Should I open port 22 and port 80 for my home network?

3

I've been at Digital Ocean for 6 months. However, I don't want to pay anymore and want to start my own server from home. (This is also for educational purposes. In this way I can learn how to maintain a server.)

I think if I open port 80 people can easily see what I am searching on the web (Man in the middle attack). Should I open my port? How should I secure the server if so? I know about fail2ban and rootkit hunter.

I don't have a lot of experience with setting up a home server and opening all the ports.

It would be awesome if someone could tell me if I should do it and how I should do it.

fredsco

Posted 2016-08-05T12:56:07.160

Reputation: 45

3 On your run-of-the-mill consumer NAT router, you aren’t opening ports, you’re forwarding them. This is very different. It is also only about incoming traffic and not related to outgoing traffic at all. If you don’t have experience, do not operate an internet-accessible server on your home network. If it were to be compromised, an attacker would have complete access to your internal network. – Daniel B – 2016-08-05T13:39:55.410

Seriously, if you need to ask this question, you are not prepared to do this securely. Also, understand that you may not even be able to do this at home, or it may quit working after a while if you do. See this question about CGN problems.

– Ron Maupin – 2016-08-05T14:47:08.817

@RonMaupin Ok thanks I think it is better that I won't. – fredsco – 2016-08-05T16:41:22.927

You might discover that your internet service provider blocks incoming port 80, such as my beloved ISP Cox, in which case you wouldn't be able to host public pages on the standard port anyway. It's an incentive to upgrade to a costly business connection because they know it's really ghetto referring customers to http://example.com:8080

– Jeff Puckett – 2016-08-11T01:33:50.170

Answers

3

When you request an HTTP website (for instance, http://example.com), you make a connection to port 80 on example.com's server. This does not use port 80 on your local machine.

It follows that if you want to run an HTTP server on the traditional port at your house, you need to use port forwarding to tell your router to forward any requests on port 80 to your server. This will not in any way affect your traffic out to other servers' port 80s or expose you to a MitM.

There are many people around the world who are constantly hitting every possible IP address and trying common ports for vulnerabilities. They have been trying to get into your Digital Ocean server, and they will try to get into your home server. The difference is what happens if they succeed: on one hand, your DO machine gets temporarily turned into a spam machine (likely) until DO notices and shuts it off, while a breach in your home system can not only do that (which is why most ISPs block outgoing mail server requests) but potentially gain access to your internal network and all your other computers.

It is not necessarily a bad idea to run a small webserver at home. But you should learn about common hardening techniques (more than I can go into for an answer here), keep it up to date with security patches, and actively monitor it for breaches.

Boycott SE for Monica Cellio

Posted 2016-08-05T12:56:07.160

Reputation: 678

Thanks, so you are telling me if I forward port 80 to my server, it won't open a breach to let hackers perform a MitM. – fredsco – 2016-08-11T14:38:59.507

For security reasons, on my DO I have rootkit hunter, firewall-cmd and fail2ban. I also use SSH and google-auth. – fredsco – 2016-08-11T14:43:26.780

1 Correct, I don't see any way that this would lead towards a MitM. That list of tools you're using on your VPS looks like a great start towards having active security on your server. – Boycott SE for Monica Cellio – 2016-08-11T18:36:00.793
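As an added example that is not part of the original answer or its comments, here is one way to do the "actively monitor it for breaches" step for a forwarded port 22: triage sshd log lines, count failed logins per source, and flag accepted logins arriving from outside the LAN. The log lines are constructed, and the LAN subnet `192.168.1.0/24`, the threshold of 3 and the function name `triage` are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (not from the original page); the external
# addresses are documentation-range placeholders.
SAMPLE_LOG = """\
Aug  5 13:01:02 home sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Aug  5 13:01:04 home sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Aug  5 13:01:07 home sshd[811]: Failed password for root from 203.0.113.7 port 40131 ssh2
Aug  5 13:02:11 home sshd[840]: Accepted publickey for fred from 192.168.1.20 port 51514 ssh2
Aug  5 13:05:45 home sshd[902]: Failed password for fred from 198.51.100.9 port 33210 ssh2
Aug  5 13:06:30 home sshd[915]: Accepted password for root from 203.0.113.7 port 40177 ssh2
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def triage(log_text, threshold=3):
    """Return (sources at/over the failure threshold, accepted logins to review)."""
    failures = Counter()
    suspicious = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        try:
            external = ipaddress.ip_address(m["ip"]) not in LAN
        except ValueError:
            continue  # not an IP literal; skipped in this example
        if m["result"] == "Failed":
            failures[m["ip"]] += 1
        elif external and (m["method"] == "password" or failures[m["ip"]] >= threshold):
            # Internet-side login by password, or one that follows repeated failures
            suspicious.append((m["ip"], m["user"], m["method"], failures[m["ip"]]))
    noisy = sorted(ip for ip, n in failures.items() if n >= threshold)
    return noisy, suspicious

if __name__ == "__main__":
    noisy, suspicious = triage(SAMPLE_LOG)
    print("sources over failure threshold:", noisy)
    for ip, user, method, fails in suspicious:
        print(f"review: {user} via {method} from {ip} after {fails} failures")
```

An accepted login from an external address after a run of failures is the line to investigate first, since on a home network that host can reach every other machine on the LAN.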

1

You only open the ports that your server is actually going to use, and only open them if it needs to be publicly accessible. If it's a webserver then 80 will be needed.

acme64

Posted 2016-08-05T12:56:07.160

Reputation: 402

Yes, I am aware of that. The question is should I do it or is it insecure. If I should do it, what security actions are the best? Thanks! – fredsco – 2016-08-05T13:33:50.497

What do you mean? It's a matter of need, not should. If it's a web server then you need web-related ports. FTP server needs port 22 etc. For web you can also use HTTPS on port 443 for encrypted traffic. – acme64 – 2016-08-05T13:39:16.863

Yeah, but is it secure to open port 80 on my home network? If not, how can I secure it? – fredsco – 2016-08-05T13:40:06.693

It's not secure to open any port, but with a proper firewall in place and a properly configured server (for example not replying to unknown requests if you're expecting a specific client) then you should be fine. – acme64 – 2016-08-05T14:09:16.313

2 MITM attacks and forwarding ports are not related (won't develop it here). – Doezer – 2016-08-05T14:27:40.647

1

The only time you need to open a port is when you want to allow connections from the outside world to a server on your local network.

Port 80 HTTP - a webserver running the graphical interface used to administer your router.

If you have the need, you can have a try.

Mark Twain

Posted 2016-08-05T12:56:07.160

Reputation: 244

Is it possible to open a port only for a specific PC without MAC address, because of MAC spoofing? – fredsco – 2016-08-11T09:46:17.530