mamp and dyndns security

Question

Hi,

I have set this up so I can test sites and let my client see them, the thing is I am worried about potential security to my local machine.

I port forwarded port 80. What's the risk if any?

Thanks,

R.

Answer 1

First, know that no matter what you do, there are always risks, so you should instead be thinking about mitigating these risks. Some of the main attack points you should consider:

• dyndns - how strong is your password, and do you login via https? If your account here is compromised someone can hijack your clients.
• router - can your router be compromised, allowing unwanted traffic on your local network? For this, if you're using a commercial router (rather than a computer hooked directly up to the WAN, which I would recommend against), then make sure to keep it updated with the latest firmware.
• operating system - your OS may have vulnerabilities. It's good that you're only accepting traffic on port 80, but still keep it patched and keep an eye on vulnerabilities as they are discovered.
• web server - this is a big one, as it's responsible for handling the incoming requests. Exploiting a vulnerability here can allow someone to take over your computer. Consider locking down access here by using http auth. It won't prevent people who really want to get through, but it will block search engines and many script kiddies, in case you have an issue with the app itself.
• web app - I won't mention common attacks here (sql injection, xss, csrf, ...) because that would take up a book, but remember that if other people than your clients see your app, you may be exposing data you intended to be private, and depending on what your app does / how it's coded / what platform it runs on, you could be exposing your computer to some royal pwnage. Locking it down behind a firewall (router) and simple auth is a good start, and probably enough for your needs, but keep an eye on your access and system logs, and change the http auth passwords regularly (since you're giving them to clients).
• (these just scratch the surface, as I'm sure you can point out many other attack vectors as well)

Other Ideas:

• only bring up the site for demos, and use different auth credentials for each demo. This way you don't have to care much about the password security, and you mitigate the risk of being attacked when don't expect it. (so shut off the forwarding when you're not giving a demo)
• get a cheap rackspace,ec2,linode or a free heroku test account for these demos. You still have to worry about security of the server and your apps, but if they are compromised you're not going to lose the personal data on your home computer.
• similar to the point above, if you must run on your home network, consider getting a cheap linux box just for hosting your sites, and put this on a separate network partition from your personal computers.
• ssl certs are always a good idea if your app is sending/receiving confidential data.