Host a website on home network; security
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}
I'm having a hard time finding the information online.
If I were to host a website on my home network, I'm opening myself up for a hacker to gain access to my network, even if I use a different machine to host the website.
Ways I've seen vaguely discussed to get around this:
- Set up a VLAN
- Set up a subnet
- Set up a guest account on the router
- Use OpenVPN or a similar VPN service
Now, with those...
- I don't believe my router is capable of adding a VLAN.
- I'm not 100% sure how to set up a subnet...
- I've attempted to set up a guest wifi network with a password, but no matter what I do, it keeps telling me it's not active.
- Does OpenVPN actually accomplish something similar, to break something off from my main network?
Is there anything else I could do to ensure that a specific machine, in this case hosting a web server, is not able to communicate with the other devices on my network?
networking wireless-networking vpn openvpn
asked Feb 2 at 8:34
Witold KowelskiWitold Kowelski
1111
add a comment |
I'm having a hard time finding the information online.
If I were to host a website on my home network, I'm opening myself up for a hacker to gain access to my network, even if I use a different machine to host the website.
Ways I've seen vaguely discussed to get around this:
- Set up a VLAN
- Set up a subnet
- Set up a guest account on the router
- Use OpenVPN or a similar VPN service
Now, with those...
- I don't believe my router is capable of adding a VLAN.
- I'm not 100% sure how to set up a subnet...
- I've attempted to set up a guest wifi network with a password, but no matter what I do, it keeps telling me it's not active.
- Does OpenVPN actually accomplish something similar, to break something off from my main network?
Is there anything else I could do to ensure that a specific machine, in this case hosting a web server, is not able to communicate with the other devices on my network?
networking wireless-networking vpn openvpn
asked Feb 2 at 8:34
Witold KowelskiWitold Kowelski
1111
I think your initial presumption is not correct. If you setup your website properly, you won't really expose your home LAN to much threat. It is also depends to a large degree of content type you are going to host. Say, in case of static websites you can make it pretty secure without too much effort, I believe.
– rg_software
Feb 2 at 10:23
add a comment |
I'm having a hard time finding the information online.
If I were to host a website on my home network, I'm opening myself up for a hacker to gain access to my network, even if I use a different machine to host the website.
Ways I've seen vaguely discussed to get around this:
- Set up a VLAN
- Set up a subnet
- Set up a guest account on the router
- Use OpenVPN or a similar VPN service
Now, with those...
- I don't believe my router is capable of adding a VLAN.
- I'm not 100% sure how to set up a subnet...
- I've attempted to set up a guest wifi network with a password, but no matter what I do, it keeps telling me it's not active.
- Does OpenVPN actually accomplish something similar, to break something off from my main network?
Is there anything else I could do to ensure that a specific machine, in this case hosting a web server, is not able to communicate with the other devices on my network?
networking wireless-networking vpn openvpn
asked Feb 2 at 8:34
Witold KowelskiWitold Kowelski
1111
I'm having a hard time finding the information online.
If I were to host a website on my home network, I'm opening myself up for a hacker to gain access to my network, even if I use a different machine to host the website.
Ways I've seen vaguely discussed to get around this:
- Set up a VLAN
- Set up a subnet
- Set up a guest account on the router
- Use OpenVPN or a similar VPN service
Now, with those...
- I don't believe my router is capable of adding a VLAN.
- I'm not 100% sure how to set up a subnet...
- I've attempted to set up a guest wifi network with a password, but no matter what I do, it keeps telling me it's not active.
- Does OpenVPN actually accomplish something similar, to break something off from my main network?
