OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: stanps on March 15, 2025, 12:12:05 AM

Title: IDS or CrowdSec Still necessary?
Post by: stanps on March 15, 2025, 12:12:05 AM
Hey there.

If I have the default deny all rules on my external interfaces, does IDS or CrowdSec offer any advantage on those interfaces?  I vacillate every time I read something on this.

Thank you in advance,
Stan
Title: Re: IDS or CrowdSec Still necessary?
Post by: Patrick M. Hausen on March 15, 2025, 12:36:50 AM
If you have inbound port forwarding rules or IPv6 allow rules for publicly accessible services, Crowdsec or blocklists are worth considering, IMHO.

Not a fan of IDS/IPS in general, because I think it's a fundamentally flawed concept.

I stopped using Crowdsec because the free blocklists are really not worth the effort of configuring and maintaining the service. For a company I would consider it, but just a bit under $100 per month for the most basic subscription is prohibitive for me as a private user. All the interesting blocklists are subscription only.

$100 per year, like I pay for Proxmox, and I would be in.

So I just use FireHOL and friends for inbound connections, now.

If you do not have inbound connections for public services at all, I don't see a reason to use any of these products/technologies.

Install AdGuard Home for some DNS based filtering for outbound and you are good to go.
Title: Re: IDS or CrowdSec Still necessary?
Post by: stanps on March 15, 2025, 01:30:37 AM
Quote from: Patrick M. Hausen on March 15, 2025, 12:36:50 AM
If you have inbound port forwarding rules or IPv6 allow rules for publicly accessible services, Crowdsec or blocklists are worth considering, IMHO.

Not a fan of IDS/IPS in general, because I think it's a fundamentally flawed concept.

I stopped using Crowdsec because the free blocklists are really not worth the effort of configuring and maintaining the service. For a company I would consider it, but just a bit under $100 per month for the most basic subscription is prohibitive for me as a private user. All the interesting blocklists are subscription only.

$100 per year, like I pay for Proxmox, and I would be in.

So I just use FireHOL and friends for inbound connections, now.

If you do not have inbound connections for public services at all, I don't see a reason to use any of these products/technologies.

Install AdGuard Home for some DNS based filtering for outbound and you are good to go.

Rock 'n' roll. I have no inbound connection for anything on the public side.

Thank you!

-S
Title: Re: IDS or CrowdSec Still necessary?
Post by: michmoor on March 26, 2025, 01:45:14 AM
Quote from: Patrick M. Hausen on March 15, 2025, 12:36:50 AM
Not a fan of IDS/IPS in general, because I think it's a fundamentally flawed concept.

What about an IDPS system would make it fundamentally flawed in concept?
It's less useful today due to TLS, but if you can break the encryption (MITM) and pass that through to an IPS system, that's the way to go.
Title: Re: IDS or CrowdSec Still necessary?
Post by: Patrick M. Hausen on March 26, 2025, 04:40:06 AM
"Enumerating badness" does not scale. The administrative burden of rulesets with thousands of entries is too high. But that's just me.

Also breaking TLS is a very bad idea, IMHO.
Title: Re: IDS or CrowdSec Still necessary?
Post by: michmoor on March 26, 2025, 06:32:56 PM
Quote from: Patrick M. Hausen on March 26, 2025, 04:40:06 AM
"Enumerating badness" does not scale.

I love the way you put that :)
Unfortunately, creating block lists and adding signatures is a security-in-depth "thing" that is good to do—perhaps best practice is to do this additionally.

TLS is a bad idea, but it's done. It's one way (not the best way) to stop exfiltration and detect bad payloads that are encrypted.
Title: Re: IDS or CrowdSec Still necessary?
Post by: michmoor on March 26, 2025, 06:34:49 PM
Quote from: michmoor on March 26, 2025, 06:32:56 PM
Quote from: Patrick M. Hausen on March 26, 2025, 04:40:06 AM
"Enumerating badness" does not scale.

I love the way you put that :)
Unfortunately, creating block lists and adding signatures is a security-in-depth "thing" that is good to do—perhaps best practice is to do this additionally.

Breaking TLS is a bad idea, but it's done. It's one way (not the best way) to stop exfiltration and detect bad payloads that are encrypted.