0

I have an old laptop that I decided to use as a server, with some Samba shares and whatnot (making available some DVD rips and the like), and I'd like to be able to access the files in it from not only inside my home network, but also the outside network.

I read about port knocking, and that seemed like a decent idea — until I realized that because the server would be behind a router it might not be the best idea unless I get a new router that allows for it specifically. Then I read a bit more, and realized it might not be as safe as I'd originally gathered.

While investigating if my router allowed for port knocking, though, I came upon the notion of the DMZ — 'cause my router lets me configure that and all. My understanding of this, though, is that I'd need to make the whole server available to the world, and I'm not entirely sure how complicated it'd be to set up proper protection on a server in a router's DMZ, to later SSH into it from the outside.

Finally, while trying to get some answers out there, I also crossed paths with the idea of maybe getting a Raspberry Pi and making it a VPN server so I can VPN into my home network. However, once again, not sure how vulnerable to exploitation that'd be.

I have a limited knowledge of security principles, not being a pro or anything, hence the doubt on this. My knowledge of iptables, for instance, is very limited, so I wouldn't know how to properly protect the router if I put it in the DMZ.

Is one of the three methods mentioned above generally preferred, in terms of safety? And what methods of securing it are generally recommended too? Bonus points: is one of them easier to set up too?

Marcy
  • I know the tour page mentions this site is for "information security professionals" and I'm far from that — so if there's a way to reword the question to make it work, feel free to edit it (also, not sure if I misused tags). **I'm not looking for a tutorial, but an objective comparison of what methods are more advisable for the intended purpose.** – Marcy Apr 16 '19 at 10:50

1 Answer

1

In no way would I put the system directly as fully accessible into the DMZ of the router.

If you only need to make the server available for yourself while outside of your network then a (properly secured) VPN into your network might be the best option when taking both usability and security into account. The VPN makes sure that only you (with the proper credentials) can build the tunnel into your network. And from there you have easy access to the whole home network.

Another option would be to only expose SSH to the outside and transfer your files with SFTP or SCP (file transfer over SSH). This is more secure since only a single service on a single machine instead of the whole internal network is available from remote, i.e. it offers a reduced attack surface. But at the same time it might cause worse usability since you cannot simply use the built-in file sharing to access your files but would need an application like PuTTY or FileZilla (assuming you are using Windows on your mobile system) to transfer the files.

If the SSH-based solution is acceptable to you in terms of usability it is probably the preferable and also the easiest to set up too.

Steffen Ullrich
  • Again, no expert, but: to make SSH available to outside the network wouldn't I need to open ports both on the router and on the server? And if so, isn't that a vulnerability for some sort of brute force attack — or at least, isn't it scannable (to see what ports are open and whatnot)? I have the SSH currently set up to only work with keys and not passwords — does that remove the brute force attack possibility from the equation? – Marcy Apr 16 '19 at 11:06
  • @Marcy: No matter if SSH and VPN - ports would need to be opened in order to allow connections from outside. And yes, SSH with only keys and no passwords allowed is robust enough against brute force attacks. Additionally you could move the SSH port to some non-standard port so that it gets fewer brute-force attempts in the first place. – Steffen Ullrich Apr 16 '19 at 11:09
  • Ok, cool. And yeah, my SSH is already set for a non-standard port ^_^ When you say, re: VPN "with proper credentials" do you mean that it will use something similar to how you can SSH with keys instead of user/password combinations? Or something different? Can you include a bit more details on that? – Marcy Apr 16 '19 at 11:11
  • @Marcy: https://openvpn.net/community-resources/hardening-openvpn-security/ – Steffen Ullrich Apr 16 '19 at 11:13
  • Tangential question: d'you know anything about http://www.pivpn.io/ ? Safety-wise and all, that is :) – Marcy Apr 24 '19 at 10:53
  • @Marcy: no, I don't. – Steffen Ullrich Apr 24 '19 at 11:02
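
As an added example (not code from the question, the answer or OpenSSH), the Python sketch below checks `sshd_config` text for the keys-only, non-standard-port setup discussed in the comments, including the case where a later `PasswordAuthentication no` is silently ignored because sshd keeps the first value it reads. It assumes upstream OpenSSH defaults and does not follow `Include` files; the function name `audit` and both sample configs are constructed for illustration.

```python
# Added example (not from the thread): audit sshd_config text for the
# keys-only setup discussed above. Sample configs below are constructed.
DEFAULTS = {  # upstream OpenSSH defaults when a keyword is absent
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
PASSWORD_KEYS = ("passwordauthentication", "kbdinteractiveauthentication")

def audit(config_text):
    """Return findings; an empty list means keys-only on a non-default port."""
    seen, ports, findings, in_match = {}, [], [], False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True                      # rest of file is conditional
        elif in_match:
            if key in PASSWORD_KEYS and value != "no":
                findings.append(f"Match block re-enables {key}")
        elif key == "port":
            ports.append(value)                  # Port may be given several times
        else:
            seen.setdefault(key, value)          # sshd keeps the FIRST value
    effective = {**DEFAULTS, **seen}
    for key in PASSWORD_KEYS:
        if effective[key] != "no":
            findings.append(f"{key} is '{effective[key]}', not 'no'")
    if effective["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is disabled")
    if "22" in (ports or ["22"]):
        findings.append("listening on default port 22")
    return findings

LEAKY = """Port 2222
PasswordAuthentication yes   # first value wins
PasswordAuthentication no
"""
HARDENED = """Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("LEAKY", LEAKY), ("HARDENED", HARDENED)):
        print(name, audit(text))
```

On a live host, `sshd -T` prints the effective configuration after defaults and includes are resolved, which is the authoritative check.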