Is there anything else I could do to ensure that a specific machine, in this case hosting a web server, is not able to communicate with the other devices on my network?
networking wireless-networking vpn openvpn
networking wireless-networking vpn openvpn
asked Feb 2 at 8:34
Witold KowelskiWitold Kowelski
1111
asked Feb 2 at 8:34
Witold KowelskiWitold Kowelski
1111
asked Feb 2 at 8:34
Witold KowelskiWitold Kowelski
1111
asked Feb 2 at 8:34
Witold KowelskiWitold Kowelski
1111
asked Feb 2 at 8:34
Witold KowelskiWitold Kowelski
1111
1111
I think your initial presumption is not correct. If you setup your website properly, you won't really expose your home LAN to much threat. It is also depends to a large degree of content type you are going to host. Say, in case of static websites you can make it pretty secure without too much effort, I believe.
– rg_software
Feb 2 at 10:23
add a comment |
I think your initial presumption is not correct. If you setup your website properly, you won't really expose your home LAN to much threat. It is also depends to a large degree of content type you are going to host. Say, in case of static websites you can make it pretty secure without too much effort, I believe.
– rg_software
Feb 2 at 10:23
I think your initial presumption is not correct. If you setup your website properly, you won't really expose your home LAN to much threat. It is also depends to a large degree of content type you are going to host. Say, in case of static websites you can make it pretty secure without too much effort, I believe.
– rg_software
Feb 2 at 10:23
I think your initial presumption is not correct. If you setup your website properly, you won't really expose your home LAN to much threat. It is also depends to a large degree of content type you are going to host. Say, in case of static websites you can make it pretty secure without too much effort, I believe.
– rg_software
Feb 2 at 10:23
add a comment |
2 Answers
2
active
oldest
votes
Yes, it is possible that a hacker can use an exploit on your web server to gain access to your network. However, if you keep your software up to date with security patches, you risk is extremely low.
That being said, most modern router/firewalls should have the ability limit access through access control lists. You can ask your ISP on how to do this. If, for some reason, your router is incapable of this, you can replace it with different router/firewall or simply place a new between the ISPs and the web server.
Additionally, you should be able to configure the software firewalls on the web server and your other machines to block access.
answered Feb 2 at 11:23
KeltariKeltari
51.7k18119171
add a comment |
Many home-routers do not support VPNs. You will need routers/switches from a higher segment for that.
The easiest way to add network security in your home is to use a DMZ between two home-routers and a small computer (for example my favorite, the Pi) as webserver.
Such a setup would look like this:
______
_( )_ a +---------------+ b c +----------------+ d +--+
(_Internet_)-------|router provider|------------|internal router |-------|pc|
(______) +---------------+ lan1 +----------------+ lan2 +--+
| e
+------------+
| web server |
+------------+
a is the WAN interface of the router that connects you to your provider. This should already be connected. b and e are LAN interfaces on your provider's router.
On your provider's router, you will probably enable DHCP for the LAN, or otherwise you will have to assign static IP addresses. For the webserver, you might use a static IP address (not in the range of the DHCP of the providers router, but in the same subnet) You will also enable port forwarding of port 80 and 443 to your webserver.
c is the WAN interface of the internal router. Make sure that the WAn interface of this router uses DHCP if you have enabled it on the provider router, or assign a static IP to the WAN interface in the subnet of the lan1 (the lan-side of the provider's router).
On the Internal router on labn2, you will probably enable DHCP. Make sure that the subnet you use here is different from lan1.
An example on what this might mean for the subnets and IP addresses:
Provider router
WAN: 83.163.211.192 (as the provider gave me)
LAN: 192.168.178.1, mask 255.255.255.0
portforward: 80 and 443 to 192.168.178.10
Web server
IP address: 192.168.178.10
netmask: 255.255.255.0
def. gw: 192.168.178.1
Internal router:
WAN IP: 192.168.178.254
WAN mask: 255.255.255.0
WAN GW: 192.168.178.1
LAN iIP: 192.168.1.1
LAN mask 255.255.255.0
dhcp-enabled
You should note however, that creating a DMZ for your webserver still requires you to keep up with (security0) patches on the webserver, and keep a strict security attitude for every thing you do on the exposed server. Although this set-up protects your internal home network, it will not completely protect you from attacks and defacing attempts.
answered Feb 2 at 11:31
Ljm DullaartLjm Dullaart
75428
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1401264%2fhost-a-website-on-home-network-security%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
Yes, it is possible that a hacker can use an exploit on your web server to gain access to your network. However, if you keep your software up to date with security patches, you risk is extremely low.
