Home IT Linux Windows Database Network Programming Server Mobile  
  Home \ Linux \ Configuring LIDS build Linux kernel security intrusion detection system     - Service manager OpenBSD on rccl (Server)

- Depth study and understanding for individual users suicide DDoS attacks (Linux)

- Virtualization and IT cooperation (Linux)

- Installation of Python2.7.10 under CentOS 6.4 (Linux)

- Build Nginx + uWSGI + Flask operating environment under CentOS 6.4 tutorial (Server)

- File encryption and decryption of Linux security mechanisms (Linux)

- Linux virtual memory and physical memory (Linux)

- Linux print file and send mail (Linux)

- Upgrading Oracle to (Database)

- Linux --- process tracking (Linux)

- Talk about jsonp (Programming)

- Git build a team development environment operating drills (Linux)

- Linux set the maximum number of open files nofile and nr_open, file-max Description (Linux)

- Process monitoring tools Supervisor start MongoDB (Database)

- Eclipse distributed management using GitHub project development (Linux)

- Revised OpenJDK Java Memory Model (Programming)

- Network traffic monitoring ntopng (Linux)

- CentOS 6 / Linux su: Unable to set user ID: Resource temporarily unavailable (Linux)

- Ceph Source Analysis: Network Module (Server)

- CentOS install SystemTap-2.6 (Linux)

  Configuring LIDS build Linux kernel security intrusion detection system
  Add Date : 2018-11-21      
  LIDS (Linux Intrusion detection system) is a Linux kernel patch and systems management staff lidsadm), it strengthened the Linux kernel. It implements a safe mode in the kernel - the core reference model and the Mandatory Access Control (command to enter control) mode. This paper will present LIDS features and how to use it to build a secure Linux system.


With the growing popularity of Linux interconnection line, more and more applications on an existing GNU / LINUX system security vulnerabilities are discovered. Many programs use a programmer carelessness, such as buffer overflow, format code attacks. When the system security by threatening programs, hackers to gain ROOT privileges, the whole system will be intruder control.

Since the code is open, we can get a lot of Linux applications desired original code, and according to our need to be modified. So the bug can be found easily and quickly repaired. But when the vulnerability was revealed, and the neglect of the system administrators to patch vulnerabilities, resulting in easily to the invasion, even worse, a hacker can get ROOT SHELL. Use of existing GNU / Linux system, he pleases. This is the LIDS want to solve the problem.

First look at what are the problems existing GNU / Linux system.

File system is not protected

System of many important documents, such as / bin / login, once the hacking, he can upload the modified login file instead of / bin / login, then he can not require any login name and password to login. This is often referred to as Trojan house.

Process is not protected

Processes running on the system for some system functions and services, such as HTTPD is a web server for remote clients to meet the needs of web. As a web server system, the process is not to protect their illegal termination is very important. But when the intruder gained ROOT permissions, we can not do anything.

Unprotected systems management

Many systems management, for example, loading / unloading, routing settings, firewall rules module, and can easily be modified if the user ID is 0. So when an intruder access to ROOT permissions, it becomes very safe.

Superuser (root) as a possible abuse of authority ROOT

He can do whatever they want, as ROOT he can even modify the existing permissions.

In summary, we found that the existing Linux system into the control mode is not enough to establish a secure Linux system. We must add a new pattern in the system to solve these problems. This is the LIDS to do.

LIDS features

Linux intrusion detection system is a Linux kernel patch and system administrator tool, it strengthened the core of security. It implements the reference monitor mode and Mandatory Access Control (command to enter control) in the kernel mode. When it works, select the file to enter, manage the operation of each system / network, any use of authority, raw device, mem and I / O will be able to enter the prohibited even for ROOT is the same. It uses and extends the functionality of the system, setting binding control over the entire system, add network security features and file system in the kernel, thus enhancing security. You can adjust online security protection, hide sensitive processes, receive security alerts via the network, and so on.

In short, LIDS provides protection, detection, response function, which is the LINUX kernel in safe mode can be achieved.


LIDS provides the following protection:

Hard disk protection on any type of important files and directories, including ROOT any person can not change. Protect important process can not be terminated to prevent illegal procedure RAW IO operation. Protect the hard disk, including MBR protection, and so on. You can protect sensitive system files to prevent unauthorized persons (including ROOT), and unauthorized program proceeds.


When someone scanning your host, LIDS can detect and report to the system administrator. LIDS can also detect any illegal rule to the process on the system.


When someone violate rules, LIDS will be illegal to record details of the operation by the LIDS protection system log file. LIDS can also log information reach your mailbox. LIDS can also turn off the dialogue with the user immediately.

To establish a secure Linux system

After reading the LIDS features, let's look at how to step by step to establish a secure system with LIDS. [Next]

LIDS patch download the official Linux kernel and related

From LIDS Home, LIDS Ftp Home or recent LIDS Mirror obtain LIDS patch and systems management tools.

