Intrusion Systems

Intrusion Systems are separated into two categories:

  • Intrusion Detection System (IDS) 🛟: detect intrusions and raise an alert. It is passive: it watches a copy of the traffic (or the logs) and cannot stop anything by itself.
  • Intrusion Prevention System (IPS) 🗼: detect and block intrusions. It sits inline on the traffic path, so it costs more (hardware, added latency, tuning) and a false positive blocks legitimate traffic, but it stops the attack instead of only reporting it.

Both detect known attacks (signatures: patterns of attacks already seen) and, to a lesser extent, unknown ones (anomalies: deviations from a baseline of normal activity). The difference is the response: an IDS only alerts, an IPS alerts and blocks.

Companies will select one based on their security requirements, the cost, their network topology, and their maintenance capacity.

An IDS/IPS can operate at different levels:

  • Application-Based IDS/IPS 🖼️: monitor a single application and detect/block suspicious input (SQLi, buffer overflow); a web application firewall (WAF) is the typical example

  • Host-Based IDS/IPS (HIPS/HIDS) 💻: installed on the host itself; analyze its own traffic, logs, file integrity, and process activity to detect/block suspicious activities

  • Network-Based IDS/IPS (NIDS/NIPS) 📶: a sensor fed by a mirror/SPAN port or a network tap (NIDS), or placed inline on the path (NIPS); detect and block malicious traffic for a whole segment
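To make the IDS/IPS difference and the signature-vs-threshold difference concrete, here is a toy host-based detector run over a few log lines. This is an added example, not code from the page or from any of the tools listed below; the log lines, IP addresses (documentation ranges), thresholds and rule names are all constructed for the illustration.

```python
"""Toy host-based IDS/IPS (added example, not from the page).

Two detectors run over log lines:
  * a signature rule (known attack): SQL-injection patterns in web requests
  * a threshold rule (no signature needed): repeated SSH login failures per IP
In "ids" mode a hit only produces an alert; in "ips" mode the source is also
blocked and its later traffic is dropped, which is the IDS/IPS difference.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample log lines (documentation IP ranges, not captured traffic).
# Format: "<epoch> <daemon> <message>"
SAMPLE_LOGS = [
    "1700000000 sshd Failed password for root from 203.0.113.5 port 40001",
    "1700000005 sshd Failed password for root from 203.0.113.5 port 40002",
    "1700000010 sshd Failed password for admin from 203.0.113.5 port 40003",
    "1700000012 sshd Failed password for root from 203.0.113.5 port 40004",
    "1700000020 httpd 198.51.100.7 GET /login?user=bob HTTP/1.1",
    "1700000021 httpd 198.51.100.7 GET /login?user=%27%20OR%201%3D1-- HTTP/1.1",
    "1700000030 sshd Accepted password for bob from 203.0.113.9 port 40005",
    "1700000040 httpd 203.0.113.5 GET /admin HTTP/1.1",
    "1700000100 sshd Failed password for root from 203.0.113.9 port 40006",
    "1700000900 sshd Failed password for root from 203.0.113.9 port 40007",
]

SSH_FAIL = re.compile(r"^(\d+) sshd Failed password for \S+ from (\S+) port \d+$")
HTTP_REQ = re.compile(r"^(\d+) httpd (\S+) (GET|POST) (\S+) HTTP/")
SQLI_SIGNATURES = [
    re.compile(r"'\s*or\s+1\s*=\s*1", re.I),  # classic tautology
    re.compile(r"union\s+select", re.I),      # union-based extraction
]


@dataclass
class Event:
    ts: int
    src_ip: str
    rule: str
    action: str  # "alert" (IDS), "block" or "dropped" (IPS)


def analyze(lines, mode="ids", max_fails=3, window=60):
    """Return (events, blocked_ips). `max_fails` failures within `window`
    seconds trigger the threshold rule; any SQLi signature match triggers the
    signature rule."""
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    events, blocked = [], set()
    failures = defaultdict(list)  # src_ip -> recent failure timestamps

    def hit(ts, ip, rule):
        if mode == "ips":
            blocked.add(ip)  # stand-in for inserting a firewall rule
            events.append(Event(ts, ip, rule, "block"))
        else:
            events.append(Event(ts, ip, rule, "alert"))

    for line in lines:
        ssh, web = SSH_FAIL.match(line), HTTP_REQ.match(line)
        if not (ssh or web):
            continue  # neither detector understands this line
        m = ssh or web
        ts, ip = int(m.group(1)), m.group(2)

        # An IPS drops traffic from a source it has already blocked,
        # so the 4th password guess never reaches sshd.
        if ip in blocked:
            events.append(Event(ts, ip, "blocked-source", "dropped"))
            continue

        if ssh:
            # Threshold rule: keep only failures inside the window, then count.
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) >= max_fails:
                hit(ts, ip, "ssh-bruteforce")
                failures[ip].clear()  # one event per burst
        else:
            # Signature rule: decode the URL first so %27 hides nothing.
            if any(sig.search(unquote(web.group(4))) for sig in SQLI_SIGNATURES):
                hit(ts, ip, "sqli-signature")
    return events, blocked


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        events, blocked = analyze(SAMPLE_LOGS, mode)
        print(f"--- {mode.upper()} mode ---")
        for e in events:
            print(f"{e.ts} {e.src_ip:14} {e.rule:16} {e.action}")
        print("blocked:", sorted(blocked) or "nothing (IDS only alerts)")
```

Two things worth noticing when you run it: the slow guesser (203.0.113.9, one failure every 800 s) never trips the 3-in-60-s threshold, which is exactly the tuning trade-off a real HIDS/fail2ban setup has, and in IPS mode the later `/admin` request from the brute-forcing host is dropped even though that request itself matched no rule.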

👻 To-do 👻

Stuff that I found, but never read/used yet.

$ sudo apt install fail2ban
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local   # put overrides in jail.local; jail.conf is replaced on upgrade
$ sudo vim /etc/fail2ban/jail.local                           # enable/tune jails here (nothing changed yet: the defaults already work)
$ sudo service fail2ban restart
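An added example of what that jail.local edit typically looks like (not from the page): a minimal override that enables the sshd jail and sets its thresholds. The admin network 192.0.2.0/24 and the chosen values are illustrative assumptions; everything not set here is inherited from jail.conf.

```ini
# /etc/fail2ban/jail.local (added example; only overrides go here)
[DEFAULT]
# Never lock yourself out: loopback plus the admin network (192.0.2.0/24 is an assumed value)
ignoreip = 127.0.0.1/8 ::1 192.0.2.0/24
# 5 failures within 10 minutes -> ban for 1 hour
bantime  = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
# port, logpath and backend are inherited from the [sshd] section of jail.conf
```

After the restart, `sudo fail2ban-client status sshd` shows the jail's current and total bans. The ban is a firewall rule inserted by the configured banaction, which is what makes fail2ban a (host-based) IPS rather than just a log watcher.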
  • Tripwire (integrity, database of expected states)
  • OSSEC (monitor log files, detect rootkits)
  • AIDE (integrity, permissions/file attributes changes)
  • NIDS are usually installed where traffic enters/exits the network (the perimeter, e.g. just inside the firewall), since that is where one sensor sees the most