IDS/malware solution

[Rickb]

After the webminar this morning on VMware/Broadcom cluster of changes. We are now actively looks for new platform to get off VMware asap.

We have been testing Proxmox after the announcement in the beginning of the year and we are finding that Proxmox should be able to give us what we need but the one item is going to be the loss of NSX which has advanced router and the IDS system. Does anyone have any input on a IDS system for Proxmox as we might be able to work around the router needs but the IDS is important to use?

Thx!

 

[Dunuin]

PVE is based on Debian 12 userland with custom Ubuntu LTS kernel. So the open source IDS software with Debian support should work for the PVE host too. Something like wazuh, suricata and so on.

 

[liberodark]

You can add easily suricata for IDS : https://pve.proxmox.com/wiki/Firewall#_tips_and_tricks

 

[spirit]

I'm using suricata in production, works fine.

Also, you can also use crowdsec
https://www.crowdsec.net/

to improve firewall (parsing pve-firewall for dynamic blacklist, block port scan..) or even add a crowsec agent in your vms for layer7 inspection and block at pve-firewall level.

 

[liberodark]

Me too have crowdsec too.

 

[Rickb]

Thanks everyone. I am looking into these.

Couple of follow up questions.

Do both Suricata and Crowdsec have to be installed on each Proxmox host of the cluster(s)?
Do both only protect at the vm level after you enable on the vm manually?
Seems like crowdsec might do a better job at blocking (IDP)?