Lock Down Your Exposed Server

Do you have a server running on your computer that you access outside of your home network? Is it locked down? If not, what’s stopping someone else from accessing it? An IP address is not obscure enough to deter threats.

The internet is full of bots that crawl it, scanning for open ports at all hours of the day. Within minutes of searching shodan.io, you can generate a report listing several public IP addresses that don’t have any authentication protecting them. What are the chances that your IP appeared on someone’s report? Would it really be considered “hacking” if there was never any authentication, authorization, or encryption method in place? So how can we fix this?

Methods To Secure Your Server:

  1. Deploy a Virtual Private Network (VPN). A VPN allows you to create a “tunnel” back to your home network, encrypting your traffic until it reaches the network. With this approach, you only need to expose the one or two VPN ports, and you can still access your servers. This method reduces the number of vulnerabilities, as you no longer need an open port for each server. It uses public key cryptography, where keys are configured for access. The challenge with this approach is that in order to access the server remotely, you must already have the VPN tunnel set up on the remote computer.
  2. Incorporate Two Factor Authentication (2FA). 2FA provides an additional layer of security by requesting a randomly generated passcode, which is sent to your device or authentication app. In order to log into a server that has 2FA enabled, you need both the user credentials and the 2FA code. Unless the hacker has access to the account, app, or recovery codes, you can rest assured that 2FA will virtually stop any unauthorized access. This is one of the most commonly used authentication methods that I use to protect myself. If the app/website has the capability, then you can bet that I have it enabled.
  3. Incorporate TLS certificates. These certificates provide authenticated access only to those who have them. They leverage public key cryptography, which consists of public/private key pairs. You can tell if a site leverages TLS certificates by checking the beginning of the URL for https (the S stands for secure). Home servers can leverage TLS certificates in cases where they are connected to a proxy server (like Cloudflare), or a firewall. That way, even though your port is exposed on your router, no access will be granted as the guest does not have the certificate.
  4. Lock down your server with Cloudflare Access. If you have a domain pointing to your server, then you can leverage Cloudflare’s “easy” VPN alternative. By placing your trust in the company, it can protect your server with federated authentication that grants access only to users with the specified accounts.
  5. Leverage username/password authentication. Most servers have this capability out-of-the-box. It’s simple enough to enable and can deter a lot of threats. With this, you’d need to consider the complexity of your credentials, or else you could be susceptible to dictionary or brute force attacks.
  6. Whitelist your remote public IP address. If you know the public IP address of where you’d connect from remotely, then you can add that IP address to a whitelist so that traffic can only come from the approved IP addresses on that whitelist. Be careful though as someone can still spoof your IP address. Unless you have a static public IP address, this approach can be hard to manage.

There are many different ways to mitigate the threats to your server. As long as you have at least one method of authentication enabled, then you will stop the random internet troll from “hacking” you.