How do you monitor your homelab network for internal attackers? E.g. you have a publicly available service and there's a vulnerability that you miss or you pull a bad update and suddenly someone has access to your VM/machine/container. How could you increase the chances of automatically detecting that?
The built-in IDS in opnsense seems pretty useless, and doesn't really help detect if e.g. someone is trying to exploit services between your vlans (I could be using it wrong though).
Crowdsec in opnsense is nice but it seems to also be primarily for protecting from malicious actors coming from the WAN.
I’ve heard about the opnsense zenarmor plugin but you have to agree to a privacy policy to use it?
Another option I guess would be collecting firewall logs and making custom notifications for things that you think would be suspicious on your network.
I also know update cooldowns and not exposing anything could largely solve this too, but the monitoring and alerting question really interests me.


Segment the network as much as feasible, forbid the communication between the segments via FW rules, and set an alert when those rules are triggered.
For example: your dmz should never initiate any type of communication with your lan segment, your lan segment should not try to access services outside ports 80/443, your dns should log all resolutions performed and it would be nice to have at least a black list.
None of them should have dns over tls, and for specific hosts and networks segments, new domains with very looong active but idle connections should trigger an alert.
My personal opinion is that for a homelab it is not realistic to perform DPI to check that there is no active attack ongoing, neither from the raw processing power side nor from the human effort side; your best chance is to alert when something unusual is happening and then adjust your rules if they are false positives.
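As an added illustration of the "alert when a segment rule is tripped" approach described in this answer (example code, not something the poster wrote), here is a small detector run over constructed, simplified firewall log lines. The segment addresses, the log format and the 80/443 egress policy are assumptions for the example; a real deployment would parse the firewall's own log format instead.

```python
import ipaddress
from collections import Counter

# Assumed homelab segments (constructed for the example, not from the post).
DMZ = ipaddress.ip_network("10.0.20.0/24")
LAN = ipaddress.ip_network("10.0.10.0/24")
INTERNAL = (DMZ, LAN)
LAN_ALLOWED_EGRESS_PORTS = {80, 443}  # LAN may only reach the outside on these

# Constructed, simplified log lines: "<action> <proto> <src>:<sport> -> <dst>:<dport>".
# This is NOT real firewall output; it only stands in for the fields a parser would extract.
SAMPLE_LOG = """\
pass tcp 10.0.10.5:51000 -> 93.184.216.34:443
block tcp 10.0.20.7:40222 -> 10.0.10.5:22
block tcp 10.0.10.8:39000 -> 198.51.100.9:25
pass tcp 10.0.10.5:51001 -> 10.0.20.7:8080
block tcp 10.0.20.7:40300 -> 10.0.10.12:445
"""

def parse_line(line):
    """Split one simplified log line into its fields."""
    action, proto, src, _, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"action": action, "proto": proto,
            "src": ipaddress.ip_address(src_ip), "sport": int(src_port),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port)}

def is_internal(addr):
    return any(addr in net for net in INTERNAL)

def detect(log_text):
    """Return (rule_name, event) tuples for every line that violates a segment rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        # Rule 1: the DMZ must never initiate anything towards the LAN, blocked or not.
        if ev["src"] in DMZ and ev["dst"] in LAN:
            alerts.append(("dmz_to_lan", ev))
        # Rule 2: LAN hosts talk to the outside world on 80/443 only.
        elif ev["src"] in LAN and not is_internal(ev["dst"]) \
                and ev["dport"] not in LAN_ALLOWED_EGRESS_PORTS:
            alerts.append(("lan_egress_odd_port", ev))
    return alerts

def summarize(alerts):
    """Count alerts per (rule, source host); a hot source is what you would notify on."""
    return Counter((rule, str(ev["src"])) for rule, ev in alerts)

if __name__ == "__main__":
    for rule, src in summarize(detect(SAMPLE_LOG)).items():
        print(rule, src)
```

Feeding the firewall's real export into `parse_line` and pointing `summarize` at a notification hook is the only part left to adapt.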
Thanks for your helpful answer.
Do you do all of that on a separate log server? Or on your firewall? I haven't found a good way to do that on opnsense that doesn't feel hacky.