Security advice for a small webserver in a private LAN

Hello gents!
I will very soon deploy a small computer (Brix, NUC) which will play the role of a webserver and digital signaling and run a custom webapp (PHP, MySQL, Ajax, HTML). Apache and MySQL will be hardened.
Now, some things need to be remotely managed, so security is paramount. What I have already put on my list:

  1. Strong passwords. It is never enough to stress this. And PAM will be set up to force the use of strong passwords.

  2. I will put the webserver on a private LAN (10.0.0.1). Now, could this make things more difficult for me to access it from the main LAN (192.168.1.1) or from the outside Internet?

  3. The webserver will have GUFW and fail2ban installed and will be hardened with AppArmor and Lynis. Too much, too little?

  4. An iptables rule set will be implemented for limiting traffic from and to the webserver. Redundant or not?

  5. ZeroTier could be used to access the webserver without opening ports in the router.

I am open to suggestions here, as OpenVPN or WireGuard could be an alternative.
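As an added example (not code from the original post), here is a POSIX shell script that generates the kind of iptables rule set item 4 describes, for the layout in this thread: the web ports reachable from the main LAN (192.168.1.0/24) and from the VPN range, SSH only from a single management host, everything else dropped and logged. The VPN range, the management host address and the SSH port are assumed placeholders. Run it without arguments to print the rule set for review; run it with `apply` to load it through iptables-restore.

```shell
#!/bin/sh
# Added example, not from the thread: generate an iptables-restore rule set for a
# LAN-only web server (HTTP/HTTPS from the staff LAN and the VPN, SSH from one
# management host, everything else dropped). Review the output, then apply it.

# Assumed values (placeholders; override via environment or edit here):
MAIN_LAN="${MAIN_LAN:-192.168.1.0/24}"    # staff LAN mentioned in the thread
VPN_NET="${VPN_NET:-10.147.0.0/16}"       # ZeroTier/WireGuard range, assumed
MGMT_HOST="${MGMT_HOST:-192.168.1.50}"    # admin workstation, assumed
SSH_PORT="${SSH_PORT:-22}"

# Print the rule set in iptables-restore format (filter table only).
# Outbound traffic is left open here; tightening OUTPUT is a separate step.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections the server initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping from trusted networks only (useful for troubleshooting)
-A INPUT -s $MAIN_LAN -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -s $VPN_NET -p icmp --icmp-type echo-request -j ACCEPT
# web app: HTTP/HTTPS from the staff LAN and the VPN, nowhere else
-A INPUT -s $MAIN_LAN -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s $VPN_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
# SSH: management host only, new connections rate-limited (fail2ban still applies)
-A INPUT -s $MGMT_HOST -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
# log what the default DROP policy discards, so it shows up in the logs you watch
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: " --log-level 4
COMMIT
EOF
}

# Number of ACCEPT rules in the generated set, a quick sanity check before applying.
count_accepts() {
    build_rules | grep -c -- '-j ACCEPT'
}

# Load atomically: iptables-restore rejects the whole file on any syntax error,
# so a typo never leaves the server half-filtered.
apply_rules() {
    build_rules | iptables-restore
}

case "${1:-}" in
    apply) apply_rules ;;
    *) build_rules ;;   # default: print for review, e.g. ./fw.sh > rules.v4
esac
```

Keep a way back in (console, or the VPN session that is already established) before running `apply` over SSH, since the script replaces the whole INPUT chain. Pick one front end and stick to it: if GUFW/ufw is managing the firewall, loading a hand-written rule set on top of it will produce confusing, overlapping chains.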

Those steps will help restrict access to the system, but it really comes down to your ability to manage them.

Thanks Tom for the quick response. If there is something I learned in IT, it is that one can never stop learning and nobody knows everything.
I will try to manage what I know and learn what I don’t.
Any ideas to add or reduce security layers?

Your strategy looks good. Especially smart not to open it to the Internet directly and instead use VPN/ZeroTier for remote access. You’d never catch me with my own web server open to the Internet; I just don’t have the time to take care of it properly.

I’d add:

  • Patch regularly
  • Run firewall such as ufw on the web server
  • Block admin access. If there is management through the web server, use .htaccess to block normal users from accessing those pages and make sure they have really strong passwords. If administration is through SSH, etc., then use the firewall to allow regular users only to access the HTTP(S) ports. SSH (or any non-web ports) should only be accessible from your management IPs.
  • Watch your logs for anything funky with monitoring software of your choice

You will be fine with the server on a different subnet, that’s what routing is for, and in fact it will be best practice because then you can have firewall rules to segment it from the Staff LAN.

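One way to implement the "block admin access" point from the reply above, as an added example rather than the poster's own configuration: an Apache 2.4 .htaccess (or, preferably, the same directives inside a `<Directory>` block in the vhost, where the web app cannot modify them) that only lets management addresses reach the admin pages and, on top of that, requires credentials. The addresses and the htpasswd path are assumed placeholders.

```apache
# Added example (assumed values): protect the admin pages of the webapp.
# Works in .htaccess when the directory has "AllowOverride AuthConfig", or
# directly inside a <Directory /var/www/app/admin> block in the vhost config.

# Basic auth sends credentials base64-encoded, so serve these pages over HTTPS only.
AuthType Basic
AuthName "Administration"
# Create the file with: htpasswd -c /etc/apache2/admin.htpasswd adminuser (path assumed)
AuthUserFile /etc/apache2/admin.htpasswd

# Both conditions must hold: the request comes from a management address
# (admin workstation on the staff LAN, or the VPN range; both assumed)
# AND the user authenticates. Everyone else is denied.
<RequireAll>
    Require ip 192.168.1.50 10.147.0.0/16
    Require valid-user
</RequireAll>
```

With the firewall already limiting who can reach ports 80/443, this is the second layer: a staff-LAN user who can load the public pages still cannot reach the admin pages, and a leaked admin password alone is not enough from outside the management addresses.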