1

If I were to host a website on my home network, I'm opening myself up for a hacker to gain access to my network, even if I use a different machine to host the website.

Ways I've seen vaguely discussed to get around this:

  1. Set up a VLAN
  2. Set up a subnet
  3. Set up a guest account on the router
  4. Use OpenVPN or a similar VPN service

Now, with those...

  1. I don't believe my router is capable of adding a VLAN.
  2. I'm not 100% sure how to set up a subnet...
  3. I've attempted to set up a guest wifi network with a password, but no matter what I do, it keeps telling me it's not active.
  4. Does OpenVPN actually accomplish something similar, to break something off from my main network?

Is there anything else I could do to ensure that a specific machine, in this case hosting a web server, is not able to communicate with the other devices on my network?

1
  • I think your initial presumption is not correct. If you set up your website properly, you won't really expose your home LAN to much threat. It also depends to a large degree on the type of content you are going to host. Say, in case of static websites you can make it pretty secure without too much effort, I believe. Commented Feb 2, 2019 at 10:23

2 Answers

0

Yes, it is possible that a hacker can use an exploit on your web server to gain access to your network. However, if you keep your software up to date with security patches, your risk is extremely low.

That being said, most modern routers/firewalls should have the ability to limit access through access control lists. You can ask your ISP how to do this. If, for some reason, your router is incapable of this, you can replace it with a different router/firewall or simply place a new one between the ISP's and the web server.

Additionally, you should be able to configure the software firewalls on the web server and your other machines to block access.

0

Many home-routers do not support VPNs. You will need routers/switches from a higher segment for that.

The easiest way to add network security in your home is to use a DMZ between two home-routers and a small computer (for example my favorite, the Pi) as webserver.

Such a setup would look like this:

   ______
 _(      )_      a +---------------+ b        c +----------------+ d     +--+
(_Internet_)-------|router provider|------------|internal router |-------|pc|
  (______)         +---------------+   lan1     +----------------+  lan2 +--+
                                 | e
                           +------------+
                           | web server |
                           +------------+

a is the WAN interface of the router that connects you to your provider. This should already be connected. b and e are LAN interfaces on your provider's router.

On your provider's router, you will probably enable DHCP for the LAN, or otherwise you will have to assign static IP addresses. For the webserver, you might use a static IP address (not in the range of the DHCP of the provider's router, but in the same subnet). You will also enable port forwarding of port 80 and 443 to your webserver.

c is the WAN interface of the internal router. Make sure that the WAN interface of this router uses DHCP if you have enabled it on the provider router, or assign a static IP to the WAN interface in the subnet of lan1 (the LAN side of the provider's router).

On the internal router on lan2, you will probably enable DHCP. Make sure that the subnet you use here is different from lan1.

An example on what this might mean for the subnets and IP addresses:

Provider router
         WAN:        83.163.211.192 (as the provider gave me)
         LAN:        192.168.178.1, mask 255.255.255.0
         portforward: 80 and 443 to 192.168.178.10

Web server
         IP address: 192.168.178.10
         netmask:    255.255.255.0
         def. gw:    192.168.178.1

Internal router:
         WAN IP:     192.168.178.254
         WAN mask:   255.255.255.0
         WAN GW:     192.168.178.1

         LAN IP:     192.168.1.1
         LAN mask:   255.255.255.0
                     dhcp-enabled  

You should note, however, that creating a DMZ for your webserver still requires you to keep up with (security) patches on the webserver, and keep a strict security attitude for everything you do on the exposed server. Although this set-up protects your internal home network, it will not completely protect you from attacks and defacing attempts.
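Added example, not part of the answer above: a small Python check that an address plan for this two-router layout is consistent before it is typed into the routers. The addresses are the ones from the answer's example; the DHCP pool range and all dictionary key names are assumptions made for illustration.

```python
import ipaddress

# Values from the example in the answer; the DHCP pool is an assumed, constructed range.
PAGE_PLAN = {
    "provider_lan": "192.168.178.1/255.255.255.0",
    "provider_dhcp_pool": ("192.168.178.20", "192.168.178.200"),  # assumption
    "forward_target": "192.168.178.10",
    "web_ip": "192.168.178.10", "web_gw": "192.168.178.1",
    "internal_wan_ip": "192.168.178.254", "internal_wan_gw": "192.168.178.1",
    "internal_lan": "192.168.1.1/255.255.255.0",
}

def check_dmz_plan(plan):
    """Return a list of problems in a two-router DMZ address plan (empty = consistent)."""
    ip = ipaddress.ip_address
    provider = ipaddress.ip_interface(plan["provider_lan"])
    lan1, gw = provider.network, provider.ip
    lan2 = ipaddress.ip_interface(plan["internal_lan"]).network
    pool_lo, pool_hi = (ip(a) for a in plan["provider_dhcp_pool"])
    problems = []

    # lan2 must not overlap lan1, or the internal router cannot tell its WAN from its LAN.
    if lan1.overlaps(lan2):
        problems.append(f"lan2 {lan2} overlaps lan1 {lan1}")

    statics = {"web server": ip(plan["web_ip"]),
               "internal router WAN": ip(plan["internal_wan_ip"])}
    for name, addr in statics.items():
        if addr not in lan1 or addr in (lan1.network_address, lan1.broadcast_address):
            problems.append(f"{name} {addr} is not a usable host address in lan1 {lan1}")
        if pool_lo <= addr <= pool_hi:
            problems.append(f"{name} {addr} is inside the DHCP pool")
    if len({gw, *statics.values()}) != len(statics) + 1:
        problems.append("duplicate static address on lan1")

    # Both DMZ-side devices must use the provider router as default gateway.
    for name, key in (("web server", "web_gw"), ("internal router", "internal_wan_gw")):
        if ip(plan[key]) != gw:
            problems.append(f"{name} gateway {plan[key]} is not the provider router {gw}")

    # Port forwards for 80/443 must land on the web server, never on a lan2 host.
    if ip(plan["forward_target"]) != statics["web server"]:
        problems.append(f"port forward target {plan['forward_target']} is not the web server")
    return problems

if __name__ == "__main__":
    print(check_dmz_plan(PAGE_PLAN) or "plan is consistent")
```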
