[lug] Personal Server Behind DSL Router
horlenkarl at yahoo.com
Thu Jan 11 18:12:01 MST 2007
> Actually, you probably don't. But we won't say "I
> told you so" when you
> come back to ask about problems. ;-)
> If you don't have a static IP you'll have problems
> sending mail to other
> servers due to various black lists. It will work if
> you send via a
> smart host but you'll need credentials to use QWest
> for that.
What do you mean by need credentials? I am using
> If you aren't good at spam filtering you may bounce
> some spam and get
> black listed for that. But probably not a serious
If I'm set up to not relay from the outside world how
would I bounce spam? Not sure I follow you here.
> I typically don't run iptables on a box like this
> because all the
> services it provides are public. So there isn't
> anything for iptables
> to block (obviously there are some other useful
> things iptables can do).
Good point. I was thinking though that for boxes that
live on my internal network, I might like to have the
server only explicitly accept requests from those
machines (outside of dns, mail, webserver). I was
thinking that setting up a chain in iptables was
probably best for this.
> make sure other
> machines don't trust it any more than the Internet.
As I said above, I will probably be accessing this box
from my internal network. ssh, admin, sftp, mail
relay and probably other things I haven't thought of
yet. I'm going to have to trust it. How can I not?
> It's worth moving ssh off port 22, at least
Sure. I imagine one can't get around opening up ssh
if they want to be able to access and administer the
box remotely? Create a basic account and then su to
root once you're on the box.
If I create an sftp account for a family member, I
open up another port as well.
Are there any best practices or configurations to
limit brute force attacks on open ports like ssh?
This might be a better separate thread. I mean for
ssh you can restrict root logins. And I think there
is a timeout setting between consecutive logins or max
attempts for an id in a given period.
Anybody have some good settings/guidelines for this?
> All of this should work if your router does NAT
> properly (and for UDP
> too). Actiontecs do some odd DNS caching I hear so
> you might run into
> that. But for the most part it will work.
Yeah. I've read on these boards people have problems
with Actiontecs. I have an Actiontec and haven't had
any problems in 3 years. However, I haven't tried to
run a server or dns behind one either yet ;-)
thanks for your help
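The two things asked about above (an iptables chain that only answers the home LAN for non-public services, and sshd settings that limit password guessing) as an added example, not from anyone on the thread. It only prints the fragments for review; the LAN range, the ssh port and the user names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): print, but do not apply, an
# iptables-restore ruleset and sshd_config lines for the setup discussed:
# dns/mail/web public, ssh public but throttled, everything else LAN-only.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumption: home LAN behind the router
SSH_PORT="${SSH_PORT:-2222}"           # assumption: ssh moved off port 22

# Print the ruleset; review it, then load with: gen_rules | iptables-restore
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:INTERNAL - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# public services: dns (tcp and udp), smtp, http
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
# ssh is reachable from anywhere, but a source opening its 5th new
# connection within 60 seconds is dropped (brute-force throttle)
-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
# anything else is only answered for machines on the home LAN
-A INPUT -s $LAN_NET -j INTERNAL
-A INTERNAL -j ACCEPT
COMMIT
EOF
}

# sshd_config lines that cut down what a password guesser can try
# (user names are assumed placeholders)
gen_sshd_hardening() {
    cat <<EOF
Port $SSH_PORT
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 30
AllowUsers admin familymember
EOF
}

# dry run: show both fragments
gen_rules
echo
gen_sshd_hardening
```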