Hosting dynamic DNS website on VirtualBox with single open port - safe?

2

I am looking to host a website on my own machine at home with something like dynamic DNS purely to demonstrate it to some friends for a few days over my ADSL connection. On my LAN are a few precious things such as a NAS with various important photos etc. I am therefore very keen to protect the rest of my network from the possibility of being damaged/hacked by incoming traffic.

(the website can't be hosted online for technical and financial reasons - I can't afford the hosting it would require)

My router doesn't provide DMZ functionality. Therefore, I am planning on running the website in a VirtualBox VM and using port forwarding. My logic is that I can control at the hypervisor level the amount of access the guest machine has. I would open a single incoming port on my router and forward it to the host machine, which would then forward that port to the guest machine using VirtualBox's port forwarding functionality.

I'm not worried about the speed of the guest machine, like I said I'm only showing a few friends who I can't physically meet. The host machine is Lubuntu and the guest machine would be Ubuntu Server.

Is this an acceptable approach, or is there something I'm overlooking which makes it risky?

Rich

Posted 2012-03-15T13:28:26.380

Reputation: 1 647

I'm using almost exactly the same config without problems. As long as you are on top of security on your guest system, and keep a beady eye on the router's logs, you shouldn't hit anything untoward. – D_Bye – 2012-03-15T13:47:47.947

Answers

1

Take a note of the version of the software that you are running, which will listen for traffic on the open port (e.g. Apache). Also take a note of what other related packages you are using with Apache (e.g. version of PHP, version of MySQL, version of WordPress).

Check for vulnerabilities for this software at http://osvdb.org/ - and make sure you apply patches/mitigations/workarounds.

Keep your system up-to-date, and keep an ear to the ground for any new vulns/exploits for the software you're running, and you should be OK. It can never be 100% guaranteed, though.

You will find that your webserver is scanned by all sorts of miscreants. You could install Fail2Ban to look out for abusive traffic and block the IPs.

Or, if your friends are the only people who need to see it, and they always visit from the same IP ranges, you could always block access to unknown IP addresses via htaccess (or maybe IPTables).

Adam Thompson

Posted 2012-03-15T13:28:26.380

Reputation: 1 954
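
One way to apply the IP-range suggestion from the answer above, as an added example that is not part of the original answer: a script that prints an iptables allowlist for the single forwarded port so it can be reviewed before it is applied. It assumes VirtualBox NAT port forwarding, where the guest sees forwarded connections as coming from the NAT gateway rather than the visitor, so the filter sits on the Lubuntu host; port 8080, the chain name WEB_ALLOW and the RFC 5737 documentation addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: host-side allowlist for the one port forwarded to the VM.
# Constructed values: replace the port and the documentation ranges below.
WEB_PORT=8080
FRIENDS="203.0.113.0/24 198.51.100.17"

# Succeeds only for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_cidr() {
    addr=${1%/*}; prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the rules: a dedicated chain accepts listed sources, logs and drops
# everything else. Nothing is printed unless every argument validates.
build_rules() {
    port=$1; shift
    case $port in ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    # An empty list would drop every visitor; treat it as an operator error.
    [ $# -gt 0 ] || { echo "refusing to build an empty allowlist" >&2; return 1; }
    for src in "$@"; do
        valid_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    echo "iptables -N WEB_ALLOW"
    for src in "$@"; do
        echo "iptables -A WEB_ALLOW -s $src -j ACCEPT"
    done
    # Rate-limited log line so scans show up in the host log without flooding it.
    echo "iptables -A WEB_ALLOW -m limit --limit 6/min -j LOG --log-prefix 'web-denied: '"
    echo "iptables -A WEB_ALLOW -j DROP"
    # Inserted at the top of INPUT so it is evaluated before any broader accept rule.
    echo "iptables -I INPUT -p tcp --dport $port -j WEB_ALLOW"
}

# Print only; after review, pipe the output to "sudo sh" on the host to apply.
build_rules "$WEB_PORT" $FRIENDS
```

The rules are not persistent across a reboot, which suits a demonstration that only runs for a few days.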