Built a production SOC for my home/mobile infra. Sharing it.
#AEGIS is a unified threat intelligence platform running on a single Linux server:
→ DNS sinkhole (port 53, custom blocklists)
→ Suricata IDS in AF_PACKET passive (IDS) mode + ClamAV scanning the Suricata file-store
→ Zeek NSM (http, ssl, dns, conn, weird, notice)
→ ModSecurity WAF — OWASP CRS 4.22, full enforcement
→ Fail2Ban + auditd
→ Rust orchestrator aggregating all event sources into one REST/WS API
Plus an auto-heal watchdog, an anti-DDoS engine that injects iptables rules dynamically in reaction to observed events, and a real-time dashboard.
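A minimal version of the aggregation step, added here as an illustration and not code from AEGIS (whose orchestrator is written in Rust): three sensors, three log formats (Suricata EVE JSON, Zeek notice.log in JSON form, Fail2ban's text log), one event schema ordered by time, plus the cheapest useful correlation, which source IPs more than one sensor complained about. The sample lines and the signature id 9000001 are constructed; Fail2ban's zone-less local timestamps are assumed to be UTC.

```python
"""Normalize Suricata EVE alerts, Zeek notice.log (JSON) and Fail2ban log lines
into one event schema and correlate them by source IP. Sample data is constructed."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: float              # epoch seconds, UTC
    source: str            # sensor that produced the record
    severity: str          # "high" | "medium" | "low"
    src_ip: Optional[str]
    dst_ip: Optional[str]
    message: str


_SURICATA_SEVERITY = {1: "high", 2: "medium", 3: "low"}   # Suricata: 1 is most severe


def parse_suricata(line: str) -> Optional[Event]:
    """Promote only EVE 'alert' records; flow/dns/http records are dropped here."""
    rec = json.loads(line)
    if rec.get("event_type") != "alert":
        return None
    # EVE timestamps look like 2024-05-01T12:00:01.123456+0000
    ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()
    alert = rec["alert"]
    return Event(ts, "suricata", _SURICATA_SEVERITY.get(alert.get("severity"), "low"),
                 rec.get("src_ip"), rec.get("dest_ip"),
                 f"{alert['signature']} (sid {alert['signature_id']})")


def parse_zeek_notice(line: str) -> Event:
    """Zeek JSON logs (policy/tuning/json-logs) carry ts as an epoch float."""
    rec = json.loads(line)
    return Event(float(rec["ts"]), "zeek", "medium",
                 rec.get("id.orig_h") or rec.get("src"), rec.get("id.resp_h"),
                 f"{rec['note']}: {rec['msg']}")


_F2B_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\] (?P<verb>Ban|Unban) (?P<ip>\S+)$")


def parse_fail2ban(line: str) -> Optional[Event]:
    """Fail2ban logs local time with no zone; assumed UTC here (run the box with TZ=UTC)."""
    m = _F2B_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f").replace(tzinfo=timezone.utc).timestamp()
    return Event(ts, "fail2ban", "high" if m["verb"] == "Ban" else "low",
                 m["ip"], None, f"{m['verb']} by jail {m['jail']}")


PARSERS: Dict[str, Callable[[str], Optional[Event]]] = {
    "suricata": parse_suricata, "zeek": parse_zeek_notice, "fail2ban": parse_fail2ban}


def aggregate(lines_by_source: Dict[str, List[str]]) -> List[Event]:
    """Merge every source into one time-ordered stream; a malformed line is skipped, never fatal."""
    events: List[Event] = []
    for source, lines in lines_by_source.items():
        parse = PARSERS[source]
        for line in lines:
            try:
                ev = parse(line.strip()) if line.strip() else None
            except (ValueError, KeyError):   # bad JSON, missing field, unparsable timestamp
                continue
            if ev is not None:
                events.append(ev)
    return sorted(events, key=lambda e: e.ts)


def seen_by_sources(events: List[Event], min_sources: int = 2) -> Dict[str, set]:
    """Source IPs reported by at least min_sources different sensors."""
    seen: Dict[str, set] = {}
    for ev in events:
        if ev.src_ip:
            seen.setdefault(ev.src_ip, set()).add(ev.source)
    return {ip: srcs for ip, srcs in seen.items() if len(srcs) >= min_sources}


SAMPLE_LINES = {   # constructed for this example; sid 9000001 is a local/test range, not a real rule
    "suricata": [
        '{"timestamp":"2024-05-01T12:00:01.123456+0000","event_type":"alert","src_ip":"203.0.113.5",'
        '"dest_ip":"192.0.2.10","proto":"TCP","alert":{"signature_id":9000001,'
        '"signature":"LOCAL SSH scan heuristic","severity":2}}',
        '{"timestamp":"2024-05-01T12:00:01.900000+0000","event_type":"flow","src_ip":"192.0.2.10",'
        '"dest_ip":"198.51.100.7","proto":"UDP"}',
    ],
    "zeek": [
        '{"ts":1714564802.5,"id.orig_h":"203.0.113.5","id.resp_h":"192.0.2.10","note":"SSH::Password_Guessing",'
        '"msg":"203.0.113.5 appears to be guessing SSH passwords (seen in 30 connections).","src":"203.0.113.5"}',
    ],
    "fail2ban": [
        "2024-05-01 12:00:03,456 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5",
        "this line is deliberately malformed and must be skipped",
    ],
}

if __name__ == "__main__":
    for ev in aggregate(SAMPLE_LINES):
        print(ev)
    print(seen_by_sources(aggregate(SAMPLE_LINES)))
```

The orchestrator pattern that matters is in `aggregate`: each source gets its own parser, the parser decides what is promoted (Suricata `flow` records are not), and one unreadable line is skipped rather than stopping ingestion for every sensor.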
One thing I wanted to get right: the orchestrator never touches iptables with NFQUEUE — passive only. No inline mode that can brick SSH access.
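The reactive rule-injection model the post describes, as an added Python example rather than the project's own code: the blocker only consumes events the sensors already logged, nothing is queued to userspace with NFQUEUE, so a crash or a bug in it degrades to "no new bans" instead of a stalled packet path. The two lockout guards a practitioner wants are here: an operator allow-list that can never be banned, and a TTL on every rule. The networks in ALLOW_NETS, the thresholds and the `aegis-ban` comment tag are assumptions; the executor is injected so the dry run never calls iptables.

```python
"""Reactive blocker fed by already-observed events: injects iptables DROP rules with a TTL.
Nothing here sits in the packet path (no NFQUEUE). Sample traffic is constructed."""
from __future__ import annotations

import ipaddress
import subprocess
from collections import deque
from typing import Callable, Dict, List, Optional, Tuple

# Assumed operator/management ranges (home LAN, mobile VPN). Never banned, whatever they do.
ALLOW_NETS = ["192.168.1.0/24", "198.51.100.0/24"]

Argv = List[str]


class PassiveBlocker:
    def __init__(self, allow_nets: List[str], threshold: int, window_s: float,
                 ban_ttl_s: float, run: Optional[Callable[[Argv], None]] = None) -> None:
        self.allow = [ipaddress.ip_network(n) for n in allow_nets]
        self.threshold, self.window_s, self.ban_ttl_s = threshold, window_s, ban_ttl_s
        # Injected executor: tests and dry runs never touch the real firewall.
        self.run = run or (lambda argv: subprocess.run(argv, check=True))
        self.hits: Dict[str, deque] = {}
        self.bans: Dict[str, float] = {}   # ip -> expiry time

    def is_protected(self, ip: str) -> bool:
        """Loopback and allow-listed networks are never blocked."""
        addr = ipaddress.ip_address(ip)
        return addr.is_loopback or any(addr in net for net in self.allow)

    @staticmethod
    def _rule(action: str, ip: str) -> Argv:
        # The comment tag lets a human list/remove these rules: iptables -S INPUT | grep aegis-ban
        return ["iptables", action, "INPUT", "-s", ip, "-m", "comment",
                "--comment", "aegis-ban", "-j", "DROP"]

    def observe(self, ip: str, now: float) -> Optional[Argv]:
        """Record one hit (a SYN, a new conn.log row); ban when the sliding window overflows."""
        if self.is_protected(ip) or ip in self.bans:
            return None
        q = self.hits.setdefault(ip, deque())
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) < self.threshold:
            return None
        self.bans[ip] = now + self.ban_ttl_s
        self.hits.pop(ip, None)
        argv = self._rule("-I", ip)
        self.run(argv)
        return argv

    def expire(self, now: float) -> List[Argv]:
        """Remove rules whose TTL passed; a ban that never expires is a self-inflicted outage."""
        removed = []
        for ip in [ip for ip, exp in self.bans.items() if exp <= now]:
            argv = self._rule("-D", ip)
            self.run(argv)
            removed.append(argv)
            del self.bans[ip]
        return removed


def simulate(run: Optional[Callable[[Argv], None]] = None) -> Tuple[List[Argv], List[Argv]]:
    """Constructed flood: 200 hits in 2 s from an outside host and the same from the operator LAN."""
    blocker = PassiveBlocker(ALLOW_NETS, threshold=100, window_s=5.0, ban_ttl_s=600.0, run=run)
    bans = []
    for i in range(200):
        t = 1000.0 + i * 0.01
        for ip in ("203.0.113.9", "192.168.1.20"):
            argv = blocker.observe(ip, t)
            if argv:
                bans.append(argv)
    unbans = blocker.expire(1000.0 + 601.0)
    return bans, unbans


if __name__ == "__main__":
    b, u = simulate(run=lambda argv: print("dry-run:", " ".join(argv)))
    print(len(b), "ban(s),", len(u), "unban(s)")
```

Run `expire()` from the same loop as the watchdog so rules are always reaped even if the event feed stalls. At volume, one `-I INPUT` per address is slow to evaluate and to tear down; an ipset (or an nftables set with a timeout) referenced by a single rule gives the same reactive, passive behaviour with the TTL handled by the kernel.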