Need help isolating Debian server from rest of home network?
Basically, I would like to host a website from a hobby Debian Linux server. I have a basic home setup: 3 additional computers, a PS3, plus the server, and a Linksys E1200 router. I can only get the thing to be seen from my iPhone when I only use UPnP port forwarding. Which is fine, but I want to put the server on its own LAN to eliminate the possibility of someone first hacking the server and then using the hacked server to hack into a home computer. The other computers I believe are secure: 2 Macs and one Windows Asus laptop, none have file sharing or anything like that enabled. Would rather be safe than sorry. Can someone suggest a way for me to do this with just a basic home router? I'm starting to think this might not be possible. What should I do?
My next step after this is to set up a public key for ssh login so hopefully only I can try to ssh in. Any further suggestions on how to lock up my system would be greatly appreciated. Update: After messing with it, now it seems like I can't get it to work at all with only UPnP port forwarding. Test page: http://74.78.208.219/testpage.html does that link work for anybody? Sorry for the link spamming. Thanks for any help.
I would recommend protecting your server with a firewall. You can certainly implement these features.
For the firewall, you can simply open ssh on a port other than 22, and add fail2ban (http://www.fail2ban.org) so that any brute-force attempt is locked out for a configured period of time.

I also use PeerGuardian Linux, as it has frequent updates on known malicious host IPs: virus-infected PCs, botnet command-and-control servers, and spyware hosts. IPlist is another package with similar features. These 'bad' IP addresses get loaded into iptables to DROP.

The reason for using this type of 'reputation-based firewall' is that even though you've locked down your inbound ssh, if you have family members running an infected Windows machine then the malware will try to report back to its CNC (command-and-control) over the internet. So you have to somehow lock down your outbound traffic. If your firewall has updated data for known malware CNC IPs and is set up to drop packets to these destinations, your PC is saved from having its data exported to the other side of the world, and in the meantime a log message is generated to alert you that a PC tried to access a bad IP, so you can take corrective action on the infected host.

All this takes time and patience to set up, but it's very worthwhile. Like the others have said in their posts though, it really depends on what/how you want to protect. Decide what assets you need to protect, and start from there. Good luck.
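The reputation-based outbound blocking described in the reply above, as an added example that is not the poster's own script nor part of PeerGuardian Linux or IPlist: it parses a blocklist in the "description:start_ip-end_ip" P2P line format those tools consume, collapses each range into CIDR blocks, and prints the iptables commands that would LOG and then DROP traffic to those destinations from both the server itself (OUTPUT) and from LAN hosts it forwards for (FORWARD). The sample blocklist, the chain name BADIP and the log prefix are constructed for illustration; the script only prints the rules, it does not apply them.

```python
"""Generate iptables LOG+DROP rules from a P2P-format IP blocklist.

Added example for the reply above; not the original poster's code and not
code from PeerGuardian Linux or IPlist. The blocklist contents, the chain
name BADIP and the log prefix are assumptions made up for illustration.
"""
import ipaddress

# Constructed sample blocklist in P2P format (documentation ranges only,
# not a real threat feed).
SAMPLE_BLOCKLIST = """\
# comment line, ignored
Example botnet C&C:192.0.2.10-192.0.2.10
Example spyware host range:198.51.100.0-198.51.100.255
Malformed line without a range
Example scanner:203.0.113.8-203.0.113.15
"""

CHAIN = "BADIP"          # assumed chain name
LOG_PREFIX = "BADIP: "   # assumed syslog prefix


def parse_p2p(text):
    """Parse P2P lines into a list of (description, IPv4Network) entries.

    Each start-end range is summarised into the minimal set of CIDR blocks so
    the iptables rules can use -d with a mask. Comments, blank lines and lines
    that do not parse are skipped rather than aborting the whole load, since
    public lists often contain junk.
    """
    networks = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        desc, sep, rng = line.rpartition(":")
        if not sep or "-" not in rng:
            continue
        try:
            start, end = (ipaddress.IPv4Address(p) for p in rng.split("-", 1))
        except ValueError:
            continue
        if end < start:
            continue
        for net in ipaddress.summarize_address_range(start, end):
            networks.append((desc, net))
    return networks


def iptables_rules(networks, chain=CHAIN, log_prefix=LOG_PREFIX):
    """Return iptables commands: a dedicated chain hooked from OUTPUT and
    FORWARD (covering the server and any LAN hosts it routes for), then a
    rate-limited LOG rule followed by a DROP rule per bad network. Logging
    before dropping is what makes an infected LAN host visible in syslog."""
    rules = [
        f"iptables -N {chain}",
        f"iptables -A OUTPUT -j {chain}",
        f"iptables -A FORWARD -j {chain}",
    ]
    for desc, net in networks:
        rules.append(f"# {desc}")
        rules.append(
            f'iptables -A {chain} -d {net} -m limit --limit 5/min '
            f'-j LOG --log-prefix "{log_prefix}" --log-level 4'
        )
        rules.append(f"iptables -A {chain} -d {net} -j DROP")
    return rules


def is_blocked(ip, networks):
    """Return the description of the first matching entry, or None.
    Handy for checking a destination seen in the logs against the list."""
    addr = ipaddress.IPv4Address(ip)
    for desc, net in networks:
        if addr in net:
            return desc
    return None


if __name__ == "__main__":
    nets = parse_p2p(SAMPLE_BLOCKLIST)
    for rule in iptables_rules(nets):
        print(rule)
```

The LOG rule is rate-limited so a chatty infected host cannot flood syslog, and the rules live in their own chain so the list can be refreshed by flushing and reloading that chain alone (iptables -F BADIP) without touching the rest of the firewall. A real deployment would also need the INPUT rules for the non-22 ssh port and the web port, which this example leaves out.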