Artillery is a project started by Dave (ReL1K) Kennedy with the aim of securing a Linux web server.
Its description reads:
Artillery is a honeypot/monitoring/prevention tool used to protect Linux-based systems. Artillery will set up multiple ports on the *nix system, and if anything touches them, it will automatically blacklist them. In addition, it monitors the filesystem for changes and emails the changes back to you. It also detects SSH brute force attacks and automatically blocks them as well.
It can’t really be categorized as a honeypot, since it doesn’t allow any interaction with the system, but I wanted to give it a try as an intrusion prevention tool and use it to secure a VPS that I use for project hosting. Artillery essentially does three things: 1) it opens various ports on the system and watches for connections; if someone touches them, it automatically adds an iptables DROP rule for that IP; 2) it checks the SSH logs for brute-force attempts and bans the abusing IP as well; 3) it can monitor folders, for example /var/www/, for changes.
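To make the second of these mechanisms concrete, here is an added example (my own code, not Artillery’s) of the SSH brute-force detection idea: count failed password attempts per source IP in auth.log lines, apply a threshold and a whitelist, and build the iptables DROP rules a banner would apply. The log lines are constructed samples, the threshold and the whitelist are my assumptions, and nothing is executed against the firewall.

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH auth.log format (not captured traffic).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 vps sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:04 vps sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 10:01:06 vps sshd[2215]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 10:01:07 vps sshd[2218]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 10:01:09 vps sshd[2220]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 10:02:00 vps sshd[2230]: Failed password for bob from 198.51.100.20 port 40001 ssh2
Mar  3 10:02:30 vps sshd[2231]: Accepted publickey for bob from 198.51.100.20 port 40002 ssh2
Mar  3 10:03:00 vps sshd[2240]: Connection closed by 192.0.2.9 [preauth]
"""

# Matches both "Failed password for root from ..." and "... for invalid user admin from ...".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return a Counter of failed SSH password attempts per source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def select_bans(failures, threshold, whitelist=()):
    """IPs at or above the threshold, minus whitelisted admin addresses (so you
    do not lock yourself out); sorted for stable output."""
    return sorted(ip for ip, n in failures.items()
                  if n >= threshold and ip not in whitelist)


def drop_rules(ips):
    """Build the iptables DROP rules an Artillery-style banner would insert.
    Returned as argv lists; this function executes nothing."""
    return [["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"] for ip in ips]


if __name__ == "__main__":
    failures = count_failures(SAMPLE_AUTH_LOG)
    # Threshold of 4 and the whitelisted admin IP are assumptions for this example.
    bans = select_bans(failures, threshold=4, whitelist={"198.51.100.20"})
    for rule in drop_rules(bans):
        print(" ".join(rule))
```

Run stand-alone it prints a single DROP rule for 203.0.113.7; the legitimate user who mistyped a password once stays unbanned because of both the threshold and the whitelist.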
Let’s use Artillery and see it in action. I’m using Debian 6 but the same would apply to any other distribution.
Installation is pretty straightforward:
1. First of all, you will need Subversion (SVN):
apt-get install subversion
2. Download the latest version of Artillery:
svn co http://svn.secmaniac.com/artillery artillery/
3. Run the installer (as root). Select “no” when asked whether to start Artillery now:
python install.py
This will install Artillery in /var/artillery. Take note of this, because the downloaded files are no longer needed (you can delete them) and any configuration has to be made in the new directory.
Take a look at the /var/artillery/config file, where you can set various options. Read the comments above each choice and it should be pretty straightforward. The PORTS variable is the most interesting one, since these are the ports Artillery will bind to and listen on for connections. One thing to notice here is that Artillery has MySQL’s port 3306 in the list, so if you run a MySQL server be sure to remove it. The same applies to some other common ports like 21 (FTP), 22 (SSH) and 53 (DNS). A note on SSH: in order not to interfere with Artillery at all and accidentally lock yourself out of the system, I recommend changing your SSH port anyway (for example to 2222). In general, be careful with the automatic lockout feature (don’t test it by connecting to dummy ports on your own system, because you will be banned).
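The port-clash and lockout warnings above are easy to get wrong by hand, so here is an added example (my own code, not part of Artillery) of a pre-flight check: it reads the PORTS list out of a config excerpt and compares it with the TCP listeners reported by `netstat -antp`. The `PORTS="..."` line format, the port values and the netstat excerpt are all constructed for the example; Artillery’s real config may differ, so treat the parser as an assumption.

```python
import re

# Constructed config excerpt in the style of Artillery's PORTS setting
# (the exact format and port values are assumed, not copied from the project).
SAMPLE_CONFIG = '''
# Ports Artillery will bind to and watch for connections (constructed sample)
PORTS="21,22,25,53,110,1433,1723,3306,5800,5900,8080,10000,44443"
'''

# Constructed excerpt of `netstat -antp` output: sshd moved to 2222, MySQL
# bound to localhost, Apache on 80, plus one established client connection.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1021/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1100/apache2
tcp        0      0 10.0.0.5:80             203.0.113.44:52311      ESTABLISHED 1104/apache2
"""


def parse_ports_setting(config_text):
    """Extract the set of integer ports from a PORTS="a,b,c" line (assumed format)."""
    m = re.search(r'^PORTS\s*=\s*"([^"]*)"', config_text, re.MULTILINE)
    if not m:
        raise ValueError("no PORTS setting found")
    return {int(p) for p in m.group(1).split(",") if p.strip()}


def listening_ports(netstat_text):
    """Map each TCP port in LISTEN state to the PID/program netstat reports.
    Works for tcp and tcp6 rows; rsplit handles IPv6 addresses with colons."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 7 and fields[0].startswith("tcp") and fields[5] == "LISTEN":
            port = int(fields[3].rsplit(":", 1)[1])
            listeners[port] = fields[6]
    return listeners


def port_conflicts(config_text, netstat_text):
    """Ports Artillery would try to claim that a real service already owns."""
    wanted = parse_ports_setting(config_text)
    listeners = listening_ports(netstat_text)
    return {p: listeners[p] for p in sorted(wanted) if p in listeners}


def ssh_port_watched(config_text, ssh_port=22):
    """True when the port you actually use for SSH is in the honeypot list,
    i.e. your own logins would get you banned."""
    return ssh_port in parse_ports_setting(config_text)


if __name__ == "__main__":
    for port, prog in port_conflicts(SAMPLE_CONFIG, SAMPLE_NETSTAT).items():
        print(f"remove {port} from PORTS: already used by {prog}")
    for candidate in (22, 2222):
        print(f"SSH on {candidate} watched by Artillery: {ssh_port_watched(SAMPLE_CONFIG, candidate)}")
```

On the sample data the check flags 3306 (owned by mysqld) and shows that with sshd moved to 2222 the admin’s own SSH port is no longer in the honeypot list, while the default 22 still is, which is exactly the situation the post recommends.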
4. Reboot your system (if possible) or run the restart_server.py script. That’s it, you are ready. You can check that Artillery is running correctly using:
netstat -antp
where you should see something like this (sample):
One thing you will notice is that Artillery gets results very quickly. I think this is mostly due to port 445 (SMB), because from my experience with the Dionaea honeypot it receives a large amount of traffic from infected Windows computers.
While writing this post it had already banned some hosts:
