As title says, i’m curious about the worst case scenario in which an attacker tries to hit my system.
The system configuration is the following: i have some services (important ones) accessible only trough VPN, like SSH (key-based auth only), Pihole…Others are publicly accessible, like Immich, Jellyfin (and so on…).Public ones are accessible via reverse proxy (Caddy) and protected by CrowdSec (which bans IPs outside my country and those failing auth 3 times).
What could happen if an attacker finds out a vulnerability on some public service? Would he be only able to access service’s files (like an appropriate login), or delete/encrypt data (as some cases of blackmail) or even pull out and steal my data?
I’m wondering this because i want to know if CrowdSec+Docker (to preserve permissions on the system) is enough to secure a server.
Worst case is that you lose everything. The only way to protect that is an out of band pull type of backup. One that you servers can not get to or see, but can see your servers. Best at another location as well to protect against fire.
The answer is, as always, it depends.
Some exploits allow the attacker access to the application (in which case they can do whatever the application allows them to do).
Some exploits allow the attacker to get shell access (in which case they can do anything the permissions of the user allow them to do).
Some exploits allow the attacker to get a root shell (in which case they can do almost anything).
Root exploits are much less common, and typically require much more skill, than application exploits. Getting root almost always requires exploiting an application, and then getting shell first.
This is why security people talk about “defence in depth”.
If your application is exploited, what can you do to make it as hard as possible for the attacker to get a shell. If they get a shell, what can you do to make it as hard as possible for them to get root. If they get root, what can you do to restrict the amount of damage they can do. If they do damage, how do you know what they’ve done and what can you do to repair it.
When people are relying on VPNs for security, they are building what security people refer to as the “crunchy on the outside, chewy on the inside” model. There’s no defence in depth, once the attacker is in … you’re screwed.
In a homelab, part of the fun is that we get to decide how much of this we can be bothered with. :-)
In nation state attack at least your government may be on your side.
Probably worst case for an individual is that your network is used to store or transmit illegal content. Even if a law enforcement analyst tracking a person spreading this illegal content (CSAM) knows you are basically innocent, it’s much more likely you get caught up some other way with local law enforcement or similar.
Initially, it may be hard to prove it’s not you because you are dealing with someone who is not an IT person first. This may spiral to losing your job or reputation should you do something like teach or run a club.
Regular attacks against google and the like pivot through 20+ machines. Many compromised machines will never be encrypted because the attacker needs to sit undetected for as long as possible.
Worst case is largely depending on what they actually are able to gain access to.
Worst case worst case? They managed to get your PII and sell it on the dark web, ransomware all your files, demand a ransom which you of course pay because you have it recoverable files and like 90% of the people in the world don’t have backups, and then they don’t give you the decryption key like they usually don’t.
Another scenario is they are able to get your PII, sell it, you don’t notice it, but they also leave a back door or two in your infrastructure that you don’t notice for foo length of time and they exfiltrate data on a continuing basis. This happens to businesses on a very very regular occasion. It’s more valuable to get a trickle of data over time than a fire hose all at once.
An added scenario to the second one is that they use your infrastructure to infect/attack others.
it would be better if you could have two servers (could be virtual) one for public facing applications in DMZ and other for internal stuff in separate network.
What is your worst case, if someone gains access to your stuff? We can’t answer that. That doesn’t necessarily depend on your applications, but more in the data behind them.
Can be everything. From nothing to financial ruin through identity theft.
Depends on the vulnerability
You are doing it wrong: SSH with key authentication is the most secure piece, and could even be public. Immich and Jellyfin surely have zero days and should be behind VPN
Could you elaborate more on immich and jellyfin? I suppose you’re referring to a brute force attack. Isn’t a geoip block + 3 fail attempt to be banned secure enough?
I’m referring to ZERO DAYs. OpenSSH is a serious security product. Those web apps are written by random people and probably riddled with vulnerabilities not known to public.
Here is the rule. Only a trusted vpn and ssh key authentication can be public.
Sorry for the misunderstanding. Perfectly right. Thanks for that
you lost your data and the confidence in your own ability to take care of „it“. life will go on - or not. it all depends on the data and context.
Nothing.
Attacker gains full or even partial control of your system(s) through a vulnerability, does some illegal stuff, swat team shows up and kills all the house inhabitants during the raid as there was a perceived threat.
Is that bad enough? I’m sure I can come up with something worse if needed.