Build the intrusion detection system under Linux--lids System Management Command--vlock

Source: Internet
Author: User


http://blog.chinaunix.net/uid-306663-id-2440200.html

Composition of LIDS

LIDS consists of two user-space tools, a few configuration files, and a kernel patch:
/sbin/ holds the lidsadm and lidsconf commands

/etc/lids/lids.conf # ACL configuration file
/etc/lids/lids.cap # LIDS capabilities configuration file
/etc/lids/lids.pw # LIDS password file
/etc/lids/lids.net # LIDS alert mail configuration file

I. What is LIDS

LIDS is short for Linux Intrusion Detection System. It is a host-based intrusion detection system implemented as a Linux kernel patch. Integrated into the kernel, it further hardens it by adding a sealed mode, a reference (monitoring) mode, and a mandatory access control mode.

(1) The main functions of LIDS:

1. Protection: protects important files and directories on disk of any type, such as /bin, /sbin, /usr/bin, /usr/sbin, /etc/rc.d and their contents, as well as sensitive system files such as passwd and shadow. Unauthorized persons (including root) and unauthorized programs are kept out; no one, including root, can change protected files, and files can be hidden. Important processes are protected from being terminated: no one, including root, can kill them, and specific processes can be hidden. Raw I/O by unauthorized programs is prevented, which protects the hard disk, including the MBR.

2. Detection: a port-scan detector is built into the kernel, so LIDS can detect scans and report them to the system administrator. LIDS also detects any process that violates the rules on the system.

3. Response: security alerts come from the kernel. When someone violates a rule, LIDS displays a warning on the console and logs the details of the violation to a LIDS-protected system log file. LIDS can also send the log message to your mailbox, and it can close the offending user's session immediately.

(2) Why LIDS is needed on Linux.

As Linux has matured, many small and medium-sized enterprises have migrated their important services to it. The strong security and low cost of Linux give the enterprise services built on it room to grow and compete. In today's network environment, however, attacker skills keep improving, the number of attackers keeps growing, and attack tools keep developing, so network attacks are more and more frequent. The security of Linux systems is tested again and again, and their security flaws become more and more apparent. How to keep the data on servers exposed to the network safe is an urgent problem for the SMEs that run their business on Linux. A network firewall blocks most network attacks, but once an attack gets through the firewall, the critical data on the system is at risk of complete compromise. Deploying LIDS on the Linux system is therefore necessary. It ensures that important directories and files cannot be copied or deleted, that important services cannot be removed or stopped, that the system login method cannot be modified, and so on. It provides comprehensive protection for the data on the Linux system and also serves as a second line of defense behind the firewall.

II. Obtaining and installing the LIDS kernel patch and the LIDS toolkit

LIDS is open source, so users can use it freely and safely. Both the LIDS kernel patch and the LIDS toolkit can be downloaded directly from the LIDS website (www.lids.org). Make sure the LIDS patch you download matches the kernel version of the Linux system you are running; the toolkit can simply be the latest version. At the time of writing the latest toolkit is lids-2.2.7.2.tar.gz and the latest patch is lids-2.2.3rc-2.6.21.patch.

1. Apply the LIDS kernel patch.

Take the latest LIDS kernel patch as an example. Save the downloaded patch to /usr/src and switch to a text console as root. Assuming the kernel source is under /usr/src/linux:

# cd /usr/src/linux

# patch -p1 < /usr/src/lids-2.2.3rc-2.6.21.patch

Reconfigure the kernel:

# make menuconfig

Select all the LIDS-related items. This saves less experienced users a lot of unnecessary trouble, and since the LIDS code is not large, it does not noticeably affect system performance.

After making your selections, recompile the kernel:

# make

# make install

This produces a kernel with LIDS built in, but LIDS still has to be configured. To run the new LIDS kernel, reboot the system (LIDS is a kernel patch, so it only takes effect in the recompiled kernel).

2. Install the LIDS toolkit.

Again taking the latest version as an example, save the downloaded toolkit to /home/username (username is the account you log in with) and install it as follows:

# cd /home/username

# tar -zxvf lids-2.2.7.2.tar.gz

# cd lids-2.2.7.2

# ./configure

# make

# make install

This installs the lidsadm and lidsconf tools into /sbin/, creates the /etc/lids directory and generates default configuration files there. Before using LIDS, update the default configuration with the "lidsconf -U" command.

(Note: if compiling the toolkit fails with a gcc error saying that lidsext.h does not exist, edit the Makefile in the toolkit directory and add "-I/usr/src/linux/include" to the CFLAGS option, then recompile.)

3. The lidsadm and lidsconf command-line tools.

(1) lidsadm and its options:

lidsadm is the LIDS administration tool. With it you manage LIDS on your system: enabling or disabling LIDS, sealing the kernel, and viewing the LIDS status.

Use the following command to list all available options:

# lidsadm -h

It returns the following information:

......

lidsadm -[S|I] -- [+|-]LIDS_FLAG [...]

lidsadm -V

lidsadm -h

Command parameters:

-S: submit the password when switching protection options;

-I: switch protection options without submitting a password (used at boot to seal the kernel);

-v: display the version;

-V: view the current LIDS status;

-h: list all options.

The available capabilities (only part of the list is shown):

CAP_CHOWN: chown/chgrp

CAP_NET_BROADCAST: listen for broadcasts

CAP_NET_ADMIN: interface, firewall and routing changes

CAP_IPC_LOCK: lock shared memory

CAP_SYS_MODULE: insert and remove kernel modules

CAP_HIDDEN: hide processes

CAP_SYS_RESOURCE: set resource limits

CAP_KILL_PROTECTED: kill protected processes

CAP_PROTECTED: protected process in single-user mode

Available flags:

LIDS: disable or activate LIDS locally

LIDS_GLOBAL: disable or activate LIDS completely

RELOAD_CONF: reload the configuration files

(2) lidsconf and its options:

lidsconf configures the access control lists (ACLs) and sets the LIDS password.

Enter the following command to display all available options:

# lidsconf -h

It returns the following information:

......

lidsconf -A [-s subject] -o object [-d] [-t from-to] [-i level] -j ACTION

lidsconf -D [-s file] [-o file]

lidsconf -E

lidsconf -U

lidsconf -L

lidsconf -P

lidsconf -v

lidsconf -[h|H]

Command parameters:

-A: add an entry to the ACL

-D: delete a specified entry

-E: delete all entries

-U: update the dev/inode numbers

-L: list all entries

-P: generate a password hashed with RIPEMD-160

-v: show the version

-h: display help

-H: show more help

Subject:

-s [--subject]: specifies the subject, which can be any program but must be a file;

Object:

-o [--object]: can be a file, a directory, a capability, or a socket name.

Action:

-j: takes one of the following arguments:

DENY: no access

READONLY: read-only

APPEND: append only

WRITE: writable

GRANT: grant the subject a capability

IGNORE: ignore all rules set on the object

DISABLE: disable some extended features

Other options:

-d: the object is an executable domain

-i: inheritance level

-t: restrict the rule to a time period (from-to)

-e: extended list

III. Using LIDS

1. Enabling and setting up LIDS.

First, for the ACLs set with LIDS to take effect, LIDS must seal the kernel at boot. At the last stage of each boot (after the last kernel module has been loaded), sealing applies the global capabilities according to /etc/lids/lids.cap on your system, which is where your settings are saved. To seal the kernel, add the following line to /etc/rc.d/rc.local:

/sbin/lidsadm -I

Before you start using LIDS, if you were not asked to set a password when the tools were installed, set one now; it is needed to enter a LIDS free session. Use the following command:

# lidsconf -P

You will be prompted to enter the password twice; the system then saves it, hashed with RIPEMD-160, to /etc/lids/lids.pw. Once the password is set, you must supply it whenever you modify ACLs or capabilities, or when you start a LIDS session. You can run this command again later to change the password; after changing it, re-update the LIDS configuration with the following command. (Note: you will not be prompted for the old password when changing it.)

lidsadm -S -- +RELOAD_CONF

Note that after any change to LIDS you should use the above command to re-update the configuration; it reloads the following files:

/etc/lids/lids.conf # ACL configuration file

/etc/lids/lids.cap # LIDS capabilities configuration file

/etc/lids/lids.pw # LIDS password file

/etc/lids/lids.net # LIDS alert mail configuration file

Then restart the affected system services so the changes take effect.

2. Protecting the system with LIDS.

The first thing to understand is that on a LIDS-protected Linux system, data that has been placed under protection can only be modified from a LIDS free session terminal, and all LIDS configuration work is done in such a session. Open a LIDS free session with the following command:

# lidsadm -S -- -LIDS

After entering the password at the prompt, a LIDS free session is established; in it you can enable or disable LIDS and leave the session. While it is open, the data on the Linux system is not protected by LIDS. When you have finished modifying files or data, re-enable LIDS with the following command:

# lidsadm -S -- +LIDS

Also note that on a system with a LIDS kernel, the file /etc/lids/lids.cap lists all the capabilities with a description of each. A "+" in front of a capability enables it and a "-" disables it; you must reload the configuration after changing the file.

Now let's use these capabilities and ACLs to protect the important data.

(1) Protect a file as read-only.

# lidsconf -A -o /some/file -j READONLY

Once LIDS is enabled, this command guarantees that no one can modify or delete the file. In a LIDS free session you can still modify /some/file, provided the partition is not mounted read-only. Substitute the real path for /some/file.

(2) Protect a directory as read-only.

# lidsconf -A -o /some/directory -j READONLY

Once LIDS is enabled, this command ensures that no one can modify or delete the directory or its contents. In a LIDS free session you can still modify /some/directory, provided the partition is not mounted read-only. For example, to make /etc read-only:

lidsconf -A -o /etc -j READONLY

Note: once /etc is read-only, mounting file systems needs care. Delete /etc/mtab and replace it with a symbolic link to /proc/mounts. You must also edit your init scripts and add the "-n" option to every mount and umount command; this option tells mount and umount not to update /etc/mtab. For example, if your init script contains the line: mount -av -t nonfs,noproc, change it to: mount -av -n -t nonfs,noproc.



(3) Hide a file or directory so that no one can see it.

# lidsconf -A -o /some/file_or_directory -j DENY

With this rule no one, not even root, can access the object; if it is a directory, the files and directories under it are hidden as well, and the same applies to a whole file system.

(4) Allow specific programs read-only access to very sensitive files.

For example, /etc/shadow must be read during login, so you can specify which programs may use it for system authentication, such as login, ssh, su and vlock. To allow only login read-only access to /etc/shadow:

# lidsconf -A -s /bin/login -o /etc/shadow -j READONLY

(5) Start a service as root on a privileged port.

A service that binds a privileged port (1024 or below) needs the CAP_NET_BIND_SERVICE capability. If this capability is disabled in /etc/lids/lids.cap, no service can be started on a privileged port, even as root. Grant the capability to a specific program instead:

# lidsconf -A -s /usr/local/bin/apache -o CAP_NET_BIND_SERVICE 80 -j GRANT

Alternatively, start the service while LIDS_GLOBAL is disabled.

(6) Keep the X Window System working while LIDS is enabled.

When LIDS is enabled, the X server must hold the CAP_SYS_RAWIO capability to work:

# lidsconf -A -s /path/to/your/x-server -o CAP_SYS_RAWIO -j GRANT

(7) Enable ssh and scp.

By default ssh and scp make their remote connection through a privileged port, which requires the CAP_NET_BIND_SERVICE capability, so grant CAP_NET_BIND_SERVICE to ssh:

# lidsconf -A -s /usr/bin/ssh -o CAP_NET_BIND_SERVICE 22 -j GRANT

(8) Restrict access to a time period.

For example, to allow users to log in only between 8:00 and 18:00:

# lidsconf -A -s /bin/login -o /etc/shadow -t 0800-1800 -j READONLY

You can also prefix the "-t" range with "!", meaning the rule applies at all times except the specified period.

(9) Send security alerts over the network.

In /etc/lids/lids.net, specify the mailbox that receives security alerts sent over the network. Note that there must be no spaces before or after the e-mail address. Reload the configuration after modifying the file.
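The rules from steps (1) to (9) above, collected into one script as an added example (this is not code from the original article or from the LIDS project). It assumes lidsconf and lidsadm live in /sbin and that the program paths are the ones used in this article; adjust them to your system. Setting LIDSCONF=echo LIDSADM=echo prints the rules instead of applying them, which is worth doing before sealing the kernel.

```sh
#!/bin/sh
# Added example: build the LIDS ACL baseline described in section III.
# Assumed tool locations; override with LIDSCONF=echo LIDSADM=echo for a dry run.
LIDSCONF="${LIDSCONF:-/sbin/lidsconf}"
LIDSADM="${LIDSADM:-/sbin/lidsadm}"

# Object-only rules: they apply to every program on the system, root included.
lids_readonly() { "$LIDSCONF" -A -o "$1" -j READONLY; }
lids_hide()     { "$LIDSCONF" -A -o "$1" -j DENY; }
# Per-program exception to a DENY/READONLY object (the subject must be a file).
lids_except()   { "$LIDSCONF" -A -s "$1" -o "$2" -j "$3"; }
# Grant one capability to one program; the optional third argument is the port
# for CAP_NET_BIND_SERVICE, as in the apache and ssh rules above.
lids_grant()    { "$LIDSCONF" -A -s "$1" -o "$2" ${3:+"$3"} -j GRANT; }

apply_baseline() {
    # Step (2): system binaries and configuration are read-only for everyone.
    for d in /bin /sbin /usr/bin /usr/sbin /etc; do lids_readonly "$d"; done
    # Step (3): hide the password database entirely ...
    lids_hide /etc/shadow
    # Steps (4) and (8): ... then let only the authenticating programs read it,
    # with login additionally limited to working hours.
    "$LIDSCONF" -A -s /bin/login -o /etc/shadow -t 0800-1800 -j READONLY
    lids_except /usr/sbin/sshd /etc/shadow READONLY
    lids_except /bin/su /etc/shadow READONLY
    # Steps (5) and (7): privileged ports only for the daemons that need them.
    lids_grant /usr/sbin/sshd CAP_NET_BIND_SERVICE 22
    lids_grant /usr/local/bin/apache CAP_NET_BIND_SERVICE 80
    # Step (1): refresh dev/inode numbers, then reload the files under /etc/lids.
    "$LIDSCONF" -U
    "$LIDSADM" -S -- +RELOAD_CONF
}

# Dry run: count the ACL entries the baseline would add, without applying any.
count_rules() { ( LIDSCONF=echo; LIDSADM=echo; apply_baseline ) | grep -c -- '^-A'; }
```

Run apply_baseline from a LIDS free session (lidsadm -S -- -LIDS) as root; the time-limited login rule and the per-program exceptions only make sense once /etc/shadow is hidden first, which is why the order matters.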

I have submitted this article to Webmaster World magazine for publication; I am posting it here only because more friends may need this content.


Linux command: System Management -- vlock
http://www.jb51.net/linux/vlock.htm
vlock (Virtual Console lock)

Function: lock the virtual terminal.

Syntax: vlock [-achv]

Note: running vlock locks the virtual terminal so that others cannot use it.

Parameters
-a or --all: lock all virtual terminals; if this option is used on a full-screen terminal, the keyboard's terminal-switching function is disabled as well.
-c or --current: lock the current terminal only; this is the default.
-h or --help: online help.
-v or --version: display version information.
