LinuxQuestions.org
02-07-2013, 07:29 PM   #1
jddancks (LQ Newbie)

Need help isolating debian server from rest of home network?

Basically, I would like to host a website from a hobby Debian Linux server. I have a basic home setup: 3 additional computers, a PS3, plus the server, and a Linksys E1200 router. I can only get the thing to be seen from my iPhone when I only use UPnP port forwarding. Which is fine, but I want to put the server on its own LAN to eliminate the possibility of someone first hacking the server, and then using the hacked server to hack into a home computer. The other computers I believe are secure, 2 Macs and one Windows Asus laptop; none have file sharing or anything like that enabled. I would just like to be safe rather than sorry. Can someone suggest a way for me to do this with just a basic home router? I'm starting to think this might not be possible. What should I do?

My next step after this is to set up a public key for ssh login so hopefully only I can try and ssh in.

Any further suggestions on how to lock up my system would be greatly appreciated.

Update: After messing with it, now it seems like I can't get it to work at all with only UPnP port forwarding.

Test page: http://74.78.208.219/testpage.html. Does that link work for anybody? Sorry for the link spamming.

Thanks for any help.
 
02-08-2013, 05:36 AM   #2
pan64 (Senior Member)
I would recommend that you protect your server with a firewall. You can surely implement these features.
 
02-08-2013, 06:44 AM   #3
unSpawn (Moderator)
Quote (Originally Posted by jddancks):
    I want to put the server on its own lan (..) Can someone suggest a way for me to do this with just a basic home router?

In router PCs running IPCop, pfSense, Vyatta or similar, one of the three Ethernet interfaces would be dedicated to a separate network. The acronym of the generic term you're looking for, BTW, is "DMZ". Unfortunately, in cheap SOHO hardware routers "DMZ" often means "just expose this IP address to the world without firewall interference", which doesn't mean the same and does not provide the kind of separation you want. Slightly less cheap SOHO hardware routers may allow you to set up multiple VLANs. If they run some form of Linux they may expose a telnet or SSH interface so you can tweak Netfilter rules. Like pan64 suggested, you can do a lot with an iptables rule set on the web server-to-be, but it will always be a single point of failure, and if you choose to do so out of necessity, access restrictions should be more restrictive than average and extra care should be given to hardening the machine.
 
02-08-2013, 11:25 AM   #4
jddancks (LQ Newbie, Original Poster)
Quote (Originally Posted by unSpawn, quoting post #3 in full):
So either upgrade the router or harden the crap out of the machine. It runs on an old PowerPC eMac. I was gonna set up port knocking and use SSH on an obscure port. Do I have to worry about firewalls? Aren't they like anti-virus software in that they go "out of date" within a couple of years? How would that work with what's already set in place? And since it's supposed to be a web server, would it matter?
 
02-08-2013, 01:18 PM   #5
unSpawn (Moderator)
Quote (Originally Posted by jddancks):
    Do I have to worry about firewalls?

Let me counter that question: what would you network segment separation with? Besides, if you've got two replies and both mention the word "firewall", what does that spell?

Quote (Originally Posted by jddancks):
    How would that work with what's already set in place?

Please be specific about what you ask. And if the machine already runs a firewall, then at least list the complete and detailed rule set.

Quote (Originally Posted by jddancks):
    And since it's supposed to be a web server, would it matter?

See your first question.
 
02-08-2013, 05:26 PM   #6
jnihil (Member)
For a firewall you can simply open SSH on a non-port-22 port, and add fail2ban (http://www.fail2ban.org) so that any brute force attempt is locked out for a configured period of time. I also use PeerGuardianLinux, as it has frequent updates on known malicious host IPs: virus-infected PCs, botnet command-and-control, and spyware hosts. IPlist is another package with similar features. These 'bad' IP addresses get loaded into iptables to DROP. The reason for using this type of 'reputation based firewall' is because even though you've locked down your inbound SSH, if you have family members running an infected Windows machine then the malware will try and report back to its CNC (command-n-control) over the internet. So you have to somehow lock down your outbound traffic. If your firewall has updated data for known malware CNC IPs and is set up to drop packets to these destinations, your PC is saved from having its data exported to the other side of the world, and in the meantime a log message is generated to alert you that a PC tried to access a bad IP, so you can take corrective action on the infected host.

All this takes time and patience to setup, but it's very worthwhile.
Like the others have said in their posts though, it really depends on what/how you want to protect. Decide what assets you need to protect, and start from there.

Good luck.
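A host-level rule set along the lines pan64 and unSpawn describe in #2 and #3 (iptables on the web server itself, with stricter-than-average access) combined with the outbound blocklist-plus-logging jnihil describes in #6. This is an added example, not something posted in the thread; it assumes a home LAN of 192.168.1.0/24 with the router at 192.168.1.1 acting as DNS resolver, SSH moved to port 2222, a static address on the server, and an ipset named "badhosts" that your blocklist tool keeps filled.

```shell
#!/bin/sh
# Host firewall for a web server sitting on a flat home LAN. Assumed values
# (not from the thread): LAN 192.168.1.0/24, router/DNS 192.168.1.1, SSH on
# 2222, and an existing ipset "badhosts" (hash:net) holding the blocklist.
set -eu
LAN="${LAN:-192.168.1.0/24}"
DNS="${DNS:-192.168.1.1}"
SSH_PORT="${SSH_PORT:-2222}"

# Print the rule set in iptables-restore format. Review it, then apply with:
#   gen_rules | sudo iptables-restore
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# loopback, and packets belonging to connections already allowed
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# the single public service
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# SSH only from the home LAN, at most 4 new connections per minute per source
-A INPUT -p tcp --dport $SSH_PORT -s $LAN -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-upto 4/minute -j ACCEPT
# everything else: log (rate-limited so the log cannot be flooded) and drop
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/minute -j LOG --log-prefix "fw-drop: "
-A LOGDROP -j DROP
# outbound: known-bad destinations are checked first, even for existing flows
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m set --match-set badhosts dst -j LOGDROP
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNS to the router is allowed, then the server is cut off from the home LAN
# so a compromised host cannot be used to reach the other machines
-A OUTPUT -p udp --dport 53 -d $DNS -j ACCEPT
-A OUTPUT -d $LAN -j LOGDROP
# what the server itself may start towards the Internet: package/update fetches
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -j LOGDROP
COMMIT
EOF
}

# Sanity-check helper: number of rule lines that mention the LAN (expect 2)
lan_rule_count() { gen_rules | grep -c -- "$LAN"; }
```

Dropped packets show up in the kernel log with the "fw-drop: " prefix, which is the signal jnihil mentions for spotting a host that is trying to reach a blocked destination.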