Designing a Website for LAN use...?

Okay, I've come to ask for some help and maybe advice by anyone who may have done something similar before.

What I did here was install AMPPS quite some time ago to test and play with modifications to my web projects on my local machine before sending it up to the web server. Over time I've toyed with something else on the side and recently began focusing on it for my own home. Basically it's running a site on the AMPPS environment, which is 100% local in configuration (stock set up) and within my LAN/Router. It gives me the full function of Apache, PHP and Mysql....and so Joomla and all that brings to the table, as a home resource.

The purpose is that each member of my home has a computer, we have 4 TV's that are comp capable w/ old machines capable of connecting to my lan and feeding the TV's....and everyone has a smart phone these days with Wi-Fi capability. It works..and my Trophy loads my local site within the LAN with no problems. Everyone has a chaotic life and NAS storage still has limitations compared to a pre-made/pre-set interface for photo albums, music, video, weather maps and local school closing...etc. Additionally, RSS/Tweet feeds cover a staggering width and breadth of information and Joomla has the options to showcase it all very specifically and narrowly.

The real BIG benefit of this is that it's local in nature and...designed with this in mind....it lets the entire 'Home-Net' come up and be easily accessible by changing inputs on any television remote and grabbing a wireless mouse. We can check, for instance, the status of school closings, intersection cameras and twitter feeds from my son's school, all without getting out of bed or fiddling with a laptop and keyboard.

Now..That is the overview of what I'm doing...Here is the concern and question. What are the security concerns I'm looking at beyond the obvious that anyone faces with brute attack or similar focus on my router or set-up because someone has it in for ME/my network personally. Outside of that.....What are the pitfalls for keeping something set up to be local from being accessed on the other side of my router?

A great many things are possible for a "Web-site" (or perhaps Lan-Site is more accurate). I'm thinking that copyright for RSS feed and re-display is pretty much moot, for instance, since it isn't a public thing I'm doing. Music, photos and video as well. That is all based on it being inaccessible though...so I'm really hoping someone will mention anything that isn't obvious and that a person still learning all this might miss. I'd hate to wake up some day and find a variety of outside visitors somehow showed up on my internal home-net logs.

Thanks in advance for anyone taking the time to read this over and help. It's appreciated!

Sounds like your LAN is up and running smooth. I honestly don't understand what you question is though, no offence but you rambled quit a bit. As you inferred the router or gateway to the internet is the weakest link in your LAN. A proper admin password and not broadcasting your SSID will go a long ways to securing that link. Beyond that is issues with securing ports on your router, but securing ports will limit the capability's of your LAN so you need to decide what your goal is here.

The only way to secure it from outside access is to not connect to an outside source.

This would still be a problem with people coming in and physically doing stuff, but it would be pretty secure.

Originally posted by Wrabbit2000
Now..That is the overview of what I'm doing...Here is the concern and question. What are the security concerns I'm looking at beyond the obvious that anyone faces with brute attack or similar focus on my router or set-up because someone has it in for ME/my network personally. Outside of that.....What are the pitfalls for keeping something set up to be local from being accessed on the other side of my router?

edit on 13-2-2012 by Wrabbit2000 because: clarification made

Depending on which router you have (don't answer that here it is a security risk for that to be public), some routers have a defense against brute force attacks: after so many tries a a PW the router will ignore any requests from that IP for a specified amount of time (20 min- several hours) making it take months if not longer to gain access. I would check to see if your router has this capability. And make it a habit to change your PW at least every 60 days.

Social engineering: the ability of people to manipulate you to gain confidential information... i.e. you router brand, IP, password, IP provider and so forth. This may come in the form of a phone call asking for information, or even a knock on your door, the person calling or knocking is probably not some one you want to give this info to.

Physical access to your server or router is a "welcome" sign to any hacker. A password or port settings can be easily bypassed or reset with physical access. Many routers will reset their PW after a specified time without power, make sure at least your router has a UPS, or you check to make sure an extended amount of time without power never occurs to your router and if it does reset your password promptly.



Check out this wiki on PW useit is very usefull. Passwords

Your Password used is the singe most vunrable link in your LAN, keep it safe and keep it complicated.

I use a minimum of 16 cahracters, an good exmple would be: "GeF*176#TOm56$f!" .
Use Caps and symbols interlaced with numbers..

DO NOT USE words that are contained in a dictionary, dates, or common phrases. these are easily bypassed with downloadable bruteforce crackers.

