As title says, i’m curious about the worst case scenario in which an attacker tries to hit my system.
The system configuration is the following: i have some services (important ones) accessible only trough VPN, like SSH (key-based auth only), Pihole…Others are publicly accessible, like Immich, Jellyfin (and so on…).Public ones are accessible via reverse proxy (Caddy) and protected by CrowdSec (which bans IPs outside my country and those failing auth 3 times).
What could happen if an attacker finds out a vulnerability on some public service? Would he be only able to access service’s files (like an appropriate login), or delete/encrypt data (as some cases of blackmail) or even pull out and steal my data?
I’m wondering this because i want to know if CrowdSec+Docker (to preserve permissions on the system) is enough to secure a server.
Worst case is largely depending on what they actually are able to gain access to.
Worst case worst case? They managed to get your PII and sell it on the dark web, ransomware all your files, demand a ransom which you of course pay because you have it recoverable files and like 90% of the people in the world don’t have backups, and then they don’t give you the decryption key like they usually don’t.
Another scenario is they are able to get your PII, sell it, you don’t notice it, but they also leave a back door or two in your infrastructure that you don’t notice for foo length of time and they exfiltrate data on a continuing basis. This happens to businesses on a very very regular occasion. It’s more valuable to get a trickle of data over time than a fire hose all at once.
An added scenario to the second one is that they use your infrastructure to infect/attack others.