An Intrusion Detection System (IDS) monitors a network, detects malicious activity and blocks the source of the bad attempts for a fixed period of time.
Our IDS platform is included at no additional cost and protects our locations as a whole.
The platform itself was built in-house over the years.
The current revision of our platform monitors, on a best-effort basis, for the following network-wide activities:
The 'naughty' list

| Activity | Port(s) | Frequency |
|---|---|---|
| SSH account brute forcing | 22 | Common. 20+ blocks a day |
| FTP account brute forcing | 21 | Not very common. 1 - 5 blocks a day |
| NetBIOS exploits (Windows) | 445 | “God dammit Gates!”. 250+ a day |
| Mail Server brute forces | 25, 110 | Fairly common. 5+ a day |
| NTP Amplification | 123 | Extremely common |
| DNS Amplification | 53 | Extremely common |
Remember, this is a best-effort platform. Our IDS does not monitor for directed attacks (read: someone decides they want to brute-force you directly). We always recommend changing your SSH port when possible and keeping your applications up to date.
Previously we allowed users to opt out, but after countless people were compromised after requesting this, we've revised that policy.
Kind of. As of right now our IDS monitors for HTTP connections which will stop some bot spam.
For the most part, no.
Our IDS works off a cluster of traps set up throughout our deployments. When one of them is tripped by an exploit scanner, the offending IP is nullrouted for a set amount of time.
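As an added example of the trap-and-nullroute scheme described above (this is illustrative code, not the provider's own platform), the Python below models a block table with a fixed expiry: a trap hit adds a blackhole route for the source for `block_seconds`, expired entries are dropped automatically, and an allowlist keeps internal monitoring ranges from ever being blocked. The names `TrapEvent`, `NullrouteTable` and `run_sample`, the 3600-second block period, the `10.0.0.0/8` allowlist and the sample events are all assumptions; the code only returns the `ip route` commands an operator would run and never touches a real routing table.

```python
"""Added example, not the provider's code: trap hits -> timed nullroute.

Assumed names: TrapEvent (one trip of a trap), NullrouteTable (blocked
IPs with expiry).  Nothing here modifies the host; pending_commands()
just returns the iproute2 commands that would be run.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class TrapEvent:
    src_ip: str   # source that hit the trap
    port: int     # trap port that was hit (22, 21, 445, ...)
    ts: float     # event time in seconds (epoch-style)


class NullrouteTable:
    def __init__(self, block_seconds: int, allowlist=()):
        self.block_seconds = block_seconds
        # Ranges that must never be nullrouted (e.g. our own monitoring hosts).
        self.allowlist = [ipaddress.ip_network(a) for a in allowlist]
        self._blocked = {}    # ip -> expiry timestamp
        self._commands = []   # commands an operator would apply, in order

    def _is_allowlisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowlist)

    def trip(self, ev: TrapEvent) -> bool:
        """One trap hit is enough to block.  Returns True if a new block was added."""
        self.expire(ev.ts)
        if self._is_allowlisted(ev.src_ip) or ev.src_ip in self._blocked:
            return False
        self._blocked[ev.src_ip] = ev.ts + self.block_seconds
        self._commands.append(f"ip route add blackhole {ev.src_ip}/32")
        return True

    def expire(self, now: float) -> None:
        """Drop every block whose period has elapsed and queue the route removal."""
        for ip, until in list(self._blocked.items()):
            if until <= now:
                del self._blocked[ip]
                self._commands.append(f"ip route del blackhole {ip}/32")

    def is_blocked(self, ip: str, now: float) -> bool:
        self.expire(now)
        return ip in self._blocked

    def pending_commands(self):
        cmds, self._commands = self._commands, []
        return cmds


# Constructed sample: one scanner hits two traps, a second scanner hits one,
# and an internal host (allowlisted) trips a trap by accident.
SAMPLE_EVENTS = [
    TrapEvent("203.0.113.7", 22, 100.0),
    TrapEvent("203.0.113.7", 21, 105.0),
    TrapEvent("198.51.100.9", 445, 110.0),
    TrapEvent("10.0.0.5", 22, 120.0),
]


def run_sample():
    table = NullrouteTable(block_seconds=3600, allowlist=("10.0.0.0/8",))
    new_blocks = sum(table.trip(ev) for ev in SAMPLE_EVENTS)
    ips = ("203.0.113.7", "198.51.100.9", "10.0.0.5")
    at_200 = sorted(ip for ip in ips if table.is_blocked(ip, 200.0))
    at_3705 = sorted(ip for ip in ips if table.is_blocked(ip, 3705.0))
    return new_blocks, at_200, at_3705, table.pending_commands()


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Two points the model makes visible: the second hit from an already-blocked source does not extend its block (the block is for a set time, as stated), and the allowlist check runs before anything is routed, so a misconfigured internal scanner cannot blackhole your own monitoring.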
For NTP and DNS amplification, we monitor for specific packets on the node side and block them before they ever reach your virtual server.
We've publicly discussed, and shared, how we handle NTP amplification at https://vpsboard.com/topic/3564-howto-stop-ntp-amplification-attacks-from-reaching-your-nodes/.
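The page does not say which packets are matched on the node side, so as an added example (not the provider's code and not taken from the linked how-to) the Python below classifies the two packet types most commonly abused for NTP and DNS amplification, assuming those are the ones of interest: NTP mode-7 `monlist` requests (request codes `MON_GETLIST`/`MON_GETLIST_1`) and DNS queries of type `ANY`. The sample packets and the names `classify`, `is_ntp_monlist`, `dns_question` and `run_sample` are constructed for this illustration.

```python
"""Added example, not the provider's code: classify UDP payloads that are
typical of NTP/DNS amplification so a node-side filter can drop them.
Assumption: the packets of interest are NTP mode-7 monlist requests and
DNS ANY queries.  All sample packets below are hand-constructed.
"""
import struct

NTP_PORT, DNS_PORT = 123, 53
MON_GETLIST_CODES = {20, 42}   # ntpd mode-7 request codes MON_GETLIST, MON_GETLIST_1
DNS_QTYPE_ANY = 255


def is_ntp_monlist(payload: bytes) -> bool:
    """NTP byte 0 = R|M|VN(3)|Mode(3); mode 7 is ntpd's private mode and
    byte 3 carries the request code.  monlist is what amplifiers abuse."""
    if len(payload) < 4:
        return False
    mode = payload[0] & 0x07
    return mode == 7 and payload[3] in MON_GETLIST_CODES


def dns_question(payload: bytes):
    """Return (qname, qtype) of the first question in a DNS query, or None
    for responses and malformed packets."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack_from("!HH", payload, 2)
    if flags & 0x8000 or qdcount < 1:      # QR bit set -> a response, not a query
        return None
    off, labels = 12, []
    while True:
        if off >= len(payload):
            return None
        n = payload[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:                        # compression pointers don't belong in a query name
            return None
        labels.append(payload[off:off + n].decode("ascii", "replace"))
        off += n
    if off + 4 > len(payload):
        return None
    (qtype,) = struct.unpack_from("!H", payload, off)
    return ".".join(labels), qtype


def classify(dst_port: int, payload: bytes):
    """Return a label for packets a node-side filter should drop, else None."""
    if dst_port == NTP_PORT and is_ntp_monlist(payload):
        return "ntp-monlist"
    if dst_port == DNS_PORT:
        q = dns_question(payload)
        if q and q[1] == DNS_QTYPE_ANY:
            return "dns-any"
    return None


def build_dns_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed helper: a minimal standard query with one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


# Constructed sample traffic: (label, dst_port, payload)
SAMPLE_PACKETS = [
    ("ntp-monlist", NTP_PORT, bytes([0x17, 0x00, 0x03, 0x2A]) + b"\x00" * 4),  # VN=2, mode 7, code 42
    ("ntp-client",  NTP_PORT, bytes([0x23]) + b"\x00" * 47),                    # VN=4, mode 3: normal client
    ("dns-any",     DNS_PORT, build_dns_query("example.com", DNS_QTYPE_ANY)),
    ("dns-a",       DNS_PORT, build_dns_query("example.com", 1)),
]


def run_sample():
    return [(label, classify(port, payload)) for label, port, payload in SAMPLE_PACKETS]


if __name__ == "__main__":
    for label, verdict in run_sample():
        print(f"{label:12} -> {verdict}")
```

Ordinary NTP client traffic (mode 3) and ordinary DNS queries pass through untouched; only the request types that produce a large response for a small spoofed request are flagged, which is what lets a node-side filter drop them without affecting a tenant's legitimate NTP or DNS use.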