I self-host a custom service that I programmed. The client program sends TCP packets to the server program in order to get a response, but all clients are outside of my local network, so I need to forward a port for their installations of the client application to communicate with my server instance, which is running on Windows Server 2016. I am concerned about the security of this configuration.

Currently, I have the firewall set up to only allow incoming connections to the server via the designated port to be passed to the server instance via Windows Firewall. No other port is open on the router, and the server machine will not accept traffic from any other port, or allow it if the server instance is not running. I use a consumer grade router, with a dynamic public IP, with a script running on the server machine to update the CloudFlare DNS records on my domain as the dynamic IP changes. I don’t know much about networking, so I’m unsure if my current configuration is really safe. I don’t have many resources to use, as I’m limited to my home network and don’t have any other real networking equipment. The server runs alongside others and everything else connected to my home network on the same subnet, which is where I’m really concerned about the security of this setup. The service I’m hosting does not serve any sensitive or personal information, and does not have access to it. I guess what I’m worried about is the vulnerability of other devices, and whether it is possible for attackers (which it probably is) to access other things than the server instance of my custom service. A VPN solution is not viable.

Am I safe just with Windows Firewall and that of my router, and the fact that my service does not (to my knowledge) have any “backdoor” that exposes the content of my server machine, and therefore other things on the network?

I’m sorry I’m using rudimentary ways to explain my situation/setup, but I’m not really good with networking. I’m just a programmer equipped with a home network that needs my service to be accessible from outside the LAN.

Thanks in advance

  • ProfessionalAd3026 · 1 year ago

    Look into certificate based authentication. If the clients don’t present a certificate issued by your CA, the connection won’t be fully established.
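The mechanism the reply describes is mutual TLS: the server only completes the handshake when the client presents a certificate that chains to a CA the server trusts, so an unauthenticated peer never reaches the application protocol at all. The following Go program is an added example (not the poster's service and not the commenter's code) that builds a throwaway private CA, a server certificate and client certificates in memory, starts a loopback listener with `RequireAndVerifyClientCert`, and then connects three ways: with a certificate from the trusted CA, with no certificate, and with a certificate from a different CA. The "ping"/"pong" exchange, the certificate names and the loopback address are constructed for the demo; the poster's own protocol would be carried inside the TLS connection in the same way.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue creates an ECDSA key pair and a certificate for cn. With parent == nil the
// certificate is self-signed (a private CA); otherwise parent signs it.
func issue(cn string, isCA bool, parent *tls.Certificate) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // lets clients verify the loopback server
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, crypto.Signer(key) // self-signed unless a parent is given
	if parent != nil && parent.Leaf != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey.(crypto.Signer)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// serve answers one "ping" per connection, but only after the TLS handshake, which is
// where a missing or untrusted client certificate is rejected.
func serve(ln net.Listener) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		go func(tc *tls.Conn) {
			defer tc.Close()
			tc.SetDeadline(time.Now().Add(5 * time.Second))
			if err := tc.Handshake(); err != nil {
				return // no application data is ever exchanged with an unauthenticated peer
			}
			buf := make([]byte, 8)
			if n, err := tc.Read(buf); err == nil && string(buf[:n]) == "ping\n" {
				tc.Write([]byte("pong\n"))
			}
		}(c.(*tls.Conn))
	}
}

// ping connects, sends "ping" and expects "pong". Under TLS 1.3 the client side of the
// handshake can finish before the server's rejection arrives, so the read is what
// reliably surfaces the "bad certificate" alert.
func ping(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	if _, err := conn.Write([]byte("ping\n")); err != nil {
		return err
	}
	buf := make([]byte, 8)
	n, err := conn.Read(buf)
	if err != nil {
		return err
	}
	if string(buf[:n]) != "pong\n" {
		return errors.New("unexpected reply")
	}
	return nil
}

// Outcome records whether each kind of client received an application-level reply.
type Outcome struct{ Trusted, NoCert, UntrustedCA bool }

// RunMutualTLSDemo builds the constructed CA hierarchy, starts the mTLS listener on
// loopback and tries the three clients against it.
func RunMutualTLSDemo() (Outcome, error) {
	var o Outcome
	var firstErr error
	mk := func(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
		c, err := issue(cn, isCA, parent)
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return c
	}
	ca := mk("home-lab CA (constructed)", true, nil)
	server := mk("service", false, &ca)
	client := mk("client-1", false, &ca)
	rogueCA := mk("someone else's CA (constructed)", true, nil)
	rogue := mk("rogue-client", false, &rogueCA)
	if firstErr != nil {
		return o, firstErr
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the setting the reply describes
		ClientCAs:    pool,                            // only certs chaining to our CA are accepted
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return o, err
	}
	defer ln.Close()
	go serve(ln)
	cfg := func(cert *tls.Certificate) *tls.Config {
		c := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
		if cert != nil {
			// Offer the certificate unconditionally so the server's verification is what decides.
			c.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return cert, nil }
		}
		return c
	}
	o.Trusted = ping(ln.Addr().String(), cfg(&client)) == nil
	o.NoCert = ping(ln.Addr().String(), cfg(nil)) == nil
	o.UntrustedCA = ping(ln.Addr().String(), cfg(&rogue)) == nil
	return o, nil
}

func main() {
	o, err := RunMutualTLSDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("trusted client: %v, no cert: %v, cert from other CA: %v\n", o.Trusted, o.NoCert, o.UntrustedCA)
}
```

Two points worth noting for a real deployment: the client certificates and the CA private key here are generated at run time only for the demo, whereas in practice the CA key stays offline and each client installation gets its own long-lived certificate and key, and the client side should likewise pin `RootCAs` to the private CA rather than the system store so that only the genuine server is accepted.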