25 marzo 2026 · 9 min lettura
Intelligenza Artificialeduck.ai promette chat AI senza tracciamento: nessun log, nessun IP, accordi con Anthropic e OpenAI. Ma DuckDuckGo ha già tradito questa fiducia una volta.
Self-HostingLa cloud sovranità europea è sovereignty washing: i datacenter sono in UE, le chiavi restano a Seattle. Gaia-X è fallito, NIS2 stringe. Il homelab risponde.
Self-HostingIscriviti alla newsletter per ricevere i migliori articoli direttamente nella tua inbox.
900k siti WordPress esposti a RCE critico, 500k a file read su wp-config.php. Se ospiti WordPress in homelab o su VPS, ecco cosa fare nei prossimi 30 minuti.
365,930 network events in 48 hours. That's how much traffic flows through my homelab every two days. TCP flows, TLS handshakes, DNS queries, SSH attempts, WordPress scans. Buried in that noise: 571 real alerts and 4 Remote Code Execution attempts.
Most homelabbers install Suricata, stare at the logs for a week, then give up. Too much noise, too many false positives, zero context. I decided to fix this differently: I built AIWALL, a network defense system that uses an LLM to analyze alerts, a Raspberry Pi 5 as an active gateway, and a multi-source correlator that cross-references Suricata, DNS sinkholes, and reverse proxy logs. Fully self-hosted, zero recurring cost.
It works. It's been running in production for weeks. Here's how I built it and what I learned.
AIWALL isn't a single daemon on a server. It's a distributed system across three nodes, each with a specific role.
Internet
|
v
[ Cloudflare Tunnel ] --> [ Reverse Proxy ] --> Web apps on LAN
|
v
+-----------------------------------------------------------+
| RPi 5 - GATEWAY |
| Suricata IPS + DNS sinkhole (Blocky) |
| API agent + nftables ban/rate-limit |
+-----------------------------------------------------------+
|
v
+-----------------------------------------------------------+
| Proxmox Host - PASSIVE SENSOR |
| Suricata IDS (2 interfaces) + CrowdSec |
+-----------------------------------------------------------+
|
v
+-----------------------------------------------------------+
| LXC Container - ORCHESTRATOR (the brain) |
| Scoring engine + LLM (Groq) + Correlator + Telegram bot |
| Alert store (SQLite) + Prometheus metrics + Dashboard |
+-----------------------------------------------------------+
|
v
[ Monitoring: Grafana + Loki + Prometheus ]The Raspberry Pi 5 is the physical network gateway. All traffic passes through it. Suricata runs in IPS mode, combining passive analysis with active dropping of malicious packets. On the same machine, Blocky acts as a DNS sinkhole blocking 280,000 domains across malware, phishing, tracking, and advertising categories.
The Proxmox host acts as a passive sensor. Suricata IDS monitors two network interfaces: one for LAN traffic, one for the VPN overlay (Tailscale). CrowdSec analyzes logs and maintains a community blocklist of over 5,000 known malicious IPs updated in real time.
The orchestrator container is the brain. Over 9,000 lines of Python that read Suricata EVE events, score them with a deterministic engine, correlate alerts from different sources, invoke an LLM when needed, and send Telegram notifications with inline buttons to ban or ignore. All running on an LXC container with 1 GB of RAM.
This is AIWALL's most important architectural principle. The risk score is deterministic. The LLM is an advisor, not a decision-maker. I've seen too many projects delegate alert classification to a language model and end up with hallucinated false positives or, worse, real threats downgraded because the model lacked context.
Every Suricata alert has a severity level. The scoring engine assigns base weights per severity, then applies context multipliers:
The result is a score from 0 to 100. The LLM is only invoked when the score exceeds a configurable threshold. In the last 48 hours, out of 148 completed analyses, the LLM was called only 18 times. The vast majority of traffic is handled by the deterministic scoring alone. That means fewer API calls, lower latency, less noise.
When the score crosses the threshold, AIWALL sends the alert batch to Groq running llama-3.3-70b-versatile. Why Groq? Three reasons: it's free (free tier), it's fast (0.85 second average response time in my system), and the 70B model is capable enough for security analysis without being overkill.
