This topic could fall under Networking and Firewalls but since it deals with cyber security I’ll put it here. I am considering creating a DMZ that will be exposed to the Internet. I have a pfSense 3100, Unifi 8-port, VLAN and a few VM hosts. This is a home environment not a small office.
All of my hosts are Ubuntu hardened. I wrote documentation for the server hardening process specific to Ubuntu. Which includes but not limited to disabling services not needed, adding or removing packages, hardening the authentication process and file and FS permissions, adding some open-source security packages, and logging and audit which includes fail2ban.
I’m confident that the hosts are hardened from a security POV. Not completely unhackable but fairly hard to access. I’ve even locked myself out of SSH due to the wrong password. It really is quite annoying when I do it.
What I’m looking for is the other parts to this. And that is software for network monitoring, TI, network protection. Preferably, free open-source tools that are comparable to the things you could get while spending an arm and a leg for the ones that are meant for medium-large networks or businesses. But certainly for network monitoring, I don’t need to be paying $1,638 for SolarWinds Network Monitoring solution.
For example, networking monitoring I know there’s Nagios, Zabbix (highly difficult learning curve), Cacti, and ntopNG. For other security tools, like IDS there’s snort and suricata. And for IPS, I recently just found CrowdSec which looks promising. Unfortunately, it’s only integrated for OPNSense and not pfSense. And I’m not sure if there’s a way to protect against DDOS but I’m still researching.
So, I’m curious on the open-source tools, what you would use to help protect your network and mitigate attacks without breaking the bank.
I am not security expert just sharing what I did in my home network and I think did good (feel free comment if you think what I did is bad idea).
What I did is I am using pfsense, then setup haproxy and snort in it. So the servers I have exposed in the internet are all behind haproxy (even did this on the lan side) then I configured snort to watch the exit interface going to the servers. In this way all communication goes to haproxy and then encryption is stripped off while passing to the servers then snort can freely read the traffic and identify if there is any malicious payload. It can then block that traffic.
Also this is not really pure security but I specifically identify where the traffic I am allowing to get into my network by enabling geo blocking and only allow few traffic to come in. Since the domain I have setup is for personal/family use, I made the possibility of anyone discovering my domain and IP address a bit smaller.
Tool such as Suricata and Snort are good, but still limited to know attack patterns for protecting you from inbound traffic targeting those server. There is a write up here on how to setup Crowdsec with pfsense and that will offer additional blocking of bad IP addresses.
Is it good to use both Snort and Suricata or one or the other? I know both do the same thing but Suricata does have additional features that Snort doesn’t do.
Tom, thanks for the Crowdsec link, I’ll check that out.
Is Snort still a single threaded process, or has it moved to multithreads like Suricata? With 4 threads on my firewall I decided that Suricata was best for me.
It’s a good basic set up but what is your use-case? Snort when configured properly is a good measure for IDS. But Snort itself shouldn’t be the only thing, if you are looking for security. But it also depends on your use-case. Since HAProxy is most commonly used for load balancing. I assume the reason you setup HAProxy is because you have a web or blog frontend and or an application? While HAProxy is good, it is limited and, when set up on a single device you create a SPOF. If you’re using it for a reverse proxy you might be better at looking into using Nginx. Because HAProxy does not support UDP except for syslog. However, again based on your use-case HAProxy might be fine for you. Like I said, it’s a good basic set up you have. And every set up is dependent on the use-case. If you have any questions feel free to ask.
I am using this to allow me to access some servers from home. If it goes down that’s totally fine it won’t be the end of the world. Also gives me opportunity to learn more about pfsense and its packages
There are no, “right” or “wrong” ways for SSH authentication. There are however, SSH Best Practices when it comes to security. As long as you follow those best practices. They should be sufficient for the needs based on the individual and or organizational needs and use-cases. Yes, you can configure for Key based login. But you can also configure for key + password for SSH. There are additional measures you can implement to ensure tighter security. But it depends on your needs and requirements.
I think this is a good write up but, instead of creating an alias and setting up a cron and all that jazz. I would recommend creating an IPv4 custom list to point your URL to for all the automation in pfblockerng.
pfBlockerNG is great but doesn’t download the list more often than one time every hour.
I haven’t looked into how to modify pfBlockerNG to allow more regular updates but i have made a post on the pfBlockerNG reddit requesting crowdsec support.
There is a post somewhere (can’t remember where) that a user walked through some terminal commands to make it update the list every 10 or 5 minutes.
A native package would of course be best and probably something that will get some work because it looks like a good method to handle some things. Have to wait and see what happens.
A multi-purpose device is never as good as dedicated devices for said functions.
Security Onion has been a go-to platform for teams of mine in the past, and with it being free, I highly recommend it for any home setup. The newest version is even more plug and play than the earlier versions. SIEM, NIDS, HIDS, and some tools that integrate them together. All of which you can choose to include during installation.