HLIPS - Hardened Linux from scratch Intrusion Prevention System
szift at szift.org
Tue Dec 13 16:06:48 PST 2005
I started a new project and wanted to know Your opinion on the base
ideas I have about it.
As You read in the title, I called it HLIPS.
(The HLFS is there, as that's where I develope and test it at and
because it's my favourite distro (if You can call it a distro of course) :)
The whole thing is a big script composed with the AIDE, ChkRootKit and
I tweaked the ChkRootKit a little bit (It tended to find a few rootkits
on fresh HLFS binaries, a compiled netstat as an example - I know it's
not in HLFS, but ChkRootKit relays on it)
Thus making a check and notification system.
Currently it's still under development (duh), but I want to release an
alpha someday maybe in the next 2 weeks :]
So what it does?
It checks and makes archives (when changes occur) of the systems
configuration (/etc and everywhere else where You keep Your configs that
You would not want too lose)
It checks the system for exploits and rootkits using ChkRootKit and
It uses AIDE to make sure that there were no changes where they
It depends on only a few binaries (grep, cat, echo, aide, chkrootkit bins)
It parses the SYSLOG and outputs desired data, right now I got it set up
to filter out all info on malicious packets, group it into 'per IP',
count it (how many packets, how many different IPs) and if there was any
info retrieved by netfilters OSF module, display it too.
For example, a typical output looks like this:
SRC=18.104.22.168  () TTL=103 SPT=4625 DPT=1025 
SRC=22.214.171.124  () TTL=95 SPT=4795 DPT=1025  TTL=95 SPT=4794
SRC=126.96.36.199  () TTL=34 PROTO=UDP SPT=35315 DPT=1026 
SRC=188.8.131.52  () TTL=94 SPT=1953 DPT=1025 
SRC=184.108.40.206  () TTL=32 PROTO=UDP SPT=39261 DPT=1026 
SRC=220.127.116.11  (Redline [::Redline_T|X_2200] : hops=141) TTL=114
SPT=30386 DPT=1080 
the first brackets after the IP tell how many connection's have been
logged into syslog (I use somewhat more complicated firewall, so it
doesn't mean that there were only this many connection attempts, but
many of the others were tarpitted and dropped without logging)
the second () contain info on the system from which the packet
originated, it's OSF (fingerprint) based and usually works well.
Then there are a few informations I want it to tell me like
TTL,PROTO,SPT,DPT, if PROTO is unspecified it's assumed to be TCP (it
keeps the output even more readable) the last brackets tell how many
such connections were logged (with the same TTL,PROTO,SPT and DPT)
Finally it outputs everything else from the syslog, if there were any
other errors or such.
Every hour the scripts is run and I get a stat on everything into my
Currently when something is detected, depending on the severity, I
either get it by email with a marker in the subject to look at it more
closely, or when it's something really weird, I get info by SMS :]
I also have a little script allowing the remote shutdown of the entire
server, using just the mobile and a specialy crafted message, that when
delivered to a specified account, from a specified adress causes the
shutdown :] (if things would go very bad and I couldn't access the
So the order in which it works is:
- check the config archives for modifications (if I update, I also
update the aide database, so this should ALWAYS return NO MODIFICATIONS,
else sms me right now and tell me who's logged, what's he executing and
- check the config and do an archive if something changed
- run chkrootkit and filter the output from things like 'not found' or
'not infected' etc. to let only the important ones stay
- run chexploit and parse the output in the same way
- run aide to generally check most of the system
- run the syslog analiser script
mail all the output info to my email account with apropriate subject
(depending on whether there were changes found or not)
The entire process on my Celeron 600mhz with 192MbRAM takes around 8 to
When doing the installable package of it, I'd like to use as many
randomness as possible. To do that I'd have to make it even more
position independent then it is now but it's possible.
And another thing would be to hide it as well as possible (why any
intruder would need to know that it's target is using the HLIPS? :)
Then on compilation, the location would be choosen based on existing
system structures (some random existing location, of course after
telling the user where and if he/she agries to it) and so would be the
file names, to make finding of the system even harder.
Another thing I'd like it to do is to hide from ps aux
For example to pretend it's another running program (say httpd or
anything else or to just vanish)
Another thing is to make it start we need the position dependency, when
tracing the /etc/rc.d/init.d and /etc/inittab we can find everything
that gets started up (I assume the intruder gets root privilliges)
but let's say it would get started from inside another program, some
specialy crafted `echo` (or anything else) command option that would
look as normal as it is :] Then that would be the only place to put the
position of the system into, and even We could go ahead and forget about
So what do You think? Is it paranoic enough?
And maybe You already know something similar to this?
I wish to make the program as customizable as it gets, and also easy to
use and install. Make some English and Polish docs on it (maybe someone
will help with other languages).
You know, everything that a good program should have :]
If anybody is interested, I can post later info on the subject when I'll
be close enough to the alpha to let it run somewhere outside my server
for the first time :]
szift at szift.org
More information about the hlfs-dev