[Novalug] Basic security questions, NAT routers, LAMP

Jon Taimanglo jontaimanglo at gmail.com
Wed Jul 2 06:28:17 EDT 2008


NAT router = Network Address Translation.  In a nutshell, the router is
keeping a table of IPs on the backside (private, usually RFC 1918 addresses
- i.e. 192.168.x.x/16, 172.16.x.x/12 and 10.x.x.x/8) and mapping them to a
single IP or group of IPs on the frontside (routable IP address(es)).  You can
tell NAT is being run if you have any subnets in these IP ranges on your
home computers.  RFC 1918 addresses are blocked (or they are supposed to
be) by routers on the internet (you can imagine the problems if someone
started accepting routes to these IPs and they are being used all over the
world).  That being said, NAT is not a firewall.  If you want a true
firewall, look for something like an SPI (stateful packet inspection)
firewall (more than adequate for a home user - deep packet inspection is hot
now in security but probably a little much for a home user).
The modem could also be performing NAT - depends on how your ISP sets up
these things.  And more than likely you have a DHCP routable IP - some ISPs
change these around frequently.  If you ever decide to go down the route to
allow outside people to access your websites, look into dyndns.

As far as your websites being accessible, I imagine the Linksys device has
a firewall built in to it, or maybe it has a port forwarding option.  If you
have nothing set up in the firewall or port forwarding, you should be good
to go.  A way to check this is to find out your routable IP (google what is my
ip).  Then open a browser and attempt to connect to that IP (if you have an
SSL site, don't forget to use https).  Alternatively, you could attempt telnet
with the specific port.

You can further restrict your server configuration by installing a host
firewall (iptables - guarddog has a pretty good front-end) and looking into
apache configurations for Allow,Deny (these are foolproof, but they can add
a layer of additional security).

Also, if you ever open up your websites, please take a look at secure PHP or
at the least securing php.ini.

Lastly, if you have questions about PHP (and usually any part of the LAMP
stack), look into DC PHP.  They are a good group of people, just like
novalug.

Jon

On Wed, Jul 2, 2008 at 12:12 AM, Mackenzie Morgan <macoafi at gmail.com> wrote:

> On Tue, 2008-07-01 at 21:06 -0700, John Christopher wrote:
> > Hi -
> >
> > I have the following:
> >
> > - Laptop with Ubuntu Linux
> > - Verizon DSL connected with a Westell Wirespeed C90-36R516 ADSL modem
> > - Linksys WRT54G wifi router
> >
> > I use the computer mainly for surfing, email, etc., but I am also
> > using it to learn web design and programming.
> >
> > I don't know much about computer security, and I have several questions.
> >
> > I have read that a NAT router is essential equipment to protect your
> > computer from attackers, etc.
>
> It's a minor inconvenience to attackers, yes...
>
> You know it does NAT if you've only got one IP address from the outside
> but lots inside.  And yes, those are NAT.  I'd be quite surprised if
> your ISP gave you more than one IP at a time.
>
> --
> Mackenzie Morgan
> http://ubuntulinuxtipstricks.blogspot.com
> apt-get moo
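
The two checks described in the message above (an RFC 1918 address on the home computer indicates NAT, and a connection attempt to the routable IP on a specific port shows whether a site is reachable), as an added example that is not part of the original thread. The function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import socket
import sys

# The three private ranges defined by RFC 1918.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def probe_port(host, port, timeout=3.0):
    """One TCP connection attempt, the same test as `telnet host port`.

    "open"     - something accepted the connection
    "closed"   - the connection was actively refused
    "filtered" - no answer before the timeout, or host unreachable
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # covers timeouts and unreachable networks
        return "filtered"


def exposure_report(local_ip, public_ip, ports=(80, 443), timeout=3.0):
    """Combine both checks: is NAT in use, and which ports answer."""
    return {
        "behind_nat": is_rfc1918(local_ip) and not is_rfc1918(public_ip),
        "ports": {p: probe_port(public_ip, p, timeout) for p in ports},
    }


if __name__ == "__main__":
    # Usage: script.py LOCAL_IP PUBLIC_IP   (both addresses are your own)
    if len(sys.argv) == 3:
        print(exposure_report(sys.argv[1], sys.argv[2]))
    else:
        # Constructed sample addresses, classified without network access.
        for sample in ("192.168.1.100", "172.32.0.1", "203.0.113.10"):
            print(sample, "RFC 1918" if is_rfc1918(sample) else "routable")
```

Run it from a connection outside the home network where possible: many home routers answer requests to their own public address from the inside differently than they would from the internet, so a result obtained from the LAN side can mislead.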