It might be worth looking into either VM providers (if you want to do the server admin yourself, but in someone else's sandbox), or general hosting as a service (if you'd rather avoid the server admin piece, in exchange for less flexibility).
posted by Alterscape at 9:08 PM on August 23, 2023 [4 favorites]


Seconding the “are you sure” sentiment… Securing these things, especially when they’re attached to your home network? No thanks. Spend the $6/month at Digital Ocean for a small droplet (VM) and save yourself the worry. Easy to destroy and recreate at a moment’s notice. Plus, managing servers in “the cloud” is considerably more relevant in today’s landscape.
posted by cgg at 9:16 PM on August 23, 2023 [5 favorites]


How critical will it be that you not lose any of the data?

I run a Nextcloud VM at a local provider and would think about moving it home if my ISP gave out static IPs and was happy for me to do so. Even then, the ability to tick a box and pay 50c for someone else to look after entire machine backups is pretty nice indeed.

If it is not important stuff you'll be hosting and your ISP is happy for you to do it then go for it I reckon, you and kid will learn a heap. I'd not bother with cloud panel or anything, just get into the command line, I've (hobby) managed Debian servers that way for 25 years.

Debian is my default choice for this stuff. Debian stable for a server Just Works.
posted by deadwax at 9:35 PM on August 23, 2023


We ran a server and mail server at our house from 1998 to 2018. We moved to a rented server space for our home domain and mail/list service at the time of our last house move.

We paid for a business line and static IPs from our provider, it was a pain in the butt to have to reboot things any time our DSL or power went down, and people who used our services (mail/web/blogging at various times) were frequently on our case because things did go down, including while we were on vacation. The way the internet functions now, it's just easier to let someone else do the hosting for anything that's even vaguely important.

You and the littleoldtown will learn a lot if you put in the time and effort, but some of it will involve a lot of swearing and probably more AskMes.

Since we're chatfiltery: REALLY do not do mail. Mail was too hard five years ago because of all the spam filtering/checking and it's only getting worse. The technical knowledge and effort required mean it's just not in the hobby space any more.
posted by gentlyepigrams at 10:41 PM on August 23, 2023 [3 favorites]


Are you/kid willing to stay on top of security vulnerabilities? If not, you're not just risking bad guys getting into the web server but unless you properly firewall it off, now they can attack other systems on your home network.
posted by Candleman at 11:03 PM on August 23, 2023 [2 favorites]


I think you are better off doing a Static Site Generator and GitHub Pages kinda thing. You could still use the home computer to sync to the GitHub repo and keep all your website development stuff, but doing it this way is easier to secure while also being a more modern approach to having a personal/vanity site. If the goal is to help your kid develop some skills then learning how to use GitHub and this kind of project structure will be very valuable.

A home server is more useful these days for self-hosting applications for personal use. Things like Plex/Jellyfin, Obsidian, Pi-hole, Komga/Kavita/Calibre, Free/TrueNAS, multiplayer game servers (minecraft, valheim, ark, etc).

Of course disregard if the goal is to get into the nitty-gritties for fun and learning.
posted by forbiddencabinet at 11:05 PM on August 23, 2023 [2 favorites]


Lots of people are saying that self-hosting is a bad idea for security reasons, and then declining to state what the security risks are or how to work around them. I'll answer the question, and you can decide whether this is too much work and risk, or not.

In general, there are two things you need to focus on setting up and securing: the web server itself, and the remote management interface that lets you administer the computer (usually over SSH).

Debian is a good choice for a server OS. It's what I use.

For the server to be visible on the Internet, you'll need to set up port forwarding on your router. You may also want to configure the iptables firewall on the computer, as a second line of defense, to be sure you aren't accidentally exposing more ports on the public Internet than you're expecting. You can use a public port scanner like Shields Up to check what's visible from outside your network.

For a management interface you can't go wrong with basic SSH. It's safest to firewall this off from the Internet, so it's accessible only on your home network. Or for a basic home server, you can skip setting this up entirely, and just administer the PC by sitting at its keyboard.

Think twice about making SSH visible to the public Internet. If you really want to do that, you will get brute-force login attempts, so it's best to use key-based authentication and disable password login entirely. Also use fail2ban to block bots who spam you with tons of SSH login attempts. Finally, once in a while there is a vulnerability in OpenSSH itself. So, better to just hide this behind your firewall unless you really want to stay on top of it.

For the web server itself... you obviously can't firewall that off, if you want people to be able to access your site. So, use something without a ton of features. Fewer features = fewer bugs = fewer possible attacks. It's best to serve static HTML pages using something like nginx. Install a minimum of modules and watch for security advisories (thankfully, they are rare). In particular, don't install something big and complicated like Wordpress unless you want to monitor it like a hawk. If you expose relatively little to the public Internet, the chance of a successful attack is much lower.

If you want to add more services to the computer beyond the web server (Minecraft, Mastodon, whatever...) be sure to do some more reading into what security issues have been reported with the service lately, and whether new vulnerabilities are found infrequently, or come in thick and fast. Don't install more stuff than you can keep up with patching. And if you lose interest, it's better to pull the unused services offline than to let them sit there gathering dust (and security holes).

Finally, a bit of logistics: if you have a dynamic IP address, like most residential Internet connections do, use a dynamic DNS service like duckdns to get a stable link to your server that you don't have to change every time your IP changes.

I've had some home server or another running for the last ten years or so, and it works fine in my experience, if you take basic security precautions, and don't care too much about the uptime. Have fun!
posted by edlinfan at 12:04 AM on August 24, 2023 [12 favorites]
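
The checks described in the answer above (no unexpected listening ports, SSH limited to key-based logins) can be scripted. This is an added example, not part of the thread; the port allowlist and the sample `ss` / `sshd -T` output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs below are constructed.
# On a real Debian host, feed in:  ss -H -tln   and   sshd -T   (sshd -T needs root).

# Assumption: the only services meant to be reachable are a web server on 80/443.
ALLOWED_PORTS="80 443"

# Reads `ss -H -tln` output on stdin. Prints "address port" for each TCP
# listener that is not loopback-only and whose port is not in the allowlist ($1).
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)      # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)  # text before the last colon
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            if (!(port in ok)) print addr, port
        }'
}

# Reads `sshd -T` output (effective config, lowercase keywords) on stdin.
# Prints one line per setting that still permits password-style logins.
weak_sshd_settings() {
    awk '
        $1 == "passwordauthentication"       && $2 != "no"  { print "password login enabled" }
        $1 == "kbdinteractiveauthentication" && $2 != "no"  { print "keyboard-interactive login enabled" }
        $1 == "pubkeyauthentication"         && $2 != "yes" { print "key-based login disabled" }'
}

# Constructed sample: sshd and a forgotten dev server listen on all interfaces.
sample_ss() { cat <<'EOF'
LISTEN 0 128  0.0.0.0:22      0.0.0.0:*
LISTEN 0 511  0.0.0.0:80      0.0.0.0:*
LISTEN 0 511  [::]:443        [::]:*
LISTEN 0 80   127.0.0.1:3306  0.0.0.0:*
LISTEN 0 128  [::1]:631       [::]:*
LISTEN 0 4096 *:8080          *:*
EOF
}

# Constructed sample: password logins have not been turned off yet.
sample_sshd() { cat <<'EOF'
port 22
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes
EOF
}

echo "Listeners outside the allowlist ($ALLOWED_PORTS):"
sample_ss | unexpected_listeners "$ALLOWED_PORTS"
echo "Weak sshd settings:"
sample_sshd | weak_sshd_settings
```

A flagged listener is only reachable from the Internet if the router forwards that port and the host firewall allows it, so treat each line as something to confirm against the port-forwarding and iptables rules rather than as proof of exposure.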


I am setting up something similar, with a box running Debian as the base OS. My planned extra precautions are running the service inside one or more containers and firewalling them off so they cannot make outbound connections, and likewise limiting what the host itself can do - hoping that in this way if it is compromised, an attacker can't do much with it.

Friends in the business have also suggested putting the setup on a separate VLAN (which implies a router better than ordinary consumer grade).

You're going to want to learn about Letsencrypt so you can serve sites securely (and also just avoid your browser giving you shit constantly), and maybe reverse proxies (I'm thinking about that so that if I run more than one site in this environment, each can be partitioned into its own container, again for better security).

Initial experiments have shown me that a new box, unlinked to from anywhere and unannounced, still gets hits and probes within minutes of going online. The public internet is a bad place. Take care.
posted by i_am_joe's_spleen at 3:15 AM on August 24, 2023 [1 favorite]


Response by poster: Alternate question then... Is there a way to host a site/sites that would let us learn similar stuff, possibly compiling things ourselves, as opposed to "push this button and you have the latest PHP"? Maybe even a lower end reseller setup so that we could do more config and add additional sites on our own?
posted by DirtyOldTown at 5:20 AM on August 24, 2023


The easy answer to that is "use Digital Ocean or Linode". The slightly harder answer is "maybe Hetzner". The even harder answer is "use a cloud provider (AWS, Azure, etc.)".

Digital Ocean and Linode provide virtual private servers (Droplets for DO, Linodes for Linode) that are pretty cheap - as low as $5/mo and they both give you a pretty generous amount of free credits - and are pretty close to bare metal - you don't install the OS and there's some management stuff they put on (mostly to capture metrics and stuff) but you install everything else. You get SSH access to the server and console access via their web portal. The cons here are that they're VPS so they're shared resources at the end of the day. (You're very much separated from everyone else but you're basically a VM on a giant bank of servers.)

Hetzner (and others, singling out Hetzner because I'm using them, there are a lot of options here) provide dedicated servers. This is more expensive than a droplet/linode but you have control over an entire machine. This is "more harder" because if you mess it up it's more involved to get stuff back to a good state (whereas with a droplet you can really just can it and start over). But, these are also bigger machines - you can do more with them. (I have one that runs about $77/mo and hosts Proxmox, which allows me to carve it up and basically do my own tiny Linode deployments. I moved my stupidly overspec'ed Mastodon instance running there which was costing me like $90/mo at DO, and now I have tons of room to spare and really, really can run whatever I want in VMs.) Hetzner specifically does also have a server auction where you can get old stuff for less money, if you don't mind being on, say, a 6th gen Intel system rather than the latest and greatest stuff.

AWS, Google Cloud, Azure, IBM Cloud, etc. are the hardest option - you have to learn a lot about containerizing your stuff and how all their cloud stuff works. But there's options on all of those to just spin up a server. I'm including it here just for completeness. You really want to stick with DO or Linode.

As an aside: both DO and Linode have extensive community sites with guides and howtos and stuff that are all generally real good for server stuff, especially for starting admins and stuff. Here's DO's one and here's Linode's. I've been a web dev for a long time and I still hit these things up occasionally to figure something out.

Finally - there's nothing wrong with firing up a Ubuntu install on a machine in your network and setting it up for this and just not having it exposed to the outside world (or maybe doing it temporarily with ngrok). You can do all the learning without spending money until you need to.
posted by mrg at 5:46 AM on August 24, 2023 [2 favorites]


A very cheap and blank-slate provider that I learned about here on MeFi is Nearly Free Speech.net. Worth checking out for the scenario you're describing, I think.

That said, I am a Unix sysadmin of 20+ years who has edited infosec training courseware, and I don't open any of my home network to the Internet. Too much FOSS and commercial software is getting cracked lately, and where you used to get turned into a DDOS/spam bot, now you're getting ransomwared.

I have a decent NAS unit that can run Docker or real software, but it also holds things that really matter to me (photos, home movies, etc.). If it gets owned, I could lose all of that. For me, that risk is not worth it for the fun of learning.

And email is just such a no-man's land these days that self-hosting it is purest folly.
posted by wenestvedt at 6:22 AM on August 24, 2023 [2 favorites]


To answer the new question -- the absolutely most basic way of dipping your toe into the world of static HTML vanity webpages is Neocities, which is run as a passion project by people who fondly remember the Geocities web host from the early days of the Internet. It has few features and a small space allotment, but it's free, dead simple (the interface is "drag and drop HTML files into your browser"), and doesn't require you to run a server yourself. If kiddo has fun with this and outgrows it, you can upgrade to Github Pages, or one of the other VPS solutions suggested by others.
posted by edlinfan at 7:59 AM on August 24, 2023


I use a home server for an intranet (ie: not generally accessible outside my home) and it's awesome. I have a music player, movie player, climate data, web-facing apis for various data, and extending services out to the internet (so other people can see them, you can use them away from home) is IMO generally unnecessary.

I use Apache on a windows computer for my server, but I'm not an optimization guy so I don't know or care about the most optimal choice.
posted by The_Vegetables at 8:05 AM on August 24, 2023 [2 favorites]


Also, I have had mine for 20 years, and I sort of recently got a new computer to serve it, but before that it ran on a Compaq computer from 1998 running windows 2000. So heck yeah to reusing an old computer for it. If it sucks, you can just unplug and throw it back in the closet.
posted by The_Vegetables at 8:08 AM on August 24, 2023


Maybe do both: host your little server, but then transfer that content to a cloud server like AWS or something.

There’s lots of fun and learning: “oh, it’s listening on port 80, now let’s move it to port 8080”. “Let’s unplug the cable.” “Oh, we forgot to re-run the server.” For this, Debian is fine, and I’d use Apache and a cgi interface, so we can run stuff from the command line and see how html is just text.

And for the cloud stuff, I’d use AWS, because it’s fun to say “I’ve heard that AWS also has a smaller side business that sells books and beef jerky and stuff thru an online store.” But there are tons of options as others have suggested.

I’d also use a few of these sites that offer dev frameworks and also host your code: Unity, code.org, glitch. Those get you quickly up and running with animation, games, etc. Maybe also later check out Wordpress, google sites (whatever they call it now), GitHub pages, etc.

It’s tragic that this stuff is so Balkanized.
posted by at at 8:28 AM on August 24, 2023 [2 favorites]


Response by poster: My kiddo is 14, taking junior level science courses in high school, and does things like hack his favorite video games to add voice modulators. I think the more runway he has to do cool stuff, the better.

Building more from the ground up is more interesting to me as well. I was a web 1.0 person and I've built and hosted PHP/MySQL sites for 25+ years via virtual hosting. I'd love to learn to do more.

That said, I am still leaning more towards hosting even aside from the (various, excellent) points made here, because our ISP does a poor job on port forwarding.

So I guess I'm looking for a middle ground where we'd build real skills instead of having things a few clicks away, but we don't have to host at home.
posted by DirtyOldTown at 9:01 AM on August 24, 2023


Do any of these sites need to be accessible outside your home network? If not, hosting your own exactly as you describe is fine with some explicit port and traffic rules that limit access to your intranet. If any of it is to be available on the actual web, I would do as others advise and avoid doing the hosting/hardware part yourself.

I have been running Debian-based media and print servers at home for ages, and setting up your own would be a really fun experience for a kid who is interested.
posted by aspersioncast at 9:45 AM on August 24, 2023 [1 favorite]


If you just want to hack and don't need access outside the house then you can do what I did (twice!).

Buy a three year old thin client or Small Form Factor PC off of eBay for like $30-40. Buy a cheap SSD for it, and some extra RAM -- maybe $25 more. Install Debian on it, and then go nuts!

Add Docker and the sky is the limit. I run Calibre-Web to serve my ebooks at home. I run Plex Media Server on my NAS, but you could use a different DLNA media server. Add some cheap SDR dongles and sniff RF traffic from your gas meter and wireless appliances. Install Home Assistant and then hook up everything.
posted by wenestvedt at 9:55 AM on August 24, 2023


Response by poster: It definitely needs to reach the actual web.
posted by DirtyOldTown at 10:41 AM on August 24, 2023


Lots of good thoughts above. I have a few that overlap and a few that I don’t think have been mentioned yet:
  • when serving at home it is really nice to have your home server on its own VLAN. A software router on a dinky machine is a way to start, can be its own project and is worth exploring
  • it would have sounded overkill not long ago but now I would suggest separating services into containers. Learn about docker, it’s a useful thing anyway
  • I would skip NGINX and look at Caddy instead. It’s a nice proxy with easier setup and can front the various web servers you will want to spin up. And it does https by default and automated getting certificates
  • it’s possible not everything will need unfettered access to the larger internet. For publishing things to a controlled VPN I’d look at Tailscale.
  • regular updating to roll up security fixes, using fail2ban, limiting ssh access to key-only, use a port scanner from another machine to double check nothing is open that you don’t want: all good things
  • as mentioned above forget email. It’s nearly impossible to keep secure, the failure mode is terrible, and most of the large providers won’t deliver your email anyway. Selfhosted email is a lost cause at this point
  • when possible look at static site generators, doesn’t matter which one, live database queries are cool to play with but keep them for your projects that require them. Keep everything else separate.

posted by mce at 11:29 AM on August 24, 2023 [2 favorites]


For the few things that you want on the Real Internet, I agree about using Tailscale. Put the home server in a DMZ, lock down your router, and connect with Tailscale.

You can't welcome in everyone....but that's probably for the best these days.
posted by wenestvedt at 11:32 AM on August 24, 2023


Hetzner has dirt cheap virtual servers starting at about $5 a month. You can spin up a Linux VM with Debian and install whatever other hosting software you like. I recommend installing Cockpit to add a nice web console to the server. Set it up so that you're only using SSH keys to log in, as others have recommended add fail2ban and I'd make sure that you change the port your SSH daemon listens on.

Let's Encrypt will let you add SSL certs for free and it's pretty easy to use with certbot.

You might want to fiddle with static sites, which is fine. I've tried almost all of them and finally worked my way back to WordPress. If you don't like the new Gutenberg stuff, there's ClassicPress.
posted by jzb at 1:17 PM on August 24, 2023 [1 favorite]


As others have said, I'd look at getting a VPS from Digital Ocean or wherever. You can be as manual as you like with how you set things up and there's a lot to learn, configure, tweak, optimise, add, change, etc, etc.

It seems to me that the only extra skills you'd be learning by setting it up on a server in your own home aren't that useful in the real world. You/he would learn so much of what it sounds like you're interested in by setting up a VPS using the command line, without the hassle and potential risk of managing a public webserver in your home.
posted by fabius at 5:15 AM on August 25, 2023


Fabius: It seems to me that the only extra skills you'd be learning by setting it up on a server in your own home aren't that useful in the real world.

Well, you'd be avoiding learning about Incident Response while you make your first mistakes in private on your home LAN (instead of on the wild Internet) -- but I take your meaning, and agree. :7)
posted by wenestvedt at 1:49 PM on August 25, 2023 [1 favorite]

