
Securing network server

Car712

Hello, so I recently set up a home 'private cloud' with Proxmox, and have my VMs all ready and set up; however, there is one issue: I don't want to expose my IP (and ports for the applications) to the open internet without some sort of security firewall or monitoring system in place. The last thing I want is for a VM to get hacked and someone accessing other devices on my home network. Anyways, I have looked at some systems, but I am wondering: which is the easiest to set up for 5 VMs (1 Windows and 4 CentOS)?

 

(And yes, I know about cloudflare, but that would defeat the main purpose of having a server at home, which is having good ping times, and connection speeds for the VPN, etc)


What services?

 

Proxmox has a firewall, along with the guest OSes.

 

The other thing that you normally want is a DMZ on your router, so your private devices are separated from the servers that will be remotely accessed.

 

But for a home server, if you lock it down with passwords, have it email logs, and keep it updated, you're fine. You're not getting targeted attacks.


Would not use the built-in firewall; DMZ is good though.

Just get any old computer of any processing power (I'm serious, Celerons with 1 gig of RAM are more than enough for your use case) and two ethernet ports. Slap pfSense on it and roll.

Join the Appleitionist cause! See spoiler below for answers to common questions that shouldn't be common!

Spoiler

Q: Do I have a virus?!
A: If you didn't click a sketchy email, haven't left your computer physically open to attack, haven't downloaded anything sketchy/free, know that your software hasn't been exploited in a new hack, then the answer is: probably not.

 

Q: What email/VPN should I use?
A: Proton mail and VPN are the best for email and VPNs respectively. (They're free in a good way)

 

Q: How can I stay anonymous on the (deep/dark) webzz???....

A: By learning how to de-anonymize everyone else; if you can do that, then you know what to do for yourself.

 

Q: What Linux distro is best for x y z?

A: Lubuntu for things with little processing power, Ubuntu for normal PCs, and if you need to do anything else then it's best if you do the research yourself.

 

Q: Why is my Linux giving me x y z error?

A: Have you not googled it? Are you sure StackOverflow doesn't have an answer? Does the error tell you what's wrong? If the answer is no to all of those, message me.

 


DMZ just exposes them more though, just forwarding the ports you need from the router is more secure as the router firewall will block all other ports.

 

I'd replace the router with pfSense and, if you have multiple public IP addresses, assign them all there and just forward the ports. Also have something like fail2ban on the servers so they can reject anyone making multiple attempts to hack in.

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


9 minutes ago, Alex Atkin UK said:

DMZ just exposes them more though, just forwarding the ports you need from the router is more secure as the router firewall will block all other ports.

Depends if you're talking 'real' DMZ, where it firewalls/denies any DMZ->Inside initiated connections, or 'consumer grade' DMZ, where it just forwards the whole list of ports to everything.

 

The former would be preferred, since if your DMZ layer is compromised it's not your inside zone.

 

OP, if you are running some sort of publicly accessible server then you're pretty much stuck forwarding. If it's for personal use then only expose a VPN on the edge and authenticate to that. Then you can access whatever resources once on the VPN.

PC : 3600 · Crosshair VI WiFi · 2x16GB RGB 3200 · 1080Ti SC2 · 1TB WD SN750 · EVGA 1600G2 · Define C 
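The 'real' DMZ described above, as an added example that is not from the post: an nftables ruleset for a Linux router where the DMZ can be reached from the Internet only on forwarded ports and can never open connections to the inside LAN. Interface names, subnets and the VM address are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Assumed layout (placeholders): wan0 = Internet, lan0 = private LAN,
# dmz0 = server zone, 192.168.20.10 = the one VM that is published.
flush ruleset

table inet filter {
    chain forward {
        # Default deny between zones; every allowed path is listed explicitly.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were accepted below.
        ct state established,related accept
        ct state invalid drop

        # Inside may open connections to the DMZ and to the Internet.
        iifname "lan0" oifname { "dmz0", "wan0" } accept

        # DMZ may reach the Internet (updates), but must never initiate
        # towards the inside zone. The drop is already the policy; it is
        # stated so the intent survives later edits.
        iifname "dmz0" oifname "wan0" accept
        iifname "dmz0" oifname "lan0" drop

        # Only the explicitly forwarded ports get in from the WAN,
        # and only to the published VM.
        iifname "wan0" oifname "dmz0" ip daddr 192.168.20.10 tcp dport { 80, 443 } ct state new accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # The port forward itself; the filter chain above still decides.
        iifname "wan0" tcp dport { 80, 443 } dnat to 192.168.20.10
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname "wan0" masquerade
    }
}
```

Check the DMZ->Inside deny from a DMZ host (e.g. try SSH to a LAN address) and confirm it times out, while the LAN can still reach the DMZ.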


It also depends how much those servers will be used from inside the LAN.

 

Having them on the LAN means you get LAN speeds regardless of what the router can handle. If they are on the DMZ you will have to perform NAT just like to any other Internet server, which means a heavy data transfer can easily max out your router long before your network card, impacting REAL Internet traffic too.

 

This is why it's highly recommended any server you are doing a lot of traffic to/from remains on the LAN side.


7 hours ago, beersykins said:

OP, if you are running some sort of publicly accessible server then you're pretty much stuck forwarding.  If it's for personal use then only expose a VPN on the edge and authenticate to that.  Then you can access whatever resources once on the VPN.

Yeah, currently I just have it all running through forwarding on my router (for outside access), and for the LAN network there most likely won't be large data transfers to this server.


Well, if you do not mind coding a bit of stuff, then you could use the following OS:

 

http://www.zentyal.org/server/#server-features

 

I did this before (kinda) on XenServer.

I installed 1 public VPS, created a few networks on it and used the public VPS to forward to internal IPs.

 

So I got 5 different VPS servers running, a VPN to access the local network and 5 different websites on those 5 VPS servers.

They were all linked with that single VPS and Apache proxy.

Based on DNS, it port forwarded it to the right IP address.

Of course they couldn't have the same ports, so the ports are different, but because of the Apache proxy they still worked on port 80,

as it was getting forwarded based on DNS, so port 80 was the incoming port, and it went to another higher port over the LAN.

 

https://httpd.apache.org/docs/2.4/mod/mod_proxy.html

 

Anyway,

that OS also contains a firewall and a web interface to configure some stuff like the firewall and port forwarding (except for the Apache part of course xD).

 

It takes some time to get it working, but it does a great job,

and you only need 1 public IP address as those others are just LAN IPs.

 

Greets From PowerChaos

If you see strange text like this

then you can be sure I use a mobile.

All info provided is to help you. I can not guarantee that it is 100% correct. Apply my solution at OWN risk. Just like overclocking, everything has a risk.

glad to help you

greets from PowerChaos
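The name-based Apache reverse proxy described above, as an added example that is not from the post: one public IP takes port 80 in, the Host header picks the site, and each site is passed to its VM on a different LAN port. Hostnames, LAN addresses and ports are assumed placeholders.

```apache
# Assumed placeholders: site1/site2.example.com, VMs 192.168.10.11/.12
# listening on 8081/8082. CentOS path would be /etc/httpd/conf.d/proxy.conf.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Reverse proxy only. ProxyRequests On would turn the box into an open
# forward proxy for anyone on the Internet.
ProxyRequests Off

# The first vhost is the default. Requests whose Host header matches no
# site (scanners hitting the bare IP) get 403 instead of site1's content.
<VirtualHost *:80>
    ServerName default.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName site1.example.com
    # Keep the original Host header so the backend builds correct links.
    ProxyPreserveHost On
    ProxyPass        "/" "http://192.168.10.11:8081/"
    ProxyPassReverse "/" "http://192.168.10.11:8081/"
</VirtualHost>

<VirtualHost *:80>
    ServerName site2.example.com
    ProxyPreserveHost On
    ProxyPass        "/" "http://192.168.10.12:8082/"
    ProxyPassReverse "/" "http://192.168.10.12:8082/"
</VirtualHost>
```

Only port 80 on the proxy host needs a router forward; the 8081/8082 backends stay reachable from the LAN side only.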
