Hey Sysadmin,

I need some ideas around “IDS/IPS”.

  • What are people using for passing security audits?
  • What about for AWS / Azure?
  • Can they cover devices on/off prem (work from home, etc.)?
  • What is a figure that your management team actually approved?
clehaxze@reddthat.com · 1 year ago

    Not a professional sysadmin. I run my homelab and handle a few servers at work. I don’t use IDS. So this may be irrelevant.

    • WAF to stop HTTP parameter pollution and request smuggling
    • Fail2ban on SSH and move ssh away from port 22
    • Set up a LAN recursive resolver and disallow outbound raw DNS

    For me, a lot more emphasis is on defending the application.

    • Set up systemd unit hardening
    • Use Landlock LSM to whitelist directories (modifying the source is needed). Stops directory traversal and command execution
    • TLS or stunnel between application and database
    • Point DNS to local resolver
    • LD_PRELOAD hardened allocator

    I’m currently looking into the Linux port of pledge to further reduce post-exploit attack surface. But the project is not mature enough for production, yet.
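The Landlock item above is the one that needs a source change, so here is what that change looks like. This is an added example, not the commenter's code; it assumes Linux 5.13+ with Landlock enabled and redefines the ABI v1 constants so it builds without `linux/landlock.h`. The directory `/usr` and the checked path `/etc` are just illustrative choices; an application would call `landlock_confine_readonly()` once at startup, before it touches untrusted input.

```c
/* Added example: confine the calling process to read-only access beneath one
 * directory with Landlock (ABI v1). Constants mirror <linux/landlock.h>. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444   /* same numbers on every architecture */
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
#define LL_FS_READ_FILE (1ULL << 2)
#define LL_FS_READ_DIR  (1ULL << 3)
#define LL_FS_ALL_V1    ((1ULL << 13) - 1)   /* every access right ABI v1 knows */
#define LL_RULE_PATH_BENEATH 1

/* Returns 0 when the sandbox is in force, 2 when this kernel/sandbox offers no
 * Landlock, -1 on any other error. Everything not beneath allowed_dir is denied;
 * beneath it only reading files and listing directories is allowed. */
int landlock_confine_readonly(const char *allowed_dir) {
    struct ll_ruleset_attr rs = { .handled_access_fs = LL_FS_ALL_V1 };
    int ruleset = syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
    if (ruleset < 0) return 2;   /* ENOSYS, EOPNOTSUPP or a seccomp EPERM: no Landlock here */
    struct ll_path_beneath_attr pb = { .allowed_access = LL_FS_READ_FILE | LL_FS_READ_DIR };
    pb.parent_fd = open(allowed_dir, O_PATH | O_CLOEXEC);
    if (pb.parent_fd < 0 || syscall(__NR_landlock_add_rule, ruleset, LL_RULE_PATH_BENEATH, &pb, 0)) return -1;
    close(pb.parent_fd);
    /* Enforcement is irreversible and needs no_new_privs unless we hold CAP_SYS_ADMIN. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(__NR_landlock_restrict_self, ruleset, 0)) return -1;
    close(ruleset);
    return 0;
}

/* Applies the sandbox in a forked child (so the parent stays unrestricted) and
 * verifies it: listing /usr must still work, listing /etc must fail with EACCES. */
int check_landlock_in_child(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int r = landlock_confine_readonly("/usr");
        if (r != 0) _exit(r == 2 ? 2 : 1);
        int denied = open("/etc", O_RDONLY | O_DIRECTORY);
        int denied_errno = errno;
        int allowed = open("/usr", O_RDONLY | O_DIRECTORY);
        _exit(allowed >= 0 && denied < 0 && denied_errno == EACCES ? 0 : 1);
    }
    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A return of 2 from `check_landlock_in_child()` means the kernel (or the container's seccomp profile) does not expose Landlock, which is worth checking in deployment because the application then runs without this layer.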