So I have been revamping some of my homelab setup and doing a little bit of auditing along the way. While looking at my VPS, I noticed that it's frequently getting port scanned (and likely has had exploits attempted), at least way more than it used to. The VPS has 1 core and 1 GB RAM with only WG (WireGuard) and Fail2Ban. This setup is mostly designed so that I can maintain a static public IP, since I've moved around a bit and have always lived in places where I'm NAT'd.
Right now, I have forwarded specific ports through WG to my homelab, and then my router routes it to the corresponding server internally. The VPS default firewall rule is to drop any inbound traffic that doesn't match one of the ports for my services. For example: Client -> VPS -> WG Tunnel -> Router -> VM3.1
With this setup, I feel like it's been mostly good, and everything feels good from the client side. However, I'd like to think more about security and generally hardening it a bit more. My internal router is a UniFi Dream Machine Pro with IDS/IPS enabled and has detected/blocked threats on occasion.
Ideally, I stop the threats at the front door, so the first thing I'd like to do is protect the entry point, i.e. the VPS. Considering the specs, I'm unsure how much real-time detection and response it could realistically handle, so here I am wanting some thoughts, opinions, and ideas on moving forward.
I've been considering some kind of HIPS/HIDS/NIPS/NIDS on the VPS, but I have little to no experience with them in practice.
Some I've looked into:
- Suricata/Snort
- OSSEC
- CrowdSec
- Zenarmor
Please let me know what y'all think and know about these kinds of things! And feel free to bring light to where and how to secure other areas of my network.
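The VPS side of the setup described in the post (default-drop inbound, WireGuard listener open, a fixed set of service ports DNAT'd into the tunnel toward the homelab router) can be written as a single nftables ruleset. The following is an added example, not the poster's own configuration; every concrete value is an assumption: `eth0` as the public interface, `wg0` as the WireGuard interface with the VPS at 10.0.0.1 and the homelab router at 10.0.0.2 on the tunnel, UDP 51820 as the WireGuard port, and TCP 443 as the one forwarded service port. It goes slightly beyond the post by restricting forwarding to flows that were actually DNAT'd, rate-limiting ICMP, and logging (rate-limited) public-interface drops so Fail2Ban or CrowdSec have something to read.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for the VPS in front of a WireGuard-tunnelled homelab.
# All interface names, addresses and ports below are assumptions, not taken
# from the original post.
flush ruleset

define pub_if  = "eth0"      # assumed public interface of the VPS
define wg_if   = "wg0"       # assumed WireGuard interface
define wg_port = 51820       # assumed WireGuard listen port
define lab_gw  = 10.0.0.2    # assumed tunnel address of the homelab router
define fwd_tcp = { 443 }     # assumed forwarded service port(s)

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # ICMP: only what is needed for reachability and PMTU discovery, rate-limited
        icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 10/second accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded,
                      nd-neighbor-solicit, nd-neighbor-advert } limit rate 10/second accept

        # WireGuard handshakes may arrive from anywhere on the public interface
        iifname $pub_if udp dport $wg_port accept

        # Management (SSH) only over the tunnel, never from the public interface
        iifname $wg_if tcp dport 22 accept

        # Everything else on the public interface hits the drop policy;
        # log a sample of it (rate-limited) for Fail2Ban/CrowdSec to consume
        iifname $pub_if limit rate 5/minute log prefix "nft-drop-input: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Only flows that were DNAT'd in prerouting, toward the tunnel,
        # and only on the listed ports, are allowed through
        iifname $pub_if oifname $wg_if ct status dnat tcp dport $fwd_tcp accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Client -> VPS public port -> same port on the homelab router's tunnel address
        iifname $pub_if tcp dport $fwd_tcp dnat to $lab_gw
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Masquerade DNAT'd flows as the VPS tunnel address so replies come back
        # through wg0 without policy routing on the homelab side
        oifname $wg_if ct status dnat masquerade
    }
}
```

Load it with `nft -f /etc/nftables.conf` (and `nft list ruleset` to confirm), and forwarding needs `net.ipv4.ip_forward = 1` in sysctl. The masquerade rule is a deliberate trade-off: it keeps the homelab router's routing simple, but the UDM Pro's IDS/IPS will then see every forwarded connection as coming from the VPS tunnel address rather than the real client IP, so its per-source blocking and alerts lose their meaning. If client-IP visibility on the homelab side matters more, drop the masquerade rule and instead add a policy route on the homelab router so that replies from VM3.1 to arbitrary Internet addresses are sent back over the tunnel.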