[-] maof97@alien.top 1 points 11 months ago

It’s completely free even the EDR and Threat Intel functionality. It blows my mind too. The only things that are not free are things like machine learning detection, ransomware and cloud (k8) protection and other enterprise stuff like SSO. Besides the prebuilt elastic rules (https://github.com/elastic/detection-rules) I implemented about 50 of custom rules for stuff like too many failed logins, unusual traffic flow (you can also send flows from your FW to Elastic), user account creation, network reconnaissance, unusual geo-ip location etc.

The stack is based on the „pfELK“ docker compose file (meaning it integrates automatically with Pfsense/OPNsense logs) that I further modified to automatically include the fleet server and threat intel agent and stuff: https://github.com/maof97/pfelk-docker

[-] maof97@alien.top 1 points 11 months ago

I don’t know how exotic hosting a SIEM and EDR (Elastic Security) solution for self hosting ist but I do that. Complete with custom alerts and all. Additionally I use Wazuh for vulnerability management and integrity monitoring on my assets. Also I run a SOAR-like script that enriches my alerts with other SIEM and external Threat Intel data.

[-] maof97@alien.top 1 points 11 months ago

Maybe offtopic but why don’t you use the Proxmox backup feature? For me it creates a weekly backup of all my VMs and LXC container and restoring is easy-peasy. You can also make use of the Proxmox Backup Server if you have one for offsite backups (or just copy the backup archives).

Also you may be interested in Uptime Kuma for easy uptime / health overview and alerting.

[-] maof97@alien.top 1 points 1 year ago

Yeah until you realize that e.g. docker compose doesn’t care about ufw rules and expose defined ports anyway (yes, through the firewall) and now you can argue that an inexperienced user doesn’t know this and thinks that the ufw will protect him and give him a false sense of security. You should always make sure to bind internal services to 127.0.0.1 only period. Anyway that doesn’t mean ufw is useless, but that it should only be used for filtering more than the default port allow rules because like this you have no security advantage (e.g. I use ufw on my Proxmox servers to block outgoing connection to the lan by default and then explicitly allow connection to server x if needed )

[-] maof97@alien.top 1 points 1 year ago

Hm good guide but some things like UFW are totally unnecessary for most users. See https://youtu.be/fKuqYQdqRIs?feature=shared&t=798

maof97

joined 1 year ago