Linux Intrusion Detection

Source: Internet
Author: User
Article Title: Linux Intrusion Detection.
This article focuses on several host-based Intrusion Detection Systems for Linux. In particular, we will cover some elements of how to install these software packages, their usefulness, and when they can be used.
  
System Security 101
  
This section covers some basic system security knowledge. In particular, I assume that the common measures used to resist intrusion from the Internet are already in place on the host. These measures are as follows:
  
A firewall determines which TCP or UDP ports users on the Internet are allowed to reach. For example, with a few simple firewall rules a Web server can be configured so that it is reachable from outside only on port 80, the port used to provide HTTP service.
  
The system runs no unnecessary daemons. For example, a Web server generally only needs the process that serves Web pages. Services unrelated to serving pages, such as RPC/portmap, NFS, the X Font Server and DNS, together with any other externally reachable or unused applications, should be turned off or disabled. On Red Hat Linux this is usually done with a runlevel editor; for example, you can use ntsysv or tksysv to disable unwanted daemons.
  
Edit /etc/inetd.conf to close unnecessary ports. When a new Linux system is installed, many ports are opened by default in /etc/inetd.conf. On every system, unused ports should be disabled by deleting or commenting out the corresponding lines in /etc/inetd.conf. This is the most basic system security measure.
  
Lines of Defense
  
Illustration 1: multi-layer system security
  
This section discusses multi-layer system security. When one security layer is breached, the remaining layers still apply independently and provide additional defense. Illustration 1 shows a multi-layered system security model.
  
Each layer in the chart provides additional protection behind the previous layer. For example, the first layer is the firewall. If the firewall does not block an external intrusion attempt, the second layer, the port daemon, provides additional protection. Behind that are the LIDS and LogCheck programs, which still protect the system when an intrusion attempt is not intercepted by layer 2.
  
Monitor current connection
  
The first protection layer after the firewall is a software package that monitors connection attempts to the current host. The PortSentry package (http://www.psionic.com/abacus/portsentry/) provides some simple and useful ways to do this.
  
Role of the PortSentry Program
  
The main function of the port daemon is to monitor activity on selected TCP/IP ports. PortSentry monitors and reports port activity and can take one of several selectable responses, including rejecting further connection attempts from the source. This is a very important protection measure, because attackers usually probe a system for vulnerabilities with scanning tools before they intrude into it. When a probe or port scan is detected, PortSentry can cut off the connection attempts from that potential attacker completely and stop any further port scans with intrusion intent.
  
Install PortSentry
  
For Red Hat users, the RPM package on the Red Hat ftp server contains this program. This site has mirrors all over the world; you can find the one closest to you at www.redhat.com. I am not sure whether PortSentry is packaged in .deb format, but I am sure such a package exists. For other Linux users, installing the software from source is quite simple.
  
Recommended Configuration
  
PortSentry has many running modes, including separate UDP and TCP modes with different levels of stealth. The mechanism I chose is to bind PortSentry to TCP ports that are not in use or that are likely targets of intrusion attempts. For example, these ports on my Web server are scanned 24 hours a day: port 143 (imap2), port 111 (portmap) and port 23 (telnet) are all TCP ports not used on my Internet-facing system. You can run the following command:
  
portsentry -tcp
  
to start PortSentry in basic TCP mode when your system boots. Make sure that the PortSentry configuration file portsentry.conf contains a TCP_PORTS line listing the ports to be watched.
  
Response Options
  
The "Response Options" section of portsentry.conf specifies in detail how PortSentry responds when it notices an unexpected connection. Generally, I use ipchains to block further connections from the source of the connection. This is configured through the following line in portsentry.conf:
  
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
  
If you are receiving scans against high ports, you can remove the -l (logging) option from the line above: further connections are still blocked, and system log space is conserved.
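The portsentry.conf lines that implement the setup described above, as an added example that is not taken from the article or from the PortSentry package; the port list and the hosts.deny line are illustrative and should be adjusted to the ports your host does not legitimately serve.

```ini
# Ports watched in basic TCP mode (started with "portsentry -tcp").
# Bind only to ports no legitimate service listens on: if a real daemon
# already owns the port, PortSentry cannot bind it, and if PortSentry
# binds first, real clients of that service would be treated as scanners.
TCP_PORTS="23,111,143"

# 1 = run KILL_ROUTE on a probe; 0 = only log the probe.
BLOCK_TCP="1"

# PortSentry replaces $TARGET$ with the probing host's address before
# running the command. The trailing -l logs every packet from that host.
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"

# Quieter variant for hosts that see constant scanning: same block rule,
# no per-packet logging, so /var/log does not fill up.
# KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"

# Also deny the scanner in /etc/hosts.deny for TCP-wrapped services.
KILL_HOSTS_DENY="ALL: $TARGET$"
```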
  
Monitor System Logs
  
Software such as a firewall and PortSentry can effectively monitor or block unexpected connections on certain ports. This prevents the most typical "scan, then intrude" attack method.
  
When the system must run public services (such as the Apache Web server or a DNS service) and attackers have found an exploitable weakness in one of those services, these programs will unfortunately not keep every intruder out. Consider a DNS server running a version of BIND that is vulnerable to attack: eventually some attacker will scan a wide range of machines for that specific port and try to intrude into the system through it. Unfortunately, the firewall and PortSentry treat these intrusion attempts as normal, legitimate connections.
  
System Log Check
  
LogCheck (http://www.psionic.com/abacus/logcheck/) is software used to scan system log files (on Linux, the system log files are under the /var/log/ directory). When LogCheck finds something abnormal, it sends an email to the administrator. Abnormal messages in the system log files usually indicate that an attacker is attempting to intrude into the system, or already has.
  
Install LogCheck
  
LogCheck has four main configuration files. In the RPM version they are under the /etc/logcheck directory. Generally, we only need to configure the logcheck.ignore and logcheck.violations.ignore files. After installing LogCheck, the procedure is generally as follows:
  
Let LogCheck run once in normal mode. This produces a huge output file, which we can delete.
  
After 24 hours, let LogCheck run again. This time we will find some new entries in the output; it is still a large file, but a manageable one. Read it carefully.
  
There are certain strings among the entries that we do not need to care about. If these strings appear in the "security violations" section, add them to the logcheck.violations.ignore file; if they appear among the "unusual system events", add them to logcheck.ignore.
  
Repeat these steps every 12 to 24 hours for a few weeks. During this phase we refine the filtering rules in the .ignore files, until what remains is what our system really needs to care about.
  
Note that the RPM package sets LogCheck to run once every hour, but I only need it to run once a day, unless the system must be monitored closely. To do this, copy the /etc/cron.hourly/logcheck file to /etc/cron.daily.
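To make the tuning loop above concrete, here is an added example (not from the article or from the LogCheck package) that re-creates LogCheck's core filtering with grep over a constructed log excerpt and constructed keyword files; the file names, log lines and keywords are assumptions for the demo.

```shell
#!/bin/sh
# Added example: a minimal re-creation of LogCheck's filtering pipeline,
# showing what the .ignore tuning changes. Log lines and keyword files are
# constructed; real LogCheck reads /var/log/* and /etc/logcheck/logcheck.*.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed /var/log/messages excerpt.
cat > "$WORK/messages" <<'EOF'
Jan 10 03:12:01 web portsentry[412]: attackalert: Connect from host: 10.0.0.9/10.0.0.9 to TCP port: 23
Jan 10 03:12:01 web portsentry[412]: attackalert: Host 10.0.0.9 has been blocked via dropped route
Jan 10 03:15:22 web sshd[517]: Accepted password for alice from 10.0.0.5 port 40012 ssh2
Jan 10 03:20:00 web login[600]: FAILED LOGIN 3 FROM 10.0.0.9 FOR root, Authentication failure
Jan 10 04:00:01 web CRON[700]: (root) CMD (run-parts /etc/cron.hourly)
Jan 10 04:05:13 web su[710]: session opened for user root by alice(uid=1000)
EOF

# logcheck.violations: keywords that flag a line as a security violation.
printf '%s\n' 'attackalert' 'FAILED LOGIN' 'denied' > "$WORK/logcheck.violations"
# logcheck.violations.ignore: violation lines already known to be harmless
# (here PortSentry's own "blocked" confirmation, which duplicates the alert).
printf '%s\n' 'has been blocked via' > "$WORK/logcheck.violations.ignore"
# logcheck.ignore: routine events that never deserve a mail.
printf '%s\n' 'CRON\[' 'Accepted password' > "$WORK/logcheck.ignore"

# "Security Violations": violation keyword hits minus violations.ignore.
active_violations() {
    grep -i -f "$WORK/logcheck.violations" "$WORK/messages" \
        | grep -v -f "$WORK/logcheck.violations.ignore"
}

# "Unusual System Events": every line not matched by logcheck.ignore.
unusual_events() {
    grep -v -f "$WORK/logcheck.ignore" "$WORK/messages"
}

# Assemble the report LogCheck would mail. Tuning means moving each noisy
# line into the right .ignore file until only real events remain here.
report() {
    echo "Security Violations"
    active_violations
    echo "Unusual System Events"
    unusual_events
}

report
```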
  
Kernel-based Intrusion Detection
  
Kernel-based intrusion detection is a new and clever approach to Linux intrusion detection. The main kernel-based intrusion detection system today is called LIDS, and it can be downloaded from http://www.lids.org.
  
What is LIDS?
  
LIDS is a Linux kernel-based intrusion detection and prevention system.
  
The purpose of LIDS protection is to prevent even the superuser root from tampering with important parts of the system. The main features of LIDS improve system security by preventing direct I/O port and memory access, preventing raw disk access, and protecting the system log files. LIDS also stops certain specific operations, such as installing a sniffer and modifying the firewall configuration.
  
LIDS Documentation
  
Installing LIDS is a little more complicated than installing PortSentry and LogCheck, but fortunately there is a detailed installation and configuration manual on the LIDS homepage.
  
Install LIDS
  
First, before installing, we need the latest LIDS package (I am using 0.9) and a suitable kernel version. I am using the 2.2.14-12 kernel downloaded from the Red Hat homepage because it contains some security patches. You also need the source code of the kernel you are using.
  
Currently, LIDS is mainly applicable to kernels of version 2.2.14. I installed LIDS on Red Hat Linux 6.2 with the 2.2.14 kernel. Before installing LIDS, I downloaded the latest kernel version from ftp.redhat.com and installed it according to http://www.redhat.com/support/docs/howto/kernel-upgrade/kernel-upgrade.html.
The next step is to upgrade the kernel source code, which we do as follows:
  
rpm -Uhv kernel-source-2.2.14-12.i386.rpm
  
Then compile and install the lidsadm program:
  
cd /usr/local/src/security/lids-0.9/lidsadm-0.9
make
make install
  
Generate the RIPEMD-160 hash of a password, which will be compiled into the kernel later:
  
lidsadm -P
  
Entering the password "anypass" gives the key "d502d92bfead11d1ef17887c9db07a78108859e8". Next, I copied the Red Hat kernel configuration file for my architecture into the /usr/src/linux directory:
  
cd /usr/src/linux/configs/
cp kernel-2.2.12-i686.config ..
  
Run the following commands to apply the LIDS patch to the kernel:
  
cd /usr/src
patch -p0 < lids-0.9-2.2.14-redhat.patch

At the same time, note that there are some minor differences between the kernel provided by Red Hat and the standard 2.2.14 kernel released by Linus, because the Red Hat kernel contains some modified drivers. Likewise, the lids-0.9-2.2.14-redhat.patch file is slightly different from the standard lids-0.9-2.2.14.patch released by LIDS, not