Linux implements a simple and effective IDS system

Source: Internet
Author: User
Article title: Linux provides a simple and effective IDS system.
When it comes to IDS, administrators are surely familiar with the term, but I still want to define it briefly so that the rest of the article is easier to follow. This article is based on Red Hat 7.3; why? I hope you have read my first article, "Talking about Linux Security"; let's implement an IDS on the system we built there.
IDS stands for Intrusion Detection System. Its main job is to collect evidence of an intrusion and report it to you; it cannot guarantee accuracy, since that depends on the analysis capability of the software. There are many paid and free IDS products; among them Snort is the strongest. Everyone also knows Tripwire, which is an intrusion monitoring system too, but one that monitors whether your files have been modified. The system I introduce today does not have a lavish feature set, but it is simple and practical: it can effectively resist many attacks and respond to illegal port scans. Once configured, it can even scan the host that scanned you back and block all of its connections to your machine.
  
1. Theoretical Introduction
  
To put it bluntly, the software is portsentry, an IDS application that detects port scans and attacks.
  
ftp://194.199.20.114/linux/redhat/6.2/en/powertools/i386/i386/portsentry-0.99.1-1.i386.rpm
After downloading the package, install it:
rpm -ivh portsentry-0.99.1-1.i386.rpm
  
Let's talk about how capable portsentry is. It can do the following:
1. Drop all packets to the scanning host by adding a reject route with the route command.
2. Automatically update /etc/hosts.deny to block TCP-wrapper (xinetd-based) connections, simply blocking the host.
3. Automatically add a firewall rule with ipchains or ipfwadm to block connections from the host. This amounts to adding a strong rule and is the more practical and reliable option.
4. Log every observed scan to the system log. This function is very useful: you may choose to do nothing else, but you should still generate the log, so you can see who is poking at your precious server.
5. Run a custom command against the host that scans you, for example scanning it back.
With so many advantages, let's set it up on the machine. After the installation is complete, look in
/usr/psionic/portsentry
and you will see these files:
ignore.csh: a script that generates the list of hosts to ignore
portsentry: the executable program
portsentry.conf: the main configuration file
portsentry.ignore: the hosts that portsentry ignores
portsentry.history: generated only when a host has been blocked; records the detailed blocking information
Now let's start configuring and implement our functions.
vi portsentry.conf
The file is divided into several sections; I will introduce their configuration separately.
Actually, you can see that the file is basically a set of settings with good comments; I will not translate them one by one, since they explain it better than I can. Let's just talk about the important settings.
Port Configurations
Here you customize the ports you want to monitor. If you have special ports, add them to the list, separated by commas.
  
Advanced Stealth Scan Detection Options
The monitoring range:
ADVANCED_PORTS_TCP = "1024"
ADVANCED_PORTS_UDP = "1024"
This means that ports below 1024 are monitored. If you want to monitor a higher port such as 65423, raise this number accordingly.
  
Configuration Files
These are the locations of the configuration files; normally there is no need to modify them.
  
Ignore Options
Settings for the ports to ignore.
  
Dropping Routes
The route-dropping scheme.
Generally, this one can be used:
KILL_ROUTE = "/sbin/route add -host $TARGET$ reject"
The others depend on the operating system or on your actual situation.
You can also put an iptables command here instead.
  
TCP Wrappers
This is the simple method of adding the scanning host to hosts.deny to block it:
KILL_HOSTS_DENY = "ALL: $TARGET$ : DENY"
Comment out the original line and enable the one above, because we are using Red Hat.
  
External Command
The external command can run many custom operations, for example scanning back a host that runs nmap against you. We will come back to this later.
  
Port Banner Section
In theory, you can give a warning to whoever probes your services by setting PORT_BANNER = to something scary, but I don't know how much good it does.
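The settings above are easy to get subtly wrong, and portsentry gives little feedback when a kill string is malformed. The following checker is an added example, not code from the article or from the portsentry project: it writes two constructed portsentry.conf fragments (a weak one and a corrected one) and validates the port lists and the KILL_ROUTE / KILL_HOSTS_DENY strings. The option names TCP_PORTS and UDP_PORTS are the ones the shipped portsentry.conf uses for the port lists; the port values and the helper function names are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the article or portsentry): lint the settings
# discussed in the configuration walkthrough.  All config contents below
# are constructed sample data.

# conf_get FILE KEY -> prints the value of KEY="value" (first match), without quotes.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\(.*\)\".*/\1/p" "$1" | head -n 1
}

# check_ports LIST -> 0 if LIST is comma-separated integers in 1..65535.
check_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | awk '
        !/^[0-9]+$/ || $1 < 1 || $1 > 65535 { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# check_conf FILE -> prints one problem per line; returns 0 when clean.
check_conf() {
    f=$1; rc=0
    for key in TCP_PORTS UDP_PORTS; do
        v=$(conf_get "$f" "$key")
        if [ -z "$v" ] || ! check_ports "$v"; then
            echo "$key: bad port list '$v'"; rc=1
        fi
    done
    for key in ADVANCED_PORTS_TCP ADVANCED_PORTS_UDP; do
        v=$(conf_get "$f" "$key")
        if [ -n "$v" ] && ! check_ports "$v"; then
            echo "$key: not a valid port '$v'"; rc=1
        fi
    done
    # The kill strings only act on the scanner if portsentry can substitute
    # its address; without the $TARGET$ token they block nothing useful.
    for key in KILL_ROUTE KILL_HOSTS_DENY; do
        v=$(conf_get "$f" "$key")
        case "$v" in
            '') ;;
            *'$TARGET$'*) ;;
            *) echo "$key: missing \$TARGET\$ token in '$v'"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed weak config: a non-numeric UDP entry and a KILL_ROUTE whose
# placeholder is written as TARGET instead of $TARGET$.
write_weak_conf() {
    cat > "$1" <<'EOF'
TCP_PORTS="1,11,15,79,111,1080,1524,31337"
UDP_PORTS="1,7,9,69,161,162,abc"
ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
KILL_ROUTE="/sbin/route add -host TARGET reject"
KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
EOF
}

# Constructed corrected config with the same settings fixed.
write_good_conf() {
    cat > "$1" <<'EOF'
TCP_PORTS="1,11,15,79,111,1080,1524,31337"
UDP_PORTS="1,7,9,69,161,162"
ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
EOF
}

# Stand-alone demonstration: lint both constructed files.
demo=$(mktemp)
write_weak_conf "$demo";  echo "weak config:";      check_conf "$demo" || true
write_good_conf "$demo";  echo "corrected config:"; check_conf "$demo" && echo "ok"
rm -f "$demo"
```

Run it against your real file with `check_conf /usr/psionic/portsentry/portsentry.conf` after sourcing the script; the checker deliberately ignores commented-out lines, so the line you commented out in the TCP Wrappers section is not reported.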
  
After the settings are done, start it with portsentry -stcp; this mode catches SYN and other stealth scans. Find another machine, scan with nmap or a similar scanner, and check whether the scan is logged and whether the scanning host was added to /etc/hosts.deny.
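Checking the log, hosts.deny and the routing table by hand after every test scan gets tedious. The script below is an added example, not part of the article: it pulls the scanning hosts out of portsentry's log lines and reports any that ended up without the hosts.deny entry from the TCP Wrappers section or the reject route from the Dropping Routes section. All input is constructed sample data so it runs offline; the "attackalert" log format is my assumption about what portsentry writes, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): verify that hosts portsentry logged
# were actually blocked.  The log, hosts.deny and route output below are
# constructed sample data; the log format is assumed.

# Constructed syslog excerpt in an assumed portsentry attackalert format.
SAMPLE_LOG='Mar  3 10:01:12 web portsentry[812]: attackalert: SYN/Normal scan from host: 192.0.2.10/192.0.2.10 to TCP port: 23
Mar  3 10:01:12 web portsentry[812]: attackalert: SYN/Normal scan from host: 192.0.2.10/192.0.2.10 to TCP port: 111
Mar  3 10:07:40 web portsentry[812]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 1080
Mar  3 10:15:02 web portsentry[812]: attackalert: SYN/Normal scan from host: 203.0.113.9/203.0.113.9 to TCP port: 22'

# Constructed /etc/hosts.deny: two hosts blocked with the KILL_HOSTS_DENY
# string from the article, the third one missing.
SAMPLE_HOSTS_DENY='ALL: 192.0.2.10 : DENY
ALL: 198.51.100.7 : DENY'

# Constructed "route -n" output; "!" in the Flags column marks a reject route.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.10      -               255.255.255.255 !H    0      -        0 -
198.51.100.7    -               255.255.255.255 !H    0      -        0 -
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# scan_hosts LOGTEXT -> "ip probes" per scanning host, sorted by ip.
scan_hosts() {
    printf '%s\n' "$1" \
        | awk '/attackalert:.*from host: / {
                   sub(/.*from host: /, ""); split($0, a, "/"); n[a[1]]++ }
               END { for (h in n) print h, n[h] }' \
        | sort
}

# in_hosts_deny IP DENYTEXT -> 0 if IP appears as a whole address on a line.
in_hosts_deny() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s\n' "$2" | grep -q -E "(^|[^0-9.])$esc([^0-9.]|\$)"
}

# has_reject_route IP ROUTETEXT -> 0 if IP has a host route flagged "!" (reject).
has_reject_route() {
    printf '%s\n' "$2" | awk -v ip="$1" '$1 == ip && $4 ~ /!/ { found = 1 }
                                         END { exit found ? 0 : 1 }'
}

# unblocked_hosts LOGTEXT DENYTEXT ROUTETEXT -> hosts seen scanning that lack
# either the hosts.deny entry or the reject route.
unblocked_hosts() {
    scan_hosts "$1" | while read -r ip probes; do
        if ! in_hosts_deny "$ip" "$2" || ! has_reject_route "$ip" "$3"; then
            echo "$ip"
        fi
    done
}

# Stand-alone demonstration on the constructed data.
echo "hosts seen scanning (ip probes):"
scan_hosts "$SAMPLE_LOG"
echo "hosts NOT fully blocked:"
unblocked_hosts "$SAMPLE_LOG" "$SAMPLE_HOSTS_DENY" "$SAMPLE_ROUTES"
```

On a live box you would feed it `grep attackalert /var/log/messages`, the contents of /etc/hosts.deny and the output of `route -n` instead of the constructed strings; a host that shows up as not fully blocked usually means the corresponding KILL_ string is commented out or mistyped.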
  
Note that it is said some scanning software hangs after portsentry responds. I don't really believe that, but it can at least slow a scan down a little.
Second, it is said that portsentry puts your NIC into promiscuous mode; I have observed that the NIC did not change to promiscuous mode. Still, I should remind you that promiscuous mode can reduce system responsiveness, so weigh it for yourself.
Personally I think that when portsentry runs on a server you don't have to respond at all: just record the scans and check the log regularly. The most you would do is drop the route, or have nmap scan the intruding host automatically when it scans you.
For that, in the
External Command
section add
KILL_RUN_CMD = "/usr/bin/nmap -O $TARGET$ >> /var/log/scanIP.log"
(the redirect belongs inside the quotes, and >> appends so earlier entries are kept). Then you can view the information about the host that scanned you in /var/log/scanIP.log.
Remember to start it. I forgot to tell you the running parameters:
-tcp: basic simple listening for TCP
-udp: basic simple listening for UDP
-stcp: the recommended mode; listens for stealthy TCP scans such as SYN and FIN scans
-atcp: blocks all connections to the ports listed in portsentry.conf; you must manually configure the hosts that are allowed
-sudp: like -stcp, but for UDP
-audp: like -atcp, but for UDP
  