
Port forwarding + public DCS server + NAS = safety?

chnapo

Hi guys. So I got the idea to use one machine as my personal NAS as well as a DCS server; how to do that was discussed in another topic. But now I am getting a little afraid, because in order for the DCS players to connect, I have to set up port forwarding. They will know my IP address, so what prevents them from accessing my NAS and files? Isn't this like opening the door for them?


Well, first things first: if you're hosting something for more than your direct friends (or people you can directly trust), it should be in a datacenter.

 

Past that, of course you should only forward the exact port necessary for the game server, and your NAS's file storage shares should be password protected either way.


17 minutes ago, chnapo said:

Hi guys. So I got the idea to use one machine as my personal NAS as well as a DCS server; how to do that was discussed in another topic. But now I am getting a little afraid, because in order for the DCS players to connect, I have to set up port forwarding. They will know my IP address, so what prevents them from accessing my NAS and files? Isn't this like opening the door for them?

I would advise against opening a Windows PC to the internet in any capacity. Regardless of what ports you open, a Windows desktop is just not meant to be exposed to the internet, and I would consider it a cyber risk…

 

If you want to access your NAS from outside your network, a WireGuard VPN is the best option. But I wouldn't open up a game server to the internet if it's hosted on Windows…

Rig: i7 13700k - - Asus Z790-P Wifi - - RTX 4080 - - 4x16GB 6000MHz - - Samsung 990 Pro 2TB NVMe Boot + Main Programs - - Assorted SATA SSD's for Photo Work - - Corsair RM850x - - Sound BlasterX EA-5 - - Corsair XC8 JTC Edition - - Corsair GPU Full Cover GPU Block - - XT45 X-Flow 420 + UT60 280 rads - - EK XRES RGB PWM - - Fractal Define S2 - - Acer Predator X34 -- Logitech G502 - - Logitech G710+ - - Logitech Z5500 - - LTT Deskpad

 

Headphones/amp/dac: Schiit Lyr 3 - - Fostex TR-X00 - - Sennheiser HD 6xx

 

Homelab/Media Server: Proxmox VE host - - 512 NVMe Samsung 980 RAID Z1 for VMs/Proxmox boot - - Xeon E5 2660 V4 - - Supermicro X10SRF-i - - 128 GB ECC 2133 - - 10x4 TB WD Red RAID Z2 - - Corsair 750D - - Corsair RM650i - - Dell H310 6Gbps SAS HBA - - Intel RES2SC240 SAS Expander - - TrueNAS + many other VMs

 

iPhone 14 Pro - 2018 MacBook Air


1 minute ago, manikyath said:

Well, first things first: if you're hosting something for more than your direct friends (or people you can directly trust), it should be in a datacenter.

 

Past that, of course you should only forward the exact port necessary for the game server, and your NAS's file storage shares should be password protected either way.

Let's assume there are some unprotected files and that it is indeed not in a datacenter, yet the DCS server is shared with more than just direct friends. How much does my security change before and after the port forward (which is a must for a DCS server)?


1 minute ago, LIGISTX said:

I would advise against opening a Windows PC to the internet in any capacity. Regardless of what ports you open, a Windows desktop is just not meant to be exposed to the internet, and I would consider it a cyber risk…

 

If you want to access your NAS from outside your network, a WireGuard VPN is the best option. But I wouldn't open up a game server to the internet if it's hosted on Windows…

I need my NAS only on the LAN. It's just for the sake of low cost, so that I don't have to buy 2 machines. Only the DCS server will be port forwarded.

  • TCP: 10308
  • UDP: 10308

(As per the DCS webpage.)
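To put the question "what prevents them from accessing my NAS" into something you can check, here is an added example (written for this thread; it is not code from DCS or from any poster) that reads a `netstat -ano` dump from the Windows host and separates what an internet peer can reach through the two forwarded ports from what would be reachable if the whole host were exposed (for instance by a router "DMZ host" setting or UPnP). The netstat excerpt, the LAN range 192.168.1.0/24, the ports and the PIDs are constructed sample data, not taken from the original post.

```python
import ipaddress

# Constructed sample in the layout `netstat -ano` prints on Windows.
# Every address, port and PID here is an assumption made for the example.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1200
  TCP    0.0.0.0:10308          0.0.0.0:0              LISTENING       5312
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING       3104
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:10308     203.0.113.7:51044      ESTABLISHED     5312
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:10308          *:*                                    5312
  UDP    0.0.0.0:5353           *:*                                    2200
"""

# Assumed LAN range and the only two forwards the router is configured with.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
FORWARDS = {("TCP", 10308), ("UDP", 10308)}
WILDCARDS = {"0.0.0.0", "::"}      # "listen on every interface"


def split_host_port(local):
    """'[::]:445' -> ('::', 445); '0.0.0.0:135' -> ('0.0.0.0', 135)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def parse_listeners(netstat_text):
    """Return [(proto, bind_host, port, pid)] for every listening socket."""
    listeners = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                      # header or blank line
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            if parts[3] != "LISTENING":
                continue                  # established connections are not services
            pid = int(parts[4])
        else:
            pid = int(parts[3])           # UDP rows have no State column
        host, port = split_host_port(local)
        listeners.append((proto, host, port, pid))
    return listeners


def classify(host, lan_net):
    """Where a socket is bound: loopback, a LAN address, or every interface."""
    if host in WILDCARDS:
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    return "lan-address" if ip in lan_net else "other"


def internet_reachable(listeners, forwards, lan_net):
    """Sockets an internet peer can hit when the router forwards only `forwards`.

    A service is reachable only if it listens on a routable interface AND
    the router has a forward for that exact protocol/port pair."""
    return {
        (proto, port, pid)
        for proto, host, port, pid in listeners
        if classify(host, lan_net) in ("all-interfaces", "lan-address")
        and (proto, port) in forwards
    }


def exposed_if_dmz(listeners, lan_net):
    """What a router 'DMZ host' / forward-everything setting would expose instead."""
    return {
        (proto, port, pid)
        for proto, host, port, pid in listeners
        if classify(host, lan_net) != "loopback"
    }


if __name__ == "__main__":
    ls = parse_listeners(NETSTAT_SAMPLE)
    print("reachable through the two forwards:",
          sorted(internet_reachable(ls, FORWARDS, LAN_NET)))
    print("reachable if the host sat in the router DMZ:",
          sorted(exposed_if_dmz(ls, LAN_NET)))
```

On the sample, the first report contains only TCP and UDP 10308 (the game server process), while the second also lists SMB (445/139), RPC (135) and RDP (3389), which is exactly the NAS-share exposure the thread is worried about. Two caveats: `netstat` shows what listens, not what the Windows Firewall profile admits, so read both; and UPnP can add forwards the script is not told about, so compare `FORWARDS` against the router's actual NAT table rather than against what you intended to configure.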

Just now, chnapo said:

Let´s assume there are some unprotected files and that it is indeed not in a datacenter yet the DCS server is shared to more than just direct friends. How much does my security change before and after port forward (which is a must for DCS server)?

It's 'eh'.

 

It uses a very weird port. I wouldn't forward the web management interface, of course, but the game port is fine, I suppose.

 

But I repeat: you should only do this if you're sharing the server with your direct friends. If it's listed anywhere public, it should be in a datacenter.


2 minutes ago, manikyath said:

It's 'eh'.

 

It uses a very weird port. I wouldn't forward the web management interface, of course, but the game port is fine, I suppose.

 

But I repeat: you should only do this if you're sharing the server with your direct friends. If it's listed anywhere public, it should be in a datacenter.

Bro, I am going to jump off that bridge either way, so better give me a good bungee rope instead of discouraging me from it. (I may not have phrased my original question well.)


5 hours ago, chnapo said:

Bro, I am going to jump off that bridge either way, so better give me a good bungee rope instead of discouraging me from it. (I may not have phrased my original question well.)

The issue here is... you may be jumping off a bridge you're not prepared to jump off.

 

Folks say it may not be a good idea because it, in fact, may not be a good idea. If this is all running on your Windows PC on a flat network, and there are any known exploits for this application, someone can easily just run port scans (which bots are running 24/7/365 against every known IP) looking for open ports, looking for exploits, trying default passwords, etc. If there is a known exploit and someone exploits it, who knows what sort of privilege escalation or attack vectors may be open to them; they could end up pwning your entire network...

 

Will this happen? Maybe. If it does, could it be pretty disastrous? Yes. Is it worth the risk? Only you can decide that.

 

Just to put it into perspective, I block all attempts to ping my firewall from all IPs that are outside of the USA (NOT THAT US IPs ARE SOMEHOW IMMUNE FROM BEING BAD ACTORS; I just live here, so in order not to totally inconvenience myself from being able to VPN into my own network, I have to draw the line somewhere), and I block known bad IPs based on peer lists, and in the last 30 days and 7 hours (the last time I rebooted my firewall) it has blocked 505,335 IPs from attempting to ping my IP in some form or fashion. No one is poking at my IP for fun..... I guarantee 95% of those are bots running port scans and poking at anything exposed to see if they can get in, and if they can, they let their owner know "I got a noob waiting to be pwned over here".

 

So.... all of this to say, opening ports to a Windows host is never a great idea, since Windows is not a secure operating system in the slightest, and running game servers without much thought into their security is just as bad. IF you do your homework and due diligence and determine it is safe, then you have done what you can to understand the risk, weighed it, and moved on. I will soon be running a dedicated game server on my homelab, but that virtual machine will be VLANed off on its own subnet with no access to the rest of my network, and it'll be running under a hardened Linux OS.



12 hours ago, LIGISTX said:

The issue here is... you may be jumping off a bridge you're not prepared to jump off.

 

Folks say it may not be a good idea because it, in fact, may not be a good idea. If this is all running on your Windows PC on a flat network, and there are any known exploits for this application, someone can easily just run port scans (which bots are running 24/7/365 against every known IP) looking for open ports, looking for exploits, trying default passwords, etc. If there is a known exploit and someone exploits it, who knows what sort of privilege escalation or attack vectors may be open to them; they could end up pwning your entire network...

 

Will this happen? Maybe. If it does, could it be pretty disastrous? Yes. Is it worth the risk? Only you can decide that.

 

Just to put it into perspective, I block all attempts to ping my firewall from all IPs that are outside of the USA (NOT THAT US IPs ARE SOMEHOW IMMUNE FROM BEING BAD ACTORS; I just live here, so in order not to totally inconvenience myself from being able to VPN into my own network, I have to draw the line somewhere), and I block known bad IPs based on peer lists, and in the last 30 days and 7 hours (the last time I rebooted my firewall) it has blocked 505,335 IPs from attempting to ping my IP in some form or fashion. No one is poking at my IP for fun..... I guarantee 95% of those are bots running port scans and poking at anything exposed to see if they can get in, and if they can, they let their owner know "I got a noob waiting to be pwned over here".

 

So.... all of this to say, opening ports to a Windows host is never a great idea, since Windows is not a secure operating system in the slightest, and running game servers without much thought into their security is just as bad. IF you do your homework and due diligence and determine it is safe, then you have done what you can to understand the risk, weighed it, and moved on. I will soon be running a dedicated game server on my homelab, but that virtual machine will be VLANed off on its own subnet with no access to the rest of my network, and it'll be running under a hardened Linux OS.

I am very allergic to discouragement; I just don't pay enough attention to security. BUT. You are the first one to actually provide me a useful answer, in that last sentence: a VM VLANed off to its own subnet. Thanks, I will wait a bit to see if some other people come with useful advice.


Guys.....

 

A port is a port. Doesn't matter if that port is on Linux, or a mainframe, or Unix, or Windows, or hosted in a datacenter. A port is a port. The datacenter comment is funny. Like... RDS servers on Azure have never been hacked... rofl.

 

I repeat: a port is a port. No one hacks ports. They hack the app behind the port. Computers are binary. Stop watching NCIS and TV shows.

 

What gets devices hacked is the *application* behind that open port having a bug in it that can be exploited by throwing malicious code at it, or you having a gimpy password. Just because a port is open doesn't mean it's an automatic security hole.

 

If you can't use a VPN, then use a firewall rule that only allows connections from your friends' IPs.

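Two of the replies above make claims you can test against your own firewall log: that most of what hits an exposed IP is bots port-scanning around the clock, and that a rule admitting only your friends' IPs on the game port is the fallback when a VPN is not an option. The block below is an added example for this thread (not code from any poster, from DCS, or from Windows) that parses a log excerpt laid out like Windows Firewall's pfirewall.log, flags sources that probed many ports, and re-decides every game-port packet under a friends-only rule. The log lines, the friends' network 203.0.113.0/24, the timestamps and every address are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt in the shape of Windows Firewall's pfirewall.log (the
# #Fields line names the columns). All addresses and times are made up.
LOG_SAMPLE = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 02:10:01 DROP TCP 198.51.100.9 192.168.1.20 51234 22 52 S 0 0 8192 - - - RECEIVE
2024-05-01 02:10:01 DROP TCP 198.51.100.9 192.168.1.20 51235 445 52 S 0 0 8192 - - - RECEIVE
2024-05-01 02:10:02 DROP TCP 198.51.100.9 192.168.1.20 51236 3389 52 S 0 0 8192 - - - RECEIVE
2024-05-01 02:10:02 DROP TCP 198.51.100.9 192.168.1.20 51237 5000 52 S 0 0 8192 - - - RECEIVE
2024-05-01 02:10:03 DROP TCP 198.51.100.9 192.168.1.20 51238 8080 52 S 0 0 8192 - - - RECEIVE
2024-05-01 02:11:00 DROP TCP 198.51.100.77 192.168.1.20 40000 445 52 S 0 0 8192 - - - RECEIVE
2024-05-01 02:12:15 ALLOW TCP 203.0.113.7 192.168.1.20 51044 10308 52 S 0 0 8192 - - - RECEIVE
2024-05-01 02:12:16 ALLOW UDP 203.0.113.7 192.168.1.20 51044 10308 120 - - - - - - - RECEIVE
2024-05-01 02:13:40 ALLOW TCP 192.0.2.200 192.168.1.20 61000 10308 52 S 0 0 8192 - - - RECEIVE
2024-05-01 02:14:00 DROP UDP 192.0.2.200 192.168.1.20 61001 10308 120 - - - - - - - RECEIVE
"""

GAME_PORT = 10308
# Assumed allowlist: the networks your friends connect from.
FRIEND_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_log(text):
    """One dict per record; '#' header lines are skipped, only the first 8 columns matter."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        events.append({
            "time": f"{f[0]} {f[1]}",
            "action": f[2], "proto": f[3],
            "src": ipaddress.ip_address(f[4]), "dst": ipaddress.ip_address(f[5]),
            "sport": int(f[6]), "dport": int(f[7]),
        })
    return events


def blocked_sources(events):
    """Distinct source IPs that had at least one packet dropped."""
    return {str(e["src"]) for e in events if e["action"] == "DROP"}


def port_scanners(events, min_ports=4):
    """Sources whose dropped packets touched >= min_ports distinct destination ports.

    A single stray packet is noise; one source walking 22, 445, 3389, 5000, ...
    within seconds is the scanner behaviour the thread describes."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "DROP":
            ports[e["src"]].add(e["dport"])
    return {str(src): sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def in_allowlist(src, allow_nets):
    return any(src in net for net in allow_nets)


def game_port_peers_outside_allowlist(events, allow_nets, port=GAME_PORT):
    """Peers the router let through to the game port that a friends-only rule would refuse."""
    return sorted({
        str(e["src"]) for e in events
        if e["dport"] == port and e["action"] == "ALLOW"
        and not in_allowlist(e["src"], allow_nets)
    })


def simulate_friends_only_rule(events, allow_nets, port=GAME_PORT):
    """Re-decide each game-port packet under 'allow from allow_nets, drop everything else'."""
    return [
        (str(e["src"]), e["proto"],
         "ALLOW" if in_allowlist(e["src"], allow_nets) else "DROP")
        for e in events if e["dport"] == port
    ]


if __name__ == "__main__":
    ev = parse_log(LOG_SAMPLE)
    print("distinct blocked sources:", len(blocked_sources(ev)))
    print("port scanners:", port_scanners(ev))
    print("strangers who reached the game port:",
          game_port_peers_outside_allowlist(ev, FRIEND_NETS))
    for decision in simulate_friends_only_rule(ev, FRIEND_NETS):
        print("friends-only rule would", *decision[::-1])
```

The scanner heuristic is deliberately crude (distinct ports per source, no time window) so that it is obvious what it counts; on a real log you would add a window and a threshold tuned to your traffic. The allowlist half shows the cost of the friends-only approach: residential peers usually have dynamic addresses, so `FRIEND_NETS` needs maintaining whenever a friend's ISP renumbers them, which is the administrative reason the thread keeps pointing at a VPN instead.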

1 hour ago, wseaton said:

Guys.....

 

A port is a port. Doesn't matter if that port is on Linux, or a mainframe, or Unix, or Windows, or hosted in a datacenter. A port is a port. The datacenter comment is funny. Like... RDS servers on Azure have never been hacked... rofl.

I fully agree. The datacenter comment doesn't make much sense; all it does is remove your network from the equation, which is an added security benefit.

 

But I wouldn't punch holes through firewalls to Windows machines on my local LAN… unless it was VLANed off and segmented, but that goes for mostly anything you're punching holes through for. If there was an exploit that allowed someone basically any privilege level on the host Windows box to do anything, they could do basically everything. At least with a Linux box it's a more secure starting point.

 

But mostly, regardless, network segmentation is the way to secure your LAN, so even if the box is used as a way to attempt lateral movement, there won't be anything to move into, assuming your firewall doesn't just fall over. OP would need a firewall with VLAN capability and a hypervisor that supports it (the hypervisor is the easy part here; most do).



Design-wise it's a bad idea to have all your data and backups exposed to the internet.

Bad, bad, bad, where is the rolled-up newspaper... hmm... well, it's bad.

 

However... TrueNAS, and the FreeBSD it's based on, has a very good virtual OS layer called Jails that can be used to securely isolate software. Think of it like an onion: make sure there are many layers you have to pass through in order to get to the data, and always make sure any access methods use "something physical you have" and "something you know", such as a unique key file and a password, or your phone with 2FA and a password. Keep in mind that ANYTHING you connect to the internet must be tested and updated regularly.

 

Security by its nature is a hassle. Think like the TSA: big hassle... (wait, that is probably a bad example... lots of hassle and no real security with the TSA... lol) but you get the idea.

Also, it's very true that every one of us can design a security system we ourselves can't break into. Don't fall into this trap; use trusted, known-good methods.


"Only proprietary software vendors want proprietary software." - Dexter's Law