That being said, most modern router/firewalls should have the ability limit access through access control lists. You can ask your ISP on how to do this. If, for some reason, your router is incapable of this, you can replace it with different router/firewall or simply place a new between the ISPs and the web server.
Additionally, you should be able to configure the software firewalls on the web server and your other machines to block access.
answered Feb 2 at 11:23
KeltariKeltari
51.7k18119171
add a comment |
Yes, it is possible that a hacker can use an exploit on your web server to gain access to your network. However, if you keep your software up to date with security patches, you risk is extremely low.
That being said, most modern router/firewalls should have the ability limit access through access control lists. You can ask your ISP on how to do this. If, for some reason, your router is incapable of this, you can replace it with different router/firewall or simply place a new between the ISPs and the web server.
Additionally, you should be able to configure the software firewalls on the web server and your other machines to block access.
answered Feb 2 at 11:23
KeltariKeltari
51.7k18119171
add a comment |
Yes, it is possible that a hacker can use an exploit on your web server to gain access to your network. However, if you keep your software up to date with security patches, you risk is extremely low.
That being said, most modern router/firewalls should have the ability limit access through access control lists. You can ask your ISP on how to do this. If, for some reason, your router is incapable of this, you can replace it with different router/firewall or simply place a new between the ISPs and the web server.
Additionally, you should be able to configure the software firewalls on the web server and your other machines to block access.
answered Feb 2 at 11:23
KeltariKeltari
51.7k18119171
Yes, it is possible that a hacker can use an exploit on your web server to gain access to your network. However, if you keep your software up to date with security patches, you risk is extremely low.
That being said, most modern router/firewalls should have the ability limit access through access control lists. You can ask your ISP on how to do this. If, for some reason, your router is incapable of this, you can replace it with different router/firewall or simply place a new between the ISPs and the web server.
Additionally, you should be able to configure the software firewalls on the web server and your other machines to block access.
answered Feb 2 at 11:23
KeltariKeltari
51.7k18119171
answered Feb 2 at 11:23
KeltariKeltari
51.7k18119171
answered Feb 2 at 11:23
KeltariKeltari
51.7k18119171
answered Feb 2 at 11:23
KeltariKeltari
51.7k18119171
51.7k18119171
add a comment |
add a comment |
Many home-routers do not support VPNs. You will need routers/switches from a higher segment for that.
The easiest way to add network security in your home is to use a DMZ between two home-routers and a small computer (for example my favorite, the Pi) as webserver.
Such a setup would look like this:
______
_( )_ a +---------------+ b c +----------------+ d +--+
(_Internet_)-------|router provider|------------|internal router |-------|pc|
(______) +---------------+ lan1 +----------------+ lan2 +--+
| e
+------------+
| web server |
+------------+
a is the WAN interface of the router that connects you to your provider. This should already be connected. b and e are LAN interfaces on your provider's router.
On your provider's router, you will probably enable DHCP for the LAN, or otherwise you will have to assign static IP addresses. For the webserver, you might use a static IP address (not in the range of the DHCP of the providers router, but in the same subnet) You will also enable port forwarding of port 80 and 443 to your webserver.
c is the WAN interface of the internal router. Make sure that the WAn interface of this router uses DHCP if you have enabled it on the provider router, or assign a static IP to the WAN interface in the subnet of the lan1 (the lan-side of the provider's router).
On the Internal router on labn2, you will probably enable DHCP. Make sure that the subnet you use here is different from lan1.
