.. _system-intrusion-detection:

System Intrusion Detection
--------------------------

.. _25.2|EKB-24245:

.. index:: system;system intrusion-detection


The VOSS Automate platform provides an optional service that can be enabled in order to 
detect and prevent SYN flood denial-of-service network attacks.

When the service is active, source IP addresses of such attacks are detected and
communication from these addresses is blocked for *10 minutes*. However, if the
attacks persist after this period, the addresses are re-blocked.

Log files are also created to provide service details.


.. important::

   The service commands only apply to the node on which the commands are
   executed. In order to run commands across a cluster, the ``cluster``
   command prefix is required, for example, to enable the service
   cluster-wide:

   ::

      cluster run all system intrusion-detection profile enable synflood

   See: :ref:`remote_execution_in_clusters`


Start the service
....................

To check the logging level and if the service is running:

::

   platform@VOSS:~$ system intrusion-detection logging get-level
       level: NOTICE
   
   platform@VOSS:~$ system intrusion-detection profile show
       synflood: 
           enabled: false


When running ``app status``, the ``intrusion-detection``
service will show as ``running``:

::

   services v25.2 (2025-07-01 14:11)
      |-logs                running
      |-scheduler           running
      |-intrusion-detection running
      
A profile must be enabled:

``system intrusion-detection profile enable synflood``

Refer to the command details below.


Manage the service
...................


The following commands are available to manage this service:


* ``system intrusion-detection logging get-level``
 
  Get the log level for the intrusion detection system.
  Refer to the log level values below.

* ``system intrusion-detection logging set-level <level>``

  Set the log level for the intrusion detection system.
  Changing the level requires a service restart.
  A message shows when the log level has been set.
  Permitted values are (case-insensitive):

  DEBUG, INFO, NOTICE, WARNING, ERROR, CRITICAL


  ========  ===============================================================================
  Level     Description
  ========  ===============================================================================
  DEBUG     Verbose debug messages for troubleshooting.
  INFO      Standard informational messages about regular activity and significant events.
  NOTICE    Normal but notable messages. This is the *default level*.
  WARNING   Warning messages about potential issues.
  ERROR     Only error events get logged.
  CRITICAL  Only critical messages get logged.
  ========  ===============================================================================

* ``system intrusion-detection profile disable <profile>``

  Disable intrusion detection for a profile, for example, ``synflood``.

* ``system intrusion-detection profile enable <profile>``

  Enable intrusion detection for a profile, for example, ``synflood``.

  .. note::

     Currently, only the ``synflood`` profile is available.

* ``system intrusion-detection profile show``

  Display the configuration of intrusion detection profiles.


Stop the service
................

.. note::

   Blocked IP addresses become available after a service restart,
   but will be blocked again if SYN flood attacks persist.


Log files
..........

Log files can be inspected using the ``log view <log_file>`` command,
for example: ``log view platform/fail2ban.log``.


* ``process/services.intrusion-detection.log``

  Shows service logs with process information, for example:
  start/stop/status/log-level updates.


* ``platform/fail2ban.log``

  Internal fail2ban service logs, providing details on each
  logging event with: a timestamp, log level, process ID, component, and log message.

  Example output:

  ::

    2025-07-01 13:50:01,133 fail2ban.actions        [1239]: NOTICE  [ssh] Unban 172.90.123.113
    2025-07-01 14:15:00,952 fail2ban.filter         [1239]: INFO    [ssh] Found 67.89.123.45
    2025-07-01 17:00:13,171 fail2ban.actions        [1239]: NOTICE  [ssh] Ban 90.123.171.90
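
As an added example (not part of the VOSS Automate documentation or product), the following Python parses lines in the ``platform/fail2ban.log`` format shown above and replays the Ban/Unban events to list the addresses still blocked and how long each completed block lasted. The sample lines and TEST-NET addresses are constructed, and the ``synflood`` jail name is assumed from the profile name.

```python
import re
from collections import namedtuple
from datetime import datetime

# One platform/fail2ban.log line: "timestamp,ms  component  [pid]:  LEVEL  [jail] message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+"
    r"(?P<component>\S+)\s+\[(?P<pid>\d+)\]:\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<jail>[^\]]+)\]\s+(?P<msg>.*?)\s*$"
)
# The Ban / Unban / Found messages each carry a single IPv4 address
ACTION_RE = re.compile(r"^(?P<action>Ban|Unban|Found)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")
Event = namedtuple("Event", "ts component pid level jail action ip")

def parse_line(line):
    """Return an Event for a Ban/Unban/Found line, or None for any other line."""
    m = LINE_RE.match(line)
    a = ACTION_RE.match(m["msg"]) if m else None
    if not a:
        return None
    return Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["component"],
                 int(m["pid"]), m["level"], m["jail"], a["action"], a["ip"])

def replay(lines):
    """Replay events in log order -> ({jail: IPs still blocked}, [(jail, ip, seconds blocked)])."""
    banned, ban_start, durations = {}, {}, []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev.jail, ev.ip)
        if ev.action == "Ban":
            banned.setdefault(ev.jail, set()).add(ev.ip)
            ban_start[key] = ev.ts
        elif ev.action == "Unban":
            banned.get(ev.jail, set()).discard(ev.ip)
            if key in ban_start:  # an Unban whose Ban lies outside this log slice is not measured
                secs = int((ev.ts - ban_start.pop(key)).total_seconds())
                durations.append((ev.jail, ev.ip, secs))
    return banned, durations

# Constructed sample in the format shown above (TEST-NET addresses); not real VOSS output
SAMPLE_LOG = """\
2025-07-01 13:50:01,133 fail2ban.actions        [1239]: NOTICE  [synflood] Ban 203.0.113.10
2025-07-01 13:52:30,004 fail2ban.filter         [1239]: INFO    [synflood] Found 203.0.113.20
2025-07-01 13:52:31,118 fail2ban.actions        [1239]: NOTICE  [synflood] Ban 203.0.113.20
2025-07-01 14:00:01,201 fail2ban.actions        [1239]: NOTICE  [synflood] Unban 203.0.113.10
2025-07-01 14:00:02,000 fail2ban.server         [1239]: INFO    Changed log level to NOTICE
""".splitlines()
```

Running ``replay(SAMPLE_LOG)`` on the constructed lines reports ``203.0.113.20`` as still blocked and a 600-second block for ``203.0.113.10``, which matches the 10-minute block period described above.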
