July 5, 2019 So I'm at the point where I'd like to start exposing some services externally. For instance I have a Windows 10 VM running Milestone for my security cameras, and a static IP from my ISP. I want to see the live view from the Milestone Mobile app, so I've port forwarded the two ports Milestone Mobile uses. I also run the UniFi controller docker, and have a couple of external sites I manage, so I've simply port forwarded the couple of ports I needed for that. Should I be handling these situations differently, or is this the best practice from a security standpoint?
July 5, 2019 As long as you only forward ports where the answering service is auditable and trusted, you should be as secure as can be expected. Every exposed application must be monitored, treated as possibly hostile, and you need to keep up with the software authors' recommendations for security. Ideally, the machine hosting the exposed apps should be in a different network segment than your everyday internal stuff, but that's not always doable.
July 5, 2019 (Author) Ok, that's basically where I am. I'm up on my firewalling and VLANing, but I do see a lot of folks using Let's Encrypt and a reverse proxy and I'm not up to speed on those. Would that do anything for me?
July 6, 2019 1 hour ago, Smackover said: Ok, that's basically where I am. I'm up on my firewalling and VLANing, but I do see a lot of folks using Let's Encrypt and a reverse proxy and I'm not up to speed on those. Would that do anything for me? Sort of, for the services where you can use a reverse proxy. Instead of opening up a bunch of ports, one for each app, you only open one port and can keep security audits focused on that port and the LE-enabled NGINX server. However, for uncommon apps like your security cameras, it may not be possible to pass that through NGINX. You will have to research that with the author / company.
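What the reply above describes, as an added example that is not from the thread or from any of the projects mentioned: one public listener on 443, TLS from Let's Encrypt, and routing by hostname to an internal HTTP(S) service. The hostname unifi.example.com, the controller address 127.0.0.1:8443 (the UniFi controller's default HTTPS port), the webroot /var/www/letsencrypt, and the certbot certificate paths are assumptions for illustration.

```nginx
# Added example, not from the thread. Single exposed port (443), TLS from
# Let's Encrypt, hostname-based routing. Assumed: unifi.example.com,
# UniFi controller on 127.0.0.1:8443, certbot's default certificate paths.

# Pass WebSocket upgrades through (the UniFi UI relies on them).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Port 80 only answers ACME http-01 challenges; everything else is redirected.
server {
    listen 80 default_server;
    server_name _;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# Catch-all on 443: requests for unknown hostnames are dropped (444 closes the
# connection) instead of being forwarded to any backend.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/letsencrypt/live/unifi.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/unifi.example.com/privkey.pem;
    return 444;
}

server {
    listen 443 ssl;
    server_name unifi.example.com;

    ssl_certificate     /etc/letsencrypt/live/unifi.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/unifi.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # One port, one log: this is what the audit effort gets focused on.
    access_log /var/log/nginx/unifi.access.log;

    location / {
        # The controller presents its own self-signed certificate; nginx does
        # not verify upstream certificates unless proxy_ssl_verify is enabled.
        proxy_pass https://127.0.0.1:8443;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}
```

Only HTTP(S) applications fit behind this: the controller's device-inform traffic and the camera app's non-HTTP ports are not covered, which is the caveat the reply makes about uncommon apps. Test with `nginx -t` before reloading, and keep the port-80 listener only for the ACME challenge and the redirect.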
July 12, 2019 On 7/5/2019 at 5:36 PM, Smackover said: So I'm at the point where I'd like to start exposing some services externally. For instance I have a Windows 10 VM running Milestone for my security cameras, and a static IP from my ISP. I want to see the live view from the Milestone Mobile app, so I've port forwarded the two ports Milestone Mobile uses. I also run the UniFi controller docker, and have a couple of external sites I manage, so I've simply port forwarded the couple of ports I needed for that. Should I be handling these situations differently, or is this the best practice from a security standpoint? Why not access the VM via VNC? More secure than port forwarding. Edited July 12, 2019 by Fiservedpi
August 19, 2019 On 7/12/2019 at 12:49 PM, Fiservedpi said: Why not access the VM via VNC? More secure than port forwarding. VNC is not secure and should never be exposed to the internet unless you use next-gen firewalls like Palo Altos.
August 21, 2019 Exposing Unraid's default SSH config to the internet for tunnelling is one of the worst ideas, because when compromised, it gives the attackers "trusted" status on the LAN, dockers, VMs, and data.
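The post above is about a default sshd configuration being exposed. As an added example, not from the thread and not Unraid's own tooling, here is a POSIX shell audit of an sshd_config against a small hardening baseline (no root login, key-only authentication, no X11 forwarding). It honours two sshd parsing rules that hand-inspection often misses: the first value set for a keyword wins, and settings under a Match block are conditional. The two sample configs are constructed for the example; the "default-like" one is not Unraid's actual file. The `Keyword=value` spelling is not handled.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an sshd_config against a
# hardening baseline. Assumes POSIX sh and awk; sample configs are constructed.

# get_directive FILE KEYWORD DEFAULT
# Prints the effective value of KEYWORD: the FIRST non-comment occurrence,
# because sshd keeps the first value it reads. Stops at the first Match
# block, since values there only apply conditionally. Falls back to DEFAULT
# (sshd's built-in default) when the keyword is not set at all.
get_directive() {
    awk -v key="$2" -v def="$3" '
        tolower($1) == "match"        { exit }   # conditional section; stop
        /^[ \t]*#/ || NF == 0         { next }   # comment or blank line
        tolower($1) == tolower(key)   { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE
# Prints PASS/FAIL per check; returns the number of failed checks.
audit_sshd_config() {
    file="$1"; fails=0
    # keyword|sshd built-in default|hardened value
    for check in \
        "PermitRootLogin|prohibit-password|no" \
        "PasswordAuthentication|yes|no" \
        "PermitEmptyPasswords|no|no" \
        "PubkeyAuthentication|yes|yes" \
        "X11Forwarding|no|no"
    do
        key=${check%%|*}; rest=${check#*|}
        def=${rest%%|*};  want=${rest#*|}
        have=$(get_directive "$file" "$key" "$def")
        if [ "$have" = "$want" ]; then
            printf 'PASS %s=%s\n' "$key" "$have"
        else
            printf 'FAIL %s=%s (want %s)\n' "$key" "$have" "$want"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample resembling a stock file: everything commented out, so
# sshd's built-in defaults apply (root login by key, passwords accepted).
make_default_config() {
    cat > "$1" <<'EOF'
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
#X11Forwarding no
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

# Constructed hardened sample. The duplicate PasswordAuthentication line and
# the Match block must NOT override the hardened values above them.
make_hardened_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}

demo() {
    tmp=$(mktemp -d)
    make_default_config  "$tmp/default.conf"
    make_hardened_config "$tmp/hardened.conf"
    for f in default hardened; do
        printf '== %s ==\n' "$f"
        audit_sshd_config "$tmp/$f.conf" || printf '%s check(s) failed\n' "$?"
    done
    rm -rf "$tmp"
}

# Run with --demo to audit the two constructed samples.
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh audit.sh --demo`, or point `audit_sshd_config` at `/etc/ssh/sshd_config` on the host. A FAIL on PermitRootLogin or PasswordAuthentication means the exposed port accepts exactly the credentials that get brute-forced, which is the scenario the post describes.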