Help opening ports on home network to host webserver

ebparadiseebparadise Member Posts: 3 ■■□□□□□□□□
Hi everybody, I'm new here and I did introduce myself earlier so feel free to take a look at my post at Introductions.

I've been studying networking and I like applying my knowledge as much as I can to get the best experience but I'm currently just a bit stuck about ports and port forwarding.

They say 'be careful opening your ports, if you don't know what you're doing you can compromise your network!' etc.

But my goal is this; host an apache2 webserver on my Linux laptop or my RPi 3 B+.

This is not difficult, I am able to access the web server from within my LAN. But if I want to be able to access it remotely I need to forward a port from my router to the host of the server. How do I do this securely, as a beginner? What actual risks are there to opening ports just by setting up port forwarding and nothing else? How do I do the same if I want to remotely SSH into my machine at home?

Really appreciate your answers, thank you.


  • mikey88mikey88 Member Posts: 495 ■■■■■■□□□□
    edited March 2019
    They say 'be careful opening your ports, if you don't know what you're doing you can compromise your network!' etc.
    You can always place the public facing server in a dmz to isolate it from the rest of the network. But most home networks are like a few PCs and a printer. Not in the same exposure level as a business.

    Take a look at this website: It'll give you step by step instructions on how to do it based on your router model.

    You'll also want to make sure you have a static IP that does not change or may need to look into a dns service like DynDNS. You can also configure your web server to listen on a random port other than :80 Security through obscurity as they call it.
    Certs: CISSP, CySA+, Security+, Network+ and others | 2019 Goals: Cloud Sec/Scripting/Linux

  • LonerVampLonerVamp Member Posts: 518 ■■■■■■■■□□
    edited March 2019
    The risk of opening a port itself is minimal.

    The risk comes from whether you know what you're doing with the target of that port forward, namely your apache web server. Are you sure it's set up securely such that someone from the public internet cannot compromise that machine? Same with SSH, if you allow access in from a predictable account (e.g. root) and don't use a strong password, someone may brute force their way in over a few days if you're not watching your logs and/or have settings to prevent that behavior, or prevent that behavior from succeeding.

    And yes, setting up apache to host a web site is not that hard, but doing it securely ends up being more advanced...

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
Sign In or Register to comment.