[lug] Personal Server Behind DSL Router

karl horlen horlenkarl at yahoo.com
Thu Jan 11 18:12:01 MST 2007

> Actually, you probably don't.  But we won't say "I told you so" when
> you come back to ask about problems. ;-)

uhoh.. ;-)..

> If you don't have a static IP you'll have problems sending mail to
> other servers due to various black lists.  It will work if you send
> via a smart host but you'll need credentials to use QWest for that.

What do you mean by need credentials?  I am using

> If you aren't good at spam filtering you may bounce some spam and get
> black listed for that.  But probably not a serious problem.

If I'm set up to not relay from the outside world how
would I bounce spam?  Not sure I follow you here.

> I typically don't run iptables on a box like this because all the
> services it provides are public.  So there isn't anything for
> iptables to block (obviously there are some other useful things
> iptables can do).

Good point.  I was thinking though that for boxes that
live on my internal network, I might like to have the
server only explicitly accept requests from those
machines (outside of dns, mail, webserver).  I was
thinking that setting up a chain in iptables was
probably best for this.

> make sure other machines don't trust it any more than the Internet.

As I said above, I will probably be accessing this box
from my internal network.  ssh, admin, sftp, mail
relay and probably other things I haven't thought of
yet.  I'm going to have to trust it.  How can I not?

> It's worth moving ssh off port 22, at least externally.

Sure.  I imagine one can't get around opening up ssh
if they want to be able to access and administer the
box remotely?  Create a basic account and then su to
root once you're on the box.

If I create an sftp account for a family member, I
open up another port as well.

Are there any best practices or configurations to
limit brute force attacks on open ports like ssh?
This might be a better separate thread.  I mean for
ssh you can restrict root logins.  And I think there
is a timeout setting between consecutive logins or max
attempts for an id in a given period.

Anybody have some good settings/guidelines for this?

> All of this should work if your router does NAT properly (and for UDP
> too).  Actiontecs do some odd DNS caching I hear so you might run
> into that.  But for the most part it will work.

Yeah. I've read on these boards people have problems
with Actiontecs.  I have an Actiontec and haven't had
any problems in 3 years.  However, I haven't tried to
run a server or dns behind one either yet ;-)

thanks for your help
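A worked example for the two questions raised in the message above (a chain that only accepts the internal machines, and settings that limit ssh brute forcing). It is added here, not code from the thread or from either poster, and it assumes a LAN of 192.168.1.0/24, ssh on port 2222 externally, and imap on 143 for the LAN.

```shell
# Added example, not code from the thread: an iptables-restore ruleset
# plus an sshd_config fragment for the setup discussed above. dns/smtp/
# http are open to all, other services only to the LAN, ssh is on 22
# for the LAN and on $SSH_PORT externally with a rate limit on new
# connections. Review the output, then: gen_rules | iptables-restore
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed internal network
SSH_PORT="${SSH_PORT:-2222}"           # assumed external ssh port

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LAN - [0:0]
:SSHLIMIT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# public services: reachable from anywhere
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
# external ssh: new connections go through the rate limiter
-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j SSHLIMIT
# LAN hosts get the LAN chain; anything else falls to the DROP policy
-A INPUT -s $LAN_NET -j LAN
-A LAN -p tcp --dport 22 -j ACCEPT
-A LAN -p tcp --dport 143 -j ACCEPT
-A LAN -p icmp -j ACCEPT
# drop a source that opened 4 or more new ssh connections in 60 seconds
-A SSHLIMIT -m recent --name ssh --set
-A SSHLIMIT -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
-A SSHLIMIT -j ACCEPT
COMMIT
EOF
}

# sshd settings for the same box: listen on both ports, no root login,
# few tries per connection, short login window.
gen_sshd_config() {
    cat <<EOF
Port 22
Port $SSH_PORT
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 30
EOF
}
```

Because sshd listens on both ports while the LAN chain is the only thing that admits port 22, the outside world sees ssh only on the moved port, and every new connection there is counted by the recent match.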

