Things have been very busy around here while I transition from my old position to my new one. Hence, postings may be few and far between.
+ + +
Insert disclaimer here. YMMV. Use at your own risk.
Now that I've finished working on my media PC, I think I'll start working on getting my home web server project re-started. As you may remember, I'm spending hundreds of dollars per year paying pair.com to host my site.
Although I get reasonably good service for my money, it's still rather expensive to keep this site going. Hence, I've been trying to see how I can host my own site from home.
The biggest problem, other than not having a lot of time to work on it, is not knowing enough on how to set-up not only the web server, but the entire home network in a way that will provide a level of security against hackers.
By that I include the router/firewall, the web server and its operating systems and software, and the internal network.
For the router/firewall, it's possible to open a port and forward traffic to a specific PC inside my network. The problem is, is that the best way to do it? By opening a port, you are announcing to the world, and all the hackers therein, that your PC exists. That is, your network is no longer stealthed and will respond to various scans. Once the script kiddiez know your address, they will come knocking.
If the kidz should get in, your entire network could be compromised because, in this configuration, the web server is behind your firewall.
From what I understand, some routers have another way of giving access to a server (it also appears to be a much less secure way). It is called a DMZ (short for demilitarized zone), that is, the router opens all ports to a PC, but only this PC. While this may solve some problems, as far as I know, it is the same as not having a firewall. Again, the kidz will want to come and play.
A better way of protecting a PC, whether it is port forwarded to or is in a DMZ, is to chain two routers/firewalls. That is, have a router/firewall in front of the web server PC, then another router behind that first router that routes traffic to your internal network. That way, the server is somewhat protected by the first router (assuming here you are port forwarding and not using a DMZ), and the rest of your network is protected by the second (assuming here all ports on the second router/firewall are stealthed and all other applicable security practices are in place). Hence, even if your server PC is hacked, all else being equal, your internal network should be relatively secure.
I am open to suggestions for other configurations so leave me a comment or email me if you can think of a better way of doing it. A tip of the hat to Gibson Research for the suggestion (link to Multi-Nat Router page).
Aloha!