IPS/IDS for webhosting purpose?

Started by labsy, September 26, 2023, 12:11:42 AM

Hi,

What direction is IDS/IPS protecting? From LAN to WAN or vice versa?
I mean, I am using OPNsense only to protect a dozen web and mail servers behind it (NAT-ed), and I am wondering if there's any use for IDS/IPS at all in this case?

For example... rule ET POLICY Cleartext WordPress Login ... will it kick in if an attacker is coming from WAN, trying to hack one of the WordPress sites that I am hosting?

October 26, 2023, 09:14:51 AM #1 Last Edit: October 26, 2023, 09:16:36 AM by bazbaz
Yes, and you may enable Suricata on the internal (after NAT) interface.

Visualization:
https://forum.opnsense.org/index.php?topic=36326.0

If you enable Suricata in Inline IPS mode on LAN, the packets will be dropped at the moment they come IN the LAN interface and match a rule, and the moment they go OUT of the LAN interface and match a rule.

As @bazbaz said, enable it on internal interfaces, not on the WAN.
Hardware:
DEC740

Might be a better idea to use nginx for that.