Detecting malicious activity/traffic - what are you using?

Running 1.4 rolling as a firewall at home and while inbound is locked down, the news of xz/liblzma and possibility of a bad actor upstream got me looking at what I could do to police outbound activity.

This question isn’t about liblzma as I can see Bookworm is using a version that predates this but a broader question about what others are doing in VyOS to help monitor for any rogue activity?

I run ntopng and suricata directly on my edge box. I also send NetFlow from that box to Stealthwatch, which would be a paid product, but is very useful.

Common hardening will take you far, along with keeping track of when new versions are released and putting them in use as promptly as possible.

Hardening as in different vrf and netns to isolate mgmt from production or test traffic.

But also to NOT expose mgmt-services to anything other than the mgmt-networks, again through dedicated interfaces, isolation through vrf and netns, and putting ACLs in use.

Portscan yourself but you can also do “netstat -atunp” locally to find out to which IP-addresses and network interfaces various services are bound to.

And my favorite: disable all junk that usually is enabled by default, like disabling LLDP unless you really need it, and so on.

Here is an example on how to enable Suricata as IDS/IPS on VyOS:

The above is a few years old so I'm guessing there might be better methods today (config-wise).