Even though I was running a fairly standard setup, it makes sense to improve upon it, so I went and did a little research.
This time I decided to go with a tweaked combination of fail2ban, psad, fwsnort and AIDE running on the host, which now does a bit more active monitoring regarding what the LXC containers do. I ran Snort in the past (back when this was running on a Windows NT box1), so the whole thing’s familiar enough.
So far everything’s good, despite the Ubuntu kernel’s apparent tendency to blow up when the iptables ruleset reaches around 17K auto-generated entries from the latest bleeding-edge definitions. That I’m not at all happy with, since it’s extremely irritating to have the machine reboot when you’re applying rulesets, and the extra iptables logging crud makes it harder to check simple things.
So I’ve set things up to remove alerts for stuff that will never happen here (like mail server exploits, database server attacks, etc.). But the downside is that it all takes a fair amount of fine tuning, and that’s simply not the best use of my time right now.
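As an added example (not from the original post or from fwsnort itself), here is the kind of pre-flight check that addresses both problems above: it counts the rules in an `iptables-save` style dump before loading it, and prunes rules for ports this host does not serve. The dump below is constructed sample data, and the rule-count ceiling is an assumed local threshold, not a kernel limit.

```shell
#!/bin/sh
# Constructed sample standing in for `iptables-save` output (not a real ruleset).
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FWSNORT_INPUT - [0:0]
-A INPUT -j FWSNORT_INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FWSNORT_INPUT -p tcp --dport 25 -m string --string "HELO" --algo bm -j LOG --log-prefix "SID1 "
-A FWSNORT_INPUT -p tcp --dport 3306 -m string --string "x" --algo bm -j LOG --log-prefix "SID2 "
-A FWSNORT_INPUT -p tcp --dport 80 -m string --string "y" --algo bm -j LOG --log-prefix "SID3 "
COMMIT'

# count_rules DUMP [CHAIN]: number of "-A" rule lines, optionally only for CHAIN.
# awk is used instead of grep -c so an empty result prints 0 without a non-zero exit.
count_rules() {
    printf '%s\n' "$1" | awk -v c="${2:-}" '
        /^-A / { if (c == "" || $2 == c) n++ }
        END { print n + 0 }'
}

# prune_ports DUMP PORT...: drop rule lines whose --dport is one of PORT...,
# i.e. signatures for services this host does not run (mail, database, ...).
prune_ports() {
    dump="$1"; shift
    printf '%s\n' "$dump" | awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) drop[p[i]] = 1 }
        /^-A / {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" && ($(i + 1) in drop)) next
        }
        { print }'
}

# check_ruleset DUMP MAX: succeed only when the total rule count is at most MAX,
# so an oversized auto-generated ruleset is refused before iptables-restore runs.
check_ruleset() {
    n=$(count_rules "$1")
    [ "$n" -le "$2" ]
}

# Stand-alone usage: prune mail and MySQL signatures, then gate on the assumed cap.
PRUNED=$(prune_ports "$SAMPLE_DUMP" 25 3306)
if check_ruleset "$PRUNED" 4; then
    echo "ruleset ok: $(count_rules "$PRUNED") rules"
else
    echo "ruleset too large: $(count_rules "$PRUNED") rules" >&2
fi
```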