Hi everyone,

A friend of mine (actually, a co-worker) want to play a little game with me: we both want to set up a web server at home and try to hack each other. Since we are both web app developers, we think it would be a good exercise for us to learn both the defense and the attack of such servers.

We will install a VPN so we can do our stuff without alerting/disturbing anyone else. However, we plan to secure our servers as much as we can so having them face the internet (instead of using a VPN) wouldn't be a big worry for us.

Finally, we will give each other written permissions before we start doing anything.

My question is: If we wouldn't use a VPN and our server would be serving web pages on the internet, could our scans, brute force attacks, etc disturb other people?

Here I think more of our respective ISP (and possibly others?). What could we do to mitigate the risk of getting into troubles instead of using the VPN? Maybe it doesn't make any difference?

I want to add that I will use a VPN regardless of the answers and we both have no malicious intention whatsoever. We want to compete, that's all!! 

My only note would be that IF you bypass the VPN route, I wouldn't be doing your port scanning, etc, on the open network.  When done over VPN, it's all tunneled across the single port / connection of the VPN, whereas, if you port scan, openly, on your internet connection, many ISP's will disconnect you, and possibly terminate your service.  I know my home ISP has strict policies, forbidding port scanning, etc, and WILL close out my service if I perform those activities from home.  (Thus, the VPN to keep it looking "legit", when I test things from home.)

My ISP acts a little different. If I run NMAP against my work's firewall (usually after I make big changes to it), AT&T move the box out from behind the firewall, and leaves it wide open to everything. I've only had the one box, so I don't know if they do it to the whole network. I do know that the TV, DVR and surfing the web don't work right when they do it.

Their status message says there is a firewall behind their firewall. Please fix or set up a dmz.

i have done a couple of pentests from my home, and havent got into any trouble with my ISP. so it depends on the ISP. i'm sure there is an answer to this in the FAQ of your current ISP. i know mine is too busy capping newsgroup bandwith from the leechers so they are forgetting about us

With some ISPs, you never know what they are blocking at any given moment.  This tends to throw off your results. 

@hitmonkey

We did a similar thing to help a friend practice pentesting.
He started getting a lot of hostile scans on those web services, which ending up being quite annoying and chewed up bandwidth.

In the end we set up a VPN from where he could SSH into a local machine running BT4. From there he could attack the systems in peace and quiet.

i think there are more people on this board interesting in starting such a showdown (atleast i am). maybe its an idea to team up with other member and start a EH.net wide game?

@chrisj: I was thinking of using SSL certificates at both ends of the VPN connection for dual authentication. This way, I will know who is connected. But this only work amongst friends. A nickname in a forum isn't really a person you can trust...

Also, the goal is to have a very secure box. So even if it were wide open to the internet, it wouldn't be to bad (at least, for this box). But you are right, a VPN ending in a DMZ would be better.