Secure way to host a public server

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Secure way to host a public server

dt

1152 posts

Uber Geek
Inactive user

#242898 19-Nov-2018 14:06

Hi, I looking at throwing up an old quake world server for the community and was wondering the most secure was to do this?

Im just using a residential Orcon connection so only have one public facing address.. I'm using a pfsense firewall and thought perhaps I could setup a separate VLAN to put the server on and port forward to that server keeping it outside of my home network

If that is completely wrong, you have probably already guessed I have no idea what im doing here :) but i'm a computer/network hobbyist so would like to give whatever is suggested as best practice for my type of setup

or am I being paranoid that someone might gain access to my network by knowing my IP address?

Cheers,

Coil

6614 posts

Uber Geek
Inactive user

#2129446 19-Nov-2018 14:24

I have hosted a few game servers from home in past years. Was mainly minecraft, COD, GMod and a few others.
By simply knowing your IP people can't do a whole lot. I could do a DOS attack and flood your network but other than that I couldn't do much myself.
Seemed to work fine. I would suggest you use No-IP if you are concerned. AFAIK they mast your IP with a subdomain but anyone with wireshark could probably see past that.

Cheers

chevrolux

4962 posts

Uber Geek
Inactive user

#2129447 19-Nov-2018 14:26

Sticking it on a separate VLAN is a good start. Then make some firewall rules to not allow traffic from that subnet to your main subnet.

Andib

1364 posts

Uber Geek

ID Verified

Trusted

#2129488 19-Nov-2018 15:11

Coil:

I have hosted a few game servers from home in past years. Was mainly minecraft, COD, GMod and a few others.
By simply knowing your IP people can't do a whole lot. I could do a DOS attack and flood your network but other than that I couldn't do much myself.
Seemed to work fine. I would suggest you use No-IP if you are concerned. AFAIK they mast your IP with a subdomain but anyone with wireshark could probably see past that.

Cheers

noip just gives you a CNAME, It offers no protection against DOS attacks etc.

<#
.DISCLAIMER
Anything I post is my own and not the views of my past/present/future employer.
#>

vulcannz

436 posts

Ultimate Geek
Inactive user

#2129737 19-Nov-2018 18:33

Coil:

I have hosted a few game servers from home in past years. Was mainly minecraft, COD, GMod and a few others.
By simply knowing your IP people can't do a whole lot. I could do a DOS attack and flood your network but other than that I couldn't do much myself.
Seemed to work fine. I would suggest you use No-IP if you are concerned. AFAIK they mast your IP with a subdomain but anyone with wireshark could probably see past that.

Cheers

If a firewall is half decent you can just enable connection limits per IP, that tends to inhibit DoS attacks. If you're hosting NZ mates, geo-ip filtering is a good idea as well.

vulcannz

436 posts

Ultimate Geek
Inactive user

#2129738 19-Nov-2018 18:33

Coil:

I have hosted a few game servers from home in past years. Was mainly minecraft, COD, GMod and a few others.
By simply knowing your IP people can't do a whole lot. I could do a DOS attack and flood your network but other than that I couldn't do much myself.
Seemed to work fine. I would suggest you use No-IP if you are concerned. AFAIK they mast your IP with a subdomain but anyone with wireshark could probably see past that.

Cheers

If a firewall is half decent you can just enable connection limits per IP, that tends to inhibit DoS attacks. If you're hosting NZ mates, geo-ip filtering is a good idea as well.

dt

1152 posts

Uber Geek
Inactive user

#2130130 20-Nov-2018 11:39

Ok will give setting up another vlan a crack with no access to the home network.

Are there any other suggestions?

Every time i've tried connecting to a quake server using a dns name it always shows the IP address during the connection i.e connect my.quakeserver.com > connecting to xxx.xxx.xxx.xxx

In this case would it still show my IP address or an IP address of NOIP? also all the quake server browsers show the IP addresses rather than hostnames? Maybe just an old quake thing?

chevrolux

4962 posts

Uber Geek
Inactive user

#2130136 20-Nov-2018 11:48

Unless No-IP proxy to your server (which I highly doubt they would want to do for free), it's always going to show your IP address. But don't get caught up on that, just understand that if you have a public server, your IP is quite easily found - it's just how it is.

