Article Index



Intrusion Detection

Intrusion detection, or monitoring a network or system for malicious activity or policy violations, is a critical part of maintaining a secure Linux server. The information gathered through intrusion detection provides administrators with valuable insight into the types of attacks that could potentially threaten their servers, which is critically important information for setting up preventative defenses. In this section, we’ll begin by examining some great open-source intrusion detection system (IDS) tools and honeypots that can help Linux server administrators proactively identify and respond to threats to their systems - preventing data theft and system compromise. We’ll then explore the importance of monitoring logs and take a look at how Logwatch can be used for this purpose.

Top Open-Source IDS Tools & Honeypots


Snort is the leader in free and open-source network intrusion detection systems (NIDS). The popular tool has three modes that can be used to analyze real-time traffic: intrusion detection mode, packet sniffer mode and packet logger mode. The intrusion detection mode is based on a set of rules that the user can either create or download from the Snort community. Snort can be used for port scanning, OS fingerprinting and detecting attacks using signature-based and anomaly-based techniques. Snort is easy to install and supported by a large, vibrant community. 

Snort can be downloaded snort downloads.

Learn how to install and use Snort for intrusion detection in this LinuxHint tutorial.


In the realm of host-based intrusion detection systems (HIDS), OSSEC dominates. This full-featured open-source IDS tool is highly effective and extensible. OSSEC’s client/server based management and logging architecture secures sensitive information against tampering and theft by delivering alerts and logs to a centralized server where analysis and notification can occur even in the event that the host system is compromised or taken offline. A convenient benefit of this client/server design is the ability to centrally manage agents from a single server. OSSEC is very lightweight and is backed by a strong, supportive community.

OSSEC can be downloaded ossec downloads.

Learn how to install and use OSSEC for intrusion detection in this LinuxHint tutorial.


Suricata is a modern NIDS that employs signature-based, anomaly-based and policy driven intrusion detection methods. It features multi-threading capabilities, GPU acceleration and multiple model statistical anomaly detection. Suricata can examine HTTP requests, TLS/SSL certificates and DNS transactions. Suricata is compatible with Snort's data structure, enabling users to implement Snort policies in Suricata. 

Suricata can be downloaded suricata-ids downloads.

Learn how to configure and use Suricata for threat detection in this InfoSec Institute tutorial.


Cowrie is a medium interaction ssh and telnet honeypot that logs brute force attacks and shell interaction. The open-source honeypot emulates a Unix system in Python and functions as a proxy to log malicious activity. Cowrie features JSON logging for easy processing in log management solutions.

Monitoring Logs 

Monitoring logs is an essential part of verifying the security of a server, and must be done on a regular basis to ensure that your systems remain secure. Critical log categories that should be monitored for all Linux servers include application logs, event logs, service logs and system logs. Many Linux distributions offer tools for automating this ongoing task. 

The Logwatch application, for instance, sends a daily email report of all of the logs on a server - providing administrators with valuable information including potential malicious activity, SSH attempts and IPs causing errors, as well as the number of emails that have been sent. In a large corporate environment it is common practice to send Logwatch emails (along with other mail directed to the root user) to a single company email list. Administrators in the company then subscribe to this email list to stay informed of any notifications regarding suspicious activity detected in any of the company’s server’s logs.


Logwatch can be downloaded logwatch downloads.

Learn how to install and use Logwatch in this TechRepublic tutorial.

Fail2ban is another excellent application for monitoring logs and detecting intrusion attempts. This intrusion prevention software framework secures servers against brute-force attacks by reacting to intrusion attempts by either installing firewall rules to reject potentially-malicious IP addresses for a certain amount of time or by blocking access to a specific port.

Fail2ban can be downloaded fail2ban downloads.

Learn how to install, configure and test Fail2ban in this How-To Geek tutorial.

For information on log files locations and how you can view and monitor logs from the command line, check out this Ubuntu tutorial.