Originally Posted by ash_zz_00
The building owner is trying to help with port forwarding, but has security concerns that someone could reach my computer through the forwarded port and now has access to the private network and wreck havoc.
Are there ways to minimize it?
E.g. Is it possible for port forwarding to limit it to one or two external IP addresses? That is, if I know that I will be accessing from one or two external machines, and if the router only forwards requests from these known IP addresses, it might be an acceptable compromise.
Actually your building owner is showing some intelligence. Unfortunately, they are also focusing on the lesser threats.
It is true that by forwarding a port to your Apache server, you are open to exploits and if successful, the buildings network is at risk. Your level of vulnerability is going to depend on things like the kind of applications you are serving (PHP apps require a higher degree of vigilance than plain HTML), the degree to which you keep your system patched and the degree to which you monitor your system. So things you can do are:
- Run extra security measures like mod_security
- Make sure PHP is locked down tight, or don't run PHP services at all
- Run a monitoring system like Aide or Samhain or a IDS like Snort
- Have a patch/update plan that you actually follow
- Run apache in a virtual machine or chroot jail
What your owner is missing is that normal web browsing using Internet Exploder is probably a much greater threat to the integrity of the building's network than your Apache server ever could be. Most of the more common threats (trojans, viruses, warez, etc.) don't require a port to be forwarded in order for the compromised machine to wreak havoc and don't require a forwarded port in order to initiate the zombifcation of the machines.
As far as locking down access to a few trusted IP addresses, that certainly can be done very easily on your server using hosts.allow/hosts.deny or iptables. The building router might be capable of it, but that is probably dependent on the router's firmware.