I’m in doubt what is best practice - whether to use both HaaS and Sentinel Minipots together (isn’t it overkill?), or use only HaaS and Sentinel without Minipots.
According to documentation (Threat Detection - Turris Documentation): “On you router you can notably enable Firewall monitoring, deploy Minipots or use HaaS.”
From this statement I’d suppose that it’d be sufficient to deploy HaaS only (with other Sentinel functionalities enabled) - but wouldn’t Sentinel in such a case miss some data?
If this is really the case, it’d be good if on Packages List of reForis there would be warning if both “Minipots” and “SSH Honeypot” options are checked.
I run all of them.
HAAS sniffs on port 22, minipots on 21,23,25,80,587.
sentinel configures firewall blocklists from IPs what your and others’ minipots detect.
There is no reason to think about it complicatedly … by enabling everything mentioned, you are contributing to the analysis of attacks and thus to your protection by means of an adaptive firewall.
Of course, it is possible not to allow any tracking processes
You can use both HaaS and Sentinel minipots and it is not overkill.
Sentinel Minipots currently has implementations for protocols such as HTTP, Telnet, SMTP and FTP.
Honeypot as a Service uses SSH (port 22).
Hmmm. I don’t like the sentences as well. I will let it fix it. Thanks for letting us know.