Hey Sysadmin,
I need some ideas around “IDS/IPS”.
- What are people using for passing security audits?
- What about for AWS / Azure?
- Can they cover devices on/off prem (work from home, etc)
- What is a figure that your management team actually approved?
Not a professional sysadmin. I run my homelab and handle a few servers at work. I don’t use IDS. So may be irrelevant.
- WAF to stop HTTP parameter pollution and request smuggling
- Fail2ban on SSH and move ssh away from port 22
- Set up a LAN recursive resolver and disallow outbound raw DNS
For me, a lot more emphasis is on defending the application
- Set up systemd unit hardening
- Use Landlock LSM to whitelist directories (modifying source needed). Stops directory traversal and command execution
- TLS or stunnel between application and database
- Point DNS to local resolver
- LD_PRELOAD hardened allocator
I’m currently looking into the Linux port of pledge to further reduce post-exploit attack surface. But the project is not mature enough for production, yet.
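The "systemd unit hardening" and "LD_PRELOAD hardened allocator" items above are the kind of thing an auditor will actually ask to see, so here is a worked unit file as an added example (not from the poster or any project). The service name `myapp`, the binary path `/usr/local/bin/myapp` and the allocator path `/usr/local/lib/libhardened_malloc.so` are assumptions; the unhardened "before" unit is shown as comments at the top for comparison.

```ini
# Constructed example: /etc/systemd/system/myapp.service
#
# --- Before: a typical unhardened unit ---
# [Unit]
# Description=myapp
# [Service]
# ExecStart=/usr/local/bin/myapp
# User=myapp
# [Install]
# WantedBy=multi-user.target
#
# --- After: the same service with sandboxing directives ---

[Unit]
Description=myapp (hardened)
After=network.target

[Service]
ExecStart=/usr/local/bin/myapp

# Run as a transient, unprivileged user with no home directory or shell
DynamicUser=yes
# Creates /var/lib/myapp owned by that user and keeps it writable under ProtectSystem=strict
StateDirectory=myapp

# Hardened allocator via LD_PRELOAD; the library path is an assumption, adjust to your build
Environment=LD_PRELOAD=/usr/local/lib/libhardened_malloc.so

# Drop every capability and forbid re-acquiring privileges via setuid/fscaps
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=yes
RestrictSUIDSGID=yes

# Filesystem: read-only OS, no /home, private /tmp and /dev
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
UMask=0077

# Kernel and host surface the service never needs
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
ProcSubset=pid

# Process and memory restrictions
LockPersonality=yes
RestrictRealtime=yes
RestrictNamespaces=yes
# Blocks writable+executable mappings; remove this line for JIT runtimes (Java, Node, etc.)
MemoryDenyWriteExecute=yes

# Network: IP sockets plus UNIX sockets (local DB socket or stunnel endpoint); nothing else
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Syscalls: the system-service allow-list minus privileged and resource-control groups, native ABI only
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, run `systemd-analyze security myapp.service`: it lists each directive, marks which ones are still exposed, and prints an overall exposure score, which is a convenient artifact to hand to an auditor and to diff after each change. Comments must sit on their own lines, since systemd treats a trailing `#` as part of the value. Expect to loosen one or two settings per real service (a writable path it logs to, a socket family it needs), and do that by adding a specific `ReadWritePaths=` or address family rather than dropping the protection wholesale.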