Personal wiki in my home network - how do I secure it?

I'd like to dedicate a low-power Debian/Ubuntu box to set up a personal wiki (namely Instiki) on it. The information I'm looking to store in it will obviously be of a very confidential nature; anyone except me accessing it would be a disaster. And my network administration and security skills are pretty weak. High requirements, low skills; not a good combination.

Asked by: Guest | Views: 66
Total answers/comments: 2
Guest [Entry]

"Here's the approach I'd take:

step 1 (local security)

read up on Instiki, make sure you harden the webserver it uses
choose good passwords for root, admin and personal accounts, keep them in a password manager, not on paper!
make sure only the web-server (no other, e.g. guest) users can read data locally [not sure how that applies to rails]
learn how to encrypt local files (e.g. TrueCrypt)
learn how to make encrypted backups (no backup => no data)

step 2 (access restrictions)

make server accessible over https only (nobody reads your traffic in transit)
allow login to Ubuntu only via ssh [port 22] or local console
to securely access your home network from the wild internets, look into OpenVPN"
Guest [Entry]

"If I am going to be in control of the off-network browsers that I will be using to access resources at home, I use X.509 client certificate authentication over SSL. That way even if someone had my username and password, the web server will refuse to talk to them because they don't have my client cert.

This is a little bit trickier to set up, and if you're using a thin webserver built into some of the wiki products, it might be impossible. I use nginx as my webserver and my wiki (WikkaWiki) runs on php-fastcgi.

The problem is that you may have multiple sites you need to access, and due to the way that SSL works you can't have multiple virtual hosts on the same IP and port combination. You can address this by putting the sites all under one host and having a subdirectory for each (my.domain.com/wiki, my.domain.com/blog) or have separate domain names and use different ports.

In the latter case, you may run into problems sending traffic out of corporate networks to arbitrary ports that you're running SSL on (they block all but known traffic in an attempt to prevent people from opening up tunnels into their network using SSH)."
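
An added example, not part of either answer above: a minimal nginx configuration for the client-certificate setup the second answer describes, with both sites as subdirectories of one host. The host name is the one from the answer; the file paths, the private CA and the php-fastcgi address are assumptions to replace with your own.

```nginx
# Added example. Paths, the private CA and the FastCGI address are assumptions.

# Plain HTTP only redirects, so the wiki is reachable over HTTPS only.
server {
    listen 80;
    server_name my.domain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name my.domain.com;

    # Server identity presented to the browser.
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Client authentication: only certificates issued by this CA are accepted.
    # Use a CA you control, not a public CA bundle, or any certificate
    # issued by a public CA would pass verification.
    ssl_client_certificate /etc/nginx/tls/personal-ca.crt;
    ssl_verify_client on;    # requests without a valid client cert are rejected
    ssl_verify_depth 1;      # client cert must be signed directly by the CA

    # Revocation list for certificates on lost or retired devices.
    # ssl_crl /etc/nginx/tls/personal-ca.crl;

    # /var/www/wiki and /var/www/blog are served as
    # my.domain.com/wiki and my.domain.com/blog.
    root  /var/www;
    index index.php;

    location ~ \.php$ {
        try_files $uri =404;   # never hand non-existent paths to PHP
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME   $document_root$fastcgi_script_name;
        # Expose the verification result and subject to the application.
        fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
        fastcgi_param SSL_CLIENT_S_DN   $ssl_client_s_dn;
        fastcgi_pass 127.0.0.1:9000;
    }
}
```

The wiki's own username and password login stays in place behind this, so a stolen password alone or a stolen certificate alone is not enough to get in.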