Opening my ports at home for a demo
Posted: Thu Nov 13, 2008 12:05 pm
by alex.barylski
I have an application which I wish to allow others to begin demo'ing.
It's not quite ready for a dedicated server just yet but the idea is to use my home account (old desktop connected to web through firewall) to allow a dozen or so testers to play with the application before making the move to something more stable, etc.
I essentially am opening my port 80 to allow outside access. I know this is risky but what are some steps I can take to prevent malicious use?
My Debian machine is the only computer with a HTTP server (Apache) and I plan on re-installing the latest Debian release so I have an updated system. Then installing only those services which I know are required and I am familiar with. No SMTP, FTP, user accounts, etc.
Basically a barebones system with LAMP and a few extensions for Apache/PHP outside of default install...and SSH so I can update the system from my Windows machine.
Should I turn on the firewall for each Windows desktop connected to the network? There are 6 computers in total...2 wireless, 4 physically connected. None are anything other than general end user computers running XP Home or Pro.
Obviously my PHP scripts are buttoned down about as tight as I know how to make them so there should be no external access to the machine outside of PHP/Lamp.
I'm actually considering running PHP as CGI Suexec for additional security...
Any other Debian services I should be aware of or I should consider disabling when I open my port 80 to the public?
I will close the port for most of the time...it's only open for short periods of time to allow people to test the application and give me feedback, etc.
Cheers,
Alex
Re: Opening my ports at home for a demo
Posted: Thu Nov 13, 2008 12:13 pm
by Eran
There are several notches before a dedicated server, such as basic hosting packages and VPS. You can get a deal for as low as a few dollars a month to host your account on a LAMP server easily.
That being said, if you are running only this application on this desktop, you don't have much to fear. If you have other sensitive information there, consider using a virtual machine to run your server, effectively cutting it from accessing your computer.
Google a bit about server hardening if you are up to it, just bear in mind that true security is something that takes a lot of experience and knowledge to achieve.
Re: Opening my ports at home for a demo
Posted: Thu Nov 13, 2008 1:10 pm
by alex.barylski
Eran wrote:
There are several notches before a dedicated server, such as basic hosting packages and VPS. You can get a deal for as low as a few dollars a month to host your account on a LAMP server easily.
Shared hosts are horrible. I run my web site off a shared host and a few times I've had issues with other users (maybe) or system updates, etc. conflicting with my applications. Besides, the source is very near and dear to me and it's important to me to keep it as safe from prying eyes as possible. So a dedicated solution is the only real option. Plus I need the performance to host several clients.
Eran wrote:
That being said, if you are running only this application on this desktop, you don't have much to fear. If you have other sensitive information there, consider using a virtual machine to run your server, effectively cutting it from accessing your computer.
That's a good idea, although I don't think it's needed.
Eran wrote:
Google a bit about server hardening if you are up to it, just bear in mind that true security is something that takes a lot of experience and knowledge to achieve.
I am familiar with most security settings for a simple LAMP server...and the very basics of system security. The thing is most security documents describe security from a multiple user perspective *not* a single Linux user, multiple web application user perspective. That changes the security requirements substantially I believe.
This is what I have in mind hitherto:
1. Disable all accounts but root & me (tight password)
2. Disable remote root login
3. Disable all public services except Apache
4. Use public key stored on thumbdrive to access SSH (not really needed as no one is going to intercept the password from my desktop to my server behind a firewall -- I doubt anyways -- but for a live dedicated server I will use this)
5. (EDIT) I figure I can also use /etc/hosts.allow on my server to restrict access to only my desktop computer -- if even necessary or possible seeing as they are both behind a NAT router.
Most other services are by default somewhat secure. For instance MySQL doesn't allow remote connections without changing the config file...at least I had to change it manually on the last Debian system.
There is no FTP service or anything so I do not see how anyone could gain effective use of the system unless they guessed my password.
I have found security checklists but how many points are relevant to a web server with a single user? When I rent a dedicated host, they usually offer firewall protection, etc (sometimes for additional fees) so as far as that security is concerned, it's usually taken care of by virtue of hosting with a data center.
http://www.debian.org/doc/manuals/secur ... st.en.html
Re: Opening my ports at home for a demo
Posted: Thu Nov 13, 2008 1:19 pm
by alex.barylski
It just occurred to me that while running on my home server the router needs to be informed of what ports are opened...so if I only open 80 there is no way for anyone on the outside to access any services on other ports anyways, isn't it? That's how I understand NAT routers to work.
Although I would be interested to see a custom firewall setup (VladSun did something like this using IPTables I believe) for a live dedicated server to prevent any access to any ports other than HTTP and SSH. That way only the server itself could access these services which is the ideal when running a web application I would imagine.
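The kind of ruleset the post above asks about, as an added example that is not VladSun's actual setup: INPUT defaults to DROP, only HTTP and SSH are accepted from outside, and everything else (MySQL, portmap, exim) stays reachable over loopback only, i.e. by the server itself. SSH_FROM is an assumed CIDR for where sshd may be reached from; the function only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not the forum poster's or VladSun's setup: iptables INPUT rules
# for a host that should answer only HTTP and SSH from other machines.
# SSH_FROM is an assumption: the network allowed to reach sshd (here the LAN);
# set it to 0.0.0.0/0 to accept SSH from anywhere.
SSH_FROM="${SSH_FROM:-192.168.1.0/24}"

fw_rules() {
    # Start clean and default to DROP, so an unlisted port is closed, not just unused
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    # The server may always talk to its own daemons (MySQL on 127.0.0.1, portmap, ...)
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections the server started (apt-get, DNS lookups) must get back in
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The two services that are meant to be public
    echo "iptables -A INPUT -p tcp --dport 80 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 22 -s $SSH_FROM -j ACCEPT"
    # Explicit final DROP so the counter on this rule shows what was refused
    echo "iptables -A INPUT -j DROP"
}

# fw_rules only prints the commands. After reviewing them, apply as root with:
#   fw_rules | sh
fw_rules
```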
Re: Opening my ports at home for a demo
Posted: Thu Nov 13, 2008 1:24 pm
by Eran
You should have another user - apache. All files outside of its responsibility should be under root. And if you're really paranoid, you can run SELinux... but be prepared to enter a world of pain (we are running it on our dedicated server)
Re: Opening my ports at home for a demo
Posted: Thu Nov 13, 2008 1:44 pm
by alex.barylski
I meant users which are capable of being logged in...each daemon I install has separate users.
selinux...sounds interesting but probably more than what I need or care to bother with although I might be able to learn from it so I'll keep it in mind.

Re: Opening my ports at home for a demo
Posted: Thu Nov 13, 2008 1:57 pm
by alex.barylski
I'm just reading some tutorials on Debian security and with the command:
I was able to see all the services running and LISTEN apparently indicates the ones which are network accessible:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
portmap 1739 daemon 3u IPv4 4882 UDP *:sunrpc
portmap 1739 daemon 4u IPv4 4883 TCP *:sunrpc (LISTEN)
exim4 2065 Debian-exim 3u IPv4 5453 TCP localhost:smtp (LISTEN)
inetd 2077 root 4u IPv4 5481 TCP *:auth (LISTEN)
rpc.statd 2097 statd 3u IPv4 5521 UDP *:1024
rpc.statd 2097 statd 6u IPv4 5511 UDP *:customs
rpc.statd 2097 statd 7u IPv4 5528 TCP *:2958 (LISTEN)
dhclient3 2169 root 4u IPv4 5209 UDP *:bootpc
sshd 2322 root 3u IPv6 6136 TCP *:ssh (LISTEN)
sshd 2327 root 3u IPv6 6159 TCP 192.168.1.101:ssh->192.168.1.100:1219 (ESTABLISHED)
I certainly wouldn't need Exim (either on my computer or the dedicated server -- I'll use postfix if anything) and portmap? I looked at my inetd.conf and everything was commented out so why does this daemon run at all???
Ideally that list would only really show http, imap, smtp and ssh when the system is fully configured. My desktop will only need SSH and HTTP I believe.
So why does inetd still appear even though its entries are all commented?
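The listing above can be reduced to just the sockets another host could reach, which is the question the post is really asking. This is an added example, not part of the original post: an awk filter over lsof -i style output that drops anything bound to localhost and anything that is not a listening TCP socket or a UDP socket. The sample input is constructed from the listing quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): keep only the sockets in lsof -i style
# output that other hosts can reach. A socket bound to localhost is invisible
# from the LAN and the Internet; one bound to "*" answers on every interface.
# Reads lsof output on stdin and prints "PROTO COMMAND ADDRESS" per exposed socket.
exposed_sockets() {
    awk '
        NR == 1 { next }                        # skip the COMMAND PID USER ... header
        {
            proto = ""
            for (i = 1; i <= NF; i++)           # NODE column position varies by lsof version
                if ($i == "TCP" || $i == "UDP") proto = $i
            if (proto == "") next
            if ($NF ~ /^\(.*\)$/) {             # trailing state such as (LISTEN)
                state = $NF; addr = $(NF - 1)
            } else {
                state = ""; addr = $NF          # UDP sockets carry no state column
            }
            # Only listening TCP sockets and UDP sockets accept unsolicited packets
            if (proto == "TCP" && state != "(LISTEN)") next
            # Split host from port on the LAST colon so [::1]:port style names work
            n = split(addr, parts, ":")
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host == "localhost" || host == "127.0.0.1" || host == "[::1]") next
            print proto, $1, addr
        }'
}

# Constructed sample, taken from the listing quoted in the post above
SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
portmap 1739 daemon 3u IPv4 4882 UDP *:sunrpc
portmap 1739 daemon 4u IPv4 4883 TCP *:sunrpc (LISTEN)
exim4 2065 Debian-exim 3u IPv4 5453 TCP localhost:smtp (LISTEN)
inetd 2077 root 4u IPv4 5481 TCP *:auth (LISTEN)
dhclient3 2169 root 4u IPv4 5209 UDP *:bootpc
sshd 2322 root 3u IPv6 6136 TCP *:ssh (LISTEN)
sshd 2327 root 3u IPv6 6159 TCP 192.168.1.101:ssh->192.168.1.100:1219 (ESTABLISHED)'

# Stand-alone run over the sample; on the real box use: lsof -i | exposed_sockets
printf '%s\n' "$SAMPLE" | exposed_sockets
```

Exim disappears from the result because it listens on localhost only; portmap, inetd's auth service and sshd remain because they are bound to every interface.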
Re: Opening my ports at home for a demo
Posted: Thu Nov 13, 2008 4:18 pm
by VladSun
I need you to clarify your network topology. As far as I can understand you have 5-6 desktop machines (Windows and the Debian server) behind a router (I suppose a hardware one), right?
Re: Opening my ports at home for a demo
Posted: Thu Nov 13, 2008 6:09 pm
by alex.barylski
Yup...just a standard 4 port wireless NAT router (linksys I think).
All machines are Windows based except for one desktop which is in my basement running Debian Etch.
Re: Opening my ports at home for a demo
Posted: Fri Nov 14, 2008 7:37 am
by VladSun
PCSpectra wrote:... NAT router ...
So, as said above, you need to enable and configure the port forwarding router feature in order to get any access from the Internet to any port on any machine.
Otherwise, because of the nature of NAT, any incoming connection will be discarded.
Re: Opening my ports at home for a demo
Posted: Fri Nov 14, 2008 4:47 pm
by alex.barylski
VladSun wrote:
Otherwise, because of the nature of NAT, any incoming connection will be discarded.
So as long as I only open port 80 and Apache/PHP are up to par there is little chance of anyone hacking the system?

Re: Opening my ports at home for a demo
Posted: Fri Nov 14, 2008 5:00 pm
by Eran
It only means that any possible attack would come through port 80