Setting up a Website?

i don't know what I'm doing

I’m kind of new to this whole “web development” thing. Well, actually I wouldn’t call this web development per se. It's more like learning how to run a webserver and sticking a static page on top. But for me, it works. So the first official blog post that I'm making is about said website. I'm going to try a few different structures and we'll go from there. In this post, I'll be doing an intro, why it matters, research, and then follow up with things I plan to do in the future.

Why It Matters

For the longest time, I didn’t think I had anything to write about. And then also, why would I write about the things that I was doing, especially if it were confidential. In actuality, it makes incredible sense to have a website - and others agree! I follow a plethora of fabulous people on Twitter, and all of them have blogs. I've seen the question multiple times - "How can I be successful in the world of security?" The first thing they say is study, more often than not. But the second, and the most important thing I have seen - write up your studying, or your research, specifically in the form of a blog so others can benefit.

It also helps to convey your ideas in your way that a "normal reader", or a non-technical person. The tidbit that conveyed me to finally start a blog was this - when you're speaking with a client, or your manager and you are trying to convey a specific goal, there needs to be some common ground. Writing reports is different, at least in my opinion and in my experience, they sometimes focus on broad subjects. And more often than not, you're not able to post them for others.

In my opinion, you can take a topic - like "Setting up a Website" and run with it. It motivates you to do your own research because you will get something out of it, and it also motivates you because you can get feedback from the community, or even help someone that may have your same problem. So, enough rambling - let's get into the research.

How To / Research

Choosing a domain

I’ve read a lot about buying domains. Sure it’s easy, has minimal cost most of the time, and you can save yourself a lot of grief if you buy yourname.com from your friends buying it and posting dumb pictures on it (not that I know from personal experience, but you should stop reading right now and go buy that domain before it happens to you.) Some things that have been said about buying a domain - like making it creative, but catchy, do not use numbers in it, make it easy to remember, etc. But really there are no rules here, you can buy whatever you so well please. Whether or not anyone looks at it is a completely separate story. So we’ll see how many people look at this post.

I chose the domain pplepi3 because it's my twitter handle. I created that thing years ago when I first started going to DEFCON because my friends said I needed to be anonymous if I was going to talk about security. I chose pplepi3 because well... if you put the @ sign in front of it, it spells out Apple Pie. And well, I didn't add the A on the domain because everything that is related to Apple has been bought up. I'm in no way associated with the company Apple, I just use their products sometimes.

Buying a domain

There are three easy steps to buying a domain.

  1. Find a Domain Name Registrar - if you’re worried about cost, watch for sales. There are various hosting providers - Namecheap, GoDaddy, Register.com, etc.

  2. Test the domain to see if it’s available - This is probably the most important part - if it’s not free, there’s really nothing you can do besides squat or try to get in touch with the person. I’ll talk about this in another blog post soon. If it is, pull the trigger and buy that domain!

  3. Add your credit card/PayPal account - Yes, buying a domain actually requires you to buy something.

and you’re set, you bought your first domain. Congratulations! Your domain is now bought.

But Wait Securing Your Domain

Whoisguard comes free with domains purchased with Namecheap for the first year, and then it's very cost effective thereafter. I’ve done a little bit of research and it seems that other registrars similar programs, but you’ll have to do more research as to what the code is for the registrar you’re using as they seem to change.

A whois lookup can give you generic information about the website you’re looking at. When you register your domain, you’re required to put in all types of information - your name, credit card information, and billing information (yes that means your address if you don’t have a PO box setup). This information is stored with the Internet Corporation for Assigned Names and Numbers, or ICANN. It’s a global organization that manages the internet’s core infrastructure. The nifty part of this is, there’s a command (or a website for those that are not gifted with the knowledge of command line), that will tell you a bunch of information about a website (name of registerer, location, including address, etc.). This was used as a way to contact the network administrator to resolve a problem (DNS problems, netowrk-based attacks, etc) and help diagnose registration errors, etc.

Picture of cmd whois

Or you can do a quick websearch!

This might not be alarming to you now, but as Violet Blue outlines in her book “The Smart Girl’s Guide to Privacy”, not all people are created equal. Unfortunately, not all people are as nice as we were taught to be in second grade. There are bad people out there. “Well, I don’t have anything to hide, I'm not going to hide from anyone”, you tell me. Sure, that's a good school of thought when you’re walking down the hallways in school, I guess. But putting your home address online, not exactly the best idea. Would you go up to a stranger on the sidewalk and tell them, “hey, I live at 1234 main street”? Well if you do, you’re one crazy fella and I won’t be inviting you over to my house anytime soon.

The point is - this isn’t about hiding. It’s about privacy. There are some good things that can come out of the information that is being associated with a website sure. But more often than not, it’s going to be used in a malicious fashion. For me personally, enjoy my privacy - so I invest in whoisguard. Whois guard will register your domain with their company information, therefore protecting your information. If there is a problem, like someone files an abuse ticket because your vulnerable web server was taken over by a botnet and used to take down another website… Whoisguard will probably be contacting you relatively soon.

Choosing a Hosting Provider

Choosing a hosting provider
Now that we have our domain registered and our basic information protected with whoisguard, we’re now ready to compare hosting providers. Choosing a hosting provider is all about what you want to do with your money. There are various options, at various levels and not all packages are created equal.

A couple of notable cloud computing services if you want to build a web server from scratch.

There are plenty others, but these are the ones I have had experience with. The thing you want to focus on when you’re shopping around is uptime, pricing vs need when it comes to the package. If you’re just going to be running a blog with little interaction, it doesn’t make much sense to get a powerful digital ocean instance with 2 core processors and 2 gigabytes of memory.

Choosing a website platform

Content Management Systems:

  • Wordpress - beginner friendly, free, scalable
  • Drupal - better for experienced coders, very steep learning curve.
  • Joomla - involves a bit more coding, but not as intense as Drupal.

Read more if you would like!

Static pages:

If that scares you, because you’re not a developer (I mean, it scared me to be honest.), don’t worry about it! Some VPS’s have one-click deploys. Now, yes I’m aware this is cheating but it’s one thing if you set up a website and then go back and learn about it, or create a new one from scratch and write about it. As long as you know what's going on, I believe it’s okay. You can call me a cheat if you want, I’ll accept it.

I choose a static page because I know a bit about WordPress already, so I thought I’d do something new. And I also did not think I could dedicate enough time to a Drupal or Joomla server… maybe down the road, I’ll have that kinda time. Also, I'm running a blog, not the next Facebook.

Once you’ve made these huge decisions, you’re ready to create your first blog post! Or just put up a test page like I did… I agree. I’m lazy. There’s no denying that. But here we are. At the end of my first official blog post. I gotta say, I talk a lot. Thanks for sticking around til the end!

I have a few plans for future blog posts… mostly they will be centered around my work as an incident responder and forensicator. Hopefully, a few CTF blog write up’s as well. I want to say I’ll do a post a week… but I'm an incident responder and my life is not defined by a schedule. So…. I’ll post them when I have time I guess. I have to find more meme's first.