LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Need help isolating debian server from rest of home network? (https://www.linuxquestions.org/questions/linux-networking-3/need-help-isolating-debian-server-from-rest-of-home-network-4175449092/)

jddancks 02-07-2013 07:29 PM

Need help isolating debian server from rest of home network?
 
Basically, I would like to host a website from a hobby debian linux server. I have a basic home setup, 3 additional computers, PS3, plus the server. linksys E1200 router. I can only get the thing to be seen from my iphone when I only use UPnP port forwarding. Which is fine, but I want to put the server on its own lan to eliminate the possibility of someone first hacking the server, and then using the hacked server to hack into a home computer. The other computers I believe are secure, 2 macs and one windows Asus laptop, none have file sharing or anything like that enabled. Would like just to be safe than sorry. Can someone suggest a way for me to do this with just a basic home router? I'm starting to think this might not be possible. What should I do?

My next step after this is to set up a public key for ssh login so hopefully only I can try and ssh in.

Any further suggestions on how to lock up my system would be greatly appreciated.

Update: After messing with it, now it seems like I can't get it to work at all with only UPnP port forwarding.

testpage: http://74.78.208.219/testpage.html does that link work for anybody? Sorry for the link spamming.

Thanks for any help.

pan64 02-08-2013 05:36 AM

I would recommend you to protect your server with a firewall. You can surely implement these features.

unSpawn 02-08-2013 06:44 AM

Quote:

Originally Posted by jddancks (Post 4886665)
I want to put the server on its own lan (..) Can someone suggest a way for me to do this with just a basic home router?

In router PCs running Ipcop, pfSense, Vyatta or similar one of the three Ethernet interfaces would be dedicated to a separate network. The acronym of the generic term you're looking for BTW is "DMZ". Unfortunately in cheap SOHO hardware routers "DMZ" often means "just expose this IP address to World without firewall interference" which doesn't mean the same and does not provide the kind of separation you want. Slightly less cheaper SOHO hardware routers may allow you to set up multiple VLANs. If they run some form of Linux they may expose a telnet or SSH interface so you can tweak Netfilter rules. Like pan64 suggested you can do a lot with an iptables rule set on the web server-to-be but it will always be a single point of failure and if you choose to do so out of necessity access restrictions should be more restrictive than average and extra care should be given to hardening the machine.

jddancks 02-08-2013 11:25 AM

Quote:

Originally Posted by unSpawn (Post 4886971)
In router PCs running Ipcop, pfSense, Vyatta or similar one of the three Ethernet interfaces would be dedicated to a separate network. The acronym of the generic term you're looking for BTW is "DMZ". Unfortunately in cheap SOHO hardware routers "DMZ" often means "just expose this IP address to World without firewall interference" which doesn't mean the same and does not provide the kind of separation you want. Slightly less cheaper SOHO hardware routers may allow you to set up multiple VLANs. If they run some form of Linux they may expose a telnet or SSH interface so you can tweak Netfilter rules. Like pan64 suggested you can do a lot with an iptables rule set on the web server-to-be but it will always be a single point of failure and if you choose to do so out of necessity access restrictions should be more restrictive than average and extra care should be given to hardening the machine.

So either upgrade the router or harden the crap out of the machine. It runs on an old powerpc emac. I was gonna set up port knocking and use ssh on an obscure port. Do I have to worry about firewalls? Aren't they like anti-virus software in that they go "out of date" within a couple of years? How would that work with whats already set in place? And since its supposed to be a web server, would it matter?

unSpawn 02-08-2013 01:18 PM

Quote:

Originally Posted by jddancks (Post 4887145)
Do I have to worry about firewalls?

Let me counter that question: what would you network segment separation with? Besides, if you've got two replies and both mention the word "firewall" what does that spell?


Quote:

Originally Posted by jddancks (Post 4887145)
How would that work with whats already set in place?

Please be specific about what you ask. And if the machine already runs a firewall then at least list the complete and detailed rule set.


Quote:

Originally Posted by jddancks (Post 4887145)
And since its supposed to be a web server, would it matter?

See your first question.

jnihil 02-08-2013 05:26 PM

For firewall you can simply open ssh on an non-port-22 port, and add fail2ban (http://www.fail2ban.org) so that any brute force attempt is locked out for a configured period of time. I also use PeerGuardianLinux, as it has frequent updates on known malicious hosts IPs - virus infectd PCs, botnet CommandControl, and spyware hosts. IPlist is another package with similar features. These 'bad' IP addresses get loaded into iptables to DROP. The reason for using this type of 'reputation based firewall' is because even through you've locked down you inbound ssh, if you have family members running an infected Windows machine then the malware will try and report back to its CNC (command-n-control) over the internet. So you have to somehow lockdown your outbound traffic. If your firewall has updated data for known malware CNC IPs and setup to drop packets to these destinations, your PC is saved from having its data exported to the otherside of the world, and in the meantime a log message is generated to alert you that a PC tried to access a bad IP so you can take corrective action on the infected host.

All this takes time and patience to setup, but it's very worthwhile.
Like the others have said in their posts though, it really depends on what/how you want to protect. Decide what assets you need to protect, and start from there.

Good luck.


All times are GMT -5. The time now is 04:44 AM.