How do you monitor your homelab network for internal attackers? E.g. you have a publicly available service and theres a vulnerability that you miss or you pull a bad update and suddenly someone has access to your VM/machine/container. How could you increase the chances of automatically detecting that?

The built in IDS in opnsense seems pretty useless, and doesn’t really help detect if e.g. someone is trying to exploit services between your vlans (I could be using it wrong though).

Crowdsec in opnsense is nice but it seems to also be primarily for protecting from malicious actors coming from the WAN.

I’ve heard about the opnsense zenarmor plugin but you have to agree to a privacy policy to use it?

Another option I guess would be collecting firewall logs and making custom notifications for things that you think would be suspicious on your network.

I also know update cooldowns and not exposing anything could largely solve this too, but the monitoring and alerting question really interests me.

  • irmadlad@lemmy.worldEnglish
    3·
    12 hours ago

    So, I have a standalone pFsense box running Suricata (IDS/IPS) on WAN & LAN, pfblockerng (filtering), unbound, ntopng (traffic analysis), and Tailscale as an overlay on the firewall. The servers are on their separate VLANs, IoT, phone, laptops and other devices are also isolated. On the server I run Cloudflare Tunnels/Zero Trust, UFW, Tailscale as an overlay, and Fail2Ban. Everything is ‘default deny until something complains’. I’ve never run oPensense so I can’t speak to their software, but pFsense has been rock solid for me for years. I utilize Lnav to review logs. It’s lean, easy to install, and it just works.

    To be quite honest about updates like Docker container updates, I wait until all the early adopters work out all the bugs for me and update when I feel comfortable. Updates to Ubuntu Jammy are usually straight forward and I can’t say I’ve had many issues over the years with Ubuntu Jammy updates. There may be a rare occasion, but nothing really stands out at this moment. The only issue I can think of here recently is when Docker updated but Portainer hadn’t caught up, but that was about a 30 minute fix.

    It took me a while to get everything lined out from the modem to the servers, but my track record makes me feel pretty comfortable with how I have everything set up. In fact, literally most of the time, I just enjoy the set up and scout for the next project.

    • non_burglar@lemmy.worldEnglish
      2·
      9 hours ago

      How did you monitor your vlans with suricata? I have enough trouble tuning a couple subnets, never mind tuning for correlation between 3 or 4. This assumes you have different subnets per vlan, of course.

      • irmadlad@lemmy.worldEnglish
        1·
        9 hours ago

        How did you monitor your vlans with suricata?

        At present I only monitor the VLAN serving the ‘computer room’ which includes the servers. It’s where all the ‘stuff’ happens so I figured I’d start with the most important. However I am in the process of learning how to SPAN (Switch Port Mirroring) where you configure your managed switch to copy traffic from specific VLAN port or all VLANs ports to a dedicated ‘monitoring port’ where a micro server is running Suricata. The mirrored traffic will retain their VLAN tags and Suricata can parse these tags.

        Those are the lofty plans. LOL I’m still fiddling around with it and Suricata because you have to actually set Suricata up to be able to do that. It doesn’t right out of the box.

        • non_burglar@lemmy.worldEnglish
          2·
          9 hours ago

          The mirrored traffic will retain their VLAN tags and Suricata can parse these tags.

          I’m not sure how far down this path you’ve gone, but suricata will not automatically correlate primitives into actual alerts from different vlans without transforms, which are cpu-intensive for what they do.

          You may want to pull your tap/span/mirror from a point where they converge, like internal side of network egress.

          • irmadlad@lemmy.worldEnglish
            1·
            8 hours ago

            but suricata will not automatically correlate primitives into actual alerts from different vlans without transforms, which are cpu-intensive for what they do.

            It is possible to offload the correlation to a downstream SIEM or log aggregator like Wazuh or ELK. Again, it’s something I’m currently trying to spool up on. I know it can be done, I’m just trying different things until I do get it right. I appreciate any input.

            • non_burglar@lemmy.worldEnglish
              2·
              7 hours ago

              Oh, yeah, absolutely. Suricata was created not long after snort, in the days when an ids did the gathering and the correlation.

              You’re totally right, the way most people and orgs do it today is to ship ids logs to a siem for the correlation, overall easier to manage. ELK is the go-to for most, not sure about wazuh, I’ve only seen it in the homelab space, but it might work.

              There is a distro (not totally open source) called SELKS, which sets up suricata, elastic and some other tooling (kibana) in a commonly-used setup. I deploy it a lot because it saves time with the non-security setup with dB’s and such. Pretty easy to point syslog to it and you can see alerts right away and start tuning.

              I’m envious of your position, I learned a lot setting this stuff up.

              • irmadlad@lemmy.worldEnglish
                1·
                6 hours ago

                There is a distro (not totally open source) called SELKS, which sets up suricata, elastic and some other tooling (kibana) in a commonly-used setup.

                I did not know about SELKS. I will definitely check it out. Thank you for the tip.