this post was submitted on 01 Jun 2026
71 points (100.0% liked)

Selfhosted

60093 readers
795 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require your active participation in selfhosting or related communities, or the post will be removed. No more than 10% of your posts or comments may be self-promotional, or your post will be removed. F/LOSS Exception: If your post is about a project that is completely open source & can be self-hosted in full without payment, your post is exempt from this rule as long as you continue to engage in comments.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
71
Internal network monitoring (lemmy.world)
submitted 3 weeks ago* (last edited 3 weeks ago) by ueiqkkwhuwjw@lemmy.world to c/selfhosted@lemmy.world
21 comments fedilink hide all child comments
 

How do you monitor your homelab network for internal attackers? E.g. you have a publicly available service and theres a vulnerability that you miss or you pull a bad update and suddenly someone has access to your VM/machine/container. How could you increase the chances of automatically detecting that?

The built in IDS in opnsense seems pretty useless, and doesn't really help detect if e.g. someone is trying to exploit services between your vlans (I could be using it wrong though).

Crowdsec in opnsense is nice but it seems to also be primarily for protecting from malicious actors coming from the WAN.

I've heard about the opnsense zenarmor plugin but you have to agree to a privacy policy to use it?

Another option I guess would be collecting firewall logs and making custom notifications for things that you think would be suspicious on your network.

I also know update cooldowns and not exposing anything could largely solve this too, but the monitoring and alerting question really interests me.

you are viewing a single comment's thread
view the rest of the comments
[–] non_burglar@lemmy.world 2 points 3 weeks ago (1 children)

The mirrored traffic will retain their VLAN tags and Suricata can parse these tags.

I'm not sure how far down this path you've gone, but suricata will not automatically correlate primitives into actual alerts from different vlans without transforms, which are cpu-intensive for what they do.

You may want to pull your tap/span/mirror from a point where they converge, like internal side of network egress.

[–] irmadlad@lemmy.world 1 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

but suricata will not automatically correlate primitives into actual alerts from different vlans without transforms, which are cpu-intensive for what they do.

It is possible to offload the correlation to a downstream SIEM or log aggregator like Wazuh or ELK. Again, it's something I'm currently trying to spool up on. I know it can be done, I'm just trying different things until I do get it right. I appreciate any input.

[–] non_burglar@lemmy.world 2 points 3 weeks ago (1 children)

Oh, yeah, absolutely. Suricata was created not long after snort, in the days when an ids did the gathering and the correlation.

You're totally right, the way most people and orgs do it today is to ship ids logs to a siem for the correlation, overall easier to manage. ELK is the go-to for most, not sure about wazuh, I've only seen it in the homelab space, but it might work.

There is a distro (not totally open source) called SELKS, which sets up suricata, elastic and some other tooling (kibana) in a commonly-used setup. I deploy it a lot because it saves time with the non-security setup with dB's and such. Pretty easy to point syslog to it and you can see alerts right away and start tuning.

I'm envious of your position, I learned a lot setting this stuff up.

[–] irmadlad@lemmy.world 1 points 3 weeks ago* (last edited 3 weeks ago)

There is a distro (not totally open source) called SELKS, which sets up suricata, elastic and some other tooling (kibana) in a commonly-used setup.

I did not know about SELKS. I will definitely check it out. Thank you for the tip.