As @vulcannz said, some rules to drop IP's that attempt TCP floods and port scanners are a good idea to slow down normal DoS attacks, but never full proof. Some hardware accelerated routers can deal with things a bit better when the CPU doesn't need to be involved - something you can't avoid with pfSense.

But just go for it, worst that can happen is you get DDoS'd, your ISP gets grumpy, you say sorry and shut down the server.

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

timmmay

20592 posts

Uber Geek

Trusted

Lifetime subscriber

#2130139 20-Nov-2018 11:50

IP addresses are public. You're just trying to obfuscate yours to specific users. All IPs are likely scanned constantly, and a new server that comes up on the internet without recent patches can be compromised within 60 seconds.

I'd be fairly careful putting a public server on your network.

SpartanVXL

1323 posts

Uber Geek

#2130147 20-Nov-2018 11:59

Are you hosting it just for Aus/NZ? Geo filtering is a good way to drop the majority of crap that comes in. Otherwise vlan the server off and make sure you're not running anything with elevated permissions.

dt

1152 posts

Uber Geek
Inactive user

#2130205 20-Nov-2018 12:51

timmmay:

IP addresses are public. You're just trying to obfuscate yours to specific users. All IPs are likely scanned constantly, and a new server that comes up on the internet without recent patches can be compromised within 60 seconds.

I'd be fairly careful putting a public server on your network.

It's certainly a concern of mine, I don't want to compromise my families safety just so a few randoms have a free place to blow off a bit of steam after work :)

You've got me worried now, I might just bite the bullet and go with a VPS that someone here has kindly offered to provide relatively cheap as its for the community.

SpartanVXL: Are you hosting it just for Aus/NZ? Geo filtering is a good way to drop the majority of crap that comes in. Otherwise vlan the server off and make sure you're not running anything with elevated permissions.

Yep just NZ/AU so great idea about Geo filtering, I would have gone down that route

Coil

6614 posts

Uber Geek
Inactive user

#2130248 20-Nov-2018 13:31

Andib:

Coil:

I have hosted a few game servers from home in past years. Was mainly minecraft, COD, GMod and a few others.
By simply knowing your IP people can't do a whole lot. I could do a DOS attack and flood your network but other than that I couldn't do much myself.
Seemed to work fine. I would suggest you use No-IP if you are concerned. AFAIK they mast your IP with a subdomain but anyone with wireshark could probably see past that.

Cheers

noip just gives you a CNAME, It offers no protection against DOS attacks etc.

I never said it did give protection, it just provides an alternative to an IP to give out...

vulcannz:

Coil:

I have hosted a few game servers from home in past years. Was mainly minecraft, COD, GMod and a few others.
By simply knowing your IP people can't do a whole lot. I could do a DOS attack and flood your network but other than that I couldn't do much myself.
Seemed to work fine. I would suggest you use No-IP if you are concerned. AFAIK they mast your IP with a subdomain but anyone with wireshark could probably see past that.

Cheers

If a firewall is half decent you can just enable connection limits per IP, that tends to inhibit DoS attacks. If you're hosting NZ mates, geo-ip filtering is a good idea as well.

Your router will still be dead if I did a DOS attack on your IP. No firewall exception will stop that.

You've got me worried now, I might just bite the bullet and go with a VPS that someone here has kindly offered to provide relatively cheap as its for the community.

VPS is the best idea.. Someone else issue and not yours!

xpd

Geek @ Coastguard NZ
13771 posts

Uber Geek

Retired Mod

ID Verified

Trusted

Lifetime subscriber

#2130253 20-Nov-2018 13:38

Coil:

VPS is the best idea.. Someone else issue and not yours!

Or have a friend host it on his connection so if any DDOS does appear, my connection is fine ;) Not that I'd ever do that....... (walking away whistling)

Gavin / xpd / FastRaccoon / Geek of Coastguard New Zealand

LinkTree

Coil

6614 posts

Uber Geek
Inactive user

#2130255 20-Nov-2018 13:43

xpd:

Coil:

VPS is the best idea.. Someone else issue and not yours!

Or have a friend host it on his connection so if any DDOS does appear, my connection is fine ;) Not that I'd ever do that....... (walking away whistling)

Whats the IP again? Just gonna go re open the botnet and do some stress testing.

vulcannz

436 posts

Ultimate Geek
Inactive user

#2130576 20-Nov-2018 19:35

PM'd. Let me know when you do it, I'd like to watch what happens.