
Intrusion Detection on Linux with AIDE and fail2ban

Detect breaches early with file integrity monitoring (AIDE), brute-force protection (fail2ban), and rootkit scanners as part of defense in depth.


Good prevention reduces your attack surface, but it never reaches zero. Credentials leak, software has zero-days, and a single misconfiguration can open a door. Intrusion detection is the layer that tells you when prevention has failed, ideally before an attacker establishes persistence. This article covers three complementary tools: AIDE for file integrity monitoring, fail2ban for brute-force protection, and rootkit scanners for spotting known compromises.

Why Detection Matters in Defense in Depth

Hardening efforts like strict filesystem permissions and tight network firewall rules make a breach harder, but a determined attacker only needs one gap. Detection assumes that gap exists. It shifts the question from "can they get in?" to "will I know when they do?" The faster you detect, the smaller the blast radius. Pair detection with centralized logging and auditing so alerts reach a human or a SIEM instead of dying on the compromised host.

File Integrity Monitoring with AIDE

AIDE (Advanced Intrusion Detection Environment) records cryptographic hashes and metadata of critical files, then compares the live system against that baseline to flag tampering.

sudo apt update
sudo apt install aide aide-common

# Build the initial baseline database
sudo aideinit
# On non-Debian systems:
# sudo aide --init

aideinit writes a new database, usually to /var/lib/aide/aide.db.new. Activate it by moving it into place:

sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Critical point: an attacker who roots the box can rewrite this database so future checks always pass. Copy the baseline to offline or read-only storage and verify against that copy:

# Copy to read-only / external media after every legitimate update
sudo cp /var/lib/aide/aide.db /mnt/readonly/aide.db

Run checks on a schedule. A systemd timer or cron entry keeps it automatic:

#!/bin/sh
# /etc/cron.daily/aide-check
# cron.daily scripts already run as root, so no sudo is needed here.
# Debian's aide-common package ships its own daily check; confirm you are not scheduling a duplicate.
aide --check

In its report, AIDE lists added, removed, and changed entries along with the attributes that differ (hash, size, mtime, permissions). After legitimate changes such as a package upgrade, refresh the baseline so future reports stay signal-rich:

sudo aide --update
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Brute-Force Protection with fail2ban

fail2ban scans service logs and bans IP addresses that exceed a failure threshold, blunting SSH and other brute-force attacks.

sudo apt install fail2ban

Never edit the shipped jail.conf; create /etc/fail2ban/jail.local:

[DEFAULT]
bantime  = 1h
findtime = 10m
maxretry = 5
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24

[sshd]
enabled = true

maxretry failures within findtime trigger a ban lasting bantime. ignoreip whitelists trusted networks so you never lock yourself out. Restart the service and inspect the jail:

sudo systemctl restart fail2ban
sudo fail2ban-client status sshd

To release an IP you banned by mistake:

sudo fail2ban-client set sshd unbanip 203.0.113.10

fail2ban complements your network firewall and your SSH access and authentication hardening; it reacts to abusive behavior the static rules cannot anticipate.

Rootkit Scanners

Rootkit scanners look for known backdoors, altered binaries, and suspicious kernel modules. Run rkhunter:

sudo apt install rkhunter
sudo rkhunter --update
sudo rkhunter --propupd   # bless current file properties as known-good
sudo rkhunter --check

Run --propupd only on a system you trust to be clean; otherwise you bless a compromise. chkrootkit offers a second opinion:

sudo apt install chkrootkit
sudo chkrootkit

Expect false positives from both tools; investigate warnings against package state and recent admin activity before assuming compromise.

Tying It Into Alerting

Detection is only useful if someone reads the output. Feed AIDE reports, fail2ban actions, and scanner results into auditd and centralized logging so alerts trigger email or SIEM notifications. A daily integrity report nobody reads is no better than no report at all.

Verify Your Setup

# AIDE baseline exists and a check runs clean
sudo aide --check && echo "AIDE OK"

# fail2ban is active and the sshd jail is enabled
sudo fail2ban-client status sshd

# rootkit scanners installed
rkhunter --version && chkrootkit -V

If AIDE reports only expected changes, the sshd jail shows banned IPs accumulating, and your scanners run without unexplained alerts, your detection layer is working.