Monday, November 10, 2025

Network Separation for IoT Servers Phone Laptop Gaming OH MY!

Let’s talk about ‘IoT’, ‘Servers’ and ‘Other’ stuff on your home network.


Keep your network components separated.  Let me say that again but re-worded.  Keep the devices on your network away from each other.


I’m not talking about VLANs here.  Yes, that’s one way to do the trick, but for a home user that can be a bit out of reach.  We’ve seen the meme where the super-tech guy doesn’t want any tech in their house because it “could be listening” and if the toaster makes an odd noise they’ll throw it out the window.  Not this guy.  I’m all about not getting out of my bed to flip the light switch that’s 8 feet away from me.  I’ll grab my phone and trigger it to turn off.  This of course comes with a security risk.





Now that you know the basis of what I’m talking about, let’s jump right into the meat and potatoes of this post.

1. Put your IoT devices onto their own access point.  Yes.  Physical access point.  VLAN hopping is real, and again, VLANs can be out of reach for your mom & pop.

2. Put your servers onto their own network also.  The servers are probably OK behind a router and then a VLAN/etc., but remember that we’re talking about a home setup or mom & pop’s house.  It’s not too far-fetched these days to apply the same principle and put your servers behind their own router.

3. Put your phones/laptops/etc. onto their own network also.

4. Put gaming devices on their own WiFi.  I have a personal preference here for this last one.  I have no evidence to back up the “speed gains”, but it gives me a warm & fuzzy that they’re not competing with other devices as much.

How do you make this happen?  There is a cheap route and an expensive route.  They both come with trade-offs in security though.


- The cheap route:

Go to your local thrift store and find a couple of old routers.  The trade-off here is that the firmware is probably going to be way out of date and have its own potential threat vectors.  The upside is that if an IoT device is compromised, it probably doesn’t matter if the router for it has a couple of issues.  We’re separating that network completely anyway.  I’m not advocating for opening up security issues, but it might be possible to flash it with DD-WRT to get it a bit more up-to-date.  Just pull up the DD-WRT compatibility list while you’re in the store to see if the model is on it.  Another downside to this route is that the hardware could be limited to 10/100 Mbps.  That’s OK for your IoT network, but not so great for other stuff you may be working with.  Whatever you do, configure the router to disable the 5 GHz band if possible.  Every IoT device I’ve worked with has used 2.4 GHz.  By disabling 5 GHz, you’re not sending out junk wireless signal for other access points to compete with.  What about the other hardware where I want 1 Gbps or faster?  Well, the next option then.


- The less-cheap route:

Buy an off-the-shelf router, or re-use what you have, for your gaming and/or other devices network.  Sometimes you can even use this same router with a “DMZ” feature for your server network.  A DMZ is basically just another subnet that you’ve locked down to allow only specific access to.  Fancy word, basic security.  This router will probably still get security and/or firmware updates from the vendor, so there’s a good chance it’s OK to leave as is, as long as you’re actually applying those updates.  If it’s reached end-of-life, check the DD-WRT HCL (hardware compatibility list) because you might find you can squeak out a few more years with what you’ve got.


- The server network:

When it comes to your servers, this probably depends on the size of your home network.  I have a router/access point that I use for my server network but disable its WiFi.  This way I’m not sending out useless signals.  Also, nothing in my server network uses WiFi… but maybe I could experiment with this.  Another angle is that it reduces the attack surface of your server network, since no wireless exploits can be used against it if it’s disabled.


Why do all this for your home network though?  With the increase in IoT devices and so many phones, laptops, gaming consoles, fridges, etc. making their way onto our networks, it’s better to take a secure approach to using them now instead of it being a problem later if something gets compromised.  Security comes with additional steps, such as port-forwarding from the phone/laptop network into the server network, but once it’s set up, you don’t really have to think about it again until a new server is set up.  A little bit of work early on makes me sleep easier at night, and if we all do something similar to this, we could greatly reduce our attack footprint.
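As an added illustration (not part of the original post), here is a small Python audit that encodes the layout described above: four segments on their own routers, default deny between them, and an allow list for the port-forwards from the phone/laptop network into the server network.  The subnets, the forwarded ports and the log lines are constructed assumptions; the script flags any cross-segment flow the policy does not cover.

```python
import ipaddress
import re
# Segments from the post, one per physical router/access point; the subnets are
# constructed for this example (assumption: each router hands out its own /24).
SEGMENTS = {
    "iot": ipaddress.ip_network("192.168.10.0/24"),
    "servers": ipaddress.ip_network("192.168.20.0/24"),
    "clients": ipaddress.ip_network("192.168.30.0/24"),  # phones/laptops
    "gaming": ipaddress.ip_network("192.168.40.0/24"),
}
# Default deny between segments; the only cross-segment flows the post calls for are
# the port-forwards from the phone/laptop network into the server network (placeholder ports).
ALLOWED = {("clients", "servers", 443), ("clients", "servers", 22)}
# Constructed format modelled on an iptables-style kernel log line.
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")

def segment_of(ip: str) -> str:
    """Map an address to its segment; anything outside the four subnets is 'external'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), "external")

def classify(line: str):
    """Return (src_seg, dst_seg, dport, verdict), or None if the line does not parse."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src_seg, dst_seg, port = segment_of(m.group(1)), segment_of(m.group(2)), int(m.group(3))
    if src_seg == dst_seg or "external" in (src_seg, dst_seg):
        verdict = "ignored"    # same segment, or NAT to the internet: not a segmentation question
    elif (src_seg, dst_seg, port) in ALLOWED:
        verdict = "allowed"    # a port-forward we deliberately opened
    else:
        verdict = "VIOLATION"  # segments that should never reach each other
    return (src_seg, dst_seg, port, verdict)

def audit(lines):
    """Return only the cross-segment flows that are not in the allow list."""
    return [r for r in map(classify, lines) if r is not None and r[3] == "VIOLATION"]

SAMPLE_LOG = [  # constructed sample lines
    "kernel: FW IN=br0 SRC=192.168.30.15 DST=192.168.20.5 PROTO=TCP SPT=51000 DPT=443",
    "kernel: FW IN=br0 SRC=192.168.10.42 DST=192.168.20.5 PROTO=TCP SPT=40001 DPT=22",
    "kernel: FW IN=br0 SRC=192.168.10.42 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=443",
    "kernel: FW IN=br0 SRC=192.168.40.7 DST=192.168.30.15 PROTO=UDP SPT=5353 DPT=5353",
]

if __name__ == "__main__":
    for src_seg, dst_seg, port, _ in audit(SAMPLE_LOG):
        print(f"{src_seg} -> {dst_seg}:{port} is not in the segmentation policy")
```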


One final note that’s not required but potentially a good idea.  Each router could be a different brand.  That way, if a flaw is found in TP-Link, your Linksys isn’t impacted.  It does introduce a layer of vendor confusion, learning new setups for various devices, but it might help prevent an attack.  It could also just be dumb, because one second-hand device I snagged is limited to only 16 port-forwards.  Odd.


Tuesday, November 4, 2025

NConf 1.3.0 Install on Ubuntu 22.04.5 LTS

This is how I got NConf working on my Nagios server.  Components:
  • Ubuntu 22.04.5 LTS  Server (minimized install)
  • Nagios 4
  • NConf 1.3.0
  • Full package list at the bottom.
  • It'll set up Apache for HTTPS with an automatic redirect from 80 to 443
  • It will also turn on your firewall, with rules allowing SSH/HTTP/HTTPS added first
Make a backup of your Nagios server if you've already got one setup. 
Do a backup.
Perform the backup.
Backup the server!

None of this should break anything but you're introducing OLD CODE with possible SECURITY FLAWS.  If you decide you don't want that risk, you can revert to your backup.

That said, put your dang Nagios server behind a firewall/etc. if you're going to do this.  Don't come complaining to me that you got hacked because you followed this and put your Nagios server directly onto the internet with a public IP.

Also a side note.  Apparently you can automatically transfer the config to your Nagios server via SCP, or you could even do an SMB mount I suppose.  From a security perspective, you could give NConf its own server in a locked-down environment; then the only thing it can do is send those configs over to Nagios for use.  That's a whole different discussion though.

Ok, moving on...
This is a bash script tested on a fresh install of Ubuntu Server Minimized.  Nothing special.  Nothing extra installed.  Etc. etc. etc.

##########################################

#!/bin/bash
set -e
clear
echo "=== Installing NConf on Ubuntu 22.04 ==="

# === SECURITY WARNING ===
echo -e "\033[1;31mWARNING:\033[0m NConf is old, unmaintained software."
echo -e "\033[1;31mIt may contain security vulnerabilities and should NOT be exposed to the internet.\033[0m"
echo -e "\033[1;31mUse this only in a secured, isolated environment for legacy Nagios configurations.\033[0m"
echo

read -p "Do you still want to continue the installation? (y/N): " confirm
if [[ ! "$confirm" =~ ^[Yy]$ ]]; then
    echo -e "\033[1;33mInstallation aborted by user.\033[0m"
    exit 1
fi

echo ""
read -rp "Enter NConf database username: " NCONF_DB_USER
read -srp "Enter password for user '$NCONF_DB_USER': " NCONF_DB_PASS
echo ""
read -rp "Enter WebUI username (ex: admin): " NCONF_UI_USER
read -srp "Enter WebUI password: " NCONF_UI_PASS
echo ""

# --- Function to check and install a dependency ---
check_install() {
    pkg=$1
    if ! dpkg -s "$pkg" &>/dev/null; then
        echo "Installing missing dependency: $pkg"
        sudo apt install -y "$pkg"
    else
        echo "Dependency already installed: $pkg"
    fi
}

# --- Update and ensure dependencies ---
sudo apt update -y

for pkg in software-properties-common curl ufw unzip wget apache2 mariadb-server mariadb-client; do
    check_install "$pkg"
done

# PHP 5.6 modules
sudo add-apt-repository ppa:ondrej/php -y
sudo apt update -y
for pkg in php5.6 php5.6-cli php5.6-mysql php5.6-ldap php5.6-gd php5.6-xml php5.6-mbstring libapache2-mod-php5.6; do
    check_install "$pkg"
done

# --- Start services ---
sudo systemctl enable --now mariadb apache2

# --- MariaDB setup ---
sudo mysql_secure_installation

sudo mysql -u root <<EOF
CREATE DATABASE IF NOT EXISTS nconf CHARACTER SET utf8 COLLATE utf8_general_ci;
GRANT ALL PRIVILEGES ON nconf.* TO '${NCONF_DB_USER}'@'localhost' IDENTIFIED BY '${NCONF_DB_PASS}';
FLUSH PRIVILEGES;
EOF

# --- Fetch and verify NConf ---
cd /var/www/html
NCONF_TGZ="nconf-1.3.0-0.tgz"
NCONF_URL="https://sourceforge.net/projects/nconf/files/nconf/1.3.0-0/$NCONF_TGZ"

echo "Downloading NConf..."
# /var/www/html is root-owned, so the download and the extraction both need sudo
sudo wget -q --show-progress -O "$NCONF_TGZ" "$NCONF_URL" || { echo "ERROR: Download failed!"; exit 1; }

if [[ ! -f "$NCONF_TGZ" ]]; then
    echo "ERROR: NConf tarball not found after download!"
    exit 1
fi

echo "Extracting NConf..."
sudo tar -xf "$NCONF_TGZ" || { echo "ERROR: Extraction failed!"; exit 1; }

if [[ ! -d "nconf" ]]; then
    echo "ERROR: Extraction did not create expected 'nconf' directory!"
    exit 1
fi

sudo rm -f "$NCONF_TGZ"   # don't leave the tarball sitting in the web root
sudo mkdir -p /var/www/html/nconf/cfg_files   # create it before the chown so it is owned by www-data too
sudo chown -R www-data:www-data /var/www/html/nconf
sudo chmod -R 775 /var/www/html/nconf/{config,output,static_cfg,temp,cfg_files}

echo "NConf successfully downloaded and extracted."

# --- Apache config ---
sudo tee /etc/apache2/sites-available/nconf.conf > /dev/null <<'APACHECONF'
<VirtualHost *:80>
    ServerName nconf.local
    Redirect / https://nconf.local/
</VirtualHost>

<VirtualHost *:443>
    ServerName nconf.local
    # Serving /var/www/html keeps NConf at https://<host>/nconf/, the URL printed at the end of the script
    DocumentRoot /var/www/html
    <Directory /var/www/html/nconf>
        AllowOverride All
        Options -Indexes +FollowSymLinks
        AuthType Basic
        AuthName "NConf Access"
        AuthUserFile /etc/apache2/.htpasswd
        # Only valid-user here: a "Require all granted" alongside it is OR-ed in and bypasses the password
        Require valid-user
    </Directory>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/nconf-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/nconf-selfsigned.key
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    ErrorLog ${APACHE_LOG_DIR}/nconf-error.log
    CustomLog ${APACHE_LOG_DIR}/nconf-access.log combined
</VirtualHost>
APACHECONF

# --- SSL + htpasswd ---
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/private/nconf-selfsigned.key \
  -out /etc/ssl/certs/nconf-selfsigned.crt \
  -subj "/C=US/ST=State/L=City/O=Org/OU=IT/CN=nconf.local"

# -i reads the password from stdin so it does not appear in the process list
printf '%s' "$NCONF_UI_PASS" | sudo htpasswd -ci /etc/apache2/.htpasswd "$NCONF_UI_USER"

# --- Perl fix for ExportNagios.pm ---
# Applied further down by the perl one-liner (after the autoload fix); the old sed here
# rewrote %{...} back into ${...}, i.e. the wrong direction, so it has been dropped.

# --- Update PHP configuration dynamically ---
PHP_VER=$(ls /etc/php | grep -Eo '^[0-9]+\.[0-9]+' | sort -r | head -1)
sudo sed -i 's/^short_open_tag.*/short_open_tag = On/; s/^register_globals.*/register_globals = Off/; s/^magic_quotes_gpc.*/magic_quotes_gpc = Off/' /etc/php/$PHP_VER/apache2/php.ini

# --- Enable Apache modules and restart ---
sudo a2enmod rewrite ssl headers
sudo a2ensite nconf.conf
sudo systemctl restart apache2

# --- Firewall setup ---
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw --force enable

# --- Import NConf schema ---
mysql -u "$NCONF_DB_USER" -p"$NCONF_DB_PASS" nconf < /var/www/html/nconf/INSTALL/create_database.sql

# --- PHP autoload fix ---
sudo tee /var/www/html/nconf/include/includeAllClasses.php > /dev/null <<'EOF'
<?php
spl_autoload_register(function ($class_name) {
    $class_path = NCONFDIR.'/include/classes/class.'.$class_name.'.php';
    if (!empty($class_name) && file_exists($class_path)) {
        require_once($class_path);
        NConf_DEBUG::set("class $class_name", 'DEBUG', 'Autoload');
    }
});
?>
EOF

# Rewrite the keys(${...}) / ${...}-> forms NConf ships to %{...} / ->, which is what
# current Perl accepts.  Every $ on the replacement side must be escaped, otherwise
# Perl interpolates $srv / $def_srv_deps_param as empty variables and emits broken code.
sudo perl -pi.bak -e 's/foreach my \$def_srv_deps_param \(keys\(\$\{\$srv->\[2\]\}\)\)/foreach my \$def_srv_deps_param (keys(%{\$srv->[2]}))/; s/unless\(\$def_srv_deps_param && \$\{\$srv->\[2\]\}->\{\$def_srv_deps_param\}\)/unless(\$def_srv_deps_param && \$srv->[2]->{\$def_srv_deps_param})/; s/\$fval\s*=\s*\$\{\$srv->\[2\]\}->\{\$def_srv_deps_param\}/\$fval = \$srv->[2]->{\$def_srv_deps_param}/' /var/www/html/nconf/bin/lib/NConf/ExportNagios.pm

sudo rm -rf /var/www/html/nconf/temp/* && \
sudo mkdir -p /var/www/html/nconf/temp/test /var/www/html/nconf/temp/Default_collector && \
sudo chown -R www-data:www-data /var/www/html/nconf/temp && \
sudo chmod -R 775 /var/www/html/nconf/temp



DEPLOY_FILE="/var/www/html/nconf/config/deployment.ini"

# Backup existing file if it exists
[ -f "$DEPLOY_FILE" ] && sudo cp "$DEPLOY_FILE" "${DEPLOY_FILE}.old"

# Write the new deployment.ini
sudo tee "$DEPLOY_FILE" > /dev/null <<'EOF'
[extract config]
type        = local
source_file = "/var/www/html/nconf/output/NagiosConfig.tgz"
target_file = "/var/www/html/nconf/cfg_files/"
action      = extract
EOF



# --- Verification ---
echo -e "\n=== Verifying NConf setup ==="

echo -e "\n--- Checking MariaDB ---"
sudo systemctl is-active --quiet mariadb && echo "MariaDB is running ✔" || echo "MariaDB not running ❌"

echo -e "\n--- Testing NConf database access ---"
mysql -u "$NCONF_DB_USER" -p"$NCONF_DB_PASS" -e "SHOW TABLES;" nconf >/dev/null && echo "NConf DB accessible ✔" || echo "NConf DB access failed ❌"

echo -e "\n--- Checking Apache ---"
sudo systemctl is-active --quiet apache2 && echo "Apache is running ✔" || echo "Apache not running ❌"

echo -e "\n--- Checking PHP ---"
php -v | head -n 1

echo -e "\n--- Testing NConf web ---"
# With Basic auth in place an unauthenticated HEAD should answer 401 (200/302 only if auth is off)
curl -skI https://localhost/nconf/ | grep -q "200\|302\|401" && echo "NConf web responds ✔" || echo "NConf not responding ❌"

echo -e "\n--- Checking permissions ---"
for dir in config output static_cfg temp cfg_files; do
  # test as www-data, the user Apache actually writes as (the invoking user is usually not in that group)
  sudo -u www-data test -w /var/www/html/nconf/$dir && echo "$dir writable ✔" || echo "$dir not writable ❌"
done

echo -e "\n=== Installation complete ==="
echo -e "\nAccess NConf at: https://<server-ip>/nconf/"
echo "DBNAME = nconf"
echo "DBUSER = $NCONF_DB_USER"
echo "DBPASS = $NCONF_DB_PASS"
echo -e "\nRemember to set your Nagios binary path inside the NConf web GUI."
echo -e "\nAlso you'll need to set your nagios.cfg to point to /var/www/html/nconf/cfg_files/"

##########################################

A couple things:
1. At the end of the web ui config, you'll get "copy config file (deployment.ini) FAILED".  That's ok.  The script did it for us.
2. After config, permissions will need to be set for the config output, per our config:
chown www-data:www-data /var/www/html/nconf/cfg_files/
3. When you go to 'Generate Nagios config', you'll probably get:
Error: Cannot open main configuration file '/var/www/html/nconf/temp/test/Default_collector.cfg' for reading!
- To fix this, edit ExportNagios.pm (around line 1273) as shown:
nano +1273 /var/www/html/nconf/bin/lib/NConf/ExportNagios.pm

foreach my $def_srv_deps_param (keys(%{$srv->[2]})){
# OLD --> foreach my $def_srv_deps_param (keys(${$srv->[2]})){
unless($def_srv_deps_param && $srv->[2]->{$def_srv_deps_param}) { next }
# OLD --> unless($def_srv_deps_param && ${$srv->[2]}->{$def_srv_deps_param}){next}
$fattr = $def_srv_deps_param;
# OLD --> $fval = ${$srv->[2]}->{$def_srv_deps_param};
$fval = $srv->[2]->{$def_srv_deps_param};

##########################################


Package                     Version (Ubuntu/Source)
apache2                     2.4.52-1ubuntu4.16
apache2-bin                 2.4.52-1ubuntu4.16
apache2-data                2.4.52-1ubuntu4.16
apache2-utils               2.4.52-1ubuntu4.16
curl                        7.81.0-1ubuntu1.21
libapache2-mod-php5.6       5.6.40-86+ubuntu22.04.1+deb.sury.org+1
libcurl3-gnutls             7.81.0-1ubuntu1.21
libcurl4                    7.81.0-1ubuntu1.21
libxmlsec1-openssl          1.2.33-1build2
mariadb-client              1:10.6.22-0ubuntu0.22.04.1
mariadb-client-10.6         1:10.6.22-0ubuntu0.22.04.1
mariadb-client-core-10.6    1:10.6.22-0ubuntu0.22.04.1
mariadb-server              1:10.6.22-0ubuntu0.22.04.1
mariadb-server-10.6         1:10.6.22-0ubuntu0.22.04.1
mariadb-server-core-10.6    1:10.6.22-0ubuntu0.22.04.1
needrestart                 3.5-5ubuntu2.4
openssl                     3.0.2-0ubuntu1.20
php5.6                      5.6.40-86+ubuntu22.04.1+deb.sury.org+1
php5.6-cli                  5.6.40-86+ubuntu22.04.1+deb.sury.org+1
php5.6-common               5.6.40-86+ubuntu22.04.1+deb.sury.org+1
php5.6-gd                   5.6.40-86+ubuntu22.04.1+deb.sury.org+1
php5.6-json                 5.6.40-86+ubuntu22.04.1+deb.sury.org+1
php5.6-ldap                 5.6.40-86+ubuntu22.04.1+deb.sury.org+1
php5.6-mbstring             5.6.40-86+ubuntu22.04.1+deb.sury.org+1
php5.6-mysql                5.6.40-86+ubuntu22.04.1+deb.sury.org+1
php5.6-opcache              5.6.40-86+ubuntu22.04.1+deb.sury.org+1
php5.6-readline             5.6.40-86+ubuntu22.04.1+deb.sury.org+1
php5.6-xml                  5.6.40-86+ubuntu22.04.1+deb.sury.org+1
python3-openssl             21.0.0-1
software-properties-common  0.99.22.9
tar                         1.34+dfsg-1ubuntu0.1.22.04.2
ufw                         0.36.1-4ubuntu0.1
unzip                       6.0-26ubuntu3.2
wget                        1.21.2-2ubuntu1.1