G+_Darryl Gibbs, posted November 10, 2015:
Hi guys! I'm running my website from my Rasp Pi2 at home, and I was wondering if I can get some assistance with hiding my IP. Sorry that I'm not sure exactly how to phrase this question, but hopefully the 2 pictures below would help. I noticed (by accident) that if I tried dragging a web link on my page (see pic1), that it shows the server IP address (i.e. my home IP), but if I did the same on G+, it shows the plus.google domain name (pic2). How could I do that for my own site? Have the domain name in place of the actual IP? Thanks!!
G+_610GARAGE, posted November 10, 2015:
If I understand you correctly, you would like to send people to your web server, without giving out the address of your house. If that is correct, then you can't, really. People need to know your address to get to the pi server. Since you are running your pi at your house, there's no real practical way (that I know of anyway) to send people to your pi website without giving out your ip. This is why it's generally not a good idea to run public web pages from your house. The g+ url is just for tracking. So if someone goes to my website via g+, I would be able to figure out exactly what they clicked on by viewing the referral link. The g+ link simply redirects the user to your ip address.
G+_Darryl Gibbs, posted November 10, 2015:
610bob, so the fact that I have an actual www.xxxx.com web address/domain won't help in hiding my IP? I guess in a way it's a good thing that the IP changes periodically and that I have to manually update it, should someone want to do something harmful.
G+_610GARAGE, posted November 10, 2015:
Darryl Gibbs You are correct. Computers go off of ip address (for the most part). A DNS changes a url to an ip address that your computer can use to find the server. If you open up a terminal or command prompt, and ping google.com, it will tell you the ip address that google resolves to. There are also various websites that will do this too.
G+_Darryl Gibbs, posted November 10, 2015:
Would a service like noip.com help mask my address?
G+_Black Merc, posted November 10, 2015:
A VPN?? Pi out to VPN cloud then out to the world? Or is that too complicated.... My current net is behind so many NAT layers that I have a hard time getting VOIP to work right. And this is the only thing I could think has half a chance of success.
G+_610GARAGE, posted November 10, 2015:
Darryl Gibbs Probably not. From what I understand (I never used such a service), they simply forward a domain to a roaming ip address. So a domain name would point to their servers, then their servers would find your ip, and forward the traffic to you. It would be possible to restrict certain traffic in this model, but I never heard of this being done. And you could run a traceroute and find your ip anyway. Plus, your pi would still respond on port 80, so a ddos attack would still be possible, and quite easy with a pi. What you need is what Black Merc said, a vpn. But anyone who wants to get to your website would need to get the vpn software and login credentials. And from what I understand, you do wish to share your website. Correct?
G+_Ben Reese, posted November 10, 2015:
Ha. The VPN idea isn't too far off. What you would need is a VPS that can host the VPN and act as the public IP then forward any web traffic into that IP across the VPN to your Pi. But, yeah... No way to hide your IP if you want to allow direct connections. 610bob, wasn't that you that said you had a VPS acting as a VPN gateway for a mail server? This isn't really too much off from that. And arguably there's no advantage to hiding your IP if you've got ports open. It's a whole lot easier to scan every public IP on the net than it is to scan every domain name. If you have ports open and something vulnerable on the receiving end, there's a good chance it's already been compromised.
G+_610GARAGE, posted November 10, 2015:
Ben Reese No. I believe that was +Eddie foy.
G+_Ben Reese, posted November 10, 2015:
Ah, maybe so. Thanks. Eddie Foy?
G+_Black Merc, posted November 10, 2015:
I was thinking that the internet side of the VPN service (having their own firewall) could act as a proxy, shielding the Pi from direct attack, being that the Pi is in the VPN tunnel.
G+_Darryl Gibbs, posted November 10, 2015:
Great. So basically I'm screwed then. Host at home and be a target, or host elsewhere. Well, thanks for the help guys, I really appreciate it!
G+_Black Merc, posted November 10, 2015:
The costs of being a public figure or hosting a public web 'face' from home. Everyone knows your face and name as a public figure, or everyone knows where your public web 'face' lives. Off-site hosting can be a buffer. Sorry this does not fix your pi to the world problem.
G+_Jason Marsh, posted November 10, 2015:
Darryl Gibbs Host anywhere and be a target is more accurate. From there it's just a matter of whose network could be compromised if an attacker gains privileged access to your server, or whose network is burdened in the event of a DDoS. Put your LAN behind another NAT beyond your server, and make sure no ports are open on your "internal" LAN. On your "outer" LAN, forward only port 80 to your server. Have a look at Steve Gibson's treatment of NAT and double NAT at https://www.grc.com/nat/nat.htm AND https://www.grc.com/nat/nats.htm
G+_610GARAGE, posted November 10, 2015:
Darryl Gibbs Is there a specific reason you want to run a webserver from your house? Web hosting is pretty cheap.
G+_Darryl Gibbs, posted November 11, 2015:
Thanks Jason Marsh and Black Merc. That info is helpful. 610bob, it started out just as a project for the sake of learning, which then turned into an idea to host my site that I'm building to promote my teaching business. My expectations for traffic are extremely low, thus the idea to do it from home. Having said that, the security concerns are far higher as later this week that same pi is going to be my NAS amongst other things, and I cannot have my personal files open to the world! Silly question, but all your advice about having open ports applies to allowing SSH access also, correct?
G+_610GARAGE, posted November 11, 2015:
Darryl Gibbs More so. Someone could figure out your ssh password and get into your pi, then your network. If you want remote ssh, then use a vpn.
G+_Black Merc, posted November 11, 2015:
More secure---> Lan turtle + cloud from hak5.org podcast. A private cloud, reverse shell and security keys. Security as tight as it gets!
G+_Ben Reese, posted November 11, 2015:
Yeah, but SSH is typically considered secure. VPN is probably more secure, but a strong random password can't be figured out very easily. If you rent a VPS (like from Digital Ocean), your default connection will be by SSH.
G+_Black Merc, posted November 11, 2015:
When I refer to security keys I'm thinking 265bit or higher crypto keys! Not some silly "strong random password".
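
The password-versus-key exchange above comes down to whether the Pi's SSH daemon still accepts password logins. The following is an added example, not part of the thread: a small auditor for `sshd_config` text that applies the "first value wins" rule and upstream OpenSSH defaults. The two sample configs are constructed, and `Match` blocks and `Include` files are deliberately not evaluated.

```python
import re

# Upstream OpenSSH defaults that apply when a keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# Constructed samples for illustration (not taken from the thread).
WEAK = """\
# stock-looking config with password logins left on
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
"""

def effective_settings(config_text):
    """Return the global value sshd would use for each keyword in DEFAULTS."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()            # keywords are case-insensitive
        if key == "match":
            break                         # conditional blocks are not evaluated
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)       # sshd keeps the first value it reads
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def audit(config_text):
    """List settings that leave the host open to password guessing."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("password logins accepted: set PasswordAuthentication no")
    if s["pubkeyauthentication"] != "yes":
        findings.append("key logins disabled: set PubkeyAuthentication yes")
    if s["permitrootlogin"] == "yes":
        findings.append("root login unrestricted: set PermitRootLogin no")
    return findings
```

An empty config is flagged as well, because password authentication is on by default.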
G+_Darryl Gibbs, posted November 11, 2015:
So this post was a rude awakening!! I'll have to do some reading about how to access via a VPN. Thanks so much for this info. I didn't realize the risk I was taking was THIS great. Damn black hat hackers!
G+_Ben Reese, posted November 11, 2015:
Black Merc, that's cool. Just don't discount the number of bits that can be stored in alphanumeric characters. Only 43 characters are needed for 256 bit equivalent if you're only using letters and numbers. Even fewer if you expand to special characters.
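
The character counts in the post above can be checked directly. This is an added example, not part of the thread; it generalizes to any alphabet and target strength, and the figures hold only when every character is drawn independently and uniformly at random, which is why the generator uses the `secrets` module.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits   # 62 symbols
PRINTABLE = ALNUM + string.punctuation         # 94 symbols

def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)

def min_length(bits, alphabet_size):
    """Shortest uniformly random string carrying at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))

def random_password(bits, alphabet):
    """Draw each character independently from the OS CSPRNG."""
    length = min_length(bits, len(set(alphabet)))
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for name, alphabet in (("alphanumeric", ALNUM), ("printable", PRINTABLE)):
        n = min_length(256, len(alphabet))
        print(f"{name}: {n} chars = {entropy_bits(n, len(alphabet)):.1f} bits")
    print(random_password(256, ALNUM))
```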
G+_Black Merc, posted November 11, 2015:
Don't knock any hacker. Hackers are the reason that we know new cars are hackable, that the NSA is watching you, and Apple exists (the first of which was built in a garage).
G+_Darryl Gibbs, posted November 11, 2015:
Fair enough