BBS security tips?

[Jew]

What dangers are there in me freely giving out my IP address?

None at all. Every domain must be looked up and turned into an IP address before it can be used anyway. Domains are almost purely for human use; computers don't need them. Think of it like a phone book. If you tell someone your name (your domain) he can't call you (go to your website) until he looks up your phone number (IP address) in the phone book (DNS system.)

By the way, do you have a static IP address? Many DSL and cable providers charge you extra for an unchanging IP address.

How bad is the security risk to the rest of my computer and LAN?

Ah, now there's the real question. How is your router set up? I have a router set up on my DSL line and it does NAT (network address translation.) That means that my router has the external IP address and any web browsing I do from my computer looks like it's coming from the router. The trick is that you can't connect directly to my computer from the outside, because the router is in the way. That protects my computer from potential threats.

But in your case, you're clearly able to connect to your computer from the outside. That either means you have an external IP address mapped directly to the PC, or you've set up some sort of port forwarding via the router. In either case, your computer is now directly connected to the internet and is a target for attack.

If you're running Windows, make sure to keep your antispyware and antivirus programs up-to-date, and run a software firewall all the time. Make sure you don't have any other servers running, like FTP or telnet or SQL Server. Make regular weekly backups of your data.

If you have other computers on the network there are additional precautions you must take. Basically, the computer you run the server on is now a untrusted public server. Assume that someone is going to crack it, and make sure that if someone cracks that server that he doesn't automatically get access to the rest of the machines on the network. That means you should not give your server access to any other computers on your network. Don't leave unprotected network shares on the LAN that can be accessed from your server. E.g., if you have a desktop PC and a server PC, and the desktop's C: drive is shared without any password, then anyone who cracks the server has also cracked the desktop. So make sure that doesn't happen.

Oh, and keep the BBS software up-to-date.

[Jew]

Hmm. Sounds like you've got all your bases covered. I don't know enough about DoS attacks to say with certainty, but my guess is if someone DoSed you it would take down your router as easily as it would take down your PC. I could be wrong.

Your port forwarding looks pretty good. If you're experimenting with PHP you might want to set up an internal website on port 8080 or something, although what you're doing looks fairly safe to me. I'm not a security expert, though, so don't hold me to that.

If you're a paranoid sort I can point you to Tripwire, a program that alerts you if any system files are changed. We used this on a Linux server I worked on a few years ago, but I was not involved in setting it up so I can't help you there. I personally never bother about Tripwire at home. A standard Linux install behind a router with a few ports forwarded is safe enough to give me peace of mind.

[labrat]

If your member base and visitors are low in volume you should be ok. However if you start to get a few decent hit counts you draw some attention. My advice is to run snort in concert with tripwire and run weekly scans for rootkits. Although that might sound a little paranoid good habits should be encouraged, espically where security is concerned.