Originally posted by Wrabbit2000
Okay, I've come to ask for some help and maybe advice by anyone who may have done something similar before.

Now..That is the overview of what I'm doing...Here is the concern and question. What are the security concerns I'm looking at beyond the obvious that anyone faces with brute attack or similar focus on my router or set-up because someone has it in for ME/my network personally. Outside of that.....What are the pitfalls for keeping something set up to be local from being accessed on the other side of my router?

Thanks in advance for anyone taking the time to read this over and help. It's appreciated!

edit on 13-2-2012 by Wrabbit2000 because: clarification made

Aamps ? What is that a server? If it is I use OmniHttpD which is very effective for running simple lan tests of webpages. Acts just like any natural server running on a windows box. If you want to go a little deeper, use Apache and run it on a Linux or Ubuntu box (or you could nuts, I run mine on a Sun server running Solaris). I need flexibility as I run both windows and unix servers on a server farm.

Now, if you want to set up protection, I did a system this way for a very large ISP/portal running over 300 apache servers and 120 windows client machines.

Run a dual IP gateway machine (Supermicro p4sci is a nice board, fast enough with about 4 geg and a pair of 250gb RAID SATA's) and a NAT router, or use two NAT routers on the cheap, one wireless and the other not wireless, put it all in series and run a class C wired behind a class C wireless (or reversed depending on the configuration you want) to protect your personal/critical machines while leaving a secondary front end network partially open, specifically ported to the internet or DMZ'd. I like Linksys myself and most of my routers are BEFSR's and WRT54's (so I can DD-WRT for MLPPP) plus the 16/24 switches, but I also have Netgear which has also been running DD-WRT. I've run Tomato firmware as well, just depends on what you like and the router your using. I picked up a WRT54Gv3 for 2 bucks at garage sale and bought an antenna set to give me about 2km radius. You can do a lot of neat things for your neighbors ;-) Like MLPPP everyone on a common system and give them all 54mps of common bandwidth speed plus the terrabyte per month of useage.

That way you are only exposed on the first class C and still have huge bandwidth ;-) I've actually been looking at ways to provide local repeating for a large areas coupled with ham radio just in case the bastards take the internet down. Again, you use the dual class C arrangement in repeater-bridge mode, with your own class C behind that, everyone runs a mirror DNS that sync'd and updated. It could work but I am still playing with the concept with my neighbours.

Cheers - Dave

Originally posted by bobs_uruncle

Originally posted by Wrabbit2000
Okay, I've come to ask for some help and maybe advice by anyone who may have done something similar before.

Now..That is the overview of what I'm doing...Here is the concern and question. What are the security concerns I'm looking at beyond the obvious that anyone faces with brute attack or similar focus on my router or set-up because someone has it in for ME/my network personally. Outside of that.....What are the pitfalls for keeping something set up to be local from being accessed on the other side of my router?

Thanks in advance for anyone taking the time to read this over and help. It's appreciated!

edit on 13-2-2012 by Wrabbit2000 because: clarification made

Aamps ? What is that a server? If it is I use OmniHttpD which is very effective for running simple lan tests of webpages. Acts just like any natural server running on a windows box. If you want to go a little deeper, use Apache and run it on a Linux or Ubuntu box (or you could nuts, I run mine on a Sun server running Solaris). I need flexibility as I run both windows and unix servers on a server farm.

Now, if you want to set up protection, I did a system this way for a very large ISP/portal running over 300 apache servers and 120 windows client machines.

Run a dual IP gateway machine (Supermicro p4sci is a nice board, fast enough with about 4 geg and a pair of 250gb RAID SATA's) and a NAT router, or use two NAT routers on the cheap, one wireless and the other not wireless, put it all in series and run a class C wired behind a class C wireless (or reversed depending on the configuration you want) to protect your personal/critical machines while leaving a secondary front end network partially open, specifically ported to the internet or DMZ'd. I like Linksys myself and most of my routers are BEFSR's and WRT54's (so I can DD-WRT for MLPPP) plus the 16/24 switches, but I also have Netgear with has also been running DD-WRT. I've run Tomato firmware as well, just depends on what you like and the router your using. I picked up a WRT54Gv3 for 2 bucks at garage sale and bought an antenna set to give me about 2km radius. You can do a lot of neat things for your neighbors ;-) Like MLPPP everyone on a common system and give them all 54mps of common bandwidth speed plus the terrabyte per month of useage.

That way you are only exposed on the first class C and still have huge bandwidth ;-) I've actually been looking at ways to provide local repeating for a large areas coupled with ham radio just in case the bastards take the internet down. Again, you use the dual class C arrangement in repeater-bridge mode, with your own class C behind that, everyone runs a mirror DNS that sync'd and updated. It could work but I am still playing with the concept with my neighbours.

Cheers - Dave

edit on 2/14.2012 by bobs_uruncle because: (no reason given)

The old WTR54G routers are some of the best made and secure made for cheap to the public. SOO many diff flash upgrades available for this router it is insane.

Packet radio will be the answer to our comms issues when the word goes to #...keep it up. Even without the repeaters up it will be able to connect entire cities with information. I am not a HAM but I belong to a long line of hams K0TAA, K0RAP and many many more.

reply to post by mileysubet


I think we can use hams effectively for transmission between major population centers. Just have to go multichannel for wider bandwidth, something like MLPPP for RF. I have to agree on the WRT54's, I can get a helluva distance out of mine with the external antennas. In fact, I ran a private broadband for a small town of about 1800, so yeah, she works. For contiguous residential areas, say actual cities, wifi repeaters and bridges would work quite well, but it is important to coordinate over large distances, hence ham or some other potentially viable form of communication pipe.

My main concern is triangulation, so I do have something else in the works that involves the emulation of quantum physical properties at classical levels to produce an entangled communicative result through a form of ER bridge. But that's a few years away I think, even though I have already physically proved the concept (NRC and universities).

Anyway, I think it's important we have solutions for "later." After all, when truth is outlawed, only the outlaws will have truth ;-)

Cheers - Dave

Originally posted by mileysubet
Sounds like your LAN is up and running smooth. I honestly don't understand what you question is though, no offence but you rambled quit a bit. As you inferred the router or gateway to the internet is the weakest link in your LAN. A proper admin password and not broadcasting your SSID will go a long ways to securing that link. Beyond that is issues with securing ports on your router, but securing ports will limit the capability's of your LAN so you need to decide what your goal is here.

Sorry about the rambling quality..I was on the wrong end of too many sleepless hours when I asked. It looks like you figured it out despite my meandering post though.

I'm running this site local and simply want to make sure there is no accidental or innocent way for anyone outside my router to get in. It looks like between the two of you here, I have good directions to go now!

reply to post by bobs_uruncle

Thank you for taking the time to lay that out. I was thinking I may have to go that route, I was just hoping for something that would avoid running two distinctly separate networks. After all, I'm not putting anything sensitive up in that sense..just personal family stuff and notes. Things like that. I don't want it public all over...but hacking is a waste of time more than anything. My music collection is probably the only remotely interesting thing a person would find...still...it's the principle of privacy I want to achieve. It's the idea of having it open somehow where people might find their way on without having meant it. I'm realistic enough to know your solution is just the basic starting point for a real sense of security for something where being compromised would matter.


Hmmm... Well I happen to have a couple other routers here and one is a straight wired with no wireless component at all. It gives me the chance to play with some of this anyway. I appreciate the feedback!


Oh.. Quick note here. This is AMPPS:

AMPPS Server Package

It's probably no different than what your using but it's a streamlined, consumer version to get Apache, PHP, Mysql and PERL up on the PC so anything that runs on the net Linux servers can run locally. Oh well... It occurred to me that while you may have checked real quick, others may also wonder and I hadn't really explained that.

reply to post by Wrabbit2000

TNX re the clarification on AAMPS, I thought it was a server package. If you run into any major problems just U2U me or email me. I would suggest that you reflash your firmware with dd-wrt, Tomato or whatever works. There are a lot of open source firmware mods out there and they are so much more adaptable and configurable than the firmware that comes with the router.

BTW, I only suggest a dual Class C system as it would give you pretty good protection on any server you wish to run downstream of the first NAT Router/Firewall. The second Class C of course gives double step protection, it's pretty hard to get through and if you run something like Zonealarm on your machines, it's pretty hard for the "wrong" stuff to get out, even if you are compromised. If you want to get really clever, put a TCP wrapper on the front end with adaptive blocking ;-)

Oh, one last thing, pick a couple of blank IP addresses on your routers/firewalls and direct all unused ports to say 192.168.1.253 an unused IP, which will become your packet garbage bin. Any ports hits or attacks to the redirected ports get directed away from all the relevant machines into a black hole, no response and no returns LOL.

Cheers - Dave