LIDS - Linux Intrusion Detection System
INSTALLATION AND CONFIGURATION
http://www.lids.org
1.Files involved:
Kernel 2.2.16 (linux-2.2.16.tar.gz)
LIDS 0.9.8 (lids-0.9.8-2.2.16.tar.gz)
2.Extract the files:
#cd /usr/src/
#tar -xvzf .../linux-2.2.16.tar.gz
#cd /opt/
#tar -xvzf .../lids-0.9.8-2.2.16.tar.gz
3.Apply the PATCH to the kernel:
#patch -p0 </opt/lids0.9.8/lids-0.9.8-2.2.16.patch
4.Compile the kernel:
#cd /usr/src/linux/
#make mrproper
#make menuconfig
kernel options --> *(the options in bold are required)
Code maturity level options --->
[*] Prompt for development and/or incomplete code/drivers
General setup --->
[*] Networking support
[*] PCI support
(Any) PCI access mode
[*] PCI quirks
[ ] PCI bridge optimization (experimental)
[*] Backward-compatible /proc/pci
[ ] MCA support
[ ] SGI Visual Workstation support
[*] System V IPC
[ ] BSD Process Accounting
[*] Sysctl support
<*> Kernel support for a.out binaries
<*> Kernel support for ELF binaries
<*> Kernel support for MISC binaries
<M> Kernel support for JAVA binaries (obsolete)
< > Parallel port support
[ ] Advanced Power Management BIOS support
Networking options ---> *(customize according to your needs)
<*> Packet socket
[*] Kernel/User netlink socket
[*] Routing messages
<*> Netlink device emulation
[*] Network firewalls
[ ] Socket Filtering
<*> Unix domain sockets
[*] TCP/IP networking
[ ] IP: multicasting
[*] IP: advanced router
[ ] IP: policy routing
[*] IP: equal cost multipath
[ ] IP: use TOS value as routing key
[*] IP: verbose route monitoring
[*] IP: large routing tables
[ ] IP: kernel level autoconfiguration
[*] IP: firewalling
[*] IP: firewall packet netlink device
[ ] IP: transparent proxy support
[*] IP: masquerading
--- Protocol-specific masquerading support will be built as modules.
[*] IP: ICMP masquerading
--- Protocol-specific masquerading support will be built as modules.
[*] IP: masquerading special modules support
<M> IP: ipautofw masq support (EXPERIMENTAL)
<M> IP: ipportfw masq support (EXPERIMENTAL)
<M> IP: ip fwmark masq-forwarding support (EXPERIMENTAL)
[*] IP: optimize as router not host
< > IP: tunneling
< > IP: GRE tunnels over IP
[*] IP: aliasing support
[ ] IP: ARP daemon support (EXPERIMENTAL)
[*] IP: TCP syncookie support (not enabled per default)
--- (it is safe to leave these untouched)
< > IP: Reverse ARP
[*] IP: Allow large windows (not recommended if <16Mb of memory)
< > The IPv6 protocol (EXPERIMENTAL)
LIDS options in the kernel -->
Linux Intrusion Detection System --->
[*] Linux Intrusion Detection System support (EXPERIMENTAL)
--- LIDS features
(1024) Maximum protected objects to manage
(1024) Maximum ACL subjects to manage
(1024) Maximum ACL objects to manage
(1024) Maximum protected proceeds
[ ] Hang up console when raising a securit alert
[ ] Security alert when execing unprotected programs before sealing LIDS
[*] Try not to flood logs
(60) Authorised time between two identic logs (seconds)
[*] Allow switching LIDS protections
(3) Number of attempts to submit password
(3) Time to wait after a fail (seconds)
[ ] Allow remote users to switch LIDS protections
[ ] Allow any program to switch LIDS protections
[*] Allow reloading config. File
[*] Port Scanner Detector in kernel
[*] Send security alerts through network
[ ] Hide klids kernel thread
(3) Number of connection tries before giving up
(30) Sleep time after a failed connection
(16) Message queue size
#make dep clean bzImage
5.Compile LIDS:
#cd /opt/lids0.9.8/lidsadm-0.9.8/
#make
#gzip lidsadm.1 (*man page file)
#make install
6.Edit LILO to boot with LIDS:
6.1.Copy the kernel image to the boot directory:
#cp /usr/src/linux/arch/i386/boot/bzImage /boot/
6.2.Edit lilo:
#vi /etc/lilo.conf
image=/boot/bzImage
label=lids
root=/dev/hda1
read-only
6.3.Run lilo:
#lilo
7.LIDS configuration:
7.1.Generate the password file (/etc/lids/lids.pw):
#lidsadm -P
7.2.Edit the network configuration file (/etc/lids/lids.net):
#vi /etc/lids/lids.net
lids.net
# LIDS
# Send Alert Message From Network
# for lids 0.9.8
# xie@gnuchina.org
# -------------------------------------------------------------------
# MAIL_SWITCH = 1 | 0
# 1 , send alert function is on
# 0, send alert function is off
MAIL_SWITCH= 1
# MAIL_RELAY=hex IP:port
# IP of the machine that will be directly connected by LIDS
# for relaying its mails. Port is usually 25, but who knows...
MAIL_RELAY= 192.168.1.1:25 (IP of the SMTP server)
# MAIL_SOURCE=source machine :
# Name of the source machine, used for the ehlo identification.
# Note that a bad name here could make the mail relay refuse your
# mails.
MAIL_SOURCE=nome_da_maquina_origem (the source host name, i.e. the machine the e-mail is sent from)
# MAIL_FROM=sender address
# Sender address, which will also be in the ``from'' field.
MAIL_FROM= the sender address (I used lids@meudomínio.com.br)
# MAIL_TO=recipient address :
# Recipient address.
MAIL_TO= the recipient address (admin@meudominio.com.br)
# MAIL_SUBJECT= subject :
# Subject of the mail.
MAIL_SUBJECT= LIDS Alert **INVASÃO!!!**
7.3.Edit the capability file (/etc/lids/lids.cap):
#vi /etc/lids/lids.cap
lids.cap
+0:CAP_CHOWN
+1:CAP_DAC_OVERRIDE
+2:CAP_DAC_READ_SEARCH
+3:CAP_FOWNER
+4:CAP_FSETID
+5:CAP_KILL
+6:CAP_SETGID
+7:CAP_SETUID
+8:CAP_SETPCAP
-9:CAP_LINUX_IMMUTABLE
-10:CAP_NET_BIND_SERVICE
+11:CAP_NET_BROADCAST
-12:CAP_NET_ADMIN
-13:CAP_NET_RAW
+14:CAP_IPC_LOCK
+15:CAP_IPC_OWNER
+16:CAP_SYS_MODULE
-17:CAP_SYS_RAWIO
-18:CAP_SYS_CHROOT
-19:CAP_SYS_PTRACE
+20:CAP_SYS_PACCT
-21:CAP_SYS_ADMIN
+22:CAP_SYS_BOOT
+23:CAP_SYS_NICE
+24:CAP_SYS_RESOURCE
+25:CAP_SYS_TIME
+26:CAP_SYS_TTY_CONFIG
-27:CAP_HIDDEN
+28:CAP_INIT_KILL
7.4.Update the LIDS configuration file (/etc/lids/lids.conf):
#lidsadm -U (updates the inodes)
lids.conf
# It is auto generated by lidsadm
# Please do not modify this file by hand
#
0:0::1:47521:769:/sbin
0:0::1:47810:769:/bin
0:0::1:111103:769:/boot
0:0::1:79202:769:/lib
0:0::1:79201:769:/usr
0:0::0:66847:769:/etc/shadow
50195:769:/bin/login:1:66847:769:/etc/shadow
49273:769:/bin/su:1:66847:769:/etc/shadow
0:0::7:81906:769:/var/log/wtmp
48144:769:/sbin/fsck.ext2:7:66906:769:/etc/mtab
0:0::7:66906:769:/etc/mtab
0:0::7:63361:769:/etc
66004:769:/usr/sbin/sendmail:7:82182:769:/var/log/sendmail.st
50195:769:/bin/login:7:79497:769:/var/log/lastlog
48151:769:/bin/cat:1:320641:774:/home/xhg
0:0::0:176353:774:/home/httpd
62413:773:/usr/sbin/httpd:1:176353:774:/home/httpd
0:0::0:31561:773:/etc/httpd/conf
62413:773:/usr/sbin/httpd:1:31561:773:/etc/httpd/conf
66004:769:/usr/sbin/sendmail:7:82182:769:/var/log/sendmail.st
77662:773:/usr/X11R6/bin/XF86_SVGA:0:-1:17:RAWIO
66951:773:/usr/sbin/in.ftpd:1:66847:769:/etc/shadow
62413:773:/usr/sbin/httpd:0:-1:27:HIDDEN
0:0::3:79496:769:/var/log
Note: #lidsadm -L (lists the rules file)
8.Seal the kernel after boot:
#vi /etc/rc.d/rc.local
#add this line to seal the kernel.
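As an added example (not part of the original document or of LIDS itself), the following Python parses the lids.cap and lids.conf formats shown in 7.3 and 7.4 and flags rules whose recorded inode no longer matches the file on disk, which is the situation that lidsadm -U corrects. It assumes the field order visible in the listing above and the access codes 0 = DENY, 1 = READ and 7 = APPEND as used by those rules; the mapping 3 = WRITE is an assumption, and the sample file contents are constructed.

```python
import os
from collections import namedtuple
# Constructed excerpts in the format of the two files above (not taken from a live system).
LIDS_CAP = "+0:CAP_CHOWN\n-9:CAP_LINUX_IMMUTABLE\n-21:CAP_SYS_ADMIN\n-27:CAP_HIDDEN\n"
LIDS_CONF = """# It is auto generated by lidsadm
0:0::0:66847:769:/etc/shadow
50195:769:/bin/login:1:66847:769:/etc/shadow
0:0::7:81906:769:/var/log/wtmp
"""
# Access codes as used in the rules above: 0 deny, 1 read-only, 7 append (3 = write is assumed).
ACCESS = {0: "DENY", 1: "READ", 3: "WRITE", 7: "APPEND"}
Rule = namedtuple("Rule", "subj_inode subj_dev subj_path access obj_inode obj_dev obj_path")

def parse_cap(text):
    """lids.cap: '+N:NAME' keeps capability N in the bounding set, '-N:NAME' removes it."""
    caps = {}
    for tok in text.split():
        if tok[0] in "+-":
            num, name = tok[1:].split(":", 1)
            caps[name] = (tok[0] == "+", int(num))
    return caps

def parse_conf(text):
    """Parse lids.conf; an empty subject path (0:0::) means the rule applies to every program."""
    rules = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")  # paths containing ':' are not expected in these files
            if len(f) != 7:
                raise ValueError("malformed rule: " + line)
            rules.append(Rule(int(f[0]), int(f[1]), f[2], int(f[3]), int(f[4]), int(f[5]), f[6]))
    return rules

def who_may(rules, obj_path):
    """Subject path (empty = everyone) -> access granted on obj_path."""
    return {r.subj_path: ACCESS.get(r.access, str(r.access)) for r in rules if r.obj_path == obj_path}

def stale_rules(rules, inode_of=lambda p: os.stat(p).st_ino):
    """Paths whose recorded inode no longer matches the filesystem, i.e. what 'lidsadm -U' repairs."""
    stale = []
    for r in rules:
        for inode, path in ((r.subj_inode, r.subj_path), (r.obj_inode, r.obj_path)):
            if not path or inode < 0 or path in stale:  # inode -1 marks a capability grant
                continue
            try:
                if inode_of(path) != inode:
                    stale.append(path)
            except OSError:  # file removed: the rule no longer protects anything
                stale.append(path)
    return stale
```

Because LIDS binds each rule to an inode number rather than a path, a protected file that is deleted and recreated (for example by a package upgrade) silently falls outside its rule until lids.conf is regenerated.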
/sbin/lidsadm -I
9.Some useful commands:
Enable and disable LIDS
lidsadm -S -- -LIDS (turns LIDS off)
lidsadm -S -- +LIDS (turns LIDS on)
#The password set with the "lidsadm -P" command is required
#(Available only if the "Allow switching LIDS protections" option is enabled in the kernel configuration)
Add rules
lidsadm -A /var/log/messages -o -j APPEND
#(Only allows appending to the file.)
man lidsadm
#For more examples and explanations...
10.Reboot the machine (the system will be protected by LIDS after boot).
________________________________________
Developed by:
Denis Galvão
________________________________________
Full or partial reproduction of this
document is permitted provided that
its author is explicitly credited.
________________________________________