Information Security
Igor, 2021-06-08 04:56:12

How to secure your home network and server?

Hello!
I am a novice system administrator and the other day I saw an ad for the sale of a server with a tasty price. 2xE5649, 24GB RAM, 5x149GB SAS 10K for only 6k forever wooden and I thought why not put my own server at home in order to do my experiments not on my home computer with important information. The server will host FTP (to share files with friends), a couple of sites with their own FTP, MAIL, sometimes host game servers and some near-IoT projects in the future.

When I installed an FTP server on Windows using Serv-U, I could sometimes observe strange activity - from 3 to 30 external IPs that were NOT connected with services or software on my computer were hammering at me. Some fell off after 1-2 authorization timeouts, some could hang for hours. If I'm not mistaken, this is due to some regions that my provider throws out to ("black and white" IP, it may not change for a year and a half, or it may change 6 times a week and there is no connection with the uptime of the router / PC), because on some IPs someone constantly hammered at me, and on some there is silence, regardless of the date and time. I could be wrong, of course, but I don't have much experience.

In this regard, I decided to play it safe, which means I ask for any recommendations or instructions for hard isolation of both projects on the server and the server itself from other members of the local network, as well as information or tips on various security software. At the moment, my connection scheme is as follows:
Router (MikroTik hAP lite)
↪ Wi-Fi for phones
↪ Computer 1 (hereinafter UserPC)
↪ Server → Computer 2 (hereinafter MainPC)
↪ Android set-top box

Details of the network and plans:
• MainPC manages via SFTP server.
• UserPC has a shared folder for LAN, implemented by Windows, to share files with MainPC.
• Android set-top box communicates with the hard disk on UserPC, but in principle this connection can be cut off; it is not fundamentally important.
• Not implemented yet, because the server will only be on hand one of these days, but direct (or not so direct) access from the server to files on the hard drive in MainPC is planned. It is in this order: User (naturally, authorized) - Server - Files on MainPC.
• Server OS: Debian 10 or Ubuntu 20.04.2 Server. Debian is preferred because I have worked with it the most.
• Maybe I'll hit Webmin, because I have a weakness for convenient and aesthetic GUI panels.
• LAMP, Python, FTP, SFTP and other standard things.

It is highly undesirable for someone who happens to bypass the mediocre protection of the stock Apache to gain access to, say, the folder shared with UserPC, or to infect the entire network with who knows what, because in this case there is a risk of losing important data that at the moment simply cannot be secured, neither by the cloud nor by copying to physical media that will not be connected to the local network. I will consider any proposal with gratitude, including redundant ones (in software), because this is experience, and it is priceless.

PS Just in case I will add. It is also possible to add an active switch to the chain with the MainPC and the server, i.e. instead of this:
Router (MikroTik hAP lite)
↪ Server → Computer 2 (hereinafter MainPC)
It will be like this:
Router (MikroTik hAP lite)
↪ Switch
↪ Computer 2 (hereinafter MainPC)
↪ Server

This way you can exclude additional server settings, but I'm not sure that this has weight when planning network security.

PPS All PCs are on Windows only, even the main one from which control is carried out. It is not possible to put Linux on it in parallel.


2 answer(s)
AntHTML, 2021-06-08
@anthtml

DMZ on a hardware MikroTik and CHR on a virtual machine for experiments, so as not to be left without the Internet because of them.

Andrey Barbolin, 2021-06-08
@dronmaxman

Blocking port scans
https://monovm.com/blog/how-to-block-port-scanner-...
Blocking RDP enumeration as an example.
www.admblog.ru/mikrotik-bruteforce-block
There is also port knocking, for the paranoid.
https://wiki.mikrotik.com/wiki/Port_Knocking
The toughest access restrictor - VPN
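
The port-scan and brute-force blocking that the answer above links to, sketched as RouterOS firewall rules for the asker's forwarded FTP service. This is an added example, not part of the original answer or the linked articles. It assumes the WAN interface is ether1 and that tcp/21 is dst-nat'ed to the server; the address-list names and timeouts are illustrative.

```routeros
# Added example. Assumptions: WAN is ether1, FTP control port tcp/21 is
# dst-nat'ed to the server; list names and timeouts are illustrative.
/ip firewall filter

# 1. Port-scan detection with the "psd" matcher: weight threshold 21,
#    3 s delay window, weight 3 for ports below 1024, weight 1 for higher ports.
add chain=input in-interface=ether1 protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w comment="flag port scanners"
add chain=input in-interface=ether1 src-address-list=port_scanners \
    action=drop comment="drop flagged scanners (router)"
add chain=forward in-interface=ether1 src-address-list=port_scanners \
    action=drop comment="drop flagged scanners (server/LAN)"

# 2. Staged limit on NEW FTP control connections forwarded to the server.
#    add-src-to-address-list does not stop rule processing, so the rules are
#    ordered from the highest stage down: one connection climbs one stage.
add chain=forward in-interface=ether1 protocol=tcp dst-port=21 \
    src-address-list=ftp_blacklist action=drop \
    comment="drop blacklisted FTP sources"
add chain=forward in-interface=ether1 protocol=tcp dst-port=21 \
    connection-state=new src-address-list=ftp_stage3 \
    action=add-src-to-address-list address-list=ftp_blacklist \
    address-list-timeout=10d comment="4th new connection: blacklist"
add chain=forward in-interface=ether1 protocol=tcp dst-port=21 \
    connection-state=new src-address-list=ftp_stage2 \
    action=add-src-to-address-list address-list=ftp_stage3 \
    address-list-timeout=1m comment="3rd new connection"
add chain=forward in-interface=ether1 protocol=tcp dst-port=21 \
    connection-state=new src-address-list=ftp_stage1 \
    action=add-src-to-address-list address-list=ftp_stage2 \
    address-list-timeout=1m comment="2nd new connection"
add chain=forward in-interface=ether1 protocol=tcp dst-port=21 \
    connection-state=new \
    action=add-src-to-address-list address-list=ftp_stage1 \
    address-list-timeout=1m comment="1st new connection"
```

`add` appends to the end of the chain, so these rules have to be moved above any existing rule that accepts the forwarded FTP traffic. The stages count new connections, not failed logins, so a legitimate client that reconnects four times within the one-minute windows is blacklisted as well.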
