4

The intention behind this is that I'll be able to host a website from a home server (another PC with ECC RAM etc.), but what worries me is that the network I'm using is also the same network which I use in my normal daily activities (my home network).

Before sending a request to my housing company to open those ports I want to make sure that it really is safe to open those ports as I do not have access to the "sharing center" nor its infrastructure (I do not know the correct term in English but it's the place where the internet is distributed(?) between tenants), although I do have my own router with its own firewall.

Currently: Sharing center (closed, need to open a few ports) -> router (port forwarded) -> pc (open ports)

On a side note, I suppose you can host multiple different websites under different domains on the same port? (no need for explanation here, I can look that up)

Nuubles
  • 43
  • 4
  • Please check the similar: https://security.stackexchange.com/questions/190435/dealing-with-the-dangers-of-self-hosting-a-webserver/190438#190438 – bashCypher Dec 05 '18 at 20:18

1 Answer

3

Generally the best practice for this is to have a DMZ. The DMZ is a subnet for any servers (like web servers) which will service requests from clients off your network. In addition, any databases or other devices/servers that are needed to provide services for the web servers should live in the DMZ (preferably each on their own VLANs). These external-facing servers sit behind a firewall (which only allows proper HTTP or HTTPS traffic to go to your DMZ). Additionally, if you are protecting sensitive information I would use a Web Application Firewall (WAF). There are good free ones out there. The WAF will inspect the HTTP/HTTPS traffic and filter out a huge collection of known malicious HTTP/HTTPS, SQL, etc. attacks common to web servers.

One major purpose of this design is to limit the damage in the (reasonably likely) event that somebody manages to compromise your web server.

Note: The DMZ should not be able to initiate connections into your internal network. You only want internal to DMZ traffic (not DMZ to internal).

DarkMatter
  • 2,681
  • 2
  • 6
  • 23
  • I just want to add that the DMZ function on SOHO routers is really just "open all ports to this server" and not anything like the DMZ you're talking about. – Monica Apologists Get Out Dec 05 '18 at 15:56
  • @Adonalsium Even on SOHO why would you ever open all ports? Even basic home routers allow you to limit to needed ports. – DarkMatter Dec 05 '18 at 16:01
  • @Adonalsium sorry I just realized I misread your comment. You are warning that some routers claim to have a built in "DMZ" function... got it. – DarkMatter Dec 05 '18 at 16:45
  • Thanks for the information! I'll make sure to remember that combined with the comment added to my question and mark this as solved as these gave pretty much all the information that I needed. – Nuubles Dec 06 '18 at 13:44
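The policy the answer and the comment thread describe (internet may only reach the web server on HTTP/HTTPS, the internal network may reach the DMZ, the DMZ may never initiate connections back into the internal network, and a consumer router's "DMZ host" setting is not the same thing) can be checked as a small model before anyone asks the housing company to open ports. The following is an added example, not code from the original post or its authors. The subnets (192.168.1.0/24 as the internal LAN, 192.168.100.0/24 as the DMZ), the web server address 192.168.100.10, the interface names wan0/lan0/dmz0 and the probe address 203.0.113.5 are all constructed placeholders; the script evaluates sample flows against the intended policy and prints an equivalent nftables forward chain for reference, without touching a real firewall.

```python
"""Policy model of the DMZ design described in the answer above.

Added example, not code from the original post. All addresses, hosts and
interface names are constructed placeholders:
  192.168.1.0/24    assumed internal LAN
  192.168.100.0/24  assumed DMZ subnet
  192.168.100.10    assumed web server inside the DMZ
Nothing here programs a real firewall; it evaluates sample flows and emits
the equivalent nftables forward-chain text for reference.
"""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("192.168.100.0/24")
WEB_SERVER = ipaddress.ip_address("192.168.100.10")
WEB_PORTS = frozenset({80, 443})


@dataclass(frozen=True)
class Flow:
    """A new connection attempt as seen on the firewall's forward path."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone(ip_text: str) -> str:
    """Classify an address as internal LAN, DMZ, or the outside world."""
    ip = ipaddress.ip_address(ip_text)
    if ip in LAN:
        return "lan"
    if ip in DMZ:
        return "dmz"
    return "wan"


def dmz_policy(flow: Flow) -> bool:
    """Return True if the segmented design lets this flow start."""
    src, dst = zone(flow.src), zone(flow.dst)
    if src == "wan":
        # Internet traffic: only HTTP/HTTPS, and only to the web server.
        return (dst == "dmz"
                and ipaddress.ip_address(flow.dst) == WEB_SERVER
                and flow.proto == "tcp"
                and flow.dport in WEB_PORTS)
    if src == "dmz":
        # The DMZ may reach the internet (updates) but never initiate into the LAN.
        return dst != "lan"
    if src == "lan":
        # Internal hosts may reach the DMZ (administration) and the internet.
        return True
    return False


def soho_dmz_host_policy(flow: Flow) -> bool:
    """The consumer-router "DMZ host" setting: every port forwarded to one host,
    and no segmentation between that host and the rest of the home network."""
    if zone(flow.src) == "wan":
        return ipaddress.ip_address(flow.dst) == WEB_SERVER
    return True


def exposed_ports(policy, candidate_ports) -> set:
    """Which of the candidate ports can an internet client reach on the web server?"""
    probe_src = "203.0.113.5"  # constructed external address (TEST-NET-3 range)
    return {p for p in candidate_ports
            if policy(Flow(probe_src, str(WEB_SERVER), p))}


def nftables_ruleset() -> str:
    """nftables forward chain expressing dmz_policy (interface names are assumed)."""
    ports = ", ".join(str(p) for p in sorted(WEB_PORTS))
    return f"""table inet dmz {{
    chain forward {{
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "wan0" oifname "dmz0" ip daddr {WEB_SERVER} tcp dport {{ {ports} }} accept
        iifname "lan0" oifname "dmz0" accept
        iifname "lan0" oifname "wan0" accept
        iifname "dmz0" oifname "wan0" accept
        iifname "dmz0" oifname "lan0" drop
    }}
}}"""


if __name__ == "__main__":
    candidates = {22, 80, 443, 3306}
    print("segmented DMZ exposes:", sorted(exposed_ports(dmz_policy, candidates)))
    print("SOHO 'DMZ host' exposes:", sorted(exposed_ports(soho_dmz_host_policy, candidates)))
    print(nftables_ruleset())
```

Running the script shows the contrast the comments are about: the segmented policy exposes only 80 and 443 and refuses any connection the web server tries to open toward the LAN, while the "DMZ host" setting exposes every candidate port and lets a compromised web server talk to internal machines freely. The default `policy drop` on the forward chain is what makes the "DMZ to internal" rule enforceable even if a later rule is forgotten.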