Advertisement

How secure is it to host a server from home?

Started by March 20, 2016 03:06 PM
4 comments, last by Acar 8 years, 8 months ago

Hello people. I've been working on a server application for a while and I'd like to open it to public for some tests. Although I have absolutely no idea if it is secure to do it from home. I believe I need to mention that the machine I'll be hosting the server at home will have all the source/binary files. Is there a possibility of someone "hacking" into my machine and having access to files in it just by knowing the ip of the machine?

<Obligatory Clinton joke>


Although I have absolutely no idea if it is secure to do it from home.

The physical location of the machine is entirely unimportant. Security is about configuration, surface area, patches, and monitoring. Securing a server is difficult but it's a good skill to learn, particularly when it's unlikely that anyone actually wants to hack you. But:


Is there a possibility of someone "hacking" into my machine and having access to files in it just by knowing the ip of the machine?

Absolutely yes.

Our code server is configured with an absolute minimum number of services, and the services that do run are running off non-standard ports. Root logins are disabled, and other logins are only for whitelisted usernames and only via private key authentication. Access to the server itself is based off whitelisting, and there are a few misc tools like fail2ban running that monitor for suspicious activity. Most of these choices are focused around minimizing the surface area for an attack, and making it difficult to even find the server. The more a server has to advertise itself to the world and provide services, the harder these things get.

SlimDX | Ventspace Blog | Twitter | Diverse teams make better games. I am currently hiring capable C++ engine developers in Baltimore, MD.
Advertisement

That depends on the software running on the machine.

For example, if that machine is also the machine you use for your movie streaming, Torrent sharing, and WiFi light control, then the security of that machine i only as good as the weakest of those services. Also, if it's running Windows and you forget to turn off file sharing, well, file sharing will be on for the Internet.

This is why publicly visible servers will typically turn off or, even better, remove software and services that aren't needed. The best way to start is to start with a machine that doesn't expose any single port. Then you open up only the services/ports that are absolutely needed. For a Linux web server, that might be port 22 (for SSH administration) and 80 and 443 (for the actual HTTP / HTTPS server) and that's it! And if you host the machine inside a firewall with reverse NAT, port 22 can be firewalled off so the greater Internet can't see it.

So let's assume this is a dedicated machine. Let's assume you host it by turning on port forwarding on your home router, saying that port 12345 (or whatever) forwards to that server, and nothing else forwards to that server. Your home router will then be doing the reverse NAT, like a load balancer would do in a data center, but on a small scale. Now, the only thing you need to worry about is your own program. If your own program has perfect network code, with no buffer overruns, and every packet fully authenticated (so a client can't send packets out-of-order,) then it should be okay to open that up to the internet. After all, that's what every internet service has to do in the end.

If on the other hand, your server is hosted using the router DMZ function (all incoming connections to an IP goes to that server,) then you have the problem of any service you're using on the machine being potentially vulnerable to the Internet. If you have build tools on that machine (source code and compilers,) then what update mechanism do those tools use? What debugging mechanism do those tools use? Do you run file sharing to get to the files? Does the operating system have a RPC mechanism turned on? You'll have to run nmap against your own server to see what's open, BEFORE you decide to open it up to the internet.

Finally -- someone copying your source code might feel bad, but is probably not a really big deal, unless your game is inherently insecure and depends on security through obscurity. However, someone sabotaging your machine and changing/removing the source code would be worse. I hope you already are pushing your code to a remote git repo or something every day -- that's just common sense. But, 95% of internet attacks are automatic or semi-automatic botnets that just want to use your machine to send spam email and DDOS websites for money. They don't actually care what's on your machine, except that they insert their own service to also run on the machine. It's still bad to get hacked, becuse that mal-behavior may get you kicked off your ISP, will consume resources, and will make your machine (and you) look like a douchebag on the internet, but the biggest threat is not to your source code.

enum Bool { True, False, FileNotFound };

So let's assume this is a dedicated machine. Let's assume you host it by turning on port forwarding on your home router, saying that port 12345 (or whatever) forwards to that server, and nothing else forwards to that server. Your home router will then be doing the reverse NAT, like a load balancer would do in a data center, but on a small scale. Now, the only thing you need to worry about is your own program. If your own program has perfect network code, with no buffer overruns, and every packet fully authenticated (so a client can't send packets out-of-order,) then it should be okay to open that up to the internet. After all, that's what every internet service has to do in the end.

That is the method I've been using.

What I got from both replies is unless there's a service or a software running on the machine that would enable file monitoring/transfer it's very unlikely for someone to do anything unintended.

Also note that your ISP can kick you off for hosting a server on a private home line.Comcast kicked me off for hosting game servers with 30~ people back in the mid 2000's.

Thanks for the heads up. I'm aiming for 10-15 people tops and paying extra for the static ip so hopefully that won't happen.

This topic is closed to new replies.

Advertisement