OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: labsy on September 26, 2023, 12:11:42 AM

Title: IPS/IDS for webhosting purpose?
Post by: labsy on September 26, 2023, 12:11:42 AM
Hi,

What direction is IDS/IPS protecting? From LAN to WAN or vice versa?
I mean, I am using OPNsense only to protect a dozen web and mail servers behind it (NAT-ed), and I am wondering if there's any use of IDS/IPS at all in this case?

For example... rule ET POLICY Cleartext WordPress Login ... will it kick in if an attacker is coming from WAN, trying to hack one of the WordPress sites that I am hosting?
Title: Re: IPS/IDS for webhosting purpose?
Post by: bazbaz on October 26, 2023, 09:14:51 AM
Yes, and you may enable Suricata on the internal (after NAT) interface.
Title: Re: IPS/IDS for webhosting purpose?
Post by: Monviech (Cedrik) on October 26, 2023, 09:21:03 AM
Visualization:
https://forum.opnsense.org/index.php?topic=36326.0

If you enable Suricata in Inline IPS mode on LAN, the packets will be dropped at the moment they come IN the LAN interface and match a rule, and the moment they go OUT of the LAN interface and match a rule.

As @bazbaz said, enable it on internal interfaces, not on the WAN.
Title: Re: IPS/IDS for webhosting purpose?
Post by: bimbar on October 26, 2023, 11:29:11 AM
Might be a better idea to use nginx for that.