The LLM receives three layers of context: the current batch of filtered alerts, a 30-minute history window to spot evolving patterns, and a 6-hour IP tracker to identify multi-phase attacks — the same IP scanning SSH ports first, then attempting an HTTP exploit.
The response is structured JSON: risk level, summary, suspicious IPs, identified patterns, and an actionable recommendation. If the JSON doesn't parse, AIWALL degrades gracefully — logs the error and moves on. Zero LLM errors in production so far.
A standalone Suricata alert tells you little. A Suricata alert + a DNS malware block from the same IP within minutes tells you a lot. That's what the multi-source correlator does.
AIWALL cross-references three sources: Suricata alerts (signature-based), DNS sinkhole blocks (reputation-based), and reverse proxy logs (pattern-based). When sources converge, the correlator generates composite alerts with elevated priority.
Three correlation types implemented:
In two days of production: 33 DNS_SURICATA_WEAK correlations and 6 total correlated events. The correlator identified patterns that no single source would have caught alone.
Every TLS client has a fingerprint — the JA3 hash — computed from the handshake parameters. Cobalt Strike, Metasploit, Sliver, Empire: each has a known JA3. AIWALL maintains a database of 25 known malicious hashes and matches them in real time against every TLS handshake captured by Suricata.
Most IDS solutions only watch external traffic. But lateral movement — an attacker moving between internal nodes after compromising a service — happens entirely within the LAN. AIWALL has a dedicated module for this.
The internal monitor works in two phases. During the learn phase, it observes all LAN traffic and builds a baseline: which containers talk to which, on which ports, how often. Over 120 flows in the current baseline, tens of thousands of internal flows processed. In the enforce phase, any connection outside the baseline is flagged as anomalous — potential lateral movement. The system can alert, limit, or block anomalous traffic based on configuration.
An IDS that only sends notifications is an IDS you'll ignore after three days. AIWALL has a full-featured Telegram bot with commands, inline buttons, and an approval system for blocking actions.
When a critical alert fires, the bot sends a notification with three buttons: [Ban], [Rate-Limit], and [Ignore]. Hit Ban and the IP is blocked on the gateway in real time. The system supports both human approval mode and fully automatic mode, configurable per risk level.
The bot supports 15 commands: real-time status, top suspicious IPs, per-IP alert history, daily stats, manual ban/unban. I manage my homelab security from my phone while standing in line at the grocery store.
The reverse proxy log reader caught in the last 48 hours: 36 WordPress scan attempts (path traversal to wp-admin, wp-login, xmlrpc.php) and 4 Remote Code Execution attempts. Automated scanners try everything regardless of the actual stack.
On the DNS front, the sinkhole blocked nearly 100 requests across telemetry, beacons, advertising, and other categories. One potential DNS tunneling attempt detected. The numbers seem low? That's because it's working: 280,000 domains already blocked at the DNS level means most malicious traffic never even reaches Suricata.
AIWALL exposes over 50 Prometheus metrics. Real-time risk score, LLM latency, events by type, alerts by severity, correlations, internal anomalies, Telegram bot health, web attacks, DNS blocks. Everything feeds into Grafana.
The numbers that matter after 48 hours in production:
Nothing. Or close to it.
A Darktrace deployment starts at $50,000/year. CrowdStrike Falcon Go costs $60/device/year. AIWALL isn't at their level — it doesn't have machine learning on petabytes of telemetry — but for a homelab with a dozen containers and several public domains, it gets the job done. For free.
AIWALL isn't a product. It's a project I built for my homelab that you can adapt to yours. You'll need:
If you build it, drop me a message — I want to know what you detect on your network.
I have a dozen containers, several public domains, and a $90 Raspberry Pi watching over all of it. In 48 hours it processed 365,930 events, caught 4 RCE attempts, correlated 33 suspicious patterns, and produced zero critical false positives. Does your homelab know who's knocking at the door?
Sources: Suricata IDS/IPS, CrowdSec, Groq Cloud, Blocky DNS, AbuseIPDB. Production data from the author's AIWALL system, March 2026.