Host a website on home network; security





I'm having a hard time finding the information online.

If I were to host a website on my home network, I'm opening myself up for a hacker to gain access to my network, even if I use a different machine to host the website.

Ways I've seen vaguely discussed to get around this:

  1. Set up a VLAN
  2. Set up a subnet
  3. Set up a guest account on the router
  4. Use OpenVPN or a similar VPN service

Now, with those...

  1. I don't believe my router is capable of adding a VLAN.
  2. I'm not 100% sure how to set up a subnet...
  3. I've attempted to set up a guest wifi network with a password, but no matter what I do, it keeps telling me it's not active.
  4. Does OpenVPN actually accomplish something similar, to break something off from my main network?

Is there anything else I could do to ensure that a specific machine, in this case hosting a web server, is not able to communicate with the other devices on my network?







networking wireless-networking vpn openvpn
















asked Feb 2 at 8:34









Witold Kowelski













  • I think your initial presumption is not correct. If you set up your website properly, you won't really expose your home LAN to much threat. It also depends to a large degree on the type of content you are going to host. Say, in the case of static websites you can make it pretty secure without too much effort, I believe.

    – rg_software
    Feb 2 at 10:23





























2 Answers
Yes, it is possible that a hacker can use an exploit on your web server to gain access to your network. However, if you keep your software up to date with security patches, your risk is extremely low.

That being said, most modern router/firewalls should have the ability to limit access through access control lists. You can ask your ISP how to do this. If, for some reason, your router is incapable of this, you can replace it with a different router/firewall or simply place a new one between the ISP's and the web server.

Additionally, you should be able to configure the software firewalls on the web server and your other machines to block access.

















answered Feb 2 at 11:23

Keltari

























Many home-routers do not support VPNs. You will need routers/switches from a higher segment for that.

The easiest way to add network security in your home is to use a DMZ between two home-routers and a small computer (for example my favorite, the Pi) as webserver.

Such a setup would look like this:

       ______
     _(      )_    a +---------------+ b        c +----------------+ d     +--+
    (_Internet_)-----|router provider|------------|internal router |-------|pc|
      (______)       +---------------+    lan1    +----------------+ lan2  +--+
                             | e
                       +------------+
                       | web server |
                       +------------+

a is the WAN interface of the router that connects you to your provider. This should already be connected. b and e are LAN interfaces on your provider's router.

On your provider's router, you will probably enable DHCP for the LAN, or otherwise you will have to assign static IP addresses. For the webserver, you might use a static IP address (not in the range of the DHCP of the provider's router, but in the same subnet). You will also enable port forwarding of port 80 and 443 to your webserver.

c is the WAN interface of the internal router. Make sure that the WAN interface of this router uses DHCP if you have enabled it on the provider router, or assign a static IP to the WAN interface in the subnet of lan1 (the LAN side of the provider's router).

On the internal router on lan2, you will probably enable DHCP. Make sure that the subnet you use here is different from lan1.

An example of what this might mean for the subnets and IP addresses:

    Provider router
    WAN: 83.163.211.192 (as the provider gave me)
    LAN: 192.168.178.1, mask 255.255.255.0
    portforward: 80 and 443 to 192.168.178.10

    Web server
    IP address: 192.168.178.10
    netmask: 255.255.255.0
    def. gw: 192.168.178.1

    Internal router:
    WAN IP: 192.168.178.254
    WAN mask: 255.255.255.0
    WAN GW: 192.168.178.1

    LAN IP: 192.168.1.1
    LAN mask 255.255.255.0
    dhcp-enabled

You should note, however, that creating a DMZ for your webserver still requires you to keep up with (security) patches on the webserver, and keep a strict security attitude for everything you do on the exposed server. Although this set-up protects your internal home network, it will not completely protect you from attacks and defacing attempts.

















answered Feb 2 at 11:31

Ljm Dullaart
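A consistency check for the two-router addressing plan in the answer above, as an added example that is not part of the original post. The addresses are the ones from the answer; the DHCP pool range and the names `PLAN` and `check_plan` are assumptions made for illustration.

```python
import ipaddress as ipa

# Addresses below are the ones in the answer's example. The DHCP pool of the
# provider router is not stated there; the range used here is an assumption.
PLAN = {
    "lan1": "192.168.178.0/24",   # DMZ: LAN side of the provider router
    "lan2": "192.168.1.0/24",     # internal LAN behind the second router
    "provider_lan_ip": "192.168.178.1",
    "provider_dhcp_pool": ("192.168.178.100", "192.168.178.200"),  # assumed
    "webserver_ip": "192.168.178.10",
    "webserver_gw": "192.168.178.1",
    "internal_wan_ip": "192.168.178.254",
    "internal_wan_gw": "192.168.178.1",
    "internal_lan_ip": "192.168.1.1",
    "port_forwards": {80: "192.168.178.10", 443: "192.168.178.10"},
}


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    lan1 = ipa.ip_network(plan["lan1"])
    lan2 = ipa.ip_network(plan["lan2"])

    def addr(key):
        return ipa.ip_address(plan[key])

    # The internal router needs different subnets on its WAN and LAN sides,
    # otherwise it cannot tell the DMZ from the internal LAN.
    if lan1.overlaps(lan2):
        problems.append(f"lan1 {lan1} and lan2 {lan2} overlap")

    # Everything plugged into the provider router must have a lan1 address.
    for key in ("provider_lan_ip", "webserver_ip", "internal_wan_ip"):
        if addr(key) not in lan1:
            problems.append(f"{key} {plan[key]} is not in lan1 {lan1}")
    if addr("internal_lan_ip") not in lan2:
        problems.append(
            f"internal_lan_ip {plan['internal_lan_ip']} is not in lan2 {lan2}")

    # Both DMZ devices use the provider router as their default gateway.
    for key in ("webserver_gw", "internal_wan_gw"):
        if plan[key] != plan["provider_lan_ip"]:
            problems.append(f"{key} {plan[key]} is not the provider router")

    # Static addresses must stay outside the DHCP pool to avoid conflicts.
    low, high = (ipa.ip_address(a) for a in plan["provider_dhcp_pool"])
    for key in ("webserver_ip", "internal_wan_ip"):
        if low <= addr(key) <= high:
            problems.append(f"{key} {plan[key]} is inside the DHCP pool")

    # Port forwards may only land on the web server, never on the internal LAN.
    for port, target in sorted(plan["port_forwards"].items()):
        if ipa.ip_address(target) in lan2:
            problems.append(
                f"port {port} is forwarded into the internal LAN ({target})")
        elif target != plan["webserver_ip"]:
            problems.append(
                f"port {port} is forwarded to {target}, not the web server")
    return problems


if __name__ == "__main__":
    for issue in check_plan(PLAN) or ["plan is consistent"]:
        print(issue)
    # Constructed mistake: forwarding port 80 to a host on lan2.
    for issue in check_plan(dict(PLAN, port_forwards={80: "192.168.1.20"})):
        print(issue)
```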





























