
Another no external connection thing


arrbee99


seanbuff
12 minutes ago, arrbee99 said:

Do you run Caddy as a service?

I do, but my setup is quite old and I used NSSM to run it as a service way back when. I'm sure the more up-to-date info from Caddy using SC or WinSW would be better.


pwhodges

I run Caddy (and Emby) using nssm. The different mechanisms for running a service are of little consequence - a service is a Windows feature, which these programs merely help you set up.

Paul


rbjtech
6 hours ago, arrbee99 said:

Thanks. Maybe I should stop obsessing so much.

Do you run Caddy as a service? I guess I can just follow the Windows section of this -

https://caddyserver.com/docs/running

 

Queries on how it runs and observations are good. It shows interest in the subject rather than an 'I just want it to work' attitude. Just keep an eye on the number of intrusion alerts; to reduce them maybe look at geo-blocking and use an IPS (possibly what Norton is trying to do), but scanners/bots are the norm I'm afraid. You may be able to suppress alerts for common scans.


arrbee99

It is quite interesting, but at the same time it's hopefully set and forget, so by the next time I look at it I've forgotten the tiny bit I know / knew.

And also, at the same time, I still wonder whether I should just forward 8096 (less 'attackable' than 80 / 443) and only allow it from the one computer, as in my son's laptop, which I imagine would be pretty safe, but not so good if his computer address changes every 5 minutes (or every 5 days). So it's all to allow one person access (or maybe two at most).


rbjtech

A valid question. If you are happy to use a non-standard port for https, 8920 for example, then that would cut down the scans for sure. The downside of course is you need to use :8920 in a browser URL. IP whitelists will be a nightmare to maintain so I wouldn't go there unless they have a fixed public IP.


pwhodges

There would also be more work to configure Caddy to do https over a different port.

In any case you cannot completely escape attack - I'm sure that the Emby ports are on lists of ports to try.  Using a good reverse proxy should be sufficient to keep you safe.  Whitelisting a computer doesn't prevent others attacking just the same - it merely transfers the responsibility for blocking the attacks to a different piece of software or feature of the reverse proxy.

Paul

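As an added illustration of the two posts above (this is not from the thread or from the Caddy project), a minimal Caddy v2 Caddyfile that serves HTTPS on the non-standard port 8920 and forwards to Emby on 8096 on the same machine. The hostname is a placeholder; per the Caddy docs, `https_port` does not move the ACME challenge ports, which is the extra work involved.

```caddyfile
{
	# Listen for HTTPS on 8920 instead of 443. Per the Caddy docs this is
	# internal only: ACME challenges still expect 80/443 reachable from the
	# internet, so keep one of those forwarded for issuance, or switch the
	# site to the DNS challenge via a tls { dns ... } block.
	https_port 8920
}

# Placeholder hostname; use the DNS name that resolves to your router.
emby.example.com {
	# Terminate TLS here and hand plain HTTP to Emby, which stays LAN-only.
	# On the router forward only TCP 8920 to this host; do not forward 8096.
	reverse_proxy localhost:8096
}
```

Clients then use https://emby.example.com:8920; Caddy's automatic HTTP-to-HTTPS redirect still listens on port 80, which is simply unreachable from outside if only 8920 is forwarded.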

rbjtech

If you only have one external connection, then a better solution is actually to just create a VPN between that end point and you. This connection is 100% private, thus you are not exposing anything to the public internet.

Edited by rbjtech

pwhodges

Before deciding on additional security measures (which may cost money and effort), take a little time to think about what you are even trying to protect against over and above what protection you already have.

Paul


arrbee99

To me I'm just trying to keep everything out that I can that's evil, using a decent router that has a firewall (at least), and Norton, which has firewall / antivirus / etc. All I want is the usual, safe browsing and hopefully remote Emby access to a child or two.

I'm not doing any hosting / torrenting etc. The occasional play with a VPN for a bit of extra security / getting round geo-restrictions, but it's off most of the time.


pwhodges

A VPN doesn't keep things out - it is merely a different way in to your system - and having it adds an additional (small) attack surface; but its use for getting round geo-restrictions can be useful (though not always effective IME).  The privacy it affords by using an IP address not directly related to your ISP connection may be invaluable for some, but probably not many.

Paul


arrbee99

You don't think a VPN just between me and the kids' PCs is a decent alternative to the whole Caddy thing if I wanted to give it a go?


pwhodges

It's not equivalent, as it doesn't enforce encryption between your kids' client and the VPN endpoint unless you add a certificate to Emby itself (thus losing the benefit of Caddy's automation).

I wouldn't bother, but it's up to you how you run your system.

Paul


rbjtech
6 hours ago, pwhodges said:

It's not equivalent, as it doesn't enforce encryption between your kids' client and the VPN endpoint unless you add a certificate to Emby itself (thus losing the benefit of Caddy's automation).

I wouldn't bother, but it's up to you how you run your system.

Paul

I'm referring to a point-to-point VPN via IPSec - I'm not talking about a 3rd party VPN providing 'anonymous' internet access as I agree, that does not stop anything other than hiding your public IP.

If the VPN is between the end point and Emby - then it's 100% secure - as the internet is only used as a transport, nothing is 'opened' on it.

Encryption will be part of the VPN tunnel - so you don't even need to use https for Emby - http will be fine - it will still be secure. If you want to use https - no issues, it will be encrypted twice. ;)

It's effectively like extending your LAN - over a secure private channel.

 

But if Caddy is working - and you have an A rating - then in all honesty - that is secure enough. :)

 

Edited by rbjtech

pwhodges

I thought of mentioning point-to-point VPN, but honestly I have no idea how few or many people even realise it exists let alone set it up and use it. But of course https provides end-to-end encryption as well - and using Caddy doesn't let you use http by mistake, because redirecting that to https is part of its default automation.

Point-to-point VPN would let Emby see the client as local, and so might upset automatic speed settings.

Paul


arrbee99

Using Caddy, and the other bits around its implementation, is done on our main PC, so presumably if the main PC is powered off (to add a card or whatever...), I need to at least turn off the port forwarding on the router to be safe in that situation?


pwhodges

Why? If the port that is forwarded to is on a computer running Caddy that is then switched off, it simply becomes inaccessible - that is even more secure, not a vulnerability!

Paul
