Timothy Marion on 29 Aug 2015 06:43:08 -0700



Re: [PLUG] Securing Web Site for External Traffic


I would go with HTTPS. HTTPS is good enough for all the online stores and banks; it should protect a baby monitor. I do this as a hobby and do not have the production experience that others on the list have. I was able to set up a self-signed cert and HTTPS on my VPS. It was not a walk in the park, but it was not rocket science. If I can do it, most anybody could.


On Aug 28, 2015, at 11:46 AM, Keith C. Perry <kperry@daotechnologies.com> wrote:

If you want to do this in a web centric way then you're going to want to do a self-signed cert and use HTTPS to either the standard port (443) or something non-standard.

The two other alternatives would be:
  • run encrypted VNC (i.e. tunnel over SSH) to your computer at home
  • OpenVPN

I use both methods, but for general-purpose encrypted access to your net, OpenVPN wins the day. It's the only full VPN solution I use and recommend. Some routers also support it, but the way I deploy (to maintain router agnosticism) is with a software appliance (i.e. a VM).

OpenVPN has clients for everything, which is one of the main reasons I recommend it. I've got clients that use it from iPads to access Windows (Samba) shares, and I routinely use it to access VNC consoles and device web admin screens like LAN printers on my Nexus 6. I've also streamed my Raspberry Pi security cam and content on my MediaTomb media server.

It's also very flexible - true story... once upon a time on a Carnival Cruise, my OpenVPN access got blocked (on their expensive and horrible internet service, but I digress), and while I was getting them to remove that block, my business partner and I, over email and IM, built another config to run OpenVPN over tcp/443 (standard web port) instead of the default udp/1194. Carnival eventually removed the block, but the lesson was learned: I keep another OpenVPN instance running in case I'm somewhere where the firewall is not OpenVPN friendly.

In the long run OpenVPN is going to be the easier thing to set up and maintain because it does exactly what you want: extending your net to wherever you are and on the device you want.


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Owner, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
www.daotechnologies.com


From: "Louis K" <louis.kratz@gmail.com>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Friday, August 28, 2015 8:50:44 AM
Subject: [PLUG] Securing Web Site for External Traffic

Hey Pluggers,
  I've got a simple website running behind my firewall for administrating our various web-based devices and services (dvr, baby monitor, etc). I'm thinking about forwarding port 80 on my router to make the site accessible from outside our home network.

What are people's opinions of the best way to secure such a site? I think the easiest would be http auth with user/password, but is that "secure enough"?

I was also thinking about a vpn solution but am admittedly pretty green with that stuff and would need it to work on different platforms (iOS and droid).

Lou

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug