If a personal home server is hacked, are other PCs vulnerable?

mxmaniac

Member
Dec 8, 2013
29
0
0
I want to experiment with a personal home server, primarily just for learning purposes. Maybe will set up an FTP server, a web page (just for me personally), maybe run some NVR software to record from my IP cameras, etc.

Hoping to use some older hardware, maybe even a laptop, and run either some Windows server software, or maybe a Linux server distribution.

My biggest concern, though, is that this PC will be on my regular wireless network that all my PCs and devices are on. If my little server PC project were to be hacked into or compromised somehow, is there any risk of my other PCs connected to the same router (either wired or wirelessly) being compromised? Or would the hackers only gain access to the server, but be unable to go any further?

And if so, are there any good ways that I can completely isolate the server, so that I am not potentially making any of my personal PCs more vulnerable? I've heard of chaining 2 routers together in the past to somehow separate parts of a network, but don't know much about it or if it's applicable.
 

avos

Member
Jan 21, 2013
74
0
0
There are things you can do to isolate it somewhat on your network, but first you should decide what type of public access you require. Are we just talking FTP and web? Or are we talking opening up SSH, RDP, or other control services?

If you are really worried, set up a VPN at your router and only access it through that.

Beyond that, depending on what your router's capabilities are, you can create VLANs and place it on its own network. Make this a DMZ. Something that is in front of your firewall. To create this with limited routers, just chain 2 together. The first router should have your server and the WAN connection of the second router. The second router has the private LAN. Make sure they use different subnets. This is going to create a double NAT though.

If a computer is compromised, just assume anything you can access from that machine is vulnerable. If you can access network shares from the server, then they are vulnerable. If you can get to your router's management page from it, that is vulnerable. And so on.
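A sanity check for the two-router addressing plan described in the post above, added here as an example and not part of the thread. The function name and all addresses are constructed; it flags overlapping subnets, a misplaced server, and port forwards on the second router that reopen the private LAN to the outer subnet.

```python
import ipaddress

def audit_chained_routers(outer_net, inner_net, server_ip, inner_wan_ip,
                          inner_port_forwards=()):
    """Return findings for a two-router (double NAT) layout.

    outer_net: subnet of the first router (server + second router's WAN)
    inner_net: private LAN behind the second router
    inner_port_forwards: (wan_port, lan_ip) pairs set on the second router
    All parameter names are assumptions made for this example.
    """
    outer = ipaddress.ip_network(outer_net)
    inner = ipaddress.ip_network(inner_net)
    server = ipaddress.ip_address(server_ip)
    inner_wan = ipaddress.ip_address(inner_wan_ip)
    findings = []

    # The post requires the two routers to use different subnets.
    if outer.overlaps(inner):
        findings.append("subnets overlap: %s and %s" % (outer, inner))
    # The server belongs on the first router, outside the private LAN.
    if server not in outer:
        findings.append("server %s is not on the outer subnet" % server)
    if server in inner:
        findings.append("server %s sits on the private LAN" % server)
    # The second router's WAN port plugs into the first router.
    if inner_wan not in outer:
        findings.append("second router WAN %s is not on the outer subnet"
                        % inner_wan)
    # Each forward on the second router lets hosts on the outer subnet
    # (including the server) start connections into the private LAN.
    for wan_port, lan_ip in inner_port_forwards:
        if ipaddress.ip_address(lan_ip) in inner:
            findings.append("forward %d -> %s exposes the private LAN"
                            % (wan_port, lan_ip))
    return findings

if __name__ == "__main__":
    # Constructed sample plan: server on 192.168.1.0/24, PCs on 192.168.2.0/24.
    for line in audit_chained_routers("192.168.1.0/24", "192.168.2.0/24",
                                      "192.168.1.10", "192.168.1.2",
                                      [(3389, "192.168.2.50")]):
        print(line)
```

Even with a clean result, the server still shares the outer subnet with the first router, so that router's management page remains reachable from it.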
 

SecurityTheatre

Senior member
Aug 14, 2011
672
0
0
Agreed. An attacker can easily use a tool like ettercap to snoop traffic on your internal network.

They could use something like Responder.py to attack NBT name resolution to steal your credentials.

Having a knowledgeable attacker on your local LAN is probably bad news. Sure, it's unlikely, but it is some risk.
 

mxmaniac

Member
Dec 8, 2013
29
0
0
Thanks for the info. Seems the general consensus leans towards the dual router / double nat setup, so I will read up more on how to do that, and plan to set it up.

Can anyone help explain, in somewhat newbie terms just how a hacker would potentially compromise my network if they first compromised the server? Trying to get a better overall understanding. This is assuming it is without the double nat, only my current single nat for this example.

For my home network, currently I do not have any sort of file sharing, print sharing, or anything else like that. Each device simply communicates back and forth with the wireless router, nothing else shared between them. So say I have a server running, if the server gets hacked, I realize they could do anything they want to the server itself, and also easily gain access to my router's login page, however since my password is very good and not likely brute forceable, is there really much else they could do? Since I have no sort of shared folders with other PCs and they can't get into the router, is that as far as it goes, or are there other vulnerabilities I'm not aware of?

Then say there was some vulnerability in my router firmware (currently dd-wrt), that allowed them to gain access to my router. How much damage could they actually do at that point? I realize they could totally screw with my settings, causing me to have to reset and redo everything. Or I realize they could potentially route spam or bad traffic through my network. But would that be it? Would my personal PCs be completely safe from being accessed? Or is there some risk to them as well?
 

Mushkins

Golden Member
Feb 11, 2013
1,631
0
0
Simply put, if they have access to that server, even if there's no file sharing/print sharing/whatever configured, you're hosed. That server is still on the same network as all your other PCs. All it takes is a Java vulnerability, or a Windows security flaw, or you turning Remote Desktop Access on, or any number of other things for them to breach those PCs as well. Aside from doing all sorts of malicious things to the server itself, using it for malware distribution, infecting it so if you ever *do* connect those PCs to it with any sort of file sharing it will spread viruses to those PCs, loading it with kiddie porn and anonymously tipping off the police, the list goes on. They can also install software on your server to simply sniff all the traffic on the network to steal credentials and monitor what you do. If you want to get extreme about it, they could log your traffic patterns to deduce when you're most likely not at home to help them plan a home invasion/robbery.

As for getting into your router, probably the most dangerous thing he could do is change your DNS settings to use malicious DNS servers. Now your connection to every website is routing you to a malware bomb instead, hoping to breach whatever security you may have on those PCs. Or they could just redirect all popular site connections to fake versions designed to steal your login credentials (bank sites, social media, government logins, etc).

Once you're on someone's network, it's not a matter of "if" you can do XYZ, but when.
 