Suricata to protect WebServer

Started by mic, January 12, 2021, 12:44:31 PM

Hi,

we have many web servers with e-commerce (Magento, Prestashop, etc...) and some Windows servers that must be reachable via RDP on a non-standard port (port forward to 3389), and we want to test OPNsense as our new firewall. The web servers have to be reachable via FTP and SSH from well-known IPs (for SSH we will use a non-standard port). Of course the most important feature for us is Suricata as IPS/IDS. Naturally we will use ET Pro Telemetry; now the questions are:

  • which are the rules to enable to protect our Servers?
  • And what about false positive?
  • Is it enough to enable Suricata only on the WAN Interface?
We will use OPNsense as VM under Proxmox (KVM), could you give me some advice on how to optimize the OPNSense configuration?
Does Sensei help me?

Thank you to all

The rules you should use can really only be figured out by you. Not to sound brash, but we don't know your needs / requirements for your services. I understand RDP / SSH / FTP, however, I'm sure many here are not that familiar with e-commerce needs.

With that said, I would look into the basic, sslblacklists, compromised, bot, attack response, exploit, games, ftp, malware, shellcode, smtp.

I would focus on the rules that apply to my network. In your case, RDP, SSH, FTP, webserver, file_transfer, and then add the malicious rules to block all the other stuff that does not specifically relate to the services you are using.
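
The reply above picks rule categories; the follow-up question in the original post is what to do about false positives once those categories are on. The script below is an added example (not from the thread, not OPNsense or Suricata project code) of how to triage Suricata's EVE JSON alert output: count alerts per signature, find signatures firing from many distinct sources, and draft per-source `suppress` entries in Suricata's threshold.config syntax for alerts that come from your own authorised scanner or jump host. The eve.json lines, addresses, signature IDs and the "trusted source" set are constructed for illustration.

```python
"""Triage Suricata EVE alerts and draft per-source suppress entries.

Added example, not from the forum thread. Assumes the standard eve.json
layout: one JSON object per line, event_type "alert", with src_ip, dest_ip,
dest_port and an "alert" object carrying signature_id / signature / category.
All sample data below is constructed.
"""
import json
from collections import Counter, defaultdict

# Constructed sample of what a WAN-side sensor in front of a web farm might log.
SAMPLE_EVE = """\
{"timestamp":"2021-01-12T12:50:01+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2021-01-12T12:50:02+0000","event_type":"flow","src_ip":"198.51.100.1","dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP"}
{"timestamp":"2021-01-12T12:51:10+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2021-01-12T12:52:00+0000","event_type":"alert","src_ip":"198.51.100.77","dest_ip":"192.0.2.10","dest_port":2222,"proto":"TCP","alert":{"action":"blocked","signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2021-01-12T12:52:05+0000","event_type":"alert","src_ip":"198.51.100.77","dest_ip":"192.0.2.10","dest_port":2222,"proto":"TCP","alert":{"action":"blocked","signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2021-01-12T12:53:00+0000","event_type":"alert","src_ip":"198.51.100.78","dest_ip":"192.0.2.11","dest_port":2222,"proto":"TCP","alert":{"action":"blocked","signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2021-01-12T12:54:00+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.11","dest_port":2222,"proto":"TCP","alert":{"action":"blocked","signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2021-01-12T12:55:00+0000","event_type":"alert","src_ip":"198.51.100.90","dest_ip":"192.0.2.10","dest_port":1433,"proto":"TCP","alert":{"action":"blocked","signature_id":2010935,"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","category":"Potentially Bad Traffic","severity":2}}
"""

# Constructed: the admins' authorised vulnerability scanner / jump host.
TRUSTED_SOURCES = {"203.0.113.5"}


def parse_eve(text):
    """Return only the alert records from EVE JSON text (one object per line)."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def count_by_signature(alerts):
    """Alert volume per (sid, signature name)."""
    return Counter((a["alert"]["signature_id"], a["alert"]["signature"]) for a in alerts)


def sources_by_signature(alerts):
    """Distinct source addresses seen per sid."""
    srcs = defaultdict(set)
    for a in alerts:
        srcs[a["alert"]["signature_id"]].add(a["src_ip"])
    return srcs


def noisy_signatures(alerts, min_sources=3):
    """Sids hit from at least min_sources distinct sources: review these first,
    they are either real internet background noise or a signature that is too broad."""
    return sorted(sid for sid, s in sources_by_signature(alerts).items() if len(s) >= min_sources)


def suppression_candidates(alerts, trusted=TRUSTED_SOURCES):
    """(sid, src_ip) pairs where the source is one of our own trusted hosts.
    Suppressing by source keeps the signature active for everyone else."""
    return sorted({(a["alert"]["signature_id"], a["src_ip"]) for a in alerts if a["src_ip"] in trusted})


def render_threshold_config(candidates):
    """Emit Suricata threshold.config 'suppress ... track by_src' lines."""
    return [f"suppress gen_id 1, sig_id {sid}, track by_src, ip {ip}" for sid, ip in candidates]


def triage(text, trusted=TRUSTED_SOURCES):
    alerts = parse_eve(text)
    return {
        "total": len(alerts),
        "by_signature": count_by_signature(alerts),
        "noisy": noisy_signatures(alerts),
        "suppress": render_threshold_config(suppression_candidates(alerts, trusted)),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EVE)
    print(f"{report['total']} alerts")
    for (sid, name), n in report["by_signature"].most_common():
        print(f"  {n:4d}  {sid}  {name}")
    print("noisy sids:", report["noisy"])
    print("\n".join(report["suppress"]))
```

Run it as-is and it reports 7 alerts, flags sid 2001219 as noisy (three distinct sources) and drafts two `suppress` lines scoped to 203.0.113.5. Suppressing per source rather than disabling the sid is the point: your own scanner tripping "SSH scan" does not mean internet-wide SSH scans should go unseen. Remember that a sensor on the WAN interface sees pre-NAT traffic, so `dest_ip` is the firewall's public address and you map back to the forwarded host by `dest_port`.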

Quote from: mic on January 12, 2021, 12:44:31 PM

A web server should only expose the web service (better with a reverse proxy to protect it); it is a really bad idea to allow SSH. And FTP, really?

If you need SSH access you should evaluate using a jump server reachable with VPN
https://www.signorini.ch
Protectli Pfsense Mi7500L6 Intel 7Th Gen Core I7 7500U 16Gb Ddr4 Ram
512Gb Msata Ssd
6 X Intel Gigabit Ethernet
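
The post above argues that only the web service belongs on the WAN and that SSH (and, by the next reply, RDP) should sit behind a VPN or jump host, with FTP not exposed at all. As an added example that is not part of the thread and not OPNsense code, here is a small audit over a list of port-forward / pass rules that applies exactly that policy. It keys on the target port rather than the external port, because forwarding 33890 to 3389 does not change which service answers. The rule list, interface names, addresses and the "trusted interface" set are constructed.

```python
"""Audit firewall pass / port-forward rules for exposed admin services.

Added example, not from the forum thread. The rules, interface names and
addresses are constructed. Policy encoded: only HTTP/HTTPS on the WAN,
SSH/RDP/VNC only on the VPN or LAN side, cleartext FTP/Telnet nowhere.
"""

ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet"}
PUBLIC_PORTS = {80, 443}
TRUSTED_IFACES = {"openvpn", "lan"}  # constructed: where admin access is acceptable

# Constructed rule set in the shape of an exported port-forward table.
RULES = [
    {"name": "web-https", "iface": "wan", "src": "any", "ext_port": 443, "target": "192.0.2.10", "target_port": 443},
    {"name": "web-http", "iface": "wan", "src": "any", "ext_port": 80, "target": "192.0.2.10", "target_port": 80},
    {"name": "shop-ssh", "iface": "wan", "src": "203.0.113.0/24", "ext_port": 2222, "target": "192.0.2.10", "target_port": 22},
    {"name": "shop-ftp", "iface": "wan", "src": "203.0.113.0/24", "ext_port": 21, "target": "192.0.2.10", "target_port": 21},
    {"name": "win-rdp", "iface": "wan", "src": "any", "ext_port": 33890, "target": "192.0.2.20", "target_port": 3389},
    {"name": "staging-admin", "iface": "wan", "src": "any", "ext_port": 8443, "target": "192.0.2.12", "target_port": 8443},
    {"name": "jump-ssh", "iface": "openvpn", "src": "10.8.0.0/24", "ext_port": 22, "target": "192.0.2.30", "target_port": 22},
]


def classify(rule):
    """Return (severity, reason) for a rule that violates the policy, else None.

    The decision is made on target_port: the external port is cosmetic."""
    port, iface, src = rule["target_port"], rule["iface"], rule["src"]
    if port in CLEARTEXT_PORTS:
        return "high", f"{CLEARTEXT_PORTS[port]} is cleartext on any interface; use SFTP over the VPN instead"
    if port in ADMIN_PORTS:
        if iface in TRUSTED_IFACES:
            return None
        if src == "any":
            return "critical", f"{ADMIN_PORTS[port]} open to the whole internet via external port {rule['ext_port']}"
        return "high", f"{ADMIN_PORTS[port]} reachable from {src} on {iface}; move it behind the VPN / jump host"
    if port in PUBLIC_PORTS:
        return None
    return "medium", f"unclassified service on target port {port}; confirm it really must be public"


def audit(rules):
    """List of (rule name, severity, reason) for every rule that fails the policy."""
    findings = []
    for rule in rules:
        verdict = classify(rule)
        if verdict is not None:
            findings.append((rule["name"], verdict[0], verdict[1]))
    return findings


def worst_severity(findings):
    order = {"critical": 3, "high": 2, "medium": 1}
    return max((sev for _, sev, _ in findings), key=order.get, default=None)


if __name__ == "__main__":
    results = audit(RULES)
    for name, sev, reason in results:
        print(f"[{sev:8s}] {name}: {reason}")
    print("worst:", worst_severity(results))
```

Restricting SSH to "well-known IPs" on the WAN still comes out as a finding here: the source filter is a mitigation, but the service is still reachable from the internet and every packet to it is parsed by the SSH daemon before any authentication happens. Putting the same rule on the VPN interface (the `jump-ssh` entry) passes.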

Quote from: siga75 on February 03, 2021, 12:48:21 PM
A web server should only expose the web service (better with a reverse proxy to protect it); it is a really bad idea to allow SSH. And FTP, really?

If you need SSH access you should evaluate using a jump server reachable with VPN
And RDP :/

First you need basic network security before enabling stuff like an IDS...
(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support