Opening TCP port 80 and port 443, the web and secure web ports respectively, can enable home based services. I run my own web server at home in its own demilitarized zone (DMZ). I would like to share with you the architecture I chose which entailed a bit more than forwarding the open ports to a host behind my firewall. In this diagram, you see the main firewall connected to the cable modem and the secondary DMZ firewall virtualized. I considered some other designs as well, but this enabled me to just plug in a computer that could run the DMZ as virtual servers.
I use VirtualBox for all DMZ systems in this environment. VirtualBox hosts the pfSense firewall, which handles traffic in the DMZ. A rule prevents all systems in the DMZ from accessing the internal 192.168.1.0/24 network. I moved critical internal server services such as NTP and proxy to the pfSense node.
The DMZ pfSense server is configured with three tiers beginning with HTTP in tier 1, web application in tier 2, and the database server in the tertiary tier. Firewall rules only allow each tier to communicate from tier 1 to tier 2, then tier 2 to tier 3. The firewall rules allow what is necessary between each tier. The example image contains extra rules such as 443 to allow Webmin from the Internet all the way to tier 3 since this site was for experimenting. The web server can access Webmin/Usermin on port 10000/20000 and Webmin/Usermin can access backend services.
In order to reach the DMZ servers, I used OpenVPN from the internal network on either the desktop or laptop. Another option is secure shell, or SSH from now on, to the pfSense firewall in the DMZ and from there, remote login to the servers in the DMZ. However, I prefer not to use that method as I don’t like using firewalls as jump servers. As a third option, I could have configured a trusted jump server in the DMZ which could access all three tiers. I only use the OpenVPN solution, but there is plenty of room for flexibility. If I run out of virtual server capacity, I can use pfSense’s bridge capability to extend the network to another computer.
I originally developed this when I wanted more than the 2 GB of storage the hosting providers were offering. I figured I could run my own apps and use my own capacity. However, this has proved unnecessary since they have increased their capacity and so many other solutions exist for cloud storage and retrieval. Today, the servers that hosts the DMZ is a lab where I experiment with all sorts of technologies.
Some of the other experiments have been put behind me buut I will explain them briefly. I opened the Secure Shell (SSH) and Squid proxy (Squid). I opened Squid because I noticed the scanners were testing port 80, which is unencrypted web access, to see if it was configured as an open proxy. It turns out people are looking for an open proxy to abuse. I left mine on for several weeks before it got listed on some hacker ‘Open Proxies’ page. Once it was posted, the floodgates were opened. Too bad for them, I routed the proxy through The Onion Router, or Tor for short. Too bad for me, my Squid server was so overwhelmed with connections, it overheated and shutdown.
I also left the SSH server port open. I saw the brute forcers (brutes) attempting to guess a password non-stop so I used a defensive program called ‘denyhosts’ to reject connections from the brutes after so many attempts. One day, one of the brutes mistakenly sent the password list as logins. I got to see what poor passwords were being tried. One password got close to a test account I setup. Well, who hasn’t lazily made a quick and easy password for a test account? I learned from that lesson and set SSH to key authentication only.
I also saw the attack scripts run and perform the standard attacks against PHP, admin tools such as eBox, and scripts. I ran Webmin and Usermin at /webmin and /usermin, respectively, and the attackers never tried for those.
I also setup the Internet Printing Protocol using Apache to reverse proxy the URIs for CUPS so I could send print jobs to my home printer from anywhere. I found that Windows would support HTTPS printing and Linux/Mac did not. Trying to use HTTPS in the IPP URL didn’t work. This was okay since I only needed to print remotely from Windows anyway. For Mac and Linux, I could just VPN in.
So, my first blog entry is about the goofy stuff I have done in my personal time. I am always interested in how other hobbyist tinker with their computers and networks. Comment on what you have done or are currently doing.
- DD-WRT Powers the Home Network (azcrumpty.wordpress.com)
- Home Network Features (azcrumpty.wordpress.com)
- The Onion Router Does Much More (azcrumpty.wordpress.com)