Artillery is a combination honeypot, file-integrity monitoring, alerting and brute-force prevention tool. It is lightweight, has several different methods for detecting specific attacks, and will eventually also notify you of insecure *nix configurations. Artillery is written in Python.
How to install Artillery
- ./install.py
This adds Artillery to bootup and starts it. A run-down of some of the features follows.
How to check Artillery is running
netstat -antp | grep LISTEN
tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:5800 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:1433 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:1337 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:44443 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:3389 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 29310/python

How does Artillery work
As the output above shows, it is Artillery itself that is listening on all of those ports. If anyone port scans or otherwise touches one of them, their address is blacklisted immediately and permanently. The honeypot is multi-threaded, so a flood of connections to one decoy port does not stop the others from answering. Note that this applies to you as well: a vulnerability scan of the host from your own workstation will get your address banned, so keep an out-of-band way in before you test it. The author ran it on his own site with impressive results: in the first 3 days it blocked over 387 hosts.
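To make the mechanism concrete, here is a small honeypot in the same spirit, written for this page rather than taken from Artillery: it binds a list of decoy ports, and a connection to any of them blacklists the peer and sends it a random junk banner of 5 to 30000 characters (the behaviour the 0.1.1 changelog below describes). Assumptions, also labelled in the code: the blacklist is modelled as an iptables DROP rule (the post only says hosts are "blacklisted" and does not name the mechanism), the rule is generated but not executed unless dry_run is switched off, and the probe() helper stands in for the attacker's scanner so the whole thing can be exercised on loopback.

```python
import random
import socket
import string
import subprocess
import threading


class Honeypot:
    """Listen on decoy ports and blacklist the source address of anything that connects."""

    def __init__(self, ports, bind="0.0.0.0", dry_run=True):
        self.ports = ports
        self.bind = bind
        self.dry_run = dry_run      # True: record the ban only, never touch the firewall
        self.blacklist = set()
        self.lock = threading.Lock()
        self.sockets = []

    @staticmethod
    def ban_command(ip):
        # Assumption: the blacklist is an iptables DROP rule. The post does not say
        # how Artillery blocks a host, so this is the example's choice.
        return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]

    def ban(self, ip):
        """Blacklist ip once; return True if it was not already listed."""
        with self.lock:
            if ip in self.blacklist:
                return False
            self.blacklist.add(ip)
        if not self.dry_run:
            subprocess.call(self.ban_command(ip))
        return True

    @staticmethod
    def decoy_banner():
        # Random junk of 5..30000 characters, as the 0.1.1 changelog describes.
        length = random.randint(5, 30000)
        alphabet = string.ascii_letters + string.digits
        return "".join(random.choice(alphabet) for _ in range(length)).encode()

    def handle(self, conn, addr):
        # Ban before sending anything: a scanner that never reads is still blacklisted.
        self.ban(addr[0])
        try:
            conn.sendall(self.decoy_banner())
        except OSError:
            pass
        finally:
            conn.close()

    def listen(self, port):
        """Bind one decoy port; return the bound port, or None if it cannot be taken."""
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((self.bind, port))
        except OSError:
            s.close()               # a real service owns it (or no privilege): skip, do not crash
            return None
        s.listen(16)
        self.sockets.append(s)
        threading.Thread(target=self._accept_loop, args=(s,), daemon=True).start()
        return s.getsockname()[1]

    def _accept_loop(self, s):
        while True:
            try:
                conn, addr = s.accept()
            except OSError:         # listening socket closed by stop()
                return
            # One thread per connection, so a flood on one port never stalls the others.
            threading.Thread(target=self.handle, args=(conn, addr), daemon=True).start()

    def start(self):
        return [p for p in map(self.listen, self.ports) if p is not None]

    def stop(self):
        for s in self.sockets:
            s.close()


def probe(port, host="127.0.0.1"):
    """Play the scanner: connect, read until the decoy hangs up, return the byte count."""
    received = 0
    with socket.create_connection((host, port), timeout=5) as c:
        while True:
            data = c.recv(65536)
            if not data:
                return received
            received += len(data)


if __name__ == "__main__":
    hp = Honeypot([0], bind="127.0.0.1")    # port 0: the kernel picks a free loopback port
    port = hp.start()[0]
    print("decoy bytes received:", probe(port))
    print("blacklisted:", sorted(hp.blacklist), "->", " ".join(hp.ban_command("127.0.0.1")))
    hp.stop()
```

Run as root with a real port list (for instance the ones in the netstat output) and dry_run=False to actually insert rules; a port already held by a genuine service is skipped rather than aborting start-up, which is the situation the 0.1.1 changelog's "granularity if port was in use" item addresses.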
In addition to the honeypot, Artillery monitors file integrity: it keeps a SHA-512 hash database of the files under the monitored directories and, if anything changes, emails you the change. By default it monitors /etc/ and /var/www. Artillery also monitors the SSH logs and, in the event of a brute force attack, blacklists the host forever.
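The two monitors in the paragraph above, as an added example in Python (not Artillery's own code): a SHA-512 baseline over a directory tree with a diff that reports added, removed and modified files, and a per-source count of failed SSH logins that returns the hosts over a threshold. The directory walked is a scratch copy built in a temporary directory and the auth.log lines are constructed for the example; the regular expression matches OpenSSH's "Failed password" line format, and the threshold of 5 failures is an arbitrary choice for the example, not a value from Artillery.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter


def sha512_file(path, chunk=65536):
    """SHA-512 of one file, read in chunks so large files are not loaded into memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(roots):
    """Map every regular file under the monitored roots to its SHA-512 hex digest."""
    baseline = {}
    for root in roots:
        if not os.path.isdir(root):          # folder may not exist on this platform: skip it
            continue
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue                  # skip symlinks, sockets, devices
                try:
                    baseline[path] = sha512_file(path)
                except OSError:
                    pass                      # unreadable file: leave it out rather than abort
    return baseline


def diff_baseline(old, new):
    """Return (added, removed, modified) path lists between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, modified


# OpenSSH auth.log failure line; the IPv4 source address is the only capture group.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})"
)


def brute_forcers(log_lines, threshold=5):
    """Source IPs with at least `threshold` failed SSH logins: the candidates to blacklist."""
    failures = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    return sorted(ip for ip, n in failures.items() if n >= threshold)


# Constructed sample auth.log lines (not real traffic): one host fails five times,
# another fails twice and then logs in with a key.
SAMPLE_AUTH_LOG = [
    "Nov  1 10:00:01 host sshd[1234]: Failed password for root from 198.51.100.7 port 40001 ssh2",
    "Nov  1 10:00:02 host sshd[1235]: Failed password for root from 198.51.100.7 port 40002 ssh2",
    "Nov  1 10:00:03 host sshd[1236]: Failed password for invalid user admin from 198.51.100.7 port 40003 ssh2",
    "Nov  1 10:00:04 host sshd[1237]: Failed password for invalid user oracle from 198.51.100.7 port 40004 ssh2",
    "Nov  1 10:00:05 host sshd[1238]: Failed password for root from 198.51.100.7 port 40005 ssh2",
    "Nov  1 10:05:00 host sshd[1300]: Failed password for alice from 203.0.113.9 port 50001 ssh2",
    "Nov  1 10:05:03 host sshd[1301]: Failed password for alice from 203.0.113.9 port 50002 ssh2",
    "Nov  1 10:05:09 host sshd[1302]: Accepted publickey for alice from 203.0.113.9 port 50003 ssh2",
]


def demo_integrity_check():
    """Baseline a scratch 'etc', then tamper: one file changed, one added, one deleted."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, text):
            with open(os.path.join(root, name), "w") as f:
                f.write(text)
        write("passwd", "root:x:0:0:root:/root:/bin/bash\n")
        write("hosts", "127.0.0.1 localhost\n")
        before = build_baseline([root])
        write("passwd", "root:x:0:0:root:/root:/bin/bash\neve:x:0:0::/home/eve:/bin/bash\n")
        write("backdoor.conf", "allow-all\n")
        os.remove(os.path.join(root, "hosts"))
        added, removed, modified = diff_baseline(before, build_baseline([root]))
        return ([os.path.basename(p) for p in added],
                [os.path.basename(p) for p in removed],
                [os.path.basename(p) for p in modified])


if __name__ == "__main__":
    print("tampering (added, removed, modified):", demo_integrity_check())
    print("SSH brute-force sources:", brute_forcers(SAMPLE_AUTH_LOG))
```

In production the baseline would be persisted (Artillery keeps its hash database on disk) and build_baseline(["/etc", "/var/www"]) rerun on a schedule, with the diff mailed out; note that a baseline taken after a compromise will happily report the attacker's changes as normal, so take it from a known-good system.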
By default Artillery installs to /var/artillery and the config file is /var/artillery/config.
Changes and Features made in Artillery 0.1.1 alpha
- removed the majority of imports in artillery.py
- added better handling over missing folders
- fixed the installer
- added better wording around what changes were detected
- added time changes were detected
- removed __init__.py, not needed
- added directory checking for monitored folders, since different platforms may not have the exact same folders
- changed the port range to be read from the config rather than hardcoded in src/honeypot.py; the config now generates the port ranges
- added granularity if a port was already in use
- added generation of a random character sequence upon connect; a string of between 5 and 30000 characters is sent to the attacker, which should be confusing :)
- added src/harden.py which now checks for base configurations on a linux system that may be insecure in nature
- added a check in harden.py of the SSH log to see if SSH is running on the default port 22 and if it is running as root
- added a check of /var/www to check permissions and whether the files are owned by root
- removed some unnecessary code in install and piped subprocess output to stdout and stderr instead of /dev/null
- added option to checkout svn during install, this will keep artillery up-to-date
- added automatic-updating when artillery is launched
- added threading to automatic-update to remove any delay that might happen if Internet isn’t working
Download Artillery
Artillery v0.1.1 alpha (checkout via svn):
svn co http://svn.secmaniac.com/artillery artillery/