"If you have only a single computer, then it's possible for you to spend your days giving it careful manual scrutiny for mischiefs and problems. Perhaps not entirely desirable, but possible. But in the real world we need good tools to monitor and warn us of mischiefs, so we can actually go outside and have a life every so often. Intrusion detection is one of those gnarly jobs that can make you paranoid and nervous--it seems the more you study it, the more difficult, scary, and unreliable it appears. But it's really not that bad, and Linux admins have a number of powerful tools to choose from. The best tactic is a layered approach that combines the oldies but goodies, like Snort and iptables, add some newfangled tools like psad and AppArmor or SELinux, throw in some nice analysis tools, and you're darn near state-of-the-art.
"The oldtime notion of intrusion detection was to be alerted when an intruder successfully gained root access. But in these modern times, and actually in olden times too, any user account on the machine could be used for mischief..."
