Web server or FTP server and D+

Does anyone know the risks of running a web server or FTP server on a home computer?

I know the NTFS permissions, I use them. But I don’t understand the security implications of having a web server or ftp server.

Let’s take the case of my Web or FTP server. The main folders are called Root on the C:\ volume. Inside the folders are my files. The FTP folder is almost empty but I have several links to other folders in my document profile folder.

The folders have NTFS settings. It is a protection against other users on my computer and other computers on my LAN. Now what about people (good or bad) trying to access my server web/ftp over the internet. Do the NTFS permissions apply as protection or not anymore?

How do you best protect your machine’s content from damage (hackers, etc.) when you run a web server on your personal computer? I was thinking of using the Protect file/folder function in D+. Does it make sense? Specifically my question is: in what manner can I protect the content (not the access, since access is the firewall part) from being damaged, modified or used to access other folders on my computer, let’s say if someone could bypass the firewall? Does it make sense?

The way I understand it, there are 2 types of dangers:
a. attempt to block your web site: DOS attack - this is firewall related
b. attempt to enter your computer by gaining elevated privileges

Is that correct?

Thanks

What does this have to do with D+?

If you need to run a server that will be publicly accessible, the best way is to place that PC in a DMZ (de-militarized zone) so it is publicly accessible but segregated from the rest of your LAN.

If you must place a publicly accessible server on a LAN PC, please ensure that your server software is fully patched and you have adequate router firewall rules and CIS rules to restrict access.

Do this BEFORE you worry about locking folders.

Cheers,
Ewen :slight_smile:

DMZ won’t do, I have only one router.
Agreed: Firewall and patched server.
My question is can D+ act as a security measure in case of an intrusion (e.g. using my protect file function for my root folders) or this is not advisable?
Thanks

Double check the capabilities of your router. Some routers provide a DMZ function for a single internal IP.

Can D+ act as sufficient security for a web facing server?

In theory yes, but I have to say I haven’t done a similar test in this scenario. I would still feel more comfortable having the publicly accessible bits absolutely segregated from the rest of the LAN. That is best practice, but best practice doesn’t always live in the real world. :wink: Interesting concept to lock down a server, though.

Cheers,
Ewen :slight_smile:

Not mine, but I will definitely check for this feature when I will replace it.

Can D+ act as sufficient security for a web facing server?

The scenario is IF someone manages to bypass your security and breach into your system. I don’t think D+ will prevent such event as is. After all, D+ monitors applications, not access rights. So what setting could I implement on D+ to, by example, limit an intruder access to my Root - ftp/web folders only?

This is just a scenario. I am not sure if it is even realistic? If anyone has an idea, feel free to answer.

DMZ may also be called exposed host.

News

There is a DMZ option. I can probably input 1 IP address. The router browser setting page and the help file are in Japanese characters, so it takes some time to find my way.

3 PCs + 1 print server. Shared folders. 1 PC is the server. I assume if I enter the IP of the server, it cannot communicate with the rest of the LAN? How does it work practically? The router diverts the IP address in the DMZ from the rest of the LAN?

PS: Is there a serious risk running a private ftp server/web server + router + csi on a PC on the LAN? I have heard it is dangerous with IIS up to IIS 6-7. I use Apache. What kind of threat can I expect? DOS? Thanks.

Bump anyone

DMZ on a home LAN works like this:

ASSUMPTIONS
192.168.1.2 is your internal PC that will act as a server
192.168.1.1 is the internal LAN address of your router
200.200.200.200 is the public IP address of your connection
100.100.100.100 is an external computer

  1. Router has 192.168.1.2 entered in the DMZ configuration table

  2. 100.100.100.100 attempts to contact the server located at 200.200.200.200

  3. 200.200.200.200 receives the incoming request, checks the DMZ table, modifies the destination address of the packets, passes it off to 192.168.1.1 which sends it off to 192.168.1.2

  4. Server at 192.168.1.2 receives the incoming request, satisfies it and sends the return data

  5. 192.168.1.1 receives the return packet from 192.168.1.2, modifies the address in the packets, hands it over to 200.200.200.200 which forwards it back out to 100.100.100.100

  6. Repeat steps 1 to 5 really, really, really quickly :wink:

PS: Is there a serious risk running a private ftp server/web server + router + csi on a PC on the LAN? I have heard it is dangerous with IIS up to IIS 6-7. I use Apache.

If you have CSI on your side, there is little to fear - they’re cops and have guns. If, OTH, you mean CIS (Comodo Internet Security) it’s still pretty tough, but it doesn’t have a gun. :wink:

If your server is fully patched and your CIS is properly configured, you’re as safe as you can be, short of pulling the cable out. There is no such thing as perfect security, but taking reasonable steps to safeguard the perimeter (router) and interior (PC running the server software) is good practice.

What kind of threat can I expect? DOS? Thanks.

Third rule of Fight Club - expect the unexpected. Keep your eyes out for anything out of the ordinary - unexpected high levels of traffic to/from an unusual port, unexpectedly high resource usage on the server, that kind of thing.

Know your environment.
Be vigilant.
Err on the side of caution.
Take some benchmarks now, before it goes online.
This makes it easier to tell when it’s not right.

Cheers,
Ewen :slight_smile:

Let’s expand the example:
192.0.0.1 is the router and forwards port 80 to 192.0.0.3 (the server)
192.0.0.2, 192.0.0.3, 192.0.0.4 are communicating on the LAN (exchange files/folder) and they also communicate with 192.0.0.5 the print server.

Q1. I assume if 192.0.0.3 is set in the DMZ Zone, communication with the rest of the LAN is cut? The router will differentiate the computers behind the LAN with the machine isolated in the DMZ?

Q2. Slightly out of topic: If I am not ready to trade usability for security, is there a way to bridge the machine in the DMZ with the other machines on the LAN, knowing they all share the same router? I guess the answer is no. It would need 2 routers for that, and bridging them would somewhat defeat the security purpose ?

It depends on the router. If it is just doing port forwarding, then the rest of your LAN will still be able to communicate. If your router creates a true DMZ, then the PC in the DMZ can only communicate with the router.

Q2. Slightly out of topic: If I am not ready to trade usability for security, is there a way to bridge the machine in the DMZ with the other machines on the LAN, knowing they all share the same router? I guess the answer is no. It would need 2 routers for that, and bridging them would somewhat defeat the security purpose ?

You guessed correctly. :wink:

Cheers,
Ewen :slight_smile:

Thank you Panic