Questions regarding security / running a server from home.

Hi there

I've just got a few things on my mind, that I'd love to know the answers to if possible and a bit of info on certain things :)

Well firstly, I'm wanting to run a server here. What it will be is an FTP / web server / MySQL / media server ( access to my media from anywhere, not just the home ).

Just a few simple questions really,

If I do run a server, say a web server... but I don't forward the ports from my router to the server. Is it still possible for someone to access those websites on the server? Or do the ports HAVE to be forwarded? Just a bit of a security question, wondering if it's possible to gain access even if I didn't forward them.

Also, is it possible for anyone to gain access to any of my other files or do anything with the server through any port? Say if I only forward port 80. Could someone come along and gain access to files not even in the web server directory? Or do anything else to the server?

Another one. So for example, I have 2 completely unsecured computers on my network, along with my server. Is it possible for someone to do a scan or anything to be able to know that those 2 computers are also on the same network as the server they are accessing, and gain access to those 2 unsecure computers?

+ is there anything else I should know security wise if going along with putting a server on my network? :)


Thanks all for any input
 
You do have to forward ports to get access to services behind NAT. That's just the way it works.

All the destination port does is identify a service application to receive the datagrams. How secure that is depends entirely on the limitations of the application handling the requests and the way it's set up.

Provided the server is secure it shouldn't be possible to know from outside that you have two unsecured computers on the forwarded ports alone. One thing you might consider though is the outbound connections of those machines can be monitored and this can alert someone to their presence. By accessing this forum you are establishing and closing TCP connections across the NAT that can be seen if packets are intercepted. Not usually a big issue as there's no reason anyone would be monitoring you, but IF you are running a public server with an FQDN associated with it then you will be drawing a lot more attention to your public IP, which will make it more likely someone might go looking.

You can put the server on a separate subnet to the rest of the network to protect it from "leapfrogging" from the server to the LAN devices, however if I was associating my WAN IP with a public domain then I would want everything that used that public IP to be secured to a reasonable extent.
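
The behaviour described in the reply above, as an added example that is not part of the original thread: a simplified Python model of a home NAT router with one port forward and the server on its own subnet. The addresses, subnets and names (`NatRouter`, `demo`) are assumptions for illustration, and real routers differ in how strictly they match replies to outbound connections.

```python
# Added example: toy model of a home NAT router. All addresses are constructed.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumed subnet for the home PCs
DMZ = ip_network("192.168.2.0/24")   # assumed separate subnet for the server
SERVER = "192.168.2.10"              # assumed server address

class NatRouter:
    def __init__(self, forwards):
        self.forwards = dict(forwards)  # WAN port -> (internal ip, port)
        self.conntrack = {}             # WAN port -> (int ip, int port, remote ip, remote port)
        self.next_port = 40000

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """An internal host connects out; the router records a mapping."""
        wan_port = self.next_port
        self.next_port += 1
        self.conntrack[wan_port] = (src_ip, src_port, dst_ip, dst_port)
        return wan_port

    def inbound(self, remote_ip, remote_port, wan_port):
        """A packet arrives on the WAN side: which internal host gets it?"""
        entry = self.conntrack.get(wan_port)
        if entry and entry[2:] == (remote_ip, remote_port):
            return entry[:2]                 # reply to a tracked connection
        if wan_port in self.forwards:
            return self.forwards[wan_port]   # explicit port forward
        return None                          # unsolicited and not forwarded: dropped

    def internal(self, src_ip, dst_ip):
        """Inter-subnet rule: the server subnet may not initiate to the LAN."""
        return not (ip_address(src_ip) in DMZ and ip_address(dst_ip) in LAN)

def demo():
    r = NatRouter({80: (SERVER, 80)})        # only port 80 is forwarded
    wan = r.outbound("192.168.1.20", 51000, "203.0.113.5", 443)
    return {
        "http": r.inbound("198.51.100.7", 33333, 80),      # forwarded to server
        "ftp": r.inbound("198.51.100.7", 33334, 21),       # no forward: dropped
        "reply": r.inbound("203.0.113.5", 443, wan),       # tracked reply to LAN PC
        "other_host": r.inbound("198.51.100.7", 443, wan), # wrong remote: dropped
        "server_to_lan": r.internal(SERVER, "192.168.1.20"),
        "lan_to_server": r.internal("192.168.1.20", SERVER),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} -> {result}")
```

The model only decides where a packet is delivered; what a visitor can do once a request reaches the forwarded service still depends on that application and how it is set up.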
 