System Intrusion Detection

The VOSS Automate platform provides an optional service that can be enabled in order to detect and prevent SYN flood denial-of-service network attacks.

When the service is active, source IP addresses of such attacks are detected and communication from these addresses is blocked for 10 minutes. However, if the attacks persist after this period, the addresses are re-blocked.

Log files are also created to provide service details.

Important

The service commands only apply to the node on which the commands are executed. In order to run commands across a cluster, the cluster command prefix is required, for example, to enable the service cluster-wide:

cluster run all system intrusion-detection profile enable synflood

See: Remote Execution in Clusters

Start the service

To check the logging level and if the service is running:

platform@VOSS:~$ system intrusion-detection logging get-level
    level: NOTICE

platform@VOSS:~$ system intrusion-detection profile show
    synflood:
        enabled: false

When running app status, the intrusion-detection service will show as running:

services v25.2 (2025-07-01 14:11)
   |-logs                running
   |-scheduler           running
   |-intrusion-detection running

A profile must be enabled:

system intrusion-detection profile enable synflood

Refer to the command details below.

Manage the service

The following commands are available to manage this service:

  • system intrusion-detection logging get-level

    Get the log level for the intrusion detection system. Refer to the log level values below.

  • system intrusion-detection logging set-level <level>

    Set the log level for the intrusion detection system. Changing the level requires a service restart. A message shows when the log level has been set. Permitted values are (case-insensitive):

    DEBUG, INFO, NOTICE, WARNING, ERROR, CRITICAL

    Level     Description
    --------  ------------------------------------------------------------------------------
    DEBUG     Verbose debug messages for troubleshooting.
    INFO      Standard informational messages about regular activity and significant events.
    NOTICE    Normal but notable messages. This is the default level.
    WARNING   Warning messages about potential issues.
    ERROR     Only error events get logged.
    CRITICAL  Only critical messages get logged.

  • system intrusion-detection profile disable <profile>

    Disable intrusion detection for a profile, for example, synflood.

  • system intrusion-detection profile enable <profile>

    Enable intrusion detection for a profile, for example, synflood.

    Note

    Currently, only the synflood profile is available.

  • system intrusion-detection profile show

    Display the configuration of intrusion detection profiles.

Stop the service

Note

Blocked IP addresses are unblocked after a service restart, but are blocked again if SYN flood attacks persist.

Log files

Log files can be inspected using the log view <log_file> command, for example: log view platform/fail2ban.log.

  • process/services.intrusion-detection.log

    Shows service logs with process information, for example: start/stop/status/log-level updates.

  • platform/fail2ban.log

    Internal fail2ban service logs, providing details on each logging event with: a timestamp, log level, process ID, component, and log message.

    Example output:

    2025-07-01 13:50:01,133 fail2ban.actions        [1239]: NOTICE  [ssh] Unban 172.90.123.113
    2025-07-01 14:15:00,952 fail2ban.filter         [1239]: INFO    [ssh] Found 67.89.123.45
    2025-07-01 17:00:13,171 fail2ban.actions        [1239]: NOTICE  [ssh] Ban 90.123.171.90
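As an added example, not part of the VOSS documentation or product, the following Python parser reads the fail2ban.log line layout described above (timestamp, component, process ID, log level, jail, message), replays Ban/Unban events in order, and reports which addresses are currently blocked and which were re-blocked because the attack persisted past the block period. The jail name synflood, the sample addresses and the log lines are constructed assumptions.

```python
import re
from datetime import datetime

# Pattern for the fail2ban.log layout shown on this page:
# "<date> <time>,<ms> <component> [<pid>]: <LEVEL> [<jail>] <Ban|Unban|Found> <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+"
    r"(?P<component>\S+)\s+\[(?P<pid>\d+)\]:\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<jail>[^\]]+)\]\s+"
    r"(?P<action>Ban|Unban|Found)\s+(?P<ip>\S+)$"
)

# Constructed sample log (assumed jail name and documentation-range addresses),
# not output captured from a real system.
SAMPLE_LOG = """\
2025-07-01 13:50:01,133 fail2ban.actions        [1239]: NOTICE  [synflood] Ban 192.0.2.10
2025-07-01 14:00:01,200 fail2ban.actions        [1239]: NOTICE  [synflood] Unban 192.0.2.10
2025-07-01 14:02:15,952 fail2ban.filter         [1239]: INFO    [synflood] Found 192.0.2.10
2025-07-01 14:02:16,010 fail2ban.actions        [1239]: NOTICE  [synflood] Ban 192.0.2.10
2025-07-01 14:05:00,000 fail2ban.actions        [1239]: NOTICE  [synflood] Ban 198.51.100.7
2025-07-01 14:15:00,000 fail2ban.actions        [1239]: NOTICE  [synflood] Unban 198.51.100.7
"""

def parse_events(text):
    """Return (timestamp, jail, action, ip) tuples for matching lines; others are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["jail"], m["action"], m["ip"]))
    return events

def ban_summary(text):
    """Replay Ban/Unban events in file order: {ip: {"bans": count, "banned": bool}}."""
    summary = {}
    for _ts, _jail, action, ip in parse_events(text):
        entry = summary.setdefault(ip, {"bans": 0, "banned": False})
        if action == "Ban":
            entry["bans"] += 1
            entry["banned"] = True
        elif action == "Unban":
            entry["banned"] = False
    return summary

def repeat_offenders(text, min_bans=2):
    """Addresses banned at least min_bans times, i.e. attacks that resumed after the unban."""
    return sorted(ip for ip, e in ban_summary(text).items() if e["bans"] >= min_bans)
```

Run it against the output of log view platform/fail2ban.log to see which sources keep coming back after the 10-minute block expires.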