How do you monitor your homelab network for internal attackers? E.g. you have a publicly available service and theres a vulnerability that you miss or you pull a bad update and suddenly someone has access to your VM/machine/container. How could you increase the chances of automatically detecting that?
The built in IDS in opnsense seems pretty useless, and doesn’t really help detect if e.g. someone is trying to exploit services between your vlans (I could be using it wrong though).
Crowdsec in opnsense is nice but it seems to also be primarily for protecting from malicious actors coming from the WAN.
I’ve heard about the opnsense zenarmor plugin but you have to agree to a privacy policy to use it?
Another option I guess would be collecting firewall logs and making custom notifications for things that you think would be suspicious on your network.
I also know update cooldowns and not exposing anything could largely solve this too, but the monitoring and alerting question really interests me.
I’m in the process of building a monitoring system with grafana stack.
Right now I have monitoring panels for some common metrics and logs. I am yet to set up alerts.
The idea being that if something goes wrong some metric will grow up unexpectedly, for instance network traffic. And I would get a notification.
What I’m still considering is what would I consider abnormal behavior, so I could set up the thresholds.
Yeah that’s kind of what I was originally thinking to do too.