Code-Memo

Intrusion detection (Fail2Ban, auditd)

Fail2Ban (log-based banning)

Fail2Ban monitors logs (e.g., SSH auth failures) and temporarily bans IPs via firewall rules.

Common commands:

sudo systemctl status fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd
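Added example (not part of the memo, and not Fail2Ban's own code): the counting logic behind a jail such as sshd, reproduced with awk over a few constructed auth-log lines. It assumes a maxretry threshold passed as an argument and the standard "Failed password ... from IP" line format; the IPs and timestamps are made up.

```shell
#!/bin/sh
# Constructed sshd log lines in /var/log/auth.log style (not real traffic).
SAMPLE_LOG='Mar 10 10:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Mar 10 10:00:03 host sshd[1235]: Failed password for root from 203.0.113.5 port 4423 ssh2
Mar 10 10:00:05 host sshd[1236]: Failed password for root from 203.0.113.5 port 4424 ssh2
Mar 10 10:00:07 host sshd[1237]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
Mar 10 10:00:09 host sshd[1238]: Failed password for invalid user test from 198.51.100.7 port 5001 ssh2'

# count_failures: print "<count> <ip>" for every source IP with at least one
# "Failed password" line, highest count first (what a filter.d regex feeds the jail).
count_failures() {
  printf '%s\n' "$SAMPLE_LOG" | awk '/sshd\[[0-9]+\]: Failed password/ {
      for (i = 1; i <= NF; i++) if ($i == "from") ips[$(i+1)]++
    } END { for (ip in ips) print ips[ip], ip }' | sort -rn
}

# candidates_to_ban MAXRETRY: IPs whose failure count reached the jail threshold
# (the equivalent of maxretry in jail.local, assumed here as an argument).
candidates_to_ban() {
  count_failures | awk -v max="$1" '$1 >= max { print $2 }'
}

# Stand-alone run: list counts, then the IPs a jail with maxretry=3 would ban.
count_failures
echo "--- would ban (maxretry=3):"
candidates_to_ban 3
```

A real jail also bounds the count by findtime, so a slow brute force spread over hours is not caught unless findtime is raised; check `sudo fail2ban-client status sshd` for the currently banned list rather than trusting log counts alone.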

Typical configuration locations:

auditd (Linux audit framework)

auditd records security-relevant events (syscalls, file access, policy changes).

Status:

sudo systemctl status auditd
sudo auditctl -s

Search audit logs:

sudo ausearch -ts today
sudo ausearch -m avc -ts recent   # SELinux AVC denials
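Added example (not from the memo, not auditd's own code): a minimal watch-rule set of the kind placed under /etc/audit/rules.d/ (assumed path), plus a grep filter that mimics `ausearch -k KEY` over constructed audit.log records so the key-based workflow can be tried without a live audit daemon. The record contents, inode numbers and user ids are made up.

```shell
#!/bin/sh
# Watch rules: record writes (w) and attribute changes (a) to account files,
# tagged with a key so ausearch -k can pull them out later.
AUDIT_RULES='-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k passwd_changes
-w /etc/sudoers -p wa -k sudoers_changes'

# Constructed records in native audit.log format (values are made up).
SAMPLE_AUDIT='type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=PATH msg=audit(1700000000.100:101): item=0 name="/etc/passwd" inode=1234 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="visudo" exe="/usr/sbin/visudo" key="sudoers_changes"
type=SYSCALL msg=audit(1700000000.300:103): arch=c000003e syscall=257 success=no exit=-13 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key="passwd_changes"'

# print_rules: the rule lines as they would be loaded (compare with auditctl -l).
print_rules() { printf '%s\n' "$AUDIT_RULES"; }

# events_by_key KEY: SYSCALL records tagged with KEY, like `ausearch -k KEY`.
events_by_key() {
  printf '%s\n' "$SAMPLE_AUDIT" | grep -F "key=\"$1\""
}

# failed_events_by_key KEY: only denied attempts (success=no), the lines worth
# triaging first because they show someone trying and failing to touch the file.
failed_events_by_key() {
  events_by_key "$1" | grep -F 'success=no'
}

# Stand-alone run.
print_rules
echo "--- passwd_changes events:"
events_by_key passwd_changes
echo "--- denied:"
failed_events_by_key passwd_changes
```

Note that auid (the login uid) survives sudo and su, so it is the field to pivot on when attributing a change to a person; uid only tells you the effective identity at the time of the syscall.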

Practical tips