Let's say that I want to host a website, on a (virtual) server. If OpenWRT comes with all packages I want, would it be safe to use OpenWRT? Another scenario would be to use a snapshot version (until next release comes..) and use docker to provide necessary software. Maybe latter would be safer approach, but let's forget about safety of web servers and talk about operating system's safety with this purpose in general.
OpenWRT is being used widely in range of home/office gateways and should be providing safe enough environment for those connections, so why wouldn't it be safe enough then for a server? It should.. But maybe there's something that should be re-considered (preferably on the safety side of this..)
Here's my plan:
- arch: x86_64
- br-lan is tied to dummy network interface
- wan is tied to ethernet that is server's actual connection
- luci is set to run in other port (for example :8080)
- only IPv4 is being used (at the moment at least)
- Access to luci/ssh is available only through VPN, preferably zerotier.
- Most probably using caddy as a proxy and Nginx as a web server.
- Exim4 for mail forwarding.
2: recovery (currently installed version of OS, but with bare minimum to operate)
3: root filesystem (same as recovery + server/extra software)
5: spare (empty partition used if I want to upgrade, I can install new version to here and set it up before I overwrite recovery with it, and then re-create root filesystem)
- very lighweight and fast OS.
- small footprint
- can contain minimum necessary software for it's purpose
- limited software when compared to bigger os's.
So, mostly I am interested in safety of server when using OpenWRT as server's operating system, but of course, other issues that come to mind are also welcome. And good ideas too
My current server runs with CentOS 8, I have a budget KVM server, there's no "easy way" to install OpenWRT, but it's not that hard either, there's a limited set of ISO's that I can boot from, and I could use any of those to write combined image to disk and boot it, set initial stuff through VNC connection and go from there, so this is how I would set it up. Next question is, is it worth my while and further, will it be destroyed due to some issues with security?
Why not keep CentOS? Well, like I told, I chose the budget version and CentOS is very heavy, especially since I use Cockpit for management which isn't very light weight. Actually, I already took a second KVM server for 1 month and have system already running and working (except web and mail server stuff..) so it's totally do-able.
Luci would be great for server's management and since all outbound connections to luci/ssh/etc is available only through LAN(dummy) and VPN, I think main issues with server's security are with Firewall, kernel and so on- but iptables afaik is the most used and one of the most reliable firewalls, and well, most servers probably run with Linux - so my first idea is that this wouldn't be issue, just looking for another opinion