Elasticsearch + Kibana + Filebeat in Docker, bridged via an elk network.
Filebeat uses the Suricata module to parse eve.json and auto-installs
Kibana dashboards on first run. ES heap capped at 1g; Kibana Node heap
at 512m — total stack ~2-2.5 GB RAM.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Individual SID exclusions weren't enough — there are many more rules for
these industrial SCADA protocols than initially identified. Switch to
regex-based disable patterns (re:modbus, re:dnp3) so suricata-update
strips all of them from the generated rules file.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
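To show why the switch from per-SID exclusions to `re:` patterns matters, here is an added example (my own simplified model, not suricata-update's code or anything from this repository) that applies disable.conf-style entries to constructed sample rules; the five Modbus SIDs are the ones the log names, while the other SIDs and all msg strings are made up, and case-insensitive regex matching plus the omission of `group:` entries are assumptions of this model.

```python
import re

# Simplified model of suricata-update's disable.conf handling (own
# reimplementation, not the tool's code): a bare number disables that SID,
# "re:<pattern>" disables every rule whose text matches the regex
# (modelled as case-insensitive). "group:" entries are not modelled.

# Constructed sample rules. SIDs 2250005-2250009 are the Modbus SIDs from
# the commit log; the 90000xx SIDs and every msg string are invented.
SAMPLE_RULES = [
    'alert modbus any any -> any any (msg:"Modbus invalid length"; sid:2250005; rev:1;)',
    'alert modbus any any -> any any (msg:"Modbus invalid function"; sid:2250006; rev:1;)',
    'alert modbus any any -> any any (msg:"Modbus invalid unit id"; sid:2250007; rev:1;)',
    'alert modbus any any -> any any (msg:"Modbus invalid proto id"; sid:2250008; rev:1;)',
    'alert modbus any any -> any any (msg:"Modbus invalid value"; sid:2250009; rev:1;)',
    'alert tcp any any -> any 502 (msg:"SCADA Modbus write coil"; sid:9000001; rev:1;)',
    'alert dnp3 any any -> any any (msg:"DNP3 bad link CRC"; sid:9000002; rev:1;)',
    'alert tcp any any -> any 22 (msg:"SSH brute force attempt"; sid:9000003; rev:1;)',
]

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def parse_sid(rule):
    """Return the rule's SID as an int, or None if the line has no sid option."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None

def is_disabled(rule, patterns):
    """True if any disable.conf-style entry applies to this rule."""
    sid = parse_sid(rule)
    for pat in patterns:
        pat = pat.strip()
        if not pat or pat.startswith("#"):
            continue  # blank line or comment in disable.conf
        if pat.startswith("re:"):
            if re.search(pat[3:], rule, re.IGNORECASE):
                return True
        elif pat.isdigit() and sid == int(pat):
            return True
    return False

def apply_disable(rules, patterns):
    """Split rules into (enabled, disabled) as the generated rules file would."""
    enabled = [r for r in rules if not is_disabled(r, patterns)]
    disabled = [r for r in rules if is_disabled(r, patterns)]
    return enabled, disabled

# Per-SID list from the earlier commit vs. the regex patterns from this one.
SID_ONLY = ["2250005", "2250006", "2250007", "2250008", "2250009"]
REGEX_BASED = ["re:modbus", "re:dnp3"]
```

Running `apply_disable(SAMPLE_RULES, SID_ONLY)` leaves the SCADA and DNP3 rules enabled, while the regex patterns strip every Modbus and DNP3 rule and keep only the SSH rule; note that `re:modbus` also matches a rule whose msg merely mentions Modbus, which is the intended breadth here but worth checking against your own rules file.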
Modbus protocol detection is disabled in the NixOS build; the 5 Modbus
SIDs (2250005-2250009) cause the config test to fail and crash-loop the
service. Disable them alongside the existing DNP3 exclusions.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Passive network monitoring via af-packet on eno1. Rulesets auto-updated
from ET/Open, abuse.ch, and other community sources via suricata-update.
Runs alongside fail2ban; IPS/blocking mode can be enabled later.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces bare enable flag with a dedicated service module covering:
- SSH brute force via journald
- Nginx Proxy Manager auth failures via Docker log files
- Jellyfin auth failures via journald
Includes incremental ban times (up to 1 week) and LAN ignore rules.
https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn
Replaces the incomplete nixpkgs NixOS module with the official
CrowdSec Docker image for the LAPI, while keeping the firewall
bouncer as a native systemd service. API key is read from
/var/lib/secrets/crowdsec-bouncer-key at start time so it
never enters the Nix store.
https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn