
Re: DoS protection solutions for Debian Servers ?





On Thu, Mar 14, 2024 at 10:57 AM Michel Verdier <mv524@free.fr> wrote:
> On 2024-03-13, Jean-François Bachelet wrote:
>
> > what solutions (free or not) do you Debian server pros use (for pro or
> > private servers) ?
>
> You could try suricata. Same as snort but with another community for
> upgrading rules.

I use Suricata, it works well after configuring the suricata.yaml file. SNORT is no longer available in Debian Bookworm for some reason.

> Using nftables instead of iptables also could reduce high traffic
> impact. Especially using ingress filtering. I don't remember if fail2ban
> uses nftables.

I heard Fail2Ban is a pain on Bookworm due to logging only using journald.

I use FirewallD, it works well. I use the drop zone to drop all inbound traffic by default and only allow specific ports.

You may want to check out PSAD. psad/stable 2.4.6-3 amd64 Port Scan Attack Detector. I am not sure how well it works with JournalD. It may require RSyslog like fail2ban.



--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
⠈⠳⣄⠀⠀
