Kernel-based Intrusion Detection

Source: Internet
Author: User
Kernel-based intrusion detection is a relatively new approach to intrusion detection on Linux: the checks are enforced inside the kernel itself rather than by a user-space daemon that can be killed or bypassed by root. The best-known kernel-based intrusion detection system for Linux is LIDS.

What is LIDS? LIDS (Linux Intrusion Detection System) is an intrusion detection and prevention system implemented as a Linux kernel patch and administered with the lidsadm tool.

The purpose of LIDS is to stop even the superuser (root) from tampering with critical parts of the system. Its main features are blocking direct access to I/O ports and to kernel memory, blocking raw access to disk devices, and protecting the system log files. LIDS also blocks specific operations, such as installing a packet sniffer or modifying the firewall configuration.

LIDS documentation

Installing LIDS is a little more involved than installing PortSentry or LogCheck, but fortunately there is a detailed installation and configuration manual on the LIDS homepage.

Install LIDS

Before installation we need the latest LIDS package (I am using 0.9) and a kernel version that LIDS supports. I am using the 2.2.14-12 kernel downloaded from the Red Hat homepage, because it contains some security patches. You also need the source code of the kernel you are running.

Currently, LIDS mainly targets the 2.2.14 kernel. I installed LIDS on Red Hat Linux 6.2 with the 2.2.14 kernel. Before installing LIDS, I downloaded the latest kernel from ftp.redhat.com and installed it following http://www.redhat.com/support/docs/howto/kernel-upgrade/kernel-upgrade.html.

Next, upgrade the kernel source package:

    rpm -Uhv kernel-source-2.2.14-12.i386.rpm

Then compile and install the lidsadm program:

    cd /usr/local/src/security/lids-0.9/lidsadm-0.9
    make
    make install

Generate the RIPEMD-160 hash of the LIDS password; the hash, not the password itself, is compiled into the kernel later:

    lidsadm -P

Entering the password "anypass" gives the hash d502d92bfead11d1ef17887c9db07a78108859e8. Use a strong password on a real system: the hash is stored in the kernel .config and compiled into the kernel image, so anyone who can read either can try to guess the password offline. Next, copy the Red Hat configuration file into the kernel tree under /usr/src/linux:

    cd /usr/src/linux/configs/
    cp kernel-2.2.12-i686.config ..

Apply the LIDS patch to the kernel source:

    cd /usr/src
    patch -p0 < lids-0.9-2.2.14-redhat.patch

Note that the kernel shipped by Red Hat differs slightly from the standard 2.2.14 kernel released by Linus, because it contains modified drivers. Accordingly, lids-0.9-2.2.14-redhat.patch differs slightly from the standard lids-0.9-2.2.14.patch released by the LIDS project, and the standard patch may not apply cleanly to the Red Hat kernel.

Finally, configure, compile, and install the kernel:

    cd /usr/src/linux
    make menuconfig
    make dep; make clean
    make install; make modules; make modules_install
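The installation steps above, collected into one POSIX sh script as an added example; it is not code from the original article or from the LIDS project. It assumes the paths, versions and Red Hat patch file name used in the article (all overridable through environment variables), that the kernel source root is /usr/src/linux, and that the Red Hat config should be copied to .config, which is the file make menuconfig reads. The dry run before patching is an addition the article does not mention; the remaining commands are the article's own.

```shell
#!/bin/sh
# Added example, not code from the original article or the LIDS project:
# the install procedure as one script with the checks a practitioner
# would add. Versions, paths and the patch file name are the ones the
# article uses; override them through the environment. The source root
# /usr/src/linux and the config file name are assumptions from the text.
set -eu

LIDS_VER="${LIDS_VER:-0.9}"
KERNEL_VER="${KERNEL_VER:-2.2.14}"
SRC_ROOT="${SRC_ROOT:-/usr/src}"
LIDS_SRC="${LIDS_SRC:-/usr/local/src/security/lids-$LIDS_VER}"
PATCH_FILE="${PATCH_FILE:-$LIDS_SRC/lids-$LIDS_VER-$KERNEL_VER-redhat.patch}"
CONFIG_FILE="${CONFIG_FILE:-$SRC_ROOT/linux/configs/kernel-2.2.12-i686.config}"

# Fail early with a clear message instead of halfway through a build.
require_path() {
    [ -e "$1" ] || { echo "missing $2: $1" >&2; return 1; }
}

# Apply a -p0 patch from inside the source root, but only after a dry run
# shows that every hunk applies cleanly. A half-applied patch (for
# instance a patch made for a different kernel revision) leaves a tree
# that is awkward to recover; on a failed dry run the tree is untouched.
lids_apply_patch() {
    srcroot="$1"
    patchfile="$2"
    require_path "$srcroot" "kernel source root" || return 1
    require_path "$patchfile" "LIDS patch" || return 1
    if ! (cd "$srcroot" && patch -p0 -s --dry-run < "$patchfile"); then
        echo "patch does not apply cleanly; tree left untouched" >&2
        return 1
    fi
    (cd "$srcroot" && patch -p0 -s < "$patchfile")
}

# Build and install lidsadm, then run lidsadm -P, which prompts for the
# LIDS password and prints the RIPEMD-160 hash to enter in the kernel
# configuration.
lids_build_lidsadm() {
    require_path "$LIDS_SRC/lidsadm-$LIDS_VER" "lidsadm source" || return 1
    (cd "$LIDS_SRC/lidsadm-$LIDS_VER" && make && make install)
    lidsadm -P
}

# Copy the Red Hat config into place as .config, then configure, build
# and install the patched kernel in the order the article uses.
# make menuconfig is interactive: that is where the LIDS options are set.
lids_build_kernel() {
    require_path "$CONFIG_FILE" "Red Hat kernel config" || return 1
    cp "$CONFIG_FILE" "$SRC_ROOT/linux/.config"
    (cd "$SRC_ROOT/linux" && make menuconfig && make dep && make clean \
        && make install && make modules && make modules_install)
}

main() {
    lids_build_lidsadm
    lids_apply_patch "$SRC_ROOT" "$PATCH_FILE"
    lids_build_kernel
}

# Only run the whole procedure when asked (LIDS_RUN=1); otherwise the
# file can be sourced and the steps run one at a time.
if [ -n "${LIDS_RUN:-}" ]; then
    main
fi
```

Run it with LIDS_RUN=1 to execute the whole procedure, or source the file to get the functions and run the steps one at a time. lids_apply_patch returns non-zero and leaves the tree untouched whenever the dry run fails, so a wrong patch is caught before any hunk is written.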

The following listing shows the LIDS options I set during kernel configuration ([*] selected, [ ] not selected):

[*] Linux Intrusion Detection System support (EXPERIMENTAL)
--- LIDS features
[ ] Hang up console when raising a security alert
[*] Security alert when execing unprotected programs before sealing
[ ] Do not execute unprotected programs before sealing LIDS
[*] Enable init children lock feature
[*] Try not to flood logs
(60) Authorised time between two identic logs (seconds)
[*] Allow switching LIDS protections
    The RipeMD-160 encrypted password: d502d92bfead11d1ef17887c9db07a78108859e8
    (3) Number of attempts to submit password
    (3) Time to wait after a fail (seconds)
    [*] Allow remote users to switch LIDS protections
    [ ] Allow any program to switch LIDS protections
    [*] Allow reloading config. file
[ ] Hide some known processes
[*] Port scanner detector in kernel
[ ] Send security alerts through network
--- Special authorizations
[ ] Allow some known processes to access /dev/mem (xfree, etc.)
[ ] Allow some known processes to access raw disk devices
[ ] Allow some known processes to access io ports
[ ] Allow some known processes to change routes
--- Special UPS
[*] Allow some known processes to unmount devices
    Allowed processes: "/etc/rc.d/init.d/halt;/etc/rc.d/init.d/netfs"
    [*] Unmounting capability is inherited
[*] Allow some known processes to kill init children
    Allowed processes: "/etc/rc.d/init.d/halt"
    [*] Killing capability is inherited

As you can see, this is the configuration for a server without a UPS that must remain reachable for remote administration: remote users may switch the LIDS protections, while only the halt and netfs init scripts may unmount devices or kill children of init. Every installation is different, so adjust these options to your own environment.