Ports 80 & 443 open - Security risk?

henderson1977
Grafter
Posts: 191
Registered: ‎31-07-2007

Ports 80 & 443 open - Security risk?

Hi all
I have opened ports 80 & 443 on my router to allow access to my test websites and the admin webpages (via SSL) on my QNAP TS-109 Pro respectively.
I am not sure whether opening ports 80 & 443 on my router may pose a security risk or not? On the "Shields Up!" website (https://www.grc.com/x/ne.dll?bh0bkyd2), a Common Ports scan advises that "the web is so insecure these days that new security "exploits" are being discovered almost daily. There are many known problems with Microsoft's Personal Web Server (PWS) and its Frontpage Extensions that many people run on their personal machines. So having port 80/443 "open" as it is here causes intruders to wonder how much information you might be willing to give away."
I have learned that Remote Replication requires ports 137-139 and 445 to be open, but these are blocked by most ISPs because these ports are "used by Windows authentication" and are "most easily exploited by hackers and malware". Therefore, I can understand why some ISPs would block these ports and, likewise, I personally would not want to open these ports on my router either.
I am still unsure about leaving ports 80 & 443 open on my router. Perhaps there are programs that monitor the activity on these (and other) ports that may offer a level of security and satisfy my uncertainty?
Any advice please?
Thanks
Scott
VileReynard
Hero
Posts: 12,616
Thanks: 579
Fixes: 20
Registered: ‎01-09-2007

Re: Ports 80 & 443 open - Security risk?

Quote from: henderson1977
I am still unsure about leaving ports 80 & 443 open on my router. Perhaps there are programs that monitor the activity on these (and other) ports that may offer a level of security and satisfy my uncertainty?

You say the problem is with Windows security holes.
The answer is obvious!
Don't allow any Windows PC to have access to the internet.

"In The Beginning Was The Word, And The Word Was Aardvark."

henderson1977
Grafter
Posts: 191
Registered: ‎31-07-2007

Re: Ports 80 & 443 open - Security risk?

Thanks for the quick reply, axisofevil.
An obvious and somewhat agreeable answer. However, what is the best security practice for running a web server hosting multiple websites on a NAS that requires port 80 open, please?
Cheers
Scott
chillypenguin
Grafter
Posts: 4,729
Registered: ‎04-04-2007

Re: Ports 80 & 443 open - Security risk?

If you are running a web server then port 80 needs to be open on your router, and directed to your web server. (Single port forwarding is generally more secure than putting the web server into a DMZ.)
GRC is a bit scaremonger in that it makes any open port sound like a serious issue. When in fact it's any open port that you are unaware was open, and what it's for, that is the issue.
Chilly
zubel
Community Veteran
Posts: 3,793
Thanks: 4
Registered: ‎08-06-2007

Re: Ports 80 & 443 open - Security risk?

The security that you need to be focusing on is the security of the NAS device itself.
While having port 80 and 443 open on your router could be considered a security risk, effectively it's only acting as a 'passthrough' to your NAS device.
You need to ensure that whichever http server you are running on the NAS is 'internet hardened'.
Which device is it, and is it the standard software installed on it, or have you upgraded the NAS device to include a custom OS such as Linux?
B.
henderson1977
Grafter
Posts: 191
Registered: ‎31-07-2007

Re: Ports 80 & 443 open - Security risk?

Thanks for the replies Chilly & Barry!
Barry, my NAS is a Linux-embedded QNAP TS-109 Pro running an Apache Web Server (http://www.qnap.com/pro_detail_feature.asp?p_id=79). I have not installed any custom apps, just as it comes.
So if the open ports are not a security risk, should I be ok with an Apache Web Server? What, if anything, can I do to increase security and reduce the risk of a hacker attack or virus infection please?
Cheers
Scott
Peter_Vaughan
Grafter
Posts: 14,469
Registered: ‎30-07-2007

Re: Ports 80 & 443 open - Security risk?

If the QNAP is updatable then make sure you have the latest updates for it as they may be security fixes.
Other than that I can't see what else you can do to secure your webserver.
chillypenguin
Grafter
Posts: 4,729
Registered: ‎04-04-2007

Re: Ports 80 & 443 open - Security risk?

One point to watch: it is not advised to keep personal files on the same machine that you are using as a web server, as if the web server is compromised then the attacker may be able to read your personal files.
Chilly
henderson1977
Grafter
Posts: 191
Registered: ‎31-07-2007

Re: Ports 80 & 443 open - Security risk?

Hi Chilly
That will be a problem then, because like many others I store all of my personal/media files on my QNAP TS-109 Pro, that's what it's designed for after all.
Therefore, would you say QNAP and other NAS manufacturers (e.g. Synology) have made a huge oversight on the security of their NAS products?
There must be a way to use the features of the NAS in a secure way?  Surely?
Scott
Peter_Vaughan
Grafter
Posts: 14,469
Registered: ‎30-07-2007

Re: Ports 80 & 443 open - Security risk?

I suspect it is designed for home use / local network access rather than as an internet facing web server.
However, can you not separate files stored for local access (as a network share) and the files that the web server has access to? If the box is designed to be a public facing web server it should be able to do that.
Even so, if the system was compromised the hacker may well have access to anything on the disk so I too would not put personal info on a system with public access.
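
As an added illustration of the separation suggested above (not part of the thread and not QNAP's tooling): a Python script that audits a web root for symlinks reaching out of it into private shares and for world-writable entries. The directory names and layout built in `demo()` are constructed; the real share paths on a given NAS are an assumption to fill in.

```python
import os
import stat
import tempfile

def _inside(path, parent):
    # True when path is parent itself or lies beneath it.
    return os.path.commonpath([path, parent]) == parent

def audit_web_root(web_root, private_dirs):
    """Return sorted (path, reason) findings for entries under web_root that
    expose data outside it or can be modified by any local user."""
    root = os.path.realpath(web_root)
    private = [os.path.realpath(p) for p in private_dirs]
    findings = []
    # followlinks=False: report directory symlinks, never descend into them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if any(_inside(target, p) for p in private):
                    findings.append((path, "symlink into private share"))
                elif not _inside(target, root):
                    findings.append((path, "symlink leaves web root"))
                continue  # symlink mode bits are meaningless on Linux
            if os.lstat(path).st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
    return sorted(findings)

def demo():
    """Constructed layout: a web root beside a private share on one disk."""
    with tempfile.TemporaryDirectory() as base:
        web = os.path.join(base, "web")          # hypothetical web root
        private = os.path.join(base, "private")  # hypothetical personal share
        os.makedirs(os.path.join(web, "upload"))
        os.makedirs(private)
        os.chmod(os.path.join(web, "upload"), 0o777)
        for f in (os.path.join(web, "index.html"),
                  os.path.join(private, "photo.jpg")):
            open(f, "w").close()
            os.chmod(f, 0o644)
        os.symlink(private, os.path.join(web, "media"))  # escapes the web root
        os.symlink(os.path.join(web, "index.html"), os.path.join(web, "home"))
        root = os.path.realpath(web)
        return [(os.path.relpath(p, root), why)
                for p, why in audit_web_root(web, [private])]

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A clean result only shows that the web root does not link into the private share; it does not change the point made above that a full compromise of the box can reach everything on the disk.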
henderson1977
Grafter
Posts: 191
Registered: ‎31-07-2007

Re: Ports 80 & 443 open - Security risk?

Hi Peter
The TS-109 Pro is an all-in-one NAS that acts as a web server, media server, iTunes server, MySQL / PHP, remote backups, data storage, etc... so all data is designed to live on this device.
QNAP's website confirms that the TS-109 Pro is an SMB/Corporate product (http://www.qnap.com/pro_detail_feature.asp?p_id=79) designed for professional users.  Also, I have noticed that there are many businesses using this product.  So, I'd be very disappointed if this product was not designed to be used as an external facing web server, as advertised.  In fact, QNAP explain how to create a DDNS so that websites can be accessed externally.
So surely, the web server function is designed to act as an external facing web server and not just a home user's intranet or 'test' website?
chillypenguin
Grafter
Posts: 4,729
Registered: ‎04-04-2007

Re: Ports 80 & 443 open - Security risk?

It's best practice that personal/sensitive files are not stored on an internet web server.
I am sure that it will do both, just don't put files on a web server that you would not want others to see.
It's a little like my car which can exceed 70MPH, but it may not be safe to.
Chilly
henderson1977
Grafter
Posts: 191
Registered: ‎31-07-2007

Re: Ports 80 & 443 open - Security risk?

Hi Chilly
QNAP say we can store all our data securely on the device, run backups, host media files, run an Apache Web Server, blah, blah... all-in-one place... the NAS.  My original query was whether I should be concerned about the warning Shields Up! gives when it detects that port 80 and 443 are open.  But hearing the views of yourself, Peter and others, I am questioning QNAP's security model on their range of "all-in-one" NAS devices.
I didn't buy a 1TB drive to go in my NAS just for a 20MB Website and I'm sure others didn't either.
Hmm    Huh
VileReynard
Hero
Posts: 12,616
Thanks: 579
Fixes: 20
Registered: ‎01-09-2007

Re: Ports 80 & 443 open - Security risk?

If your website is only 20MB, why not use a laptop for your public web server?
My router has a web interface - so it includes a web server. One of the settings is to only allow a limited range of IP addresses to communicate with it. Obviously I have set this to only let my local PCs in!

"In The Beginning Was The Word, And The Word Was Aardvark."

henderson1977
Grafter
Posts: 191
Registered: ‎31-07-2007

Re: Ports 80 & 443 open - Security risk?

Hi axisofevil
I was using 20MB as an example to show how negligible my website(s) will be in comparison to the GBs of media files (vids, music, pics, etc...) I plan to store on it. 
I shouldn't have to look for a solution, QNAP have designed the solution as an all-in-one NAS. My only concern since buying it is whether the security could be tightened up or I should just learn to live like a sitting duck and hope the hackers don't choose me.
Cheers
Scott