Smackover

Need to start exposing services to the internet


So I'm at the point where I'd like to start exposing some services externally. For instance I have a Windows 10 VM running Milestone for my security cameras, and a static IP from my ISP. I want to see the live view from the Milestone Mobile app, so I've port forwarded the two ports Milestone Mobile uses. I also run the UniFi controller docker, and have a couple of external sites I manage, so I've simply port forwarded the couple of ports I needed for that. Should I be handling these situations differently, or is this the best practice from a security standpoint?


As long as you only forward ports where the answering service is auditable and trusted, you should be as secure as can be expected.


Every exposed application must be monitored, treated as possibly hostile, and you need to keep up with the software authors' recommendations for security.


Ideally, the machine hosting the exposed apps should be in a different network segment than your everyday internal stuff, but that's not always doable.


Ok, that's basically where I am. I'm up on my firewalling and VLANing, but I do see a lot of folks using Let's Encrypt and a reverse proxy and I'm not up to speed on those. Would that do anything for me?

1 hour ago, Smackover said:

Ok, that's basically where I am. I'm up on my firewalling and VLANing, but I do see a lot of folks using Let's Encrypt and a reverse proxy and I'm not up to speed on those. Would that do anything for me?

Sort of, for the services where you can use a reverse proxy. Instead of opening up a bunch of ports, one for each app, you only open one port and can keep security audits focused on that port and the LE-enabled NGINX server. However, for uncommon apps like your security cameras, it may not be possible to pass that through NGINX. You will have to research that with the author / company.

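As an added illustration of the single-port reverse-proxy setup described in the reply above (this is example configuration, not something posted in the thread or shipped by Unraid or NGINX): one NGINX instance owns the only forwarded ports, 80 and 443, terminates TLS with a Let's Encrypt certificate, and forwards each hostname to one internal app. The hostnames (unifi.example.com, site.example.com), the internal addresses (192.168.10.20:8443 for the UniFi controller, 192.168.10.30:8080 for a second web app) and the assumption that the controller serves its own self-signed certificate on 8443 are all placeholders; the certificate paths are certbot's defaults.

```nginx
# Added example, not from the thread. All hostnames and internal
# addresses below are assumed placeholders.

# Anything hitting the proxy by bare IP or an unknown hostname (port
# scanners, mass crawlers) gets the TLS handshake rejected outright.
# ssl_reject_handshake needs NGINX 1.19.4 or newer.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
    return 444;
}

# Port 80 stays open only for the Let's Encrypt HTTP-01 challenge;
# everything else is bounced to HTTPS.
server {
    listen 80;
    server_name unifi.example.com site.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# UniFi controller web UI. The controller listens with its own
# self-signed certificate on 8443 (assumed), so NGINX speaks HTTPS to
# it and cannot verify that certificate against a CA.
server {
    listen 443 ssl http2;
    server_name unifi.example.com;

    ssl_certificate     /etc/letsencrypt/live/unifi.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/unifi.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # One log per exposed app keeps the audit trail the reply mentions
    # in a single, predictable place on the proxy host.
    access_log /var/log/nginx/unifi.access.log;

    location / {
        proxy_pass https://192.168.10.20:8443;
        proxy_ssl_verify off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # The UI pushes live updates over WebSockets, which need the
        # Upgrade headers passed through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# A second, plain-HTTP web app behind the same two forwarded ports.
server {
    listen 443 ssl http2;
    server_name site.example.com;

    ssl_certificate     /etc/letsencrypt/live/site.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
    access_log /var/log/nginx/site.access.log;

    location / {
        proxy_pass http://192.168.10.30:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With this in place the router forwards only 80 and 443 to the proxy host; the apps themselves are reached solely from the proxy's internal address, so patching, logging and rate limiting all concentrate on one service. Apps that speak their own non-HTTP protocol, such as the camera software's mobile ports mentioned above, cannot be fronted this way and still need their own forwarding rules.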
On 7/5/2019 at 5:36 PM, Smackover said:

So I'm at the point where I'd like to start exposing some services externally. For instance I have a Windows 10 VM running Milestone for my security cameras, and a static IP from my ISP. I want to see the live view from the Milestone Mobile app, so I've port forwarded the two ports Milestone Mobile uses. I also run the UniFi controller docker, and have a couple of external sites I manage, so I've simply port forwarded the couple of ports I needed for that. Should I be handling these situations differently, or is this the best practice from a security standpoint?

Why not access the VM via VNC? More secure than port forwarding.

Edited by Fiservedpi

On 7/12/2019 at 12:49 PM, Fiservedpi said:

Why not access the VM via VNC? More secure than port forwarding.

VNC is not secure and should never be exposed to the internet unless you use next-gen firewalls like Palo Altos.


Exposing Unraid's default SSH config to the internet for tunnelling is one of the worst ideas, because when it is compromised, it gives the attackers "trusted" status on the LAN, dockers, VMs, and data.

