Hello all,
I maybe have a stupid question, but still...
I have the following setup:
1 Dedicated Server with 2 Public IPs from Hetzner with Proxmox 8.0 installed on it.
1st IP is for Proxmox itself, the 2nd IP is used by my 1st VM - OPNSense, which is acting as a router and firewall for all my other VMs.
My Proxmox network interface file looks like this:
iface lo inet loopback
iface eno1 inet manual
up sysctl -w net.ipv4.ip_forward=1
up sysctl -w net.ipv4.conf.eno1.send_redirects=0
auto vmbr0
iface vmbr0 inet static
address 141.xxx.xxx.xxx/32 # This is the Proxmox IP
gateway 140.xxx.xxx.xxx # This is the gateway from Hetzner for the IP
bridge-ports eno1
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 10-200
pointopoint 140.xxx.xxx.xxx # This is the gateway from Hetzner for the IP
On my OPNSense VM, I set the 2nd IP I have from Hetzner for its WAN Interface - 145.xxx.xxx.xxx.
I have configured several VLANs and Suricata in IPS mode and it is working perfectly fine; however, I noticed a lot of bad network activity tailored to the WAN interface:
2024-10-22T11:32:28.094453+0300 2001972 blocked WAN 194.32.122.14 42590 145.xxx.xxx.xxx 3389 ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Inbound)
2024-10-22T11:32:28.055106+0300 2009582 blocked WAN 194.180.49.119 55424 145.xxx.xxx.xxx 33175 ET SCAN NMAP -sS window 1024
2024-10-22T11:32:25.827215+0300 2400023 blocked WAN 154.213.187.163 58417 145.xxx.xxx.xxx 60224 ET DROP Spamhaus DROP Listed Traffic Inbound group 24
2024-10-22T11:32:24.536273+0300 2009582 blocked WAN 194.180.49.119 55424 145.xxx.xxx.xxx 58717 ET SCAN NMAP -sS window 1024
2024-10-22T11:32:13.208456+0300 2402000 blocked WAN 198.235.24.31 55788 145.xxx.xxx.xxx 465 ET DROP Dshield Block Listed Source group 1
2024-10-22T11:32:13.208456+0300 2402000 blocked WAN 198.235.24.31 55788 145.xxx.xxx.xxx 465 ET DROP Dshield Block Listed Source group 1
2024-10-22T11:32:12.125541+0300 2009582 blocked WAN 194.180.49.119 55424 145.xxx.xxx.xxx 3476 ET SCAN NMAP -sS window 1024
2024-10-22T11:31:39.683582+0300 2400023 blocked WAN 154.213.187.163 58417 145.xxx.xxx.xxx 18005 ET DROP Spamhaus DROP Listed Traffic Inbound group 24
2024-10-22T11:31:34.554092+0300 2002750 blocked WAN 103.102.230.2 58577 145.xxx.xxx.xxx 8728 ET DELETED Reserved IP Space Traffic - Bogon Nets 2
2024-10-22T11:31:33.274163+0300 2400008 blocked WAN 83.222.191.90 40288 145.xxx.xxx.xxx 3334 ET DROP Spamhaus DROP Listed Traffic Inbound group 9
2024-10-22T11:31:31.330289+0300 2402000 blocked WAN 198.235.24.215 50047 145.xxx.xxx.xxx 20547 ET DROP Dshield Block Listed Source group 1
2024-10-22T11:31:25.145955+0300 2002750 blocked WAN 185.152.240.151 15747 145.xxx.xxx.xxx 2293 ET DELETED Reserved IP Space Traffic - Bogon Nets 2
2024-10-22T11:31:24.315465+0300 2002750 blocked WAN 104.209.35.240 56081 145.xxx.xxx.xxx 138 ET DELETED Reserved IP Space Traffic - Bogon Nets 2
2024-10-22T11:31:24.315465+0300 2002750 blocked WAN 104.209.35.240 56081 145.xxx.xxx.xxx 138 ET DELETED Reserved IP Space Traffic - Bogon Nets 2
2024-10-22T11:31:19.149139+0300 2009582 blocked WAN 194.180.49.119 55424 145.xxx.xxx.xxx 787 ET SCAN NMAP -sS window 1024
2024-10-22T11:31:16.032934+0300 2009582 blocked WAN 194.180.49.119 55424 145.xxx.xxx.xxx 7436 ET SCAN NMAP -sS window 1024
2024-10-22T11:31:14.933197+0300 2400023 blocked WAN 154.213.187.163 58417 145.xxx.xxx.xxx 25063 ET DROP Spamhaus DROP Listed Traffic Inbound group 24
2024-10-22T11:31:03.269797+0300 2002750 blocked WAN 103.167.5.30 56695 145.xxx.xxx.xxx 445 ET DELETED Reserved IP Space Traffic - Bogon Nets 2
As you can see Suricata blocked everything, which is great, but this makes me wonder...
Do I need IPS in the Proxmox itself to protect the server itself, as the VMs are already protected by OPNSense (Suricata + Firewall Rules)?
I have firewall rules in the Proxmox blocking by default any incoming traffic and allowing only port 8006 and SSH from 2 places (home IP and a VPN of mine).
I am asking because my OPNSense firewall's setup is similar - block everything by default and explicitly allow certain traffic.
However, Suricata still blocks some Nmap port scanning attempts and other strange stuff.
So the question I have is - Am I going to benefit if I set up Suricata on the Proxmox server?
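As an added example (not part of the original post), here is a small Python triage script that parses alert lines in the format shown above and sorts each one against a default-deny host policy like the one described for the Proxmox node: the allowlist addresses and the last sample line are constructed placeholders, and the split shows which alerts a default-deny filter would already drop before any host-level IPS could matter.

```python
"""Triage Suricata alert lines against a default-deny host policy (added example).

Assumes the whitespace-separated layout from the post: timestamp, SID, action,
interface, src IP, src port, dst IP, dst port, rule message. The allowlist
addresses and the last sample line are constructed placeholders.
"""
from collections import Counter, namedtuple

# Constructed sample in the shape of the post's log (destination redacted as there).
SAMPLE_LOG = """\
2024-10-22T11:32:28.055106+0300 2009582 blocked WAN 194.180.49.119 55424 145.xxx.xxx.xxx 33175 ET SCAN NMAP -sS window 1024
2024-10-22T11:32:13.208456+0300 2402000 blocked WAN 198.235.24.31 55788 145.xxx.xxx.xxx 465 ET DROP Dshield Block Listed Source group 1
2024-10-22T11:32:13.208456+0300 2402000 blocked WAN 198.235.24.31 55788 145.xxx.xxx.xxx 465 ET DROP Dshield Block Listed Source group 1
2024-10-22T11:33:00.000000+0300 9999999 blocked WAN 203.0.113.10 40001 141.xxx.xxx.xxx 22 CONSTRUCTED probe from an allowlisted source
"""
# Mirrors the post's Proxmox rules: default deny, 8006 and SSH from two places.
# Both addresses are TEST-NET placeholders, not the poster's real home/VPN IPs.
HOST_POLICY = {"allowed_sources": {"203.0.113.10", "198.51.100.20"},
               "allowed_ports": {8006, 22}}

# One alert line becomes one Alert; fields follow the column order seen in the post.
Alert = namedtuple("Alert", "ts sid action iface src sport dst dport msg")

def parse_alert(line: str) -> Alert:
    f = line.split(maxsplit=8)  # the rule message contains spaces: split at most 8 times
    if len(f) != 9:
        raise ValueError(f"unexpected alert line: {line!r}")
    return Alert(f[0], int(f[1]), f[2], f[3], f[4], int(f[5]), f[6], int(f[7]), f[8])

def parse_log(text: str) -> list:
    # Identical adjacent lines (as in the post) are separate events and are kept.
    return [parse_alert(l) for l in text.splitlines() if l.strip()]

def passes_host_policy(a: Alert, policy=HOST_POLICY) -> bool:
    """True only if a default-deny filter with these allow rules would admit the packet."""
    return a.dport in policy["allowed_ports"] and a.src in policy["allowed_sources"]

def triage(text: str, policy=HOST_POLICY) -> dict:
    alerts = parse_log(text)
    return {
        "total": len(alerts),
        "by_source": Counter(a.src for a in alerts),
        "by_signature": Counter(a.msg for a in alerts),
        # These never reach a listening service on a default-deny host.
        "dropped_by_policy": [a for a in alerts if not passes_host_policy(a, policy)],
        # Only these would still be in scope for a host-level IPS to inspect.
        "reaches_service": [a for a in alerts if passes_host_policy(a, policy)],
    }
```

Run `triage(SAMPLE_LOG)` to see that the scan and blocklist hits all land in `dropped_by_policy`, while only the constructed probe from an allowlisted source on port 22 remains in scope for host-level inspection.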