How do you monitor your homelab network for internal attackers? E.g. you have a publicly available service and theres a vulnerability that you miss or you pull a bad update and suddenly someone has access to your VM/machine/container. How could you increase the chances of automatically detecting that?

The built in IDS in opnsense seems pretty useless, and doesn’t really help detect if e.g. someone is trying to exploit services between your vlans (I could be using it wrong though).

Crowdsec in opnsense is nice but it seems to also be primarily for protecting from malicious actors coming from the WAN.

I’ve heard about the opnsense zenarmor plugin but you have to agree to a privacy policy to use it?

Another option I guess would be collecting firewall logs and making custom notifications for things that you think would be suspicious on your network.

I also know update cooldowns and not exposing anything could largely solve this too, but the monitoring and alerting question really interests me.

According to the release:

Adds experimental PostgreSQL support

The code was written by Cursor and Claude

14,997 added lines of code, and 10,202 lines removed

reviewed and heavily tested over 2-3 weeks

This makes me uneasy, especially as ntfy is an internet facing service. I am now looking for alternatives.

Am I overreacting or do you all share the same concern?