ids [2017/03/23 09:22] (current)
===== Intrusion Detection System =====
==== What does an IDS do? ====
An Intrusion Detection System monitors a network, detecting malicious activity and blocking the bad attempts for a fixed period of time.
==== How much does this cost? Who built the platform? ====
Our IDS platform is included at no additional cost and protects our locations as a whole.
The platform itself was built in-house over the years.
==== What does it protect against? ====
The current revision of our platform monitors, on a best-effort basis, for the following network-wide activities:
^ The 'naughty' list ^^^
^ Activity ^ Port ^ Note ^
^ Daemons, etc. ^^^
| SSH account brute forcing | 22 | Common. 20+ blocks a day |
| FTP account brute forcing | 21 | Not very common. 1 - 5 blocks a day |
| NetBIOS exploits (Windows) | 445 | "God dammit Gates!". 250+ a day |
| Mail server brute forces | 25, 110 | Fairly common. 5+ a day |
^ Abused protocols ^^^
| NTP amplification | 123 | Extremely common |
| DNS amplification | 53 | Extremely common |
Remember, this is a best-effort platform. Our IDS does not monitor for directed attacks (read: someone decides they want to brute-force you directly). We always recommend you change your SSH port when possible and **always** keep your applications up-to-date.
==== Can I be excluded from the IDS? ====
We previously allowed users to opt out, but after countless people were compromised after requesting this, we have revised that policy.
==== Does the IDS protect from bot spam? ====
Kind of. As of right now our IDS monitors for HTTP connections, which will stop some bot spam.
We're currently considering importing [[http://​|]]'s blacklist into our IDS platform. If you wish to voice your opinion/concerns about this, just email [[|]] or [[https://​​billing/client/plugin/support_manager/client_tickets/add/2/|log a ticket]].
==== Does this IDS sniff my traffic? ====
For the most part, **no**.
Our IDS works off a cluster of traps set up throughout our deployments. When one of them is tripped by exploit scanners, the offending IP is null-routed for a set amount of time.
For NTP & DNS amplification, we monitor for specific packets on the node side and block them before they ever get to your virtual server.
Here's a thread with more information about NTP/DNS amplification attacks at [[https://​​topic/3564-howto-stop-ntp-amplification-attacks-from-reaching-your-nodes/]].
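As an added illustration of the trap-then-null-route behaviour described above (example code written for this page, not the platform's own), the following Python reads constructed trap-hit log lines, maps the destination port to the naughty list from the table, and keeps one time-limited block per offending IP that a repeat hit renews and that falls off once it expires. The log line format, the 24-hour block duration and the Linux `ip route add blackhole` command are assumptions.

```python
import re
from datetime import datetime, timedelta

# Ports from the page's "naughty" list, mapped to the activity they indicate.
NAUGHTY_PORTS = {22: "SSH brute force", 21: "FTP brute force", 445: "NetBIOS exploit",
                 25: "Mail brute force", 110: "Mail brute force",
                 123: "NTP amplification", 53: "DNS amplification"}

# Constructed trap-hit log format (hypothetical, not the platform's real format).
LINE_RE = re.compile(r"^(?P<ts>\S+) trap=\S+ src=(?P<src>\d+(?:\.\d+){3}) dport=(?P<dport>\d+)$")

BLOCK_DURATION = timedelta(hours=24)  # assumed value for the page's "set amount of time"

def parse_trap_line(line):
    """Return (timestamp, src_ip, activity), or None if unmatched or port not on the list."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    activity = NAUGHTY_PORTS.get(int(m["dport"]))
    if activity is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], activity

def build_blocks(lines, duration=BLOCK_DURATION):
    """Map each offending IP to its null-route expiry; a repeat hit renews, never stacks."""
    blocks = {}
    for line in lines:
        parsed = parse_trap_line(line)
        if parsed is None:
            continue
        ts, src, _ = parsed
        expires = ts + duration
        if expires > blocks.get(src, datetime.min):
            blocks[src] = expires
    return blocks

def active_blocks(blocks, now):
    """IPs whose null-route is still in force at `now`; expired ones fall off."""
    return sorted(ip for ip, exp in blocks.items() if exp > now)

def nullroute_command(ip):
    """Linux blackhole route for one IP (one way to null-route; an assumption here)."""
    return f"ip route add blackhole {ip}/32"

SAMPLE_LOG = [  # constructed sample hits, not real data
    "2017-03-23T09:00:00 trap=ssh src=203.0.113.5 dport=22",
    "2017-03-23T09:05:00 trap=smb src=198.51.100.7 dport=445",
    "2017-03-23T09:10:00 trap=http src=192.0.2.9 dport=8080",  # not on the list: ignored
    "2017-03-23T21:00:00 trap=ssh src=203.0.113.5 dport=22",  # repeat hit renews the block
]
```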
ids.txt · Last modified: 2017/03/23 09:22 (external edit)