Skip to main content
Topic: Building a home IDS server (Read 433 times) previous topic - next topic

Building a home IDS server

So, a project that I've had been kicking around for a while is revamping my home network setup, in order to better utilize the experience I've picked up through work. I've slowly been collecting gear, and I'm planning on repurposing a 2 year old HTPC to supply most of the hardware for an IDS server. I was wondering if there was someone else who had been in this position before.

I plan on beefing up the proto-server with an extra stick of RAM and a large spinning disk for log storage. I don't have the money for a whole system build (would want to do it proper, buy better quality stuff), and barring a surplus PowerEdge falling off a truck by me, I'm gonna have to multi-purpose the box. Ideally, it wouldn't be multitasking for a majority of the time, but on occasion it will also need to run a lightweight VM for some other projects. For a network monitoring solution, I was planning on testing Bro in my environment. I am already a little familiar with its architecture, just not necessarily in its administration for this scenario. My max bandwidth (up or down) with my ISP is currently 300Mbs, and I plan on upgrading to gigabit in the future.

So, for people who have been through something like this, am I gonna run into bottlenecks on CPU during multitasking? This will all be running on a desktop CPU, and not necessarily a great one. I know DPI is very resource hungry, but the best I can do at this moment is to offset the RAM cost of the VM. I would consider the VMs performance as high priority when it is in use, so I can't really afford slowdowns there. When I blast my network with a gigabit of shitposting, am I at risk for knocking things over?

And for people who haven't, would anyone be interested in documentation of this process, for posterity or science or some shit?

Re: Building a home IDS server

Reply #1
I've built many pfsense machines. Basically its freebsd + software to turn your old PC into a router/firewall.

You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login

Are you wanting to do something like this? or an actual intrusion detection system? Never setup one of those. Anything doing deep packet inspection on the fly is gonna need to be fast. I would suggest not doing anything like traffic shaping, VPN's, and DPI until you get a beefy setup...otherwise things might get slow from time to time. Until then just play around with building your own router. I was planning to try You are not allowed to view links. Register or Login myself next :-)

If you have a properly secure firewall, You shouldn't have to worry about intrusions. Snag a raspberry pi for 50$ and throw one of these on your network, You are not allowed to view links. Register or Login - I love mine. It can also help reduce malware and what not due to the domains not resolving since they are blocked at network level via pihole.

Re: Building a home IDS server

Reply #2
I've never built anything like this but I would be interested in documentation if you do build it.

Re: Building a home IDS server

Reply #3
You are not allowed to view links. Register or Login
I've built many pfsense machines. Basically its freebsd + software to turn your old PC into a router/firewall.

You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login

Are you wanting to do something like this? or an actual intrusion detection system? Never setup one of those. Anything doing deep packet inspection on the fly is gonna need to be fast. I would suggest not doing anything like traffic shaping, VPN's, and DPI until you get a beefy setup...otherwise things might get slow from time to time. Until then just play around with building your own router. I was planning to try You are not allowed to view links. Register or Login myself next :-)

If you have a properly secure firewall, You shouldn't have to worry about intrusions. Snag a raspberry pi for 50$ and throw one of these on your network, You are not allowed to view links. Register or Login - I love mine. It can also help reduce malware and what not due to the domains not resolving since they are blocked at network level via pihole.
Luckily, the ERLite-3 I have comes fully loaded as far as firewall services go (have had an HA pair of pfsense boxes with working CARP failover at work that has caused nothing but trouble; wish I liked it better). I'm definitely wanting an IDS, since I've started running into situations with some of the classes I'm taking where it would make more sense to stand up a service inside of my LAN rather than rely on a debugger or an IDE's local server. I currently have OpenVPN set up on the router to allow a couple of my devices to access the LAN when I'm away from home. Also, in the future, it may make more sense for me to stand up a bastion rather than rely on my router's firmware updates. Ubiquiti has been legendary for me so far, so I hope I won't have to go that route.

As such, I have part of my home network exposed to the Internet, so it makes sense for me to have better visibility within this. Bro is the network monitor that works best out of the box, has neatly standardized syslog output that can be text or json, and plays well with SIEM and pseudo-SIEM stuff. Since all other networking infrastructure functions are covered by the ERLite-3, the only thing the box will be doing is DPI (and the VM, on occasion). That was my thought process with that. Intrusions are never a question of "if", it's "when" :P

You're the third person who has told me to get pi-hole this week. Guess I'll definitely need to do that! I heard that it can cause a lot of network gremlins until you track down whatever CDNs need to get whitelisted. Specifically, I've got a Roku that one of my coworkers said stopped working when he set up pi-hole, and he had to do some work to figure out what domains to allow through. I don't mind the legwork, just wondering how many devices it affected for you.

Okay, so lemme give some more info about the hardware I'll be using. I have an Arris modem that gets my WAN address from my ISP. From there, it goes directly to the Ubiquiti ERLite-3 router. I have 3 VLANs: 1 is for WAN, 1 is for LAN, 1 is for emergency management access (it's the last port and it has a secondary DHCP pool for it just in case I fuck up the LAN one). The router's weberface is only accessible on the LAN and emergency VLANs. The router has an OpenVPN portal set up for it that currently only accepts one keypair. The router has firewall services that limits most of the basic troublemakers, including disabling ICMP, disabling incoming unestablished TCP sessions, and disabling "weird" packets. The only ports I have open to WAN is for OpenVPN. Probably obvious, but the router NATs all traffic on the LAN VLAN to the WAN VLAN, so devices on the LAN are relatively masqued. On the LAN interface, I have a Netgear R7000 in WAP mode acting as both switch and WAP.

Here's the old specs for the server:
CPU: AMD A10-7860k
Motherboard: MSI - A68HI AC Mini ITX FM2+ Motherboard
Memory: Crucial - 8 GB (1 x 8 GB) DDR3-1600 Memory
Storage: Crucial - BX200 240 GB 2.5" Solid State Drive
Case: Cooler Master - Elite 130 Mini ITX Tower Case
Power Supply: Silverstone - 300 W 80+ Bronze Certified SFX Power Supply

I plan on doubling the RAM and getting a 4 TB spinning disk for storage. I have a PCIe gigabit Ethernet NIC and a Netgear 5 Port Managed switch that will allow me to TAP traffic from my LAN. Basically, the network path won't change much, I'll be putting the new switch between the WAP and the router, moving the stuff from the WAP to the switch, and then mirroring the connection between the router and the switch to that new NIC, which will be on the IDS server. I can do a draw.io if that wasn't clear, no worries.