Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | | |
|---|---|---|---|
| ids [2021/04/24 15:24] cubebuilder created | — (current) | | |
| Line 1: | Line 1: | ||
| - | ===== Intrusion Detection System ===== | ||
| - | ==== What does an IDS do? ==== | ||
| - | |||
| - | An Intrusion Detection System monitors a network, detecting malicious activity and blocking the bad attempts for a fixed period of time. | ||
| - | |||
| - | ==== How much does this cost? Who built the platform? ==== | ||
| - | |||
| - | Our IDS platform is included at no additional cost and protects our locations as a whole. | ||
| - | |||
| - | The platform itself was built in-house over the years. | ||
| - | |||
| - | ==== What does it protect against? ==== | ||
| - | |||
| - | The current revision of our platform best effort monitors for the following network wide activities: | ||
| - | |||
| - | ^ The ' | ||
| - | ^ Activity ^ Port ^ Note ^ | ||
| - | ^ Daemons, etc ^^^ | ||
| - | | SSH account brute forcing | 22 | Common. 20+ blocks a day | | ||
| - | | FTP account brute forcing | 21 | Not very common. 1 - 5 blocks a day | | ||
| - | | NetBIOS exploits (Windows) | 445 | "God dammit Gates!" | ||
| - | | Mail Server brute forces | 25, 110 | Fairly common. 5+ a day | | ||
| - | ^ Abused protocols ^^^ | ||
| - | | NTP Amplification | 123 | Extremely common | | ||
| - | | DNS Amplification | 53 | Extremely common | | ||
| - | |||
| - | Remember, this is is a best effort platform. Our IDS does not monitor for directed attacks (read: someone decides they want to brute you directly). We always recommend you change your SSH port when possible and **always** keep your applications up-to-date. | ||
| - | ==== Can I be excluded from the IDS? ==== | ||
| - | |||
| - | No. | ||
| - | |||
| - | Previously we used to allow users to opt-out but after countless people getting compromised after requesting such, we've revised this policy. | ||
| - | ==== Does the IDS protect from bot spam? ==== | ||
| - | |||
| - | Kind of. As of right now our IDS monitors for HTTP connections which will stop some bot spam. | ||
| - | |||
| - | We're currently considering importing [[http:// | ||
| - | |||
| - | ==== Does this IDS sniff my traffic? ==== | ||
| - | |||
| - | For the most part, **no**. | ||
| - | |||
| - | Our IDS works off of a cluster of traps setup throughout our deployments. When one of them is tripped | ||
| - | by exploit scanners, the offending IP is nullrouted for a set amount of time. | ||
| - | |||
| - | For NTP & DNS amplification, | ||
| - | before they ever get to your virtual server. | ||
| - | |||
| - | We've publicly discussed, and shared, how we handle NTP amplification at [[https:// | ||
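Review bot: the block duration is never stated, although the text depends on it in three places ("blocking the bad attempts for a fixed period of time", "nullrouted for a set amount of time", and the "Can I be excluded from the IDS?" answer of "No."); state the timeout and how a customer whose own IP trips a trap gets the nullroute lifted, since opting out is no longer possible. Two smaller points: the "Does this IDS sniff my traffic?" answer ("For the most part, **no**") sits beside "our IDS monitors for HTTP connections", so say what that monitoring inspects (connection attempts against the traps, or request content) to keep the two sections consistent; and the "NetBIOS exploits (Windows)" table row is missing its closing `|`, while the row starting `^ The '` and both `[[http://` links are cut off and need completing before this revision is published.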