Patch name is lids-x.xx-yyytar.gz, x.xx lids on behalf of the version, yyy on behalf of Linux kernel version, for example, lids-0.9.9-2.2.17.tar.gz representatives lids version is 0.9.9 and the related kernel version is 2.2.17 ..

Must download the kernel version. For example, you downloaded the lids-0.9.9-2.2.17.tar.gz, then you should download the Linux kernel 2.2.17 of the original code. You can get the kernel source code from Kernel FTP Site or other mirror.

Then, the kernel of the original code and LIDS tar decompression, for example, obtained from www.lids.org lids-0.9.9-2.2.17.tar.gz, get linux-2.2.17.tar from ftp.us.kernel.org after .bz2:... 1. uncompress the Linux kernel source code tree # cd linux_install_path / # bzip2 -cd linux-2.2.17.tar.bz2 tar -xvf -2 uncompress the lids source code and install the lidsadm tool # cd lids_install_path # tar -zxvf lids-0.9.8-2.2.17.tar.gz

LIDS patch to play on the official linux kernel, Linux kernel source code to play LIDS patch # cd linux_install_path / linux # patch -p1 / * link the default source path to lids patched version # rm -rf / usr / src / linux # ln - s linux_install_patch / linux / usr / src / linux

Configure the Linux kernel, and now, configuring Linux kernel, follow these steps to implement: Prompt for development and / or incomplete code / driversSysctl supportAfter that, you will find that a new item appear in the bottom of the configuration menu name "Linux Intrusion Detection System" . Entering this menu, turn the Linux Intrusion Detection System support (EXPERIMENTAL) (NEW).

After configuring LIDS kernel. Exit the configuration, compile the kernel. # Make dep # make clean # make bzImage # make modules # make modules_install

Installation on Linux systems LIDS and systems management tools, copy the bzImage to / boot /, edit /etc/lilo.conf. # Cp arch / i386 / boot / bzImage /boot/bzImage-lids-0.9.9-2.2.17/*build admin tools * / # cd lids-0.9.8-2.2.17 / lidsadm-0.9.8 / # make # make install # less /etc/lilo.confboot=/dev/hdamap=/boot/mapinstall=/boot/boot.bprompttimeout=50default=linuximage=/boot/vmlinuz-2.2.16-3label=linuxread-onlyroot=/dev /hda2image=/boot/bzImage-lids-0.9.9-2.2.17label=devread-onlyroot=/dev/hda2

Run / sbin / lilo to install the new kernel: # / sbin / lilo

LIDS system configuration

Before restarting, you must configure the lids system to meet your security needs. You can define the protected files, protected processes and so on.

By default, lidsadm will install the default configuration file to the / etc / lids /. You must be reconfigured according to their needs. First, you can update the default lids.conf the inode / dev value. # / Sbin / lidsadm -U

Reboot the system

After configuring Linux system to restart. When lilo appears, select loading the lids enable kernel. Then you will enter the wonderful world LIDS.

Package core

After the system starts, do not forget to use lidsadm package core, at the end of /etc/rc.local add the following command: # / sbin / lidsadm -I

Online Management

After the kernel package, your system is under the protection of LIDS. You can do some tests to verify if you want to change some configurations, for example, modify the permissions, you can enter a password online way to change the lids security level. # / Sbin / lidsadm -S - -LIDS

After changing the lids configuration attributes, such as lids.conf, lids.cap, you can reload with the following command in the kernel configuration file: # / sbin / lidsadm -S - + RELOAD_CONF

LIDS system configuration

LIDS configuration directory - "/etc/lids/".html
- Linux System Getting Started Learning: complete installation on Debian or Ubuntu kernel source (Linux)
- Create your own YUM repository (Linux)
- Camouflage Nginx Web server version to prevent invasion (Linux)
- Advanced Search Oracle study notes (Database)
- Learning UNIX good habits (Linux)
- Linux / Unix: chroot command examples to explain (Linux)
- Using Oracle for Oracle GoldenGate to achieve a one-way data synchronization (Database)
- Android custom controls create the simplest skid menu in the history (Programming)
- Oracle Database ORA-01555 snapshot too old (Database)
- File upload via AngularJS and ASP.NET MVC5 (Programming)
- Hibernate in profile (Database)
- Five programming fallacy (Programming)
- Linux performance monitoring and common commands Introduction (Linux)
- About MongoDB query method according to fuzzy field (Database)
- CentOS 6 / Linux su: Unable to set user ID: Resource temporarily unavailable (Linux)
- C ++ hash function (Programming)
- Install Oracle database error process of [INS-35172] (Database)
- How to use OpenVPN and PrivacyIDEA build two-factor authentication for remote access (Server)
- Linux Change ssh port and disable remote root login at (Linux)
- Fragment Android developers learning to resolve (Programming)
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.