Need help?

Our experts will login to your server within 30 minutes to fix urgent issues.

Customer support or server support, make your own solution using our support configuration wizard.

Intrusion Detection System (IDS)- A Hacker Alarm On Your Server

Now a days so many people are getting their own dedicated servers, but they are completely clueless about security of the server. Usually they leave it to the company where they purchase it or hire someone. Hence server security became a great concern to the web hosting companies. Hence, the need of server security precautions will arise.


Hire Bobcares Linux Server Administrators
Get super reliable servers and delighted customers

See how we do it!




A standard protection method that most organizations (both large and small) utilize to protect their establishment from theft is a common burglar alarm. Given this fact, it is amazing that how many of these organizations install a protection system to guard their networks from attack and theft of valuable company information. An intrusion detection system (IDS) is essentially a “BURGLAR ALARM” or a “HACKER ALARM” system for your network. It enables you to monitor your network for intrusive activity. When intrusive activity occurs, your IDS generates an alarm to let you know that your network is possibly under attack.


IDS monitors the network’s local host devices and network traffic for signs of attempted attacks and network security breaches. They can be deployed on an individual host or on a part of the network. Their primary purpose is to examine the local or network traffic for intrusions and report these intrusions to the security administrator. Firewall and IDS systems provide a good layer of protection against an intruder. An IDS collects information from a variety of system and network sources, and analyzes the information for signs of intrusion (attacks coming from outside the local network) and misuse (attacks originating inside the network). IDS keeps a record of which files were changed and alerts you if anything is new or altered. This is critical because hackers usually try to replace binary applications like ps, top, netstat and others. This means when you run this new version of ps or top to see the running processes, it actually HIDES their hacker software. Even though the hacker software is running, it won’t show up.


Benefits of IDS


Intrusion Detection Systems can perform a variety of functions like:


  • Monitoring and analysis of user and system activity
  • Auditing of system configurations and vulnerabilities
  • Assessing the integrity of critical system and data files
  • Recognition of activity patterns reflecting known attacks
  • Statistical analysis for abnormal activity patterns
  • Operating system audit trail management, with recognition of user activity reflecting policy violations

The combination of these features allows system or network administrators to more easily handle the monitoring, audit, and assessment of their systems and networks to find signs of outside intrusions or local misuse of computer systems.


The common IDS system includes Tripwire, Snort and AIDE.



Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.Snort has the ability to perform real time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and content matching. The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface, buffer overflows, server message block probes, and stealth port scans.



Open Source Tripwire functions as a host-based intrusion detection system. Rather than attempting to detect intrusions at the network interface level (as in network intrusion detection systems), Open Source Tripwire detects changes to file system objects. Tripwire constantly and automatically, keeps your critical system files and reports under control if they have been destroyed or modified by a cracker (or by mistake). It allows the system administrator to know immediately what was compromised and how fix it. when Tripwire is run for the first time it stores checksums, exact sizes and other data of all the selected files in a database. The successive runs check whether if all the file still matches the information in the database and reports all the changes. Cryptographic hashes are employed to detect changes in a file without storing the entire contents of the file in the database.



AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker. Normally AIDE take a “snapshot” of the current state of system, register hashes, modified time and other data regarding the files defined by the administrator. Then it is used to build a database that is saved and stored in an external device. Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms that are used to check the integrity of the file. All of the usual file attributes can also be checked for inconsistencies. It can read databases from older or newer versions.
When the administrator wants to run an integrity test, he places the previously built database in an accessible place and commands Aide to compare the database against the real status of the system. Aide will detect changes and report it to the administrator.

When the administrator wants to run an integrity test, he places the previously built database in an accessible place and commands Aide to compare the database against the real status of the system. Should a change have happened to the computer between the snapshot creation and the test, Aide will detect it and report it to the administrator.


Networks are very vulnerable and easy to attack, hence firewall alone cannot provide the complete protection. An Intrusion Detection System (IDS) provides an additional layer of protection to a firewall. Firewall and IDS systems provide a good layer of protection against an intruder. Thus the server security improves to a better limit.


The above is a very rough outline of IDS, if you have any questions, we would be happy to talk to you! 🙂

Blog written and edited by :

Prajith Kumar P works as a Junior Software Engineer in Bobcares. He joined Bobcares in June 2012. He loves playing soccer and watching movies in his free time.




Bobcares is a server management company that helps businesses deliver uninterrupted and secure online services. Our engineers manage close to 51,500 servers that include virtualized servers, cloud infrastructure, physical server clusters, and more.