• 4 Posts
  • 225 Comments
Joined 3 years ago
cake
Cake day: July 20th, 2023

help-circle







  • My setup is “simple” and all these monitoring functions are performed in my opnsense box with the telegram plugin.

    Most of the alerts are pretty basic and are done into the FW level or the outbound basic logging. So opnsense with the basic tooling is just enough.

    I have in my todo to connect the logging system from opnsense to a proper Prometheus/grafana system to really have proper log of several days without having an impact on the FW but I never find the time to do it (lazyness problem)


  • Segment the network as much as feasible, forbid the communication between the segments via FW rules, and set an alert when those rules are triggered.

    For example: your dmz should never initiate any type of communication with your lan segment, your lan segment should not try to access services outside ports 80/443, your dns should log all resolutions performed and it would be nice to have at least a black list.

    None of them should have dns over tls, and for specific hosts and networks segments, new domains with very looong active but idle connections should trigger an alert.

    My personal opinion is that for a homelab is not realistic to perform a dpi to check that there is not an active attack ongoing, neither from the raw processing power, either from the human effort side, your best chance is to alert when something unusual is happening and then adjust your rules of the are false positives










  • The only thing I can tell is that it is totally worthless.

    Because you can not have an uga ipv6, then obviously you will have an ula served via dhcpv6 with ipv4 local address (double stack).

    And in this point you will realize that most computers implementation select which ip address to use following prio: ipv6 uga -> ipv4 -> ipv6 ula

    So even if you do all the things right, your clients will not use it because ipv4 is there and you cannot deselect it because I assume you still want connectivity

    Funny, right? :)



  • Yep, I checked that possibility too but it is like putting barriers into the see because :

    • DoH can also share the IP-PORT with some legits websites
    • there is not a proper way to scan the web to see if there is a proper service
    • the effort to setup one is orders of magnitude lower tan to track then and then to filter it properly

    Honestly is just the prey-predator competition. It won’t stop ever