Security program for port forwarding

tjeulink

Dec 16, 2014
Hello there!

I am hosting a Minecraft server (don't judge me) for some people I know, and I have a question about additional security. I am doing this port forwarding temporarily to my personal computer instead of the server rack (it needs hardware upgrading and is offline for a while for big maintenance and rework).

My main question is, how can I make my port forwarding more secure? My personal router has some basic defenses (the WLR-4004) but I doubt it would hold out against a real attack. I have the MAC filter enabled, but if one of the PCs gets infected that won't hold off anyone; it's merely wifi secure. (My neighbor is quite an experienced hacker and I don't like the idea of not being secure, since he sniffs packets from everyone in the neighborhood and whatever.)

I run it currently on Windows 7 with some okay cloud antivirus (Panda Free Antivirus). But what I basically want to do is make sure that the incoming port-forwarded packets get checked for attacks and whatnot. I'll attach a screenshot of my current router security so you don't have to google what its safety features exactly are.

Thanks for reading and possible help

~Tjeulink

attachment 1; http://i.snag.gy/VVAlL.jpg
 
eatmypie

Sep 12, 2013
If you run any type of server with port forwarding, I would suggest using something like Security Onion for monitoring the security of your server and the ports you are going out on. You will need to either use an old machine, or you will need to use a very minimal VM. You can run it even on a machine with as little as 256 MB of memory and a single-core processor. Like, I had one running in my closet for like 5-6 years 24/7, just a P4 with 256 MB of RAM and a 20 GB hard drive just sitting bare on my shelf. Just set up a sensor on your server using the onion.
 

onichikun

Nov 13, 2009
There are a few different issues you mention in your post:

1) Securing port forwarding
Port forwarding is a direct result of using network address translation. Port forwarding provides no security, but enables routing of packets from a port exposed on your external network to an address on your LAN. NAT != security. By not forwarding a port, the port is essentially "closed" to the external world, since the traffic has nowhere to go.

2) Infected PC on your LAN
Unfortunately this is likely to be a key point of failure for your network. Once a computer on a LAN with other computers becomes infected, you open up any services you have running locally to attack. The infection can come from a large number of sources, even a popular website that has been exploited, or an ad service running a malicious script. Out-of-date operating systems are a key target for published exploits, so if one of your machines gets pwned this will create a huge vulnerability for the rest of the machines on your network.

If you are worried about security, I would say use VLANs (or physically separate networks with a pinhole) to separate network traffic from services you provide from your local machines.

3) Wifi security
If you enable WPA2 PSK you are probably safe, unless your neighbor has a quantum computer in his house. He would have better luck leaving an infected USB thumb drive on your doorstep and getting you to plug it in.

4) Deep-packet inspection / packet analysis
This is an awesome area of network security research. I know pfsense has some limited support for DPI. What your current router does is look at headers and track patterns to filter traffic, e.g., if an IP is sending a lot of requests for a TCP connection. DPI looks at the contents of the packet and determines if it is potentially bad (identifying exploits, etc.). If you want to look into this, I say set up a pfsense router at home and play with some of the security add-ons.
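
The header-based pattern tracking described in point 4, as an added example that is not part of the original post: it counts TCP connection requests (SYNs) per source IP in a sliding window over constructed log lines and never looks at packet contents, which is the part DPI would add. The log format, port 25565 (Minecraft's default), the thresholds and the function names are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample():
    """Constructed log lines: '<ISO timestamp> <source IP> <dest port> <TCP flag>'."""
    base = datetime(2014, 12, 16, 20, 0, 0)
    # One source sending a SYN every second (the pattern a router would flag).
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.7 25565 SYN"
             for i in range(8)]
    # An ordinary player reconnecting every 30 seconds.
    lines += [f"{(base + timedelta(seconds=30 * i)).isoformat()} 198.51.100.20 25565 SYN"
              for i in range(4)]
    # Non-SYN traffic must not count as a connection request.
    lines.append(f"{base.isoformat()} 203.0.113.7 25565 ACK")
    return sorted(lines)  # ISO timestamps sort chronologically


def flag_syn_bursts(lines, port=25565, limit=5, window=timedelta(seconds=10)):
    """Return {source IP: time it first exceeded `limit` SYNs to `port` within `window`}."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts_text, src, dport, flag = line.split()
        if int(dport) != port or flag != "SYN":
            continue  # header fields only: port and flag, no payload inspection
        ts = datetime.fromisoformat(ts_text)
        seen = recent[src]
        seen.append(ts)
        while ts - seen[0] > window:  # drop requests that fell out of the window
            seen.popleft()
        if len(seen) > limit and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, when in flag_syn_bursts(build_sample()).items():
        print(f"{src} exceeded the SYN limit at {when.isoformat()}")
```
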
 