The Artima Developer Community

.NET Buzz Forum
Setting up a simple internet server (pt3) Accept incoming traffic (Sometimes default is not...

Peter van Ooijen

Posts: 284
Nickname: petergekko
Registered: Sep, 2003

Peter van Ooijen is a .NET developer/architect for Gekko Software
Setting up a simple internet server (pt3) Accept incoming traffic (Sometimes default is not... Posted: Jun 6, 2006 5:49 AM

This post originated from an RSS feed registered with .NET Buzz by Peter van Ooijen.
Feed Title: Peter's Gekko
Feed Description: My weblog contains tips, tricks and opinions on ASP.NET, tablet PCs and tech in general.

In two previous posts I described my first steps in setting up my own internet server.

  • Part 1 described choosing the hardware and orchestrating all network traffic bound for the internet.
  • Part 2 described setting up Active Directory as a central hub of configuration.

To conclude, this story will focus on handling incoming traffic, which is after all the main reason to set up my own server. The main concern is safety. I want people to visit my website and to be able to send me mail. But I don't want my server to fall prey to a hostile takeover or be used as a spamming machine for others. I don't believe I can secure my site against every imaginable form of attack. But I am sure I can make it as difficult as possible for any intruder by setting up several lines of defense at several places between the cable coming in and the server's hard drive.

The first hurdle incoming traffic has to take is the router built into the DSL modem. The router does Network Address Translation (NAT): it rewrites the source address (and port) of outgoing IP packets to its own public address, keeps a table of those translations, and uses that table to forward the responses back to the original requester. An incoming packet that matches no entry in the table is dropped, so by default all unsolicited incoming traffic is blocked. There are several ways to accept incoming traffic; how to do this depends on the brand, so check your manual for the details. The easiest way is to redirect all incoming traffic to one of the hosts behind the router (many routers call this a DMZ host). The bad thing is that this redirects traffic on all ports. In my case I only want to accept web surfing over HTTP and incoming mail over SMTP. The good thing is that instead of redirecting all traffic you can forward individual ports. In my case the router only forwards TCP port 80 (HTTP) and TCP port 25 (SMTP). All other (potentially malicious) traffic does not even reach my server. If I later need a web-enabled app that needs other ports, it's a matter of opening just that specific port.

The server itself has a second firewall. As my server is running Windows Server 2003 I'm using ISA Server 2004 (what's in a name...). Getting its base configuration set up is a matter of wizards and more wizards. ISA Server has one for every kind of server you can imagine, and more. Its user interface is very nice and gives a good overview of how a firewall works.

A firewall is an ordered list of rules against which each incoming packet is tested; the first rule that matches decides what happens to it. Each rule states:

  • The result when the rule is met (allow or deny). My set of rules gives a packet four chances to be allowed. When none of the first four matches, the fifth and last rule simply discards the packet, so anything not explicitly allowed is denied.
  • The protocol of the packet. This set only tests for SMTP (mail) and HTTP (web browsing) packets.
  • The direction of the traffic. External packets only stand a chance when they fall under the SMTP or HTTP protocol.
  • The destination. Mail packets are only allowed to the mail server.
  • An extra condition. This allows specific users to get more rights. In my case this is not interesting, but it allows for endless configuration (and vulnerability) scenarios.

These rules overlap with those on the router; the HTTP and SMTP check is made twice. To compromise my server an attacker has to get through both firewalls. As these are totally different in hardware and software, it's quite unlikely that a technique to breach one will also breach the second; the attacker needs to breach both to get in, so using two firewalls does make that a lot harder. Both layers, however, decide on port, protocol and destination only: whatever arrives on port 80 or port 25 is passed through to IIS and Exchange, so an attack that travels inside a legitimate HTTP request or SMTP session is stopped by neither. That is why the configuration of those two services, covered below, still matters.
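The two layers described above, as an added illustration (not ISA Server's rule engine and not the author's configuration): the router forwards only the ports it has a rule for, and the ISA rule list is then walked top to bottom until a rule matches, ending in a default deny. The host addresses, rule names and the `dmz_host` option that models "redirect all incoming traffic to one host" are assumptions made for the example.

```python
"""Two layers of port filtering, as an ordered-rule model.

Added illustration for this article; not ISA Server's rule engine and
not the author's configuration.  Host addresses, rule names and the
rule set are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Optional

SERVER = "192.168.1.10"        # web + mail server on the LAN (assumed address)
WORKSTATION = "192.168.1.20"   # an ordinary LAN client (assumed address)


@dataclass(frozen=True)
class Packet:
    src: str                    # source IP address
    dst: str                    # destination IP address
    proto: str                  # "tcp" or "udp"
    dport: int                  # destination port
    from_external: bool = True  # arrived on the internet side of the router?


def router_forward(pkt: Packet, dmz_host: Optional[str] = None) -> Optional[Packet]:
    """Stage 1: the DSL router.

    An unsolicited packet (no NAT table entry) is only forwarded if a
    port-forwarding rule exists for its protocol and port.  dmz_host models
    the "redirect all incoming traffic to one host" option: every port goes.
    """
    forwards = {("tcp", 80): SERVER, ("tcp", 25): SERVER}
    target = dmz_host or forwards.get((pkt.proto, pkt.dport))
    if target is None:
        return None                               # dropped at the router
    return Packet(pkt.src, target, pkt.proto, pkt.dport, pkt.from_external)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "allow" or "deny"
    proto: Optional[str] = None            # None means "any"
    dport: Optional[int] = None
    dst: Optional[str] = None
    from_external: Optional[bool] = None

    def matches(self, pkt: Packet) -> bool:
        checks = ((self.proto, pkt.proto), (self.dport, pkt.dport),
                  (self.dst, pkt.dst), (self.from_external, pkt.from_external))
        return all(want is None or want == have for want, have in checks)


# Stage 2: the ISA Server rule list.  First matching rule wins; the last
# rule matches everything and denies, so anything not listed is dropped.
ISA_RULES = [
    Rule("Allow HTTP to the web server", "allow", "tcp", 80, SERVER, True),
    Rule("Allow SMTP to the mail server", "allow", "tcp", 25, SERVER, True),
    Rule("Allow LAN clients out", "allow", from_external=False),
    Rule("Default deny", "deny"),
]


def isa_decide(pkt: Packet, rules=ISA_RULES) -> str:
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"                                 # no rule at all: still deny


def inbound_verdict(pkt: Packet, dmz_host: Optional[str] = None) -> str:
    """Run one packet from the internet through both layers."""
    forwarded = router_forward(pkt, dmz_host)
    if forwarded is None:
        return "dropped at router"
    return f"{isa_decide(forwarded)} by ISA"


if __name__ == "__main__":
    # 203.0.113.5 stands in for the router's public address (documentation range).
    for port in (80, 25, 3389):
        pkt = Packet("198.51.100.7", "203.0.113.5", "tcp", port)
        print(port, inbound_verdict(pkt), "/ as DMZ host:", inbound_verdict(pkt, SERVER))
```

The interesting case is the DMZ-host one: with the router forwarding every port, a connection to port 3389 still dies on the ISA default-deny rule, which is the practical payoff of the overlap between the two rule sets.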

The wizards set up the basic rules; after that you can fine-tune every rule in very rich dialogs. As a developer I'm easily lost in the many configuration possibilities, some of them completely new to me. The good UI of ISA Server has not only helped me set up my firewall but has also taught me more about internet traffic than most of the documentation.

As a mail server I'm using Exchange 2003. Most of the configuration is done in Active Directory. Each domain user has their own mailbox, and a mailbox can accept mail sent to a large number of email addresses. Take mine:

These addresses fall in multiple domains. By default Exchange only accepts email for the domain the mail server is part of. As seen in the ISA Server firewall overview, the server listens for incoming mail on an IP address, and one address can stand for any number of domains (see later). If someone tries to send me email at one of the other domains, the sender gets relaying errors: Exchange does not consider the domain its own, treats the message as one to be relayed elsewhere, and refuses it. If you want your server to accept email sent to a non-default domain, you have to add that domain to the recipient policies in the Exchange System Manager.

As a last check, make sure to run the Microsoft Baseline Security Analyzer, which does a good job of running a load of checks. Having passed that, the server should be ready to accept and handle incoming traffic.

Throwing the switch was somewhat more complicated than I had anticipated. It all boils down to associating the IP address of my DSL modem with the domain names (Gekko-Software.nl, petersgekko.net, petersgekko.com) in the internet's name servers. This is a two-stage thing. The first stage is registering the domain name with an official registrar. This can be your ISP, but you can also do it yourself on a site like Stargate.com. The second stage is coupling your IP address to the domain(s) by publishing it in the domain's DNS zone. Again this can be done by your ISP, or you can do it yourself at a place like zonedit.com. What happens after changing the address is a little time of utter chaos. In the forest of name servers on the web it's impossible to see the individual trees, and these trees don't update instantaneously: every resolver that has cached the old record keeps answering with it until the record's TTL (time to live) has expired. Give things 24 hours to settle, and when it's really important to keep a domain in the air (I had some serious problems with my default Gekko-Software.nl domain) make sure you have professional help nearby. Again I have to praise xs4all for their professional and dedicated service.

Directing incoming mail to your own server is independent of the other traffic. It's a matter of entering the fully qualified name of the mail server in a so-called DNS MX (Mail eXchanger) record. An MX record holds a host name, never an IP address. The name of my mail server (sturisoma.petersgekko.net) contains the name of a registered domain (petersgekko.net); a sending server first looks up the MX record of the recipient's domain and then the address record of that host. So the direction the mail takes is fully dependent on a domain name, not an IP address, and the same host name can serve as the MX for several domains.
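The MX-then-A lookup and the TTL behind the "24 hours to settle" advice, as an added example that is not part of the original post and not the registrar's or DNS host's tooling. The zone text is constructed: the host name sturisoma.petersgekko.net comes from the post, the TTLs and the addresses (documentation range 203.0.113.0/24) are assumptions.

```python
"""Where does mail for a domain go, and how long does an old DNS record linger?

Added example for this article; not the registrar's, the DNS host's or the
author's tooling.  The zone below is constructed: the host name
sturisoma.petersgekko.net is the one from the post, TTLs and addresses
(documentation range 203.0.113.0/24) are assumptions.
"""
from datetime import datetime, timedelta
from typing import List, Tuple

ZONE = """
petersgekko.net.            3600 IN MX 10 sturisoma.petersgekko.net.
petersgekko.net.            3600 IN A  203.0.113.10
www.petersgekko.net.        3600 IN A  203.0.113.10
sturisoma.petersgekko.net.  3600 IN A  203.0.113.10
petersgekko.com.            3600 IN MX 10 sturisoma.petersgekko.net.
gekko-software.nl.          3600 IN MX 10 sturisoma.petersgekko.net.
"""

Record = Tuple[str, int, str, Tuple[str, ...]]   # owner, ttl, type, rdata


def parse_zone(text: str) -> List[Record]:
    """Parse one-record-per-line zone data: owner TTL IN TYPE rdata..."""
    records = []
    for line in text.strip().splitlines():
        owner, ttl, _cls, rtype, *rdata = line.split()
        records.append((owner.rstrip(".").lower(), int(ttl), rtype, tuple(rdata)))
    return records


def lookup(records: List[Record], name: str, rtype: str) -> List[Record]:
    name = name.rstrip(".").lower()
    return [r for r in records if r[0] == name and r[2] == rtype]


def mail_hosts(records: List[Record], domain: str):
    """Follow MX -> A the way a sending mail server does.

    Returns (preference, hostname, addresses) sorted by preference.  The MX
    target is a host name and must itself have an A record; an MX that
    points at a name without one means the domain cannot receive mail.
    """
    result = []
    for _owner, _ttl, _type, (pref, target) in lookup(records, domain, "MX"):
        target = target.rstrip(".").lower()
        addrs = [rdata[0] for _o, _t, _ty, rdata in lookup(records, target, "A")]
        if not addrs:
            raise ValueError(f"MX target {target} has no A record")
        result.append((int(pref), target, addrs))
    return sorted(result)


def settle_time(records: List[Record], name: str, rtype: str, changed_at: str) -> str:
    """Latest moment (ISO 8601) a caching resolver may still serve the old record.

    Resolvers keep a record for its TTL, so after a change at changed_at the
    old value can be served until changed_at + TTL.  Lowering the TTL well
    before a move is what shortens the "utter chaos" window.
    """
    ttl = max(r[1] for r in lookup(records, name, rtype))
    return (datetime.fromisoformat(changed_at) + timedelta(seconds=ttl)).isoformat()


if __name__ == "__main__":
    zone = parse_zone(ZONE)
    for domain in ("petersgekko.net", "petersgekko.com", "gekko-software.nl"):
        print(domain, "->", mail_hosts(zone, domain))
    print("old A record may linger until",
          settle_time(zone, "sturisoma.petersgekko.net", "A", "2006-06-06T12:00:00"))
```

Note that all three domains resolve to the same host through the one name, so changing the A record of sturisoma.petersgekko.net moves the mail for every domain whose MX points at it; the MX records themselves need no change.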

When the server is up you should test it for security holes. A very nice site is DNSgoodies, where you can do all the crucial tests on one web page. Server 2003 and Exchange 2003 are supposed to be secure by default. Nevertheless my test for an open relay failed, which would make my server a potential source of spam. This warning was pretty real: within a couple of hours spam started to accumulate in the queues. I'm not sure whether it was actually delivered, but the fact that a server shows up as an open relay is enough to get blacklisted, and cleaning up the mess by hand is something you don't want to do. Setting this right took some effort. Google hits on the subject tell you how to disable relaying, but that points to the default setting already present. What really helped was switching on recipient filtering. With recipient filtering Exchange rejects mail for addresses that are not in my Active Directory during the SMTP session itself, instead of accepting the message and generating a bounce afterwards, and this blocked the open relay. That's exactly what I want. Having applied the setting, DNSgoodies congratulated me and my mail queues are clean again.
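What an open-relay probe actually sends, and how the two settings mentioned above change the server's answers, as an added example. This is not Exchange 2003 code and not the test DNSgoodies runs; it is a small model of the SMTP envelope phase (EHLO, MAIL FROM, RCPT TO) in which the receiving server decides per recipient whether it would have to relay, and whether it knows the mailbox. The local domains, the directory of mailboxes and the probe addresses are constructed for the example.

```python
"""An open-relay probe against a model of the receiving SMTP server.

Added example for this article; not Exchange 2003 code and not the test
DNSgoodies runs.  It models the envelope decisions (MAIL FROM, RCPT TO)
under two settings: whether unauthenticated clients may relay, and whether
recipients not in the directory are filtered.  Domains, mailboxes and probe
addresses are constructed for the example.
"""
from typing import List, Tuple

LOCAL_DOMAINS = {"petersgekko.net", "petersgekko.com", "gekko-software.nl"}
DIRECTORY = {"peter@petersgekko.net", "peter@petersgekko.com"}   # assumed mailboxes


class SmtpPolicy:
    def __init__(self, allow_unauthenticated_relay: bool, recipient_filtering: bool):
        self.allow_unauthenticated_relay = allow_unauthenticated_relay
        self.recipient_filtering = recipient_filtering

    def rcpt_to(self, rcpt: str, authenticated: bool) -> str:
        domain = rcpt.rpartition("@")[2]
        if domain not in LOCAL_DOMAINS:
            # Delivering this would mean relaying it on to some other server.
            if authenticated or self.allow_unauthenticated_relay:
                return "250 2.1.5 Recipient OK"
            return "550 5.7.1 Unable to relay"
        if self.recipient_filtering and rcpt not in DIRECTORY:
            # Rejected during the session, instead of accepted and bounced later.
            return "550 5.1.1 User unknown"
        return "250 2.1.5 Recipient OK"


def _address(arg: str) -> str:
    """'FROM:<a@b>' or 'TO:<a@b>' -> 'a@b'"""
    return arg.partition(":")[2].strip().strip("<>").lower()


class SmtpSession:
    """Minimal server-side state machine for the envelope part of SMTP."""

    def __init__(self, policy: SmtpPolicy, authenticated: bool = False):
        self.policy, self.authenticated = policy, authenticated
        self.greeted, self.mail_from, self.rcpts = False, None, []

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return "250 sturisoma.petersgekko.net Hello"
        if not self.greeted:
            return "503 5.5.1 Send HELO/EHLO first"
        if verb == "MAIL":
            self.mail_from, self.rcpts = _address(arg), []
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Need MAIL command"
            reply = self.policy.rcpt_to(_address(arg), self.authenticated)
            if reply.startswith("250"):
                self.rcpts.append(_address(arg))
            return reply
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"


def run(policy: SmtpPolicy, commands: List[str], authenticated=False) -> List[Tuple[str, str]]:
    """Feed a scripted client dialogue to one session; returns (sent, reply) pairs."""
    session = SmtpSession(policy, authenticated)
    return [(cmd, session.handle(cmd)) for cmd in commands]


# What a relay tester sends: an outside sender to an outside recipient.
RELAY_PROBE = ["EHLO probe.example", "MAIL FROM:<probe@example.net>",
               "RCPT TO:<victim@example.org>", "QUIT"]


def is_open_relay(policy: SmtpPolicy) -> bool:
    return run(policy, RELAY_PROBE)[2][1].startswith("250")


def accepts_unknown_local(policy: SmtpPolicy) -> bool:
    """Accepted now, bounced later: the backscatter that fills the queues."""
    cmds = ["EHLO probe.example", "MAIL FROM:<probe@example.net>",
            "RCPT TO:<nobody@petersgekko.net>"]
    return run(policy, cmds)[2][1].startswith("250")


if __name__ == "__main__":
    for name, pol in [("wide open", SmtpPolicy(True, False)),
                      ("relay off", SmtpPolicy(False, False)),
                      ("relay off + recipient filtering", SmtpPolicy(False, True))]:
        print(f"{name}: open relay={is_open_relay(pol)}, "
              f"accepts unknown local users={accepts_unknown_local(pol)}")
        for cmd, reply in run(pol, RELAY_PROBE):
            print("   C:", cmd)
            print("   S:", reply)
```

The two checks answer different questions. `is_open_relay` is the classic probe: an outside sender naming an outside recipient must get a 550 at RCPT TO. `accepts_unknown_local` is the accept-then-bounce case: without recipient filtering the server says 250 to any address in its own domains and only finds out later that the mailbox does not exist, producing bounces to a forged sender, which is what fills the queues and gets a server listed even when it does not relay in the strict sense.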

That's about it. I'm not an IT pro, but it looks like I managed to get everything up and running nevertheless. And it's humming along sweetly; over here everybody is content. But feel free to comment on anything which could be done better.

 

Copyright © 1996-2019 Artima, Inc. All Rights Reserved. - Privacy Policy - Terms of Use