One of the common issues that Intrusion Detection will highlight (depending on your Alert Level) is a large number of failed logins on the server. This typically happens for core services such as FTP (port 21), SSH (port 22) or RDP (port 3389) when those ports are open and reachable from the whole internet; in that case you will often see a large number of notifications in a very short time.

An example of a Failed Logins notification is shown below. In this case it was for the SSH service: sshd authenticates via PAM, and PAM writes the failures to /var/log/secure, which is the log the rule matched on.

Memset Penetration Patrol.
2019 Nov 06 16:18:34

Received From: (demoserver1) 1.2.3.4->/var/log/secure
Rule: 2502 fired (level 10) -> "User missed the password more than one time"
Portion of the log(s):

Nov  6 16:18:32 demoserver1 sshd[9999]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.88.112.117  user=admin

How to prevent these Failed Login Alerts

The failed login alerts you are seeing are caused by having a common service publicly accessible: anyone with internet access can reach the service and attempt to log in to the server.

There are many attackers and automated botnets that continuously scan the internet for publicly facing common services (e.g. FTP, SSH, RDP) and try to brute force access by guessing usernames and passwords. That is what these Intrusion Detection notifications are showing you: each guess is a failed login, and the rule fires once a source has failed more than once.

The most effective way to minimise the failed logins is to restrict access to these services to a specific list of IP addresses that you want to allow to reach the server, for example your office(s) and any other regular users. Provided they all have static IPs, only those addresses will be able to connect to the service and every other connection is dropped at the firewall before it can attempt a login, so it never produces a log line or an alert.

Any failed logins that remain after this would (most likely) be someone on an allowed network mistyping their username or password, or a compromised device on that network trying to brute force access, which is worth investigating in its own right.

This can all be done within the Firewall linked to the servers: create a unique rule group (either from scratch or by modifying/cloning an existing one) that lists these IPs as the only ones allowed to reach the service port (for example 3389 for RDP, or 22 for SSH as in the alert above) and apply that group to your servers, so that only one rule set needs to be updated when the allowed list changes. Our documentation for the Firewall Editor can be found here.
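As an added illustration of what the alert above and the allowlist approach mean in practice (this is example code written for this article; it is not part of Memset Penetration Patrol or of the rule that fired), the script below parses the PAM failure lines that sshd writes to /var/log/secure, totals the failures per remote host, flags any host that missed the password more than once (the condition behind rule 2502), and then checks each failing host against an allowlist of the kind described in the firewall paragraph, so you can see which failures would have been dropped at the firewall and which would still reach the server. Apart from the "PAM 2 more authentication failures" line quoted in the alert, the log lines are constructed for the example, and the allowlist ranges (198.51.100.0/24 and 192.0.2.10) are assumed documentation-range addresses, not real office networks.

```python
"""Count PAM authentication failures per source host, the way rule 2502
("User missed the password more than one time") does, then check the failing
hosts against a firewall allowlist.  Example code for this article, not part
of Memset Penetration Patrol."""
import ipaddress
import re
from collections import Counter

# Constructed sample of /var/log/secure.  The "PAM 2 more ..." line for
# 49.88.112.117 is the one quoted in the alert above; every other line is made
# up for this example and uses RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Nov  6 16:18:30 demoserver1 sshd[9999]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.88.112.117  user=admin
Nov  6 16:18:32 demoserver1 sshd[9999]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.88.112.117  user=admin
Nov  6 16:18:40 demoserver1 sshd[10001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=alice
Nov  6 16:18:55 demoserver1 sshd[10002]: Accepted publickey for deploy from 198.51.100.7 port 50122 ssh2
Nov  6 16:19:01 demoserver1 sshd[10003]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=root
Nov  6 16:19:05 demoserver1 sshd[10003]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=root
"""

# PAM logs the first failure of a session in full ...
SINGLE_RE = re.compile(r"pam_unix\([\w-]+:auth\): authentication failure;.*\brhost=(\S+)")
# ... and summarises the remaining ones as "PAM N more authentication failures".
MORE_RE = re.compile(r"PAM (\d+) more authentication failures;.*\brhost=(\S+)")


def count_failures(log_text):
    """Return {rhost: total failed logins} for the given log text.

    Lines without a parsable rhost= (successful logins, or failures where PAM
    could not determine the peer and left rhost empty) are ignored.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = MORE_RE.search(line)
        if m:
            counts[m.group(2)] += int(m.group(1))
            continue
        m = SINGLE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def offenders(counts, threshold=1):
    """Hosts that failed more than `threshold` times (rule 2502: more than once)."""
    return {host: n for host, n in counts.items() if n > threshold}


# Assumed allowlist, standing in for the firewall rule group described above:
# an office /24 and one static home address (documentation ranges, not real).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "192.0.2.10/32")]


def split_by_allowlist(counts, allowed=ALLOWED_NETWORKS):
    """Split failing hosts into (still_allowed, blocked).

    still_allowed: hosts inside the allowlist.  After the firewall change these
    can still reach the service, so their failures are the mistyped-password or
    compromised-device cases worth looking at.
    blocked: everything else.  These would never reach sshd and so would never
    produce an alert.  A rhost that is not an IP address (PAM can log a
    hostname) cannot be matched against a network and is treated as blocked.
    """
    still_allowed, blocked = {}, {}
    for host, n in counts.items():
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            blocked[host] = n
            continue
        target = still_allowed if any(ip in net for net in allowed) else blocked
        target[host] = n
    return still_allowed, blocked


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG)
    for host, n in sorted(offenders(counts).items(), key=lambda kv: -kv[1]):
        print(f"rule 2502 would fire: {host} missed the password {n} times")
    still_allowed, blocked = split_by_allowlist(counts)
    print("would still reach sshd after the allowlist:", still_allowed)
    print("would be dropped at the firewall:", blocked)
```

Run it against a real /var/log/secure by passing the file contents to count_failures; on the constructed sample the two hosts outside the allowlist account for nine of the ten failures, which is the usual picture: once the firewall rule group is in place, the remaining alerts come from your own networks and are worth a closer look rather than being noise.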

Alternatively, you can raise your Intrusion Detection alert level above the level of this rule (10 in the example above) so that these alerts are no longer sent to you. Note that this only hides the notifications; it does nothing about the brute-force attempts that are causing them. This can be done from within your Control Panel.