Threat Hunting - Security Onion in Proxmox (Homelab)


Introduction

Let's dive into network security! We're setting up Security Onion on our Proxmox server, with a focus on monitoring all the traffic within our pfSense LAN, where our virtual machines and containers reside. To make this happen, we'll use the capabilities of an Open vSwitch (OVS) bridge, which lets us configure port mirroring on the LAN interface.

Software Versions

The following software was used in this post.

  • Proxmox - 8.0.4
  • Open vSwitch - 3.1.0-2
  • Security Onion - 2.4.20

Network Diagram

The following diagram shows the network topology that we are going to set up. The goal is to mirror all the traffic from the pfSense LAN segment (vmbr2) to the capture port of the Security Onion VM, interface enp0s19, for analysis.

Network Diagram

Things to note:

  • vmbr0 - Proxmox Management Bridge Interface
  • vmbr1 - pfSense WAN Bridge Interface
  • vmbr2 - pfSense LAN Bridge Interface
  • tap118i1 - Security Onion Capture Port (listens for the port-mirrored traffic)

All traffic passes through Proxmox --> pfSense WAN (vmbr1) --> pfSense LAN (vmbr2) --> all VMs and containers.

Security Onion VM Configuration

This is the Security Onion VM Configuration

Port Mirror Configuration

How this works: whenever a VM is created with network interfaces, Proxmox automatically creates a tap<vmid>i<n> interface on the host for each of them (in our case tap118i1, the second NIC of VM 118), and that tap is the host-side end of the interface inside the VM. We will configure a port mirror from the bridge vmbr2 to this tap118i1 interface, because vmbr2 carries all the LAN traffic (the pfSense LAN bridge carries everything, including the VLAN-tagged traffic).

Proxmox Network Configuration

This is the Proxmox VE network configuration. Here we are creating three OVS bridges: vmbr0, vmbr1 and vmbr2. vmbr2 is our pfSense LAN bridge interface and is the one we need to mirror.

auto lo
iface lo inet loopback

auto enp3s0
iface enp3s0 inet manual
        ovs_type OVSPort
        ovs_bridge vmbr0

auto enp5s0f0
iface enp5s0f0 inet manual
        ovs_type OVSPort
        ovs_bridge vmbr1

auto enp5s0f1
iface enp5s0f1 inet manual
        ovs_type OVSPort
        ovs_bridge vmbr2

auto vmbr0
iface vmbr0 inet static
        address 192.168.2.100/24
        gateway 192.168.2.1
        ovs_type OVSBridge
        ovs_ports enp3s0

auto vmbr1
iface vmbr1 inet manual
        ovs_type OVSBridge
        ovs_ports enp5s0f0

auto vmbr2
iface vmbr2 inet manual
        ovs_type OVSBridge
        ovs_ports enp5s0f1
        ovs_bridge_stp off
        ovs_bridge_fd 0
        ovs_vlan_mode trunk
        ovs_bridge_vlans 2:4094

/etc/network/interfaces

OVS SPAN Create

We will now create an openvswitch span that mirrors the bridge interface to the tap interface -

sudo ovs-vsctl -- --id=@p get port tap118i1 -- --id=@m create mirror name=span1 select-all=true output-port=@p -- set bridge vmbr2 mirrors=@m

Note: This is not persistent. The mirror references the VM's tap port, so it is lost when the VM is powered off or restarted, and it does not survive a reboot of the Proxmox host.

Persistent Port Mirror

We will use a Proxmox hook script to make the port mirror persistent across reboots (of the Proxmox host as well as of the Security Onion VM).
The following hook script, named port-mirror.sh, creates and removes the port mirror when the Security Onion VM boots up, reboots or shuts down.

#!/bin/bash
# Proxmox VM hook script: keeps the OVS port mirror for the Security Onion VM
# in sync with the VM lifecycle. Proxmox invokes it as: <script> <vmid> <phase>

VM_ID=$1
EXECUTION_PHASE=$2
# Bridge to mirror: the pfSense LAN bridge (vmbr2), the same one as in the manual command above
VM_BRIDGE="vmbr2"
LOGGING="/root/scripts/port-mirror.log"
# Capture port: the VM's second NIC (net1), exposed on the host as tap<vmid>i1
TAP_PORT="tap${VM_ID}i1"

function create_mirror {
  date >> "$LOGGING"
  echo "Creating mirror on $VM_BRIDGE for $VM_ID..." >> "$LOGGING"
  # Look up the tap port, create a select-all mirror that outputs to it,
  # and attach the mirror to the bridge, all in one ovs-vsctl transaction
  ovs-vsctl -- --id=@"$TAP_PORT" get Port "$TAP_PORT" \
    -- --id=@"$VM_ID"m create Mirror name="$VM_ID"-mirror select-all=true output-port=@"$TAP_PORT" \
    -- set Bridge "$VM_BRIDGE" mirrors=@"$VM_ID"m >> "$LOGGING" 2>&1
  echo "####################" >> "$LOGGING"
}

function clear_mirror {
  date >> "$LOGGING"
  echo "Clearing mirror on $VM_BRIDGE for $VM_ID..." >> "$LOGGING"
  # Detach the mirror from the bridge; the unreferenced Mirror row is then garbage-collected by OVSDB.
  # Fails harmlessly (logged) if no mirror with that name exists yet.
  ovs-vsctl -- --id=@"$VM_ID"m get Mirror "$VM_ID"-mirror \
    -- remove Bridge "$VM_BRIDGE" mirrors @"$VM_ID"m >> "$LOGGING" 2>&1
  echo "####################" >> "$LOGGING"
}

function show_mirrors {
  date >> "$LOGGING"
  echo "Show existing mirrors..." >> "$LOGGING"
  ovs-vsctl list Mirror >> "$LOGGING" 2>&1
  echo "####################" >> "$LOGGING"
}

# post-start: the tap port now exists, so drop any stale mirror left over from an
# unclean stop or host reboot and create a fresh one. pre-stop: remove the mirror
# before the tap port disappears.
if [[ "$EXECUTION_PHASE" == "post-start" ]]; then
  clear_mirror
  create_mirror
  show_mirrors
elif [[ "$EXECUTION_PHASE" == "pre-stop" ]]; then
  clear_mirror
  show_mirrors
fi

/var/lib/vz/snippets/port-mirror.sh

Don't forget to make the hook script executable -

chmod +x /var/lib/vz/snippets/port-mirror.sh

Also apply the hook script to the Security Onion VM -

qm set 118 --hookscript local:snippets/port-mirror.sh

Once this is done, you will start seeing traffic mirrored to the capture port of the Security Onion VM for analysis.
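A quick way to confirm the hook script did its job is to check the OVS state rather than waiting for packets. The following is an added example, not part of the original post: mirror_status parses `ovs-vsctl list Mirror` output (read from stdin) and reports whether the `<vmid>-mirror` row exists, selects all traffic, and still points at a live output port (a mirror whose tap port vanished shows `output_port : []`). The sample listings and their UUIDs are constructed for offline testing.

```shell
#!/bin/bash
# Verify the OVS mirror created by port-mirror.sh for a given VM id.
# Reads 'ovs-vsctl list Mirror' output on stdin and prints one of:
#   ok       - <vmid>-mirror exists, select_all=true, output_port set
#   stale    - row exists but output_port is [] (tap port gone, e.g. VM
#              stopped without the pre-stop hook running)
#   inactive - row exists but select_all is not true
#   missing  - no Mirror row named <vmid>-mirror
mirror_status() {
  local vmid="$1"
  awk -v want="${vmid}-mirror" '
    BEGIN { RS = ""; FS = "\n"; status = "missing" }  # one record per blank-line block
    {
      name = ""; sel = ""; out = ""
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, / *: */)          # "key : value" lines
        if (n < 2) continue
        gsub(/"/, "", kv[2])
        if (kv[1] == "name") name = kv[2]
        else if (kv[1] == "select_all") sel = kv[2]
        else if (kv[1] == "output_port") out = kv[2]
      }
      if (name == want) {
        if (out == "" || out == "[]") status = "stale"
        else if (sel != "true") status = "inactive"
        else status = "ok"
      }
    }
    END { print status }'
}

# Live check on the Proxmox host (assumes ovs-vsctl is installed there).
live_mirror_status() { ovs-vsctl list Mirror | mirror_status "$1"; }

# Constructed sample listings (UUIDs are made up) mimicking 'ovs-vsctl list Mirror'.
SAMPLE_OK='_uuid               : 0c1d8c3e-0000-4000-8000-000000000001
external_ids        : {}
name                : "118-mirror"
output_port         : 7a3b2f10-0000-4000-8000-000000000002
select_all          : true
statistics          : {tx_bytes=4096, tx_packets=32}'

SAMPLE_STALE='_uuid               : 0c1d8c3e-0000-4000-8000-000000000003
name                : "118-mirror"
output_port         : []
select_all          : true'

# Run with --live <vmid> on the host; otherwise demonstrate on the samples.
if [ "${1:-}" = "--live" ]; then live_mirror_status "${2:-118}"; fi
```

On the host, `./check-mirror.sh --live 118` printing anything other than `ok` means the post-start hook did not run or the tap port was recreated since; rerunning the hook via a VM restart fixes it.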

Conclusion

So there you have it! We've set up Security Onion on our Proxmox server, and it's all about keeping an eye on what's cooking in our pfSense LAN, where our virtual gang hangs out. Thanks to the magic of the OVS Switch, we're doing Port Mirroring, which is like peeking behind the scenes.

This setup lets us see what's happening in our network and beef up security. And don't worry, this Port Mirroring thing sticks around even after the system takes a nap or gets a reboot.

So, with Security Onion on the watch, we're ready to tackle any security surprises and keep our digital den safe and sound.

Credits

https://blog.zanshindojo.org/securityonion-proxmox-port-mirroring/
https://codingpackets.com/blog/proxmox-vm-bridge-port-mirror/

Written by Murali R