Thread: Personal Server

  1. #1

    Personal Server

    I am in the process of setting up a home server with a cable modem and router for personal use. Hosting my site that gets no hits and using it as a mail server. I will be using hardly any bandwidth. Here is my question:

    I am using a Linksys WRT54GS router and it has the option for me to place a static IP address in the DMZ zone, which would open all ports to that IP address. I plan on using (assigning) that static IP address (that I am putting in the DMZ zone) to my Linux server. This server will be firewalled and hardened separately. But, I have other computers connected to the router that is performing this DMZ function. My question is will my other computers using the router still be completely safe as if I didn't have this DMZ Zone option turned on at all? Or will they be exposed to whatever security weaknesses the computer in the DMZ zone may have? Could someone crack my server in the DMZ zone and then hack into the rest of my router? If so, should I buy a second router (just for the server) to put in between my cable modem and my original router? Will that effectively make my other computers completely separate from my server?


    Any help is greatly appreciated.

    Thanks

  2. #2
    Join Date
    May 2004
    Location
    Toronto, Canada
    Posts
    5,084
    I wouldn't lose a lot of sleep about it. Someone could infect your local Linux box, yes, and it would have access to the local Windows network either from a base network level or possibly as a Windows client.

    If someone has a grudge and has the skills, yes, they could do some damage, but there are easier ways to harass you so don't worry about it.
    André Allen | E: aallen(a)linovus.ca
    Linovus Holdings Inc
    Shared Hosting, Reseller Hosting, VPS, Dedicated Servers & Public Cloud | USA, Canada & UK - 24x7x365 Support

  3. #3
    Could I just put a switch in between the router and the cable modem and hook my server up to that?

    Would that solve my problem?

    That way no one would have access into router network at all, right?

  4. #4
    Join Date
    May 2004
    Location
    Toronto, Canada
    Posts
    5,084
    OK, sorry, I should have given you some more info. What you could do is this: if the dlink allows you to have 2 non-routable networks like 192.x xxx, then you could have your machines on one like 192.168.0.x and put the Linux box on 192.168.1.x and DMZ it; then no, they couldn't get across to the .0.x network.

  5. #5
    That kind of makes sense but I am not getting it completely. It is a Linksys router; where do I go to check this?

    Also, would the network switch between the router and the cable modem not work?

  6. #6
    Join Date
    Apr 2005
    Location
    Under The Floor Tiles
    Posts
    566
    Here's a good question... will you have a separate IP for the server, or will it just use NAT and use your regular IP? An even better question is, does your cable provider allow servers? Most providers I know of do block ports and disallow servers.

  7. #7
    If I hooked up the server to the switch before the router I would just use my assigned IP address. I really don't care if my provider allows servers because I will be using next to no bandwidth so they won't know the difference. I will set different ports if they are blocking them, that isn't a concern.

    What I really want to know is if this is a viable setup:


    Modem=>
    Switch=>
    Switch Port 1=>Router=> Home PC's
    Switch Port 2=> Server


    That way my home PC's cannot be hacked through the Server, correct?

  8. #8
    Join Date
    Apr 2005
    Location
    Under The Floor Tiles
    Posts
    566
    Originally posted by drew145
    If I hooked up the server to the switch before the router I would just use my assigned IP address. I really don't care if my provider allows servers because I will be using next to no bandwidth so they won't know the difference. I will set different ports if they are blocking them, that isn't a concern.

    What I really want to know is if this is a viable setup:


    Modem=>
    Switch=>
    Switch Port 1=>Router=> Home PC's
    Switch Port 2=> Server


    That way my home PC's cannot be hacked through the Server, correct?

    Regardless of bandwidth usage or evading blocked ports, they can still detect a server or server applications on your network. It's not a matter of getting a slap on the wrist or being called a bad boy. By proceeding, you very well may be violating your provider's terms of service and if they catch you, you may get your connection cut off permanently. I suggest you CHECK with your ISP before you continue, and if they allow it, they could help to answer your question on security.

  9. #9
    Are you kidding?

    You think "big cable corp" is going around trying to detect servers? Especially ones that are using no bandwidth at all. I am using it to store my files and use as an email server. Give me a break. Let me worry about the ramifications. I am asking about THE SET UP. That's all. I am not asking about what can happen. I appreciate your help but I'm not asking about what my provider allows and I am certainly not calling them about my question. Are you kidding about that too? Calling them asking about this stuff? Please don't post any more fluff responses to my question it is annoying.

  10. #10
    Join Date
    Apr 2005
    Location
    Under The Floor Tiles
    Posts
    566
    Originally posted by drew145
    Are you kidding?

    You think "big cable corp" is going around trying to detect servers? Especially ones that are using no bandwidth at all. I am using it to store my files and use as an email server. Give me a break. Let me worry about the ramifications. I am asking about THE SET UP. That's all. I am not asking about what can happen. I appreciate your help but I'm not asking about what my provider allows and I am certainly not calling them about my question. Are you kidding about that too? Calling them asking about this stuff? Please don't post any more fluff responses to my question it is annoying.

    Your ignorance will prove to be your downfall. Big Cable Corp WILL go around trying to detect servers if it doesn't want them on its residential network. It's a matter of safety and security. If you have a server, "Big Cable Corp" doesn't care how many security precautions you take. You STILL have a good chance of becoming infected, more of a chance than client systems. And when you're infected, you can infect other computers, and your computers can do very bad things while infected and under someone else's control, and the first person to hear the complaints about those bad things will be your cable company. It's not something ISPs enjoy hearing about every single day.

    I have personal experience in the Internet Service Provider industry. My BIGGEST pet peeve is meeting people and hearing about people who choose not to follow the terms of service, people who willingly choose not to listen to what we tell them and just shrug us off like a nagging wife, and people who think that what they're doing is okay if no one notices.
    Last edited by danclough; 06-23-2005 at 11:58 PM.

  11. #11
    Originally posted by drew145
    Are you kidding?

    You think "big cable corp" is going around trying to detect servers? Especially ones that are using no bandwidth at all. I am using it to store my files and use as an email server. Give me a break. Let me worry about the ramifications. I am asking about THE SET UP. That's all. I am not asking about what can happen. I appreciate your help but I'm not asking about what my provider allows and I am certainly not calling them about my question. Are you kidding about that too? Calling them asking about this stuff? Please don't post any more fluff responses to my question it is annoying.

    You'd be surprised. At the University of Illinois, we had folks watching for the number of MAC address swaps folks made, and they also managed to keep track of wireless networks and shut them down. If U of I of all ISPs opts to play mean on network usage, imagine what Big Cable's gonna do.

    My suggestion would be to switch to a commercial DSL line, if possible. You'll wind up paying an extra $20/month, have a bigger connection going up, and your ISP won't be breathing down your neck.
    If the bigger hosts are fancy French restaurants, consider my service the friendly small-town diner.
    HostMidwest.com- you deserve honest, helpful, and reliable service!

  12. #12
    This isn't what I really wanted to talk about. I know of at least 10 people doing this same thing and have been doing it for over a year. Can we please turn the discussion back to my set-up?

    My point is I am not MAC address swapping. I appreciate the advice but you're dreaming if you think they have the time to police this (if your server was spamming, hogging bandwidth, etc. then it makes sense). If your server is not spamming or doing anything out of the ordinary nothing will happen. Yeah they have time to look through millions of residential customers for signs of a server, keep dreaming.

  13. #13
    Join Date
    Sep 2004
    Location
    Flint, Michigan
    Posts
    5,765
    U of I is a lot different than a home cable connection. The students responsible are not paying the campus for their internet connection (argue that it is in the tuition if you want), colleges make up a large portion of DDoS attacks due to their high bandwidth, and a college connection has quite a bit more power behind it than a home cable line, especially when we are talking about upstream. Odds are that the cable company will not notice, and if they do, will only send a warning letter and not cancel the service then and there. This is just how it works. Many people run home servers for personal stuff from their home computers. It is when you are making profit off of it or using major bandwidth that the cable company is going to get upset.

    In any event, to the poster:

    Cable -> Router -> Switch -> Home PC and Server

    When you set the server's IP to be a DMZ it does not open up any of the other computers in the same way. This only applies to the machine that has the IP assigned as the DMZ. If they were to hack into your Linux machine, they would have access to your other computers, but only via your Linux box. It will not be that hard to secure your Linux server though, so I wouldn't worry too much.

    If you were to get another router, that would not really secure your home machines any because the attacker could still reach them through the switch that connected both routers to your internet connection.

    Just follow the basic tips on this forum for securing your server and you will not really face any problems.
    Mike from Zoodia.com
    Professional web design and development services.
    In need of a fresh hosting design? See what premade designs we have in stock!
    Web design tips, tricks, and more at MichaelPruitt.com

  14. #14
    Thanks for the help JustADollar I appreciate it! Also thank you for clearing up the argument above.


    How about this:


    Internet to Modem
    Modem to Router1
    Router1 to DMZ Switch WEB/FTP/Server
    ...and...
    Router1 to Router2
    Router2 to Home PC's

    So I would have Router1 set-up to make my server a DMZ. I would also have its other LAN port going into Router2's WAN port. And then my home PC's running off Router2's LAN. I hope I explained that right and it makes sense.

    Will this effectively segment my network so that my Home PC's cannot be compromised through my WEB/FTP/Server?

    Any help is appreciated.

    Thanks

  15. #15
    Join Date
    Sep 2004
    Location
    Flint, Michigan
    Posts
    5,765
    Your explanation is quite clear, however they are still all going to be able to be accessed via the WAN.

    An example of this would be the fact that I can talk to your webhostingtalk.com right now even though I am going through many routers to get to it. What you could do is deny all traffic from the first router on the second router, but instead of doing this you could simply install a firewall on your Windows machines and drop all traffic coming from your server. This would prevent you from accessing your server from your LAN though.

    In all honesty you are over-thinking the security. Just do it the way I said earlier and you will not have any problems. Your machines will be able to be accessed via the LAN if the Linux machine was compromised, but it won't be like the 'hacker', for lack of a better word, would be able to access them unless they had a working exploit for one of the machines on your LAN. If you really wanted to you could simply shut down the SSH service on your Linux machine and just access it directly if you ever needed to do anything on it. This would prevent any hacker from being able to login to it. In the event that they did go in through a FTP/Apache/Whatever exploit, it would take them way too much time to get shell working and be able to do anything major. They could execute a piece of code via web/ftp technically, but it'd really be much more trouble than it's worth for somebody that wanted in on your cable line. Your network will be plenty secure just going with:

    modem -> router -> switch -> LAN and setting your server as the DMZ

  16. #16
    Thanks for the explanation JustADollar, I appreciate it very much, again

    I am still not getting how they would have access to my home PC's if they were behind Router2. Once they hacked into the Linux server they would only have access to Router2 which would be stealthing/blocking all incoming ports, right? Or does it always have ports open? Sorry for not knowing too much about this stuff, I have never tried to set anything up like this.

    I *really* would prefer the networks be segmented because 3 or 4 other people have their PC's on the LAN and I absolutely cannot afford their computers to get hacked due to my server, even if the chances are really slim. It is just a risk I can't take. Maybe I am being too paranoid? I am just trying to figure this thing out.

    Any more advice would be great.

    Thanks for all you have told me so far, it has been very helpful

  17. #17
    Join Date
    Sep 2004
    Location
    Flint, Michigan
    Posts
    5,765
    Well, a router is used to "Connect Networks" in the simplest terms. Having router 1 connected to router 2 would connect the networks together. Even though the networks are segmented, that does not stop one network from being able to communicate to another network.

    An example would be talking to your friend via AIM.

    We'll keep this simple:

    You send a message to your friend:

    Your Computer -> Your LAN -> Your Switch -> Your Router -> Your Modem -> The Internet -> Their Modem -> Their Router -> Their Switch -> Their LAN -> Their Computer.

    Just the reverse when you receive a message. As you can see, there are two routers in that configuration (technically much more because of the internet, but we're keeping it simple) yet they are able to communicate to your computer.

    Now in your case you could setup the second router (one for the home PCs) to block all traffic coming from the IP of the first server, but you could also do this with a regular router. The problem that comes in is when you want to FTP/SSH to your web-server over your LAN. You would have to do everything over the internet which would require setting up port-forwarding on the one router to send specific traffic to the server. In any event even if you wanted to do this, you could do the exact same thing with a software firewall on all the machines on your LAN. If you installed a software firewall on every desktop computer and set it to drop all traffic from 192.168.1.1 (whatever the IP of your server is) it would have the same effect and save you some money.

    Routers like you are using come with firewalls built in, but in truth they really do not do too much to help protect you from any hacking attempts.

  18. #18
    Wow, Thanks Again

    So, I can basically just block all incoming traffic to my PC's from my server by blocking all traffic from the IP address of the server with a software firewall (which I already have installed on all my PC's).

    BUT I can still access my SSH/FTP/MAIL via the internet as long as the proper ports 80,21,25 are being forwarded to the server.

    Is that right?

    If so then my problem is solved.

    Thanks for all the help!!!!!!


  19. #19
    Join Date
    Sep 2004
    Location
    Flint, Michigan
    Posts
    5,765
    Yup that is right on. On your router you'd forward all incoming traffic to your IP for ports 21, 25, 80, etc... to your server's IP. On all the home machines you'd deny any incoming traffic from your server's IP. Then to connect to your server you'd do ftp 65.74.150.18 (just a random IP, replace with your internet IP of course) and all should work well. If a hacker was to get into your server, they would not be able to access any home machine because all traffic generated from the server would be dropped by the firewalls. Even if they were to access the router, the firewall is located on the home server so it would be the one dropping the traffic.

  20. #20
    Thanks so much!!! You solved my problem!!! I will be able to sleep easy tonight. I can't thank you enough.



    Good Karma to you my friend.
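
The layouts compared in this thread can be checked with a small reachability model. This is an added example, not part of any post; the host names (outsider, server, pc), the layout dictionaries and the forwarding assumptions stated in the comments are illustrative, and real router firmware may behave differently.

```python
# Added illustration (not from the thread): a reachability model, not a packet simulator.
# Assumptions: hosts on one segment (same switch/LAN) reach each other directly;
# a NAT router passes LAN->WAN connections and passes unsolicited WAN->LAN
# connections only to its DMZ host; a host firewall drops by source host.
# The source-based rule assumes the server keeps the address the rule names.

def can_initiate(layout, src, dst):
    """Return True if a new connection opened by src can reach dst."""
    if src in layout.get("host_drop", {}).get(dst, set()):
        return False                      # dst's software firewall drops src
    segments, routers = layout["segments"], layout["routers"]
    frontier = [s for s, members in segments.items() if src in members]
    seen = set()
    while frontier:
        seg = frontier.pop()
        if seg in seen:
            continue
        seen.add(seg)
        if dst in segments[seg]:
            return True
        for wan, lan, dmz_host in routers:
            if seg == lan:
                frontier.append(wan)      # outbound through NAT is allowed
            elif seg == wan and dst == dmz_host:
                frontier.append(lan)      # inbound only to the DMZ host
    return False

# Constructed layouts. Routers are (wan_segment, lan_segment, dmz_host).
# One router, server set as DMZ host on the same LAN as the home PCs.
SINGLE = {"segments": {"internet": {"outsider"}, "lan": {"server", "pc"}},
          "routers": [("internet", "lan", "server")]}
# Same wiring, plus a software firewall on the PC dropping the server's address.
SINGLE_FW = dict(SINGLE, host_drop={"pc": {"server"}})
# Router1 with the server as DMZ host; Router2's WAN port plugged into Router1's LAN.
TWO_ROUTERS = {"segments": {"internet": {"outsider"}, "dmz": {"server"}, "home": {"pc"}},
               "routers": [("internet", "dmz", "server"), ("dmz", "home", None)]}

PAIRS = [("outsider", "server"), ("outsider", "pc"), ("server", "pc")]

def report():
    """Map layout name -> {'src->dst': reachable} for the pairs that matter here."""
    layouts = {"single": SINGLE, "single+hostfw": SINGLE_FW, "two-routers": TWO_ROUTERS}
    return {name: {f"{s}->{d}": can_initiate(lay, s, d) for s, d in PAIRS}
            for name, lay in layouts.items()}

if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:14s}", row)
```

The `server->pc` column is the one that answers the original question: it is the path a compromised DMZ host would use.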
