Intrusion Detection

10 Best Free and Open Source Host-Based Intrusion Detection Systems

Last Updated on May 27, 2022

An intrusion detection system is a device or software application that monitors a network or systems for malicious activity or policy violations.

IDS types range in scope from single computers to large networks. The most common classifications are network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). A system that monitors important operating system files is an example of an HIDS, while a system that detects malicious traffic on a network is an example of an NIDS.

Here’s our verdict on the finest HIDS. We only feature open source software here.

Best Free and Open Source Host Based Intrusion Detection Systems

Let’s explore the 10 HIDS. For each application we have compiled its own portal page, a full description with an in-depth analysis of its features, together with links to relevant resources.

Host-Based Intrusion Detection Systems
Fail2Ban: Ban hosts that cause multiple authentication errors
Wazuh: Platform used for threat prevention, detection, and response
OSSEC: Full platform to monitor and control your systems
Sagan: Multi-threaded, high-performance log analysis engine
Tripwire: Security and data integrity tool
Logwatch: Powerful and versatile log parser and analyzer
AIDE: Advanced Intrusion Detection Environment
Samhain: File integrity checking and log file monitoring/analysis and more
rkhunter: Scans for rootkits, backdoors and possible local exploits
chkrootkit: Locally checks for signs of a rootkit

If you’re looking for software-based NIDS, we recommend the best free and open source solutions in this separate article. NIDS can protect hundreds of computer systems from one network location. This helps make them a cost-effective solution and easier to deploy than an HIDS.


1 Comment
Anon User
4 months ago

While Samhain is difficult to install, it’s technically superior to Tripwire OSS, AIDE, and OSSEC. (Tripwire went closed source.) Fail2ban is NOT a HIDS solution, it’s an application firewall. If you’re exposing ssh and internal network infrastructure to the outside world, then you have bigger security attack surface problems that cannot be solved by rate-limiting ssh.