An example on what this might mean for the subnets and IP addresses:
Provider router
WAN: 83.163.211.192 (as the provider gave me)
LAN: 192.168.178.1, mask 255.255.255.0
portforward: 80 and 443 to 192.168.178.10
Web server
IP address: 192.168.178.10
netmask: 255.255.255.0
def. gw: 192.168.178.1
Internal router:
WAN IP: 192.168.178.254
WAN mask: 255.255.255.0
WAN GW: 192.168.178.1
LAN iIP: 192.168.1.1
LAN mask 255.255.255.0
dhcp-enabled
You should note however, that creating a DMZ for your webserver still requires you to keep up with (security0) patches on the webserver, and keep a strict security attitude for every thing you do on the exposed server. Although this set-up protects your internal home network, it will not completely protect you from attacks and defacing attempts.
answered Feb 2 at 11:31
Ljm DullaartLjm Dullaart
75428
add a comment |
Many home-routers do not support VPNs. You will need routers/switches from a higher segment for that.
The easiest way to add network security in your home is to use a DMZ between two home-routers and a small computer (for example my favorite, the Pi) as webserver.
Such a setup would look like this:
______
_( )_ a +---------------+ b c +----------------+ d +--+
(_Internet_)-------|router provider|------------|internal router |-------|pc|
(______) +---------------+ lan1 +----------------+ lan2 +--+
| e
+------------+
| web server |
+------------+
a is the WAN interface of the router that connects you to your provider. This should already be connected. b and e are LAN interfaces on your provider's router.
On your provider's router, you will probably enable DHCP for the LAN, or otherwise you will have to assign static IP addresses. For the webserver, you might use a static IP address (not in the range of the DHCP of the providers router, but in the same subnet) You will also enable port forwarding of port 80 and 443 to your webserver.
c is the WAN interface of the internal router. Make sure that the WAn interface of this router uses DHCP if you have enabled it on the provider router, or assign a static IP to the WAN interface in the subnet of the lan1 (the lan-side of the provider's router).
On the Internal router on labn2, you will probably enable DHCP. Make sure that the subnet you use here is different from lan1.
An example on what this might mean for the subnets and IP addresses:
Provider router
WAN: 83.163.211.192 (as the provider gave me)
LAN: 192.168.178.1, mask 255.255.255.0
portforward: 80 and 443 to 192.168.178.10
Web server
IP address: 192.168.178.10
netmask: 255.255.255.0
def. gw: 192.168.178.1
Internal router:
WAN IP: 192.168.178.254
WAN mask: 255.255.255.0
WAN GW: 192.168.178.1
LAN iIP: 192.168.1.1
LAN mask 255.255.255.0
dhcp-enabled
You should note however, that creating a DMZ for your webserver still requires you to keep up with (security0) patches on the webserver, and keep a strict security attitude for every thing you do on the exposed server. Although this set-up protects your internal home network, it will not completely protect you from attacks and defacing attempts.
answered Feb 2 at 11:31
Ljm DullaartLjm Dullaart
75428
add a comment |
Many home-routers do not support VPNs. You will need routers/switches from a higher segment for that.
The easiest way to add network security in your home is to use a DMZ between two home-routers and a small computer (for example my favorite, the Pi) as webserver.
Such a setup would look like this:
______
_( )_ a +---------------+ b c +----------------+ d +--+
(_Internet_)-------|router provider|------------|internal router |-------|pc|
(______) +---------------+ lan1 +----------------+ lan2 +--+
| e
+------------+
| web server |
+------------+
a is the WAN interface of the router that connects you to your provider. This should already be connected. b and e are LAN interfaces on your provider's router.
On your provider's router, you will probably enable DHCP for the LAN, or otherwise you will have to assign static IP addresses. For the webserver, you might use a static IP address (not in the range of the DHCP of the providers router, but in the same subnet) You will also enable port forwarding of port 80 and 443 to your webserver.
c is the WAN interface of the internal router. Make sure that the WAn interface of this router uses DHCP if you have enabled it on the provider router, or assign a static IP to the WAN interface in the subnet of the lan1 (the lan-side of the provider's router).
