
I know what fail2ban does: it monitors the firewall logs and finds IP addresses that have too many failed logins to SSH, and then tells the firewall to drop packets from those addresses.

So is fail2ban an IPS?

schroeder
leeand00
    For clarity, fail2ban doesn't read firewall logs; it reads the log file for whatever program you are monitoring (e.g. SSH, nginx, asterisk, etc.) – multithr3at3d Jan 29 '20 at 22:24

1 Answer

1

IDS: Intrusion Detection System. IDS monitors a system for activity that would indicate unauthorized attempts to access that system, providing alerts for that activity but not changing the behavior of that system.

IPS: Intrusion Protection System. IPS monitors a system for activity that would indicate unauthorized attempts to access that system, reacting to that activity by changing the behavior of the system accordingly, beyond just alerts.

Using those definitions, fail2ban is absolutely an IPS because it changes the behavior of the system.

schroeder
JWAspin
  • Do you have any references to back up your assertions? Especially that IPS monitors internal system events that might not be related to network events? – schroeder Aug 12 '21 at 07:25
  • I offer https://en.wikipedia.org/wiki/Fail2ban and https://en.wikipedia.org/wiki/Intrusion_detection_system – schroeder Aug 12 '21 at 07:43
  • Basically it can be considered as IDS or IPS depending on configuration (the type of action used as a reaction to attempts): it can ban IP/user/whatever (thus changing the system behavior, and so acting as a typical IPS), or it can only notify/signal/mail/whatever about possible intrusion attempts (so acting as a typical IDS) – sebres Aug 12 '21 at 11:23
  • @schroeder Thanks for all your comments and the edit. I should have provided supporting references, so thank you for adding those links in the comments. – JWAspin Aug 13 '21 at 13:04
  • @sebres technically, *every* IPS must also be an IDS. It can't prevent what it can't detect... – schroeder Aug 13 '21 at 13:08
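As an added illustration of the distinction drawn in the answer and in sebres's comment (this is example code written for this page, not fail2ban's own source), the following Python miniature of a fail2ban jail reads sshd log lines (constructed samples, not a real capture), counts failed logins per source address inside a `findtime` window, and on reaching `maxretry` either only records an alert (IDS behaviour) or additionally emits a firewall rule (IPS behaviour). Note that the detection step is identical in both modes, which is schroeder's point that every IPS contains an IDS. The log regex, the `iptables` command string and the jail parameters are simplified assumptions; real fail2ban ships its own filter definitions and bans via a dedicated chain.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd/syslog-style sample lines (not a real capture). Note that this
# is the sshd log, not a firewall log: fail2ban reads the monitored service's log.
SAMPLE_LOG = """\
Jan 29 22:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 29 22:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 29 22:00:05 host sshd[1003]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Jan 29 22:00:07 host sshd[1004]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Jan 29 22:00:09 host sshd[1005]: Failed password for invalid user guest from 198.51.100.9 port 40010 ssh2
Jan 29 22:15:00 host sshd[1006]: Failed password for invalid user guest from 198.51.100.9 port 40012 ssh2
Jan 29 22:15:02 host sshd[1007]: Failed password for invalid user guest from 198.51.100.9 port 40014 ssh2
"""

# Assumed, simplified failregex for OpenSSH password failures (fail2ban's real
# sshd filter covers many more message variants).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9.]+) port \d+ ssh2$"
)


def parse_failures(log_text, year=2020):
    """Yield (timestamp, source_ip) for each failed-login line; other lines are ignored.

    Syslog timestamps carry no year, so one is assumed for the date arithmetic.
    """
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        yield ts, m.group("ip")


class MiniJail:
    """A toy fail2ban jail: the detection logic is shared, the reaction is configurable.

    mode="notify": only record alerts (IDS behaviour).
    mode="ban":    record alerts and also emit a firewall rule (IPS behaviour).
    """

    def __init__(self, maxretry=3, findtime=600, mode="ban"):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.mode = mode
        self.hits = defaultdict(deque)   # ip -> timestamps of recent failures
        self.alerts = []                 # what an IDS would report
        self.firewall_cmds = []          # what an IPS would additionally execute
        self.banned = set()

    def feed(self, ts, ip):
        if ip in self.banned:
            return
        window = self.hits[ip]
        window.append(ts)
        # Drop failures older than findtime: a slow attacker below the rate is not counted.
        while window and ts - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.alerts.append(f"{ip}: {len(window)} failed logins within {int(self.findtime.total_seconds())}s")
            if self.mode == "ban":
                self.banned.add(ip)
                # Assumed direct DROP rule; real fail2ban inserts into its own f2b-* chain.
                self.firewall_cmds.append(f"iptables -I INPUT -s {ip} -j DROP")
            window.clear()


def run_jail(log_text, mode="ban", maxretry=3, findtime=600):
    """Feed every parsed failure through a jail and return it for inspection."""
    jail = MiniJail(maxretry=maxretry, findtime=findtime, mode=mode)
    for ts, ip in parse_failures(log_text):
        jail.feed(ts, ip)
    return jail


if __name__ == "__main__":
    for mode in ("notify", "ban"):
        jail = run_jail(SAMPLE_LOG, mode=mode)
        print(f"mode={mode}: alerts={jail.alerts} firewall={jail.firewall_cmds}")
```

With the sample above, 203.0.113.5 fails three times within six seconds and trips the jail, whereas 198.51.100.9 spreads its failures so that only two fall inside any ten-minute window and it is never flagged; that window is the `findtime` edge case an operator tunes. In real fail2ban the `mode` switch corresponds to the jail's `action` setting in `jail.local`: an action such as `iptables-multiport` bans, a mail-only action such as `sendmail-whois` merely notifies.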