Smackover, posted July 5, 2019:
So I'm at the point where I'd like to start exposing some services externally. For instance I have a Windows 10 VM running Milestone for my security cameras, and a static IP from my ISP. I want to see the live view from the Milestone Mobile app, so I've port forwarded the two ports Milestone Mobile uses. I also run the UniFi controller docker, and have a couple of external sites I manage, so I've simply port forwarded the couple of ports I needed for that. Should I be handling these situations differently, or is this the best practice from a security standpoint?
JonathanM, posted July 5, 2019:
As long as you only forward ports where the answering service is auditable and trusted, you should be as secure as can be expected. Every exposed application must be monitored, treated as possibly hostile, and you need to keep up with the software authors' recommendations for security. Ideally, the machine hosting the exposed apps should be in a different network segment than your everyday internal stuff, but that's not always doable.
Smackover, posted July 5, 2019:
Ok, that's basically where I am. I'm up on my firewalling and VLANing, but I do see a lot of folks using Letsencrypt and a reverse proxy and I'm not up to speed on those. Would that do anything for me?
JonathanM, posted July 6, 2019:
Quoting Smackover (1 hour earlier): "Ok, that's basically where I am. I'm up on my firewalling and VLANing, but I do see a lot of folks using Letsencrypt and a reverse proxy and I'm not up to speed on those. Would that do anything for me?"
Sort of, for the services where you can use a reverse proxy. Instead of opening up a bunch of ports, one for each app, you only open one port and can keep security audits focused on that port and the LE-enabled NGINX server. However, for uncommon apps like your security cameras, it may not be possible to pass that through NGINX. You will have to research that with the author / company.
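An added example of the single-port layout JonathanM describes, not written by anyone in the thread: one NGINX instance on the only forwarded port (443) terminates TLS with a Let's Encrypt certificate and routes to two internal apps by hostname, so auditing and logging concentrate in one place. The hostnames, backend addresses and certificate paths are assumptions, and certificate issuance is assumed to have been done separately.

```nginx
# Added example: a single exposed port (443) fronting two internal apps
# through NGINX with a Let's Encrypt certificate. Hostnames, backend
# addresses and certificate paths are assumptions, not values from the thread.

# Requests for unmatched hostnames (e.g. scanners hitting the bare IP)
# are dropped without a response instead of reaching any backend.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/letsencrypt/live/example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem;
    return 444;
}

# UniFi controller, assumed to listen on 8443 with its own self-signed cert.
server {
    listen 443 ssl;
    server_name unifi.example.net;
    ssl_certificate     /etc/letsencrypt/live/example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    access_log /var/log/nginx/unifi.access.log;   # one log per app to audit

    location / {
        proxy_pass https://192.168.10.20:8443;    # assumed controller address
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # The controller's web UI relies on WebSockets for live updates.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# A managed web site on a plain-HTTP internal backend.
server {
    listen 443 ssl;
    server_name site.example.net;
    ssl_certificate     /etc/letsencrypt/live/example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    access_log /var/log/nginx/site.access.log;

    location / {
        proxy_pass http://192.168.10.30:8080;     # assumed site backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Only 443 is forwarded from the router to the NGINX host; the backends stay reachable solely from the proxy's network segment.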
Fiservedpi, posted July 12, 2019 (edited July 12, 2019 by Fiservedpi):
Quoting Smackover (7/5/2019, 5:36 PM): "So I'm at the point where I'd like to start exposing some services externally. For instance I have a Windows 10 VM running Milestone for my security cameras, and a static IP from my ISP. I want to see the live view from the Milestone Mobile app, so I've port forwarded the two ports Milestone Mobile uses. I also run the UniFi controller docker, and have a couple of external sites I manage, so I've simply port forwarded the couple of ports I needed for that. Should I be handling these situations differently, or is this the best practice from a security standpoint?"
Why not access the VM via VNC? More secure than port forwarding.
Geezup, posted August 19, 2019:
Quoting Fiservedpi (7/12/2019, 12:49 PM): "Why not access the VM via VNC? More secure than port forwarding."
VNC is not secure and should never be exposed to the internet unless you use next-gen firewalls like Palo Altos.
Fiservedpi, posted August 21, 2019:
meehh slap a putty tunnel on that sum b%#$ch call it a day
ken-ji, posted August 21, 2019:
Exposing Unraid's default SSH config to the internet for tunnelling is one of the worst ideas, because when it is compromised, it gives the attackers "trusted" status on the LAN, dockers, VMs, and data.