On the Internal router on labn2, you will probably enable DHCP. Make sure that the subnet you use here is different from lan1.
An example on what this might mean for the subnets and IP addresses:
Provider router
WAN: 83.163.211.192 (as the provider gave me)
LAN: 192.168.178.1, mask 255.255.255.0
portforward: 80 and 443 to 192.168.178.10
Web server
IP address: 192.168.178.10
netmask: 255.255.255.0
def. gw: 192.168.178.1
Internal router:
WAN IP: 192.168.178.254
WAN mask: 255.255.255.0
WAN GW: 192.168.178.1
LAN iIP: 192.168.1.1
LAN mask 255.255.255.0
dhcp-enabled
You should note however, that creating a DMZ for your webserver still requires you to keep up with (security0) patches on the webserver, and keep a strict security attitude for every thing you do on the exposed server. Although this set-up protects your internal home network, it will not completely protect you from attacks and defacing attempts.
answered Feb 2 at 11:31
Ljm DullaartLjm Dullaart
75428
Many home-routers do not support VPNs. You will need routers/switches from a higher segment for that.
The easiest way to add network security in your home is to use a DMZ between two home-routers and a small computer (for example my favorite, the Pi) as webserver.
Such a setup would look like this:
______
_( )_ a +---------------+ b c +----------------+ d +--+
(_Internet_)-------|router provider|------------|internal router |-------|pc|
(______) +---------------+ lan1 +----------------+ lan2 +--+
| e
+------------+
| web server |
+------------+
a is the WAN interface of the router that connects you to your provider. This should already be connected. b and e are LAN interfaces on your provider's router.
On your provider's router, you will probably enable DHCP for the LAN, or otherwise you will have to assign static IP addresses. For the webserver, you might use a static IP address (not in the range of the DHCP of the providers router, but in the same subnet) You will also enable port forwarding of port 80 and 443 to your webserver.
c is the WAN interface of the internal router. Make sure that the WAn interface of this router uses DHCP if you have enabled it on the provider router, or assign a static IP to the WAN interface in the subnet of the lan1 (the lan-side of the provider's router).
On the Internal router on labn2, you will probably enable DHCP. Make sure that the subnet you use here is different from lan1.
An example on what this might mean for the subnets and IP addresses:
Provider router
WAN: 83.163.211.192 (as the provider gave me)
LAN: 192.168.178.1, mask 255.255.255.0
portforward: 80 and 443 to 192.168.178.10
Web server
IP address: 192.168.178.10
netmask: 255.255.255.0
def. gw: 192.168.178.1
Internal router:
WAN IP: 192.168.178.254
WAN mask: 255.255.255.0
WAN GW: 192.168.178.1
LAN iIP: 192.168.1.1
LAN mask 255.255.255.0
dhcp-enabled
You should note however, that creating a DMZ for your webserver still requires you to keep up with (security0) patches on the webserver, and keep a strict security attitude for every thing you do on the exposed server. Although this set-up protects your internal home network, it will not completely protect you from attacks and defacing attempts.
answered Feb 2 at 11:31
Ljm DullaartLjm Dullaart
75428
answered Feb 2 at 11:31
Ljm DullaartLjm Dullaart
75428
answered Feb 2 at 11:31
Ljm DullaartLjm Dullaart
75428
answered Feb 2 at 11:31
Ljm DullaartLjm Dullaart
75428
75428
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1401264%2fhost-a-website-on-home-network-security%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
I think your initial presumption is not correct. If you setup your website properly, you won't really expose your home LAN to much threat. It is also depends to a large degree of content type you are going to host. Say, in case of static websites you can make it pretty secure without too much effort, I believe.
– rg_software
Feb 2 at 10:23