HLIPS - Hardened Linux from scratch Intrusion Prevention System

Łukasz Hejnak szift at szift.org
Tue Dec 13 16:06:48 PST 2005


Hi :]
I started a new project and wanted to know your opinion on the base 
ideas I have about it.
As you read in the title, I called it HLIPS.
(The HLFS is there, as that's where I develop and test it and 
because it's my favourite distro (if you can call it a distro of course) :)
The whole thing is a big script composed of AIDE, ChkRootKit and 
ChkExploit.
I tweaked ChkRootKit a little bit (it tended to find a few rootkits 
on fresh HLFS binaries, a compiled netstat as an example - I know it's 
not in HLFS, but ChkRootKit relies on it),
thus making a check and notification system.
Currently it's still under development (duh), but I want to release an 
alpha someday, maybe in the next 2 weeks :]
So what does it do?

It checks and makes archives (when changes occur) of the system's 
configuration (/etc and everywhere else where you keep your configs that 
you would not want to lose).
It checks the system for exploits and rootkits using ChkRootKit and 
ChkExploit.
It uses AIDE to make sure that there were no changes where they 
shouldn't be.
It depends on only a few binaries (grep, cat, echo, aide, chkrootkit bins).
It parses the SYSLOG and outputs desired data; right now I have it set up 
to filter out all info on malicious packets, group it 'per IP', 
count it (how many packets, how many different IPs) and, if there was any 
info retrieved by netfilter's OSF module, display it too.
For example, a typical output looks like this:
SRC=220.248.201.210 [7] () TTL=103 SPT=4625 DPT=1025 [7]
SRC=218.64.66.169 [3] () TTL=95 SPT=4795 DPT=1025 [2] TTL=95 SPT=4794 DPT=1025 [1]
SRC=221.12.40.144 [1] () TTL=34 PROTO=UDP SPT=35315 DPT=1026 [1]
SRC=218.64.77.180 [2] () TTL=94 SPT=1953 DPT=1025 [2]
SRC=202.111.173.82 [1] () TTL=32 PROTO=UDP SPT=39261 DPT=1026 [1]
SRC=212.176.49.56 [1] (Redline [::Redline_T|X_2200] : hops=141) TTL=114 SPT=30386 DPT=1080 [1]

The first brackets after the IP tell how many connections have been 
logged to syslog (I use a somewhat more complicated firewall, so it 
doesn't mean that there were only this many connection attempts; 
many of the others were tarpitted and dropped without logging).
The second () contain info on the system from which the packet 
originated; it's OSF (fingerprint) based and usually works well.
Then there are a few pieces of information I want it to tell me, like 
TTL, PROTO, SPT, DPT; if PROTO is unspecified it's assumed to be TCP (it 
keeps the output even more readable). The last brackets tell how many 
such connections were logged (with the same TTL, PROTO, SPT and DPT).

Finally it outputs everything else from the syslog, if there were any 
other errors or such.
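An added example of the syslog analysis step described above, written in Python for this page (it is my own code, not the HLIPS script): it reads netfilter LOG lines, groups them per SRC address, counts packets per (TTL, PROTO, SPT, DPT) signature and overall, attaches an ipt_osf fingerprint when one was logged for that source, leaves PROTO implicit for TCP, and passes every non-firewall line through untouched. The sample syslog excerpt is constructed; the "FW-DROP:" log prefix and the exact layout of the ipt_osf line are assumptions, so adapt the two regular expressions to what your own kernel logs.

```python
import re
from collections import Counter

# Constructed sample excerpt (not real captured data). The "FW-DROP:" log
# prefix and the layout of the ipt_osf fingerprint line are assumptions.
SAMPLE_SYSLOG = """\
Dec 13 15:01:02 hlfs kernel: FW-DROP: IN=eth0 OUT= SRC=220.248.201.210 DST=10.0.0.5 LEN=48 TTL=103 ID=1 DF PROTO=TCP SPT=4625 DPT=1025 WINDOW=65535 SYN
Dec 13 15:01:09 hlfs kernel: FW-DROP: IN=eth0 OUT= SRC=220.248.201.210 DST=10.0.0.5 LEN=48 TTL=103 ID=2 DF PROTO=TCP SPT=4625 DPT=1025 WINDOW=65535 SYN
Dec 13 15:02:31 hlfs kernel: FW-DROP: IN=eth0 OUT= SRC=218.64.66.169 DST=10.0.0.5 LEN=48 TTL=95 ID=3 DF PROTO=TCP SPT=4795 DPT=1025 WINDOW=16384 SYN
Dec 13 15:02:34 hlfs kernel: FW-DROP: IN=eth0 OUT= SRC=218.64.66.169 DST=10.0.0.5 LEN=48 TTL=95 ID=4 DF PROTO=TCP SPT=4794 DPT=1025 WINDOW=16384 SYN
Dec 13 15:03:10 hlfs kernel: FW-DROP: IN=eth0 OUT= SRC=221.12.40.144 DST=10.0.0.5 LEN=404 TTL=34 ID=5 PROTO=UDP SPT=35315 DPT=1026 LEN=384
Dec 13 15:04:00 hlfs kernel: ipt_osf: Redline [::Redline_T|X_2200] : 212.176.49.56:30386 -> 10.0.0.5:1080 hops=141
Dec 13 15:04:00 hlfs kernel: FW-DROP: IN=eth0 OUT= SRC=212.176.49.56 DST=10.0.0.5 LEN=48 TTL=114 ID=6 DF PROTO=TCP SPT=30386 DPT=1080 WINDOW=8192 SYN
Dec 13 15:05:00 hlfs sshd[412]: Failed password for invalid user test from 10.0.0.9 port 40212 ssh2
"""

# KEY=value pairs as netfilter's LOG target writes them (OUT= may be empty).
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Assumed ipt_osf line: "<fingerprint> : <src>:<spt> -> <dst>:<dpt> hops=N".
OSF_RE = re.compile(r"ipt_osf: (.*?) : (\d+\.\d+\.\d+\.\d+):\d+ -> \S+ (hops=\d+)")


def _new_entry():
    return {"total": 0, "osf": "", "sigs": Counter()}


def parse_syslog(text):
    """Group firewall log lines per source IP.

    Returns (per_ip, other_lines). per_ip maps SRC -> {"total": packets seen,
    "osf": fingerprint text or "", "sigs": Counter of (TTL, PROTO, SPT, DPT)}.
    Lines that are neither firewall logs nor OSF lines are passed through.
    """
    per_ip = {}
    other = []
    for line in text.splitlines():
        if not line.strip():
            continue
        osf = OSF_RE.search(line)
        if osf:
            entry = per_ip.setdefault(osf.group(2), _new_entry())
            entry["osf"] = f"{osf.group(1)} : {osf.group(3)}"
            continue
        if "kernel:" in line and "SRC=" in line:
            fields = dict(FIELD_RE.findall(line))
            entry = per_ip.setdefault(fields["SRC"], _new_entry())
            entry["total"] += 1
            # ICMP lines carry TYPE/CODE instead of ports, hence the fallbacks.
            sig = (fields.get("TTL", "?"), fields.get("PROTO", "TCP"),
                   fields.get("SPT", "-"), fields.get("DPT", "-"))
            entry["sigs"][sig] += 1
            continue
        other.append(line)
    return per_ip, other


def format_signature(sig, count):
    """One 'TTL=.. [PROTO=..] SPT=.. DPT=.. [n]' group; TCP is left implicit."""
    ttl, proto, spt, dpt = sig
    parts = [f"TTL={ttl}"]
    if proto != "TCP":
        parts.append(f"PROTO={proto}")
    parts += [f"SPT={spt}", f"DPT={dpt}", f"[{count}]"]
    return " ".join(parts)


def format_report(per_ip, other):
    """Render the per-IP summary (busiest sources first), totals, then the rest."""
    lines = []
    for ip, e in sorted(per_ip.items(), key=lambda kv: -kv[1]["total"]):
        sigs = " ".join(format_signature(s, c) for s, c in e["sigs"].items())
        lines.append(f"SRC={ip} [{e['total']}] ({e['osf']}) {sigs}")
    packets = sum(e["total"] for e in per_ip.values())
    lines.append(f"{len(per_ip)} different IPs, {packets} packets")
    if other:
        lines.append("--- other syslog entries ---")
        lines.extend(other)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(*parse_syslog(SAMPLE_SYSLOG)))
```

Feed it the output of `grep` over the hour's syslog instead of SAMPLE_SYSLOG to get the same report the post describes; anything the regexes do not recognise ends up in the trailing section, which is where unexpected errors show up.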

Every hour the script is run and I get a stat on everything in my 
email box.
Currently when something is detected, depending on the severity, I 
either get it by email with a marker in the subject to look at it more 
closely, or when it's something really weird, I get the info by SMS :]

I also have a little script allowing the remote shutdown of the entire 
server, using just the mobile and a specially crafted message, that when 
delivered to a specified account, from a specified address, causes the 
shutdown :] (if things go very bad and I can't access the 
server directly)


So the order in which it works is:
- check the config archives for modifications (if I update, I also 
update the aide database, so this should ALWAYS return NO MODIFICATIONS, 
else SMS me right now and tell me who's logged in, what he's executing and 
such info)
- check the config and make an archive if something changed
- run chkrootkit and filter the output from things like 'not found' or 
'not infected' etc. to let only the important ones stay
- run chkexploit and parse the output in the same way
- run aide to generally check most of the system
- run the syslog analyser script
- mail all the output info to my email account with an appropriate subject 
(depending on whether there were changes found or not)
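An added example, in Python, of the first two steps in the list above (my own code for this page, not the HLIPS script): it keeps a SHA-256 baseline of a config tree in a JSON file, raises the alarm condition when a previously written archive no longer matches the hash recorded for it, and writes a fresh tarball plus a new baseline only when the live config changed. The JSON file and tarball directory stand in for the AIDE database and the archive location; the paths, the `hlips.json` name and the files written by `demo()` (which exercises the three cases on a temporary directory) are all constructed for the example.

```python
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def snapshot(directory):
    """Map each regular file under directory (relative path) to its SHA-256."""
    base = Path(directory)
    return {
        str(p.relative_to(base)): sha256_file(p)
        for p in sorted(base.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def diff_snapshots(old, new):
    """Which paths were added, removed or changed between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def run_config_check(config_dir, db_path, archive_dir):
    """One pass of the archive check (step 1) and the config check (step 2).

    Returns (tampered_archives, config_diff, new_archive). A non-empty
    tampered_archives list is the "should ALWAYS be NO MODIFICATIONS" alarm.
    """
    db_file = Path(db_path)
    db = json.loads(db_file.read_text()) if db_file.exists() else {"config": {}, "archives": {}}

    # Step 1: archives must never change once written; compare against recorded hashes.
    tampered = []
    for name, digest in db["archives"].items():
        archive = Path(archive_dir) / name
        if not archive.is_file() or sha256_file(archive) != digest:
            tampered.append(name)

    # Step 2: compare the live config tree with the baseline; archive on change.
    current = snapshot(config_dir)
    config_diff = diff_snapshots(db["config"], current)
    new_archive = None
    if any(config_diff.values()):
        Path(archive_dir).mkdir(parents=True, exist_ok=True)
        stamp = time.strftime("%Y%m%d-%H%M%S")
        new_archive = Path(archive_dir) / f"config-{stamp}-{len(db['archives'])}.tar.gz"
        with tarfile.open(str(new_archive), "w:gz") as tar:
            tar.add(str(config_dir), arcname="config")
        db["archives"][new_archive.name] = sha256_file(new_archive)
        db["config"] = current
        db_file.write_text(json.dumps(db, indent=1, sort_keys=True))
    return sorted(tampered), config_diff, new_archive


def demo():
    """Three runs on constructed files: baseline, config edit, archive tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "etc"
        cfg.mkdir()
        (cfg / "sshd_config").write_text("PermitRootLogin no\n")
        db = Path(tmp) / "hlips.json"
        arc = Path(tmp) / "archives"
        r1 = run_config_check(cfg, db, arc)           # first run: baseline + archive written
        (cfg / "sshd_config").write_text("PermitRootLogin yes\n")
        r2 = run_config_check(cfg, db, arc)           # change detected, second archive written
        (arc / r1[2].name).write_bytes(b"garbage")    # someone overwrote the first archive
        r3 = run_config_check(cfg, db, arc)           # step 1 alarm, no config change
        return r1, r2, r3


if __name__ == "__main__":
    for label, (tampered, diff, archive) in zip(("run 1", "run 2", "run 3"), demo()):
        print(label, "tampered:", tampered, "diff:", diff, "archive:", archive)
```

The JSON baseline is the weak point: if an intruder with root can rewrite it along with the config, the check is blind, which is exactly why the post keeps the AIDE database as a second, independently checked reference and pushes the alarm out by SMS rather than only to a mailbox on the same host.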

The entire process on my Celeron 600 MHz with 192 MB RAM takes around 8 to 
10 minutes.


When doing the installable package of it, I'd like to use as much 
randomness as possible. To do that I'd have to make it even more 
position independent than it is now, but it's possible.
And another thing would be to hide it as well as possible (why would any 
intruder need to know that its target is using HLIPS? :)

Then on compilation, the location would be chosen based on existing 
system structures (some random existing location, of course after 
telling the user where, and if he/she agrees to it) and so would be the 
file names, to make finding the system even harder.
Another thing I'd like it to do is to hide from ps aux, 
for example to pretend it's another running program (say httpd or 
anything else) or to just vanish.
Another thing: to make it start we need the position dependency; when 
tracing /etc/rc.d/init.d and /etc/inittab we can find everything 
that gets started up (I assume the intruder gets root privileges), 
but let's say it would get started from inside another program, some 
specially crafted `echo` (or anything else) command option that would 
look as normal as it is :] Then that would be the only place to put the 
position of the system into, and we could even go ahead and forget about 
it :]

So what do you think? Is it paranoid enough?
And maybe you already know something similar to this?

I wish to make the program as customizable as it gets, and also easy to 
use and install, and to make some English and Polish docs on it (maybe someone 
will help with other languages).
You know, everything that a good program should have :]

If anybody is interested, I can post more info on the subject later, when I'm 
close enough to the alpha to let it run somewhere outside my server 
for the first time :]

-- 
Best wishes
Łukasz Hejnak
szift at szift.org

More information about the hlfs-dev mailing list