===== Intrusion Detection System =====

==== What does an IDS do? ====

An Intrusion Detection System monitors a network, detecting malicious activity and blocking the bad attempts for a fixed period of time.

==== How much does this cost? Who built the platform? ====

Our IDS platform is included at no additional cost and protects our locations as a whole.

The platform itself was built in-house over the years. 

==== What does it protect against? ====

The current revision of our platform best effort monitors for the following network wide activities:

^ The 'naughty' list ^^^
^ Activity ^ Port ^ Note ^
^ Daemons, etc ^^^
| SSH account brute forcing | 22 | Common. 20+ blocks a day |
| FTP account brute forcing | 21 | Not very common. 1 - 5 blocks a day |
| NetBIOS exploits (Windows) | 445 | "God dammit Gates!". 250+ a day |
| Mail Server brute forces | 25, 110 | Fairly common. 5+ a day |
^ Abused protocols ^^^
| NTP Amplification | 123 | Extremely common |
| DNS Amplification | 53 | Extremely common |

Remember, this is is a best effort platform. Our IDS does not monitor for directed attacks (read: someone decides they want to brute you directly). We always recommend you change your SSH port when possible and **always** keep your applications up-to-date.
==== Can I be excluded from the IDS? ==== 

No.

Previously we used to allow users to opt-out but after countless people getting compromised after requesting such, we've revised this policy.
==== Does the IDS protect from bot spam? ====

Kind of. As of right now our IDS monitors for HTTP connections which will stop some bot spam.

We're currently considering importing [[http://stopforumspam.com|stopformspam.com]]'s blacklist into our IDS platform. If you wish to voice your opinion/concerns about this, just email [[admin@eidolonhost.com|admin@eidolonhost.com]] or [[https://eidolonhost.com/billing/client/plugin/support_manager/client_tickets/add/2/|log a ticket]].

==== Does this IDS sniff my traffic? ====

For the most part, **no**.

Our IDS works off of a cluster of traps set-up throughout our deployments. When one of them is tripped
by exploit scanners, the offending IP is nullrouted for a set amount of time.

For NTP & DNS amplification, we monitor for specific packets at the node side and block them
before they ever get to your virtual server.

Here's a thread with more information about NTP/DNS amplification attacks at [[https://vpsboard.com/topic/3564-howto-stop-ntp-amplification-attacks-from-reaching-your-nodes/]].