Wednesday, 8 December 2010

Web serving from home (Part 2)

As related in the previous post, I installed a clean version of OpenBSD on a Sun Netra T1. With all the daemons running, I decided to put it on the web --- if I could. After all, this means I have to open port 80 (http) and since we had switched to FiOS I didn't know if I could do this.

So, I logged into the router and set the security to nothing. I then realized I could put the new machine (shieldaig, named after a small coastal town in Scotland) in the DMZ. This is a more secure idea than exposing all of our machines to the wild wooly world. But, to do this meant I had to have a static address for shieldaig. That was easy enough to do ... but then I didn't have a local name! Why not? Because... in order to register the machine with the local DNS server at the router, I have to use the DHCP server. But, for once I remembered how I'd solved this problem: aliases. shieldaid has two addresses: one static, one dynamic. The static one doesn't have a name, so that's OK. Back to the router: I put the new static address in the DMZ field. I now checked that port 80 was open. It was!

So, what's the name of this machine? That's the question. Since I'd paid for kahrs.us what I needed was a DNS mapping from this name to it's IP address. I found a free DNS server --- but now the problem was how to make the DNS address point to the IP address. It took me several days of off and on tinkering to realize that the DNS server had to be all on the free DNS server. Once I did that, then the free DNS server was happy and accepted my IP address.

Now, I have to mention that FiOS has Dynamic IP unless you want to pay big bucks. It's just another layer of DHCP above our router after all... So, this means our address could change. But it appears that Verizon has set a huge timeout for the Dynamic DNS, so thus far I haven't had to reset our DNS address. Cool.

One last thing: I was trying to figure out why going to www.kahrs.us didn't work from outside. Well, turns out it gets mapped to shieldaig.kahrs.us and unless that's in the DNS entry as well, it won't work. Simple fix again.

At this point, shieldaig was now on the web. And lo and behold, immediately it was under attack. The samba server was hit constantly but since the addresses weren't local, it just failed. Then there's the constant script kiddy attacks on the sshd daemon. If it weren't so funny, I would love to trap them. I watch the logs that show constant login attempts to root (which is disabled via ssh) and then also watch as they march up the alphabet trying name after name.

I also see what's going on with web access. The machine has been found by both google and yahoo (yahoo was first). I'm wondering when random web accesses will start... thus far it's only been people who we know.

The last conundrum is why accessing www.kahrs.us fails locally but succeeds outside. I've just put this as a DNS question and decided that it doesn't really matter.

My final step was moving the machine down to the basement to live next to the router. Thus far, OpenBSD has been rock solid. And the shitehead script kiddies are deeply unsatisfied. Excellent!

No comments: