Hack and / - Your Own Personal Server: the Network

 in
This first installment of Kyle's personal server series will walk you through some common network hangups that can get in the way of hosting your own server at home.
Modems and Gateways

These days, most people who would want to host a server at their homes tend to access the Internet through some sort of DSL or cable modem. This device connects to either a phone line or some other cable on one end and provides a network port (or sometimes a USB port) on the other. More sophisticated modems actually can act as a gateway, and even a DHCP server, and hand out internal IPs to computers in the home while the public IP resides on the modem itself.

If you plan on having multiple computers inside your home network, I recommend getting the modem configured so it acts more like a bridge, so that the publicly routed IP address is assigned to a device that is under your control, whether it's a home router or a computer on your network. Most home routers these days (including DSL and cable modems, if your ISP gives you the ability to configure them) have the ability to do port forwarding so that incoming traffic intended for your Web server (ports 80 and 443) can be redirected to the internal IP address. The more control you have over your gateway, the more flexibility you will have in how you set up your servers and your network. If you do opt to use a consumer router instead of turning a home computer into the gateway, you might want to choose a router that can be reflashed with custom Linux firmware (like OpenWRT or DD-WRT), so you can have some of the same flexibility you would have if a Linux server acted as the gateway.

Security, Firewalls and Virtual IPs

Of course, any time you open up a service to the Internet, you are opening yourself up to attack. These days, it doesn't matter if you just have a lone server on the Internet; attacks are automated, so your obscurity doesn't ensure security. Be sure that any service and server you make available on the Internet is kept up to date with the latest security patches. If you have the ability to configure a firewall on your gateway router, block all incoming ports by default and allow in only ports you know need to be open. If you are going to open up an SSH server to the public Internet, be sure to audit your passwords, and make sure they are difficult to guess (or better, disable passwords altogether and use key-based authentication). These days, more home (and enterprise) Linux servers are hacked due to bad passwords than just about anything else.

While I'm on the subject of firewalls, here's a quick tip if you happen to use a Linux device as your router with iptables. Even if you are granted multiple public IPs, you may find you prefer to have all Internet traffic come through a central router so it's easier to monitor and secure. To accomplish that, you likely will need to have your gateway device configured to answer on all of the public IPs and assign private IPs to the computers inside your home. Let's assume I have a few static IPs, including 66.123.123.63 and 66.123.123.64, and a gateway router that is configured to answer to both of those IPs on eth0. I have an internal server on my network with an IP address of 192.168.0.7. Because it has an internal IP, I want to forward traffic on my gateway destined for 66.123.123.64 to 192.168.0.7. The first way I could do it is to forward traffic only on specific ports to this host. For instance, if this were a Web server, I might want to forward only ports 80 and 443 to this server. I could use these iptables commands on my gateway router for the port forwarding:

iptables -t nat -A PREROUTING -d 66.123.123.64 -i eth0 -p 
 ↪tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.7:80
iptables -t nat -A PREROUTING -d 66.123.123.64 -i eth0 -p 
 ↪tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.7:443

This is also a common solution if you have only one public IP but multiple servers in your network, so you can forward Web ports to an internal Web server and e-mail ports to a different e-mail server. This method works; however, I'll have to be sure to add new firewall rules each time I want to forward another port. If I simply want to have the router forward all traffic destined for 66.123.123.64 to 192.168.0.7, I could use these two commands:

iptables -t nat -A PREROUTING -d 66.123.123.64 -i eth0 -j 
 ↪DNAT --to-destination 192.168.0.7
iptables -t nat -A POSTROUTING -s 192.168.0.7 -o eth0 -j 
 ↪SNAT --to-source 66.123.123.64

Note that because these commands forward all traffic to that internal host, regardless of port, I will want to make sure to lock down the firewall rules on that internal server.

This should be enough information to get you started on your network setup at home so that by next month, you'll be ready to set up your first service. In my next column, I'll focus on DNS, including how to register a domain and how to set up your own home DNS server.

Kyle Rankin is a Systems Architect in the San Francisco Bay Area and the author of a number of books, including The Official Ubuntu Server Book, Knoppix Hacks and Ubuntu Hacks. He is currently the president of the North Bay Linux Users' Group.

______________________

Kyle Rankin is a director of engineering operations in the San Francisco Bay Area, the author of a number of books including DevOps Troubleshooting and The Official Ubuntu Server Book, and is a columnist for Linux Journal.

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Ethical Hacking

akki's picture

Hello Friends,

Nice Post quite knowledgeable but learn ethical hacking from scratch with the training program conducted by experts at Inferno Solutions (http://www/inferno.co.in).They also train on linux & java. I learned linux by purchasing the training kit from http://www.ebooksyours.com/linuxtutorial.html.They cover everything from basics like live cd,hard disk installation,virtualization,vpn,IDS-IPS,UTM, Firewall,Mail Server,Proxy Server,NFS,Samba,LDAP,Clustering,Bandwith management,Kernel Programming,Device Drivers etc. I would highly recommend this kit for every linuxite.

Thanks & Regards,
Akki

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix