Intercontinental
New Around Here
Hoping for some advice here.
Currently running a small web server for a few bits and pieces for probably a dozen users.
It is running in a KVM VM, with a PCI NIC Passthrough, with port 80 and only port 80 forwarded to the fixed IP of this machine. Ubuntu Server 14.04.3 - automatic updates on and most of http://blog.mattbrock.co.uk/hardening-the-security-on-ubuntu-server-14-04/ done too.
Currently there is only the login pages for the apache 2 based software, but I'd like to add another layer before that and ideally completely separate that machine from the rest of the network.
For the latter, I can't separate it electrically (i.e. the server is plugged into a 24 port switch which is in turn connected to the router (RT-N66U running tomato) in another room), so I assume there is nothing I can do to prevent my server, if it is 100% compromised, from having a crack at anything else on my network?
Secondly, what would the best/easiest way of putting another login before the login pages for the software?
I.e. when the user navigates to www.mywebserver.com/softwareA, it asks for a user/pass before allowing you to continue to the normal softwareA login page?
.htaccess is a possibility, but I regularly access this outside of my network and iOS doesn't store credentials like this (irritating and/or insecure if I don't use a decent combo!). So could I allow any IP in my home network range to access this without the .htaccess login prompt and also set up something (some sort of proxy perhaps?) to allow my iPhone external access?
Any thoughts or tips? I would consider adding another NIC and VM to control access if it is thought beneficial?
Cheers.
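The "password prompt for outsiders, none for the home LAN" arrangement asked about above can be done in Apache 2.4 itself, as in this added example (not from the original post). It assumes Ubuntu 14.04's Apache 2.4, that softwareA lives under /var/www/html/softwareA, and a placeholder home range of 192.168.1.0/24; the password file path and realm name are likewise made up for the example.

```apache
# Added example: an extra HTTP Basic Auth layer in front of /softwareA that
# clients on the home LAN skip. Assumes Apache 2.4 (Ubuntu 14.04 ships 2.4.7),
# softwareA under /var/www/html/softwareA, and a home LAN of 192.168.1.0/24
# (placeholder; substitute the real range).
# Place this inside the site's <VirtualHost> block in
# /etc/apache2/sites-available/ rather than in a .htaccess file, so that
# nothing under the web root can override it.
<Directory /var/www/html/softwareA>
    AuthType Basic
    AuthName "softwareA front door"
    # Create the password file once with:
    #   htpasswd -c /etc/apache2/.softwareA-users alice
    # (omit -c when adding further users). Keep it outside the web root.
    AuthUserFile /etc/apache2/.softwareA-users

    # RequireAny passes the request if ANY of the rules below matches:
    <RequireAny>
        # Home LAN clients get through without the extra prompt.
        Require ip 192.168.1.0/24
        # Everyone else (e.g. the iPhone from outside) must authenticate.
        Require valid-user
    </RequireAny>
</Directory>
```

Two checks worth doing after enabling it: confirm in the access log which source address home devices actually arrive with, since reaching the server via the public hostname through the router's NAT loopback can rewrite it, and remember that Basic Auth over plain port 80 sends the username and password in cleartext on every request, so it only adds real protection once the site is served over TLS.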