[SATLUG] Questions about home server security

David Kowis dkowis at shlrm.org
Mon Feb 11 09:59:26 CST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/10/2013 02:13 PM, Brad Knowles wrote:
> On Feb 10, 2013, at 12:35 PM, Frank Huddleston <fhuddles at gmail.com>
> wrote:
> 
>> So what can you tell me? I guess I really mean, what can I tell 
>> him? Is this relatively safe for his LAN? Is there something I 
>> should do to make it safer?
> 
> If I was going to be running a server on someone else's home 
> network, the first thing I'd want to do is make sure it's set up 
> for VPN-only access.  That way, no one can get into the machine 
> except through the VPN, which is a secure encrypted connection
> that you control (assuming the VPN software doesn't have bugs or 
> backdoors).

I'd recommend openvpn, as it's easy enough to get out via NAT using
that, as well it's simple to set up, and pretty secure.

> 
> The second thing I'd want to do is make sure that their home 
> network router/gateway is capable of having two separate networks, 
> one of which they could use for their own purposes and one which 
> you could use remotely.  These should be distinct local networks 
> without any overlap.  The local network you use at their site
> could be a "DMZ" network, if that is what the router/gateway vendor
> wants to call it. But whatever they call it, it should be separate
> and distinct from the other network -- different RFC1918 local
> network ranges and everything.

If you can't set up a DMZ and such, you can configure the local
firewall on that box to not allow access to anything on that local
network, except out via the VPN, and access to your endpoint (your
house). I'd recommend some kind of dynamic dns for connectivity back
to your home.
Of course, this doesn't solve anything if your box gets compromised,
but it can insulate your box from his network, if you cannot get a DMZ
set up.

> 
> Of course, everything you put on that machine in a remote location
>  should be using an encrypted filesystem, too.
> 
> Beyond that, you're trusting that if/when there is a dawn raid on 
> the house, the police will indescriminately grab every single 
> electronic device in the house, but when the technicians put 
> everything back together in their lab they should discover that 
> there was a "chinese wall" between the two networks, and at least 
> one set of those computers can be clearly identified as having no 
> connection to the other set, and whomever owns those computers 
> should be able to get them back in relatively short order -- maybe 
> just a few months, as opposed to being held as evidence for years 
> or decades.

Yes. Encrypt everything.

- --
David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQGcBAEBAgAGBQJRGRVeAAoJEMnf+vRw63ObU3IL/2DSZ4jS2BwUkuYODxWpYppW
Em4al/V7c1by2e0f4q9Iv+4IxhP0vE5miclGPldxefQiis2qzshWqGPajrDO1YBP
HNk/a8NV67uokLwcx67t08rHp6Sn1qkyQwDtKw5SQQlK+4bIWNTZfrUwes7mhblA
9kPHshHK4gBMnezVbjMJIO4xxMmzAwhqwBZztW3PgLoSMtB42X0kDt2svapwDH08
dobElQhNeoptTWHZqlhHOn8SuRIN5FCgw/rz2YpoZiI+5Cu2AuvsnVPXHjyKeXjW
txGrN6Lu5x7Y1OfZy+0Dk2y/301Od8u9WEtNR75VMx5Ve38RLo+2MEJ8HhmhUbVQ
bUnWF51vZCBxC+DQcwxN2Inbv0ic1iVys0enXgtsaTL+8SmRXrzobiot25qAc3ou
zqJyfCDPGX/jlu/6UIhWCF8v3sPuewxsUSi4vffDfftzA17exiBcQ7n8xc8z0ytA
K+eAES0rH9gyCE9LSOmZ2jEGHAisv9uKIW+1AmWWzA==
=mLcR
-----END PGP SIGNATURE-----


More information about the SATLUG mailing list