Enterprise Linux open-source system Host Intrusion Detection and defense (1)

In the construction of the actual intrusion detection and defense system, some enterprises mainly use the network to discover and block network threats. Some mainly use host defense to prevent host intrusion. If we build on one of them, there will be deviations. We recommend that you integrate multiple aspects of information and conduct comprehensive defense in depth so as to achieve good results.

In open-source systems, such as Linux operating systems, three intrusion detection systems are provided from the application to the kernel layer to defend against networks and hosts, they are network intrusion detection system Snort, Host Intrusion Detection System LIDS, and distributed Intrusion Detection System SnortCenter. Among them, Snort focuses on network-level intrusion detection; LIDS focuses on host-level intrusion detection and defense; snortCenter is a distributed detection mechanism to improve the real-time and accuracy of Intrusion Detection in a distributed environment.

In the actual application process of an enterprise, the special functions of LIDS are often ignored. In fact, as a host intrusion detection mechanism rooted in the kernel layer, it is an indispensable security mechanism for open-source systems as hosts, especially servers. This article describes in detail how to use it for level-by-level security defense.

Introduction

LIDS is a Linux intrusion detection and protection system. It is a Linux kernel patch and security management tool that enhances kernel security, it implements the reference listening mode and Mandatory Access Control mode in the kernel. Unlike the Snort intrusion detection system described earlier in this article, it belongs to the network IDS category, while LIDs belongs to the Host IDS category.

Generally, the main functions of LIDS include the following:

Important system resource protection: protects important files and directories of any type on the hard disk, such as/bin,/sbin,/usr/bin,/usr/sbin,/etc/rc. d and other directories and files under it, as well as sensitive files in the system, such as passwd and shadow files, to prevent unauthorized users including root users) and unauthorized programs. Protection of important processes is not terminated. No one, including the root user, can kill the processes and hide specific processes. Protects hard disks, including MBR protection, by preventing illegal I/O operations.

Intrusion Detection: LIDS can detect any process on the system that violates rules.

Intrusion Response: A security warning from the kernel. When someone violates the rules, LIDS will display a warning on the console and record illegal activity details to the System log File protected by LIDS. LIDS can also send log information to the user's mailbox. In addition, LIDS can immediately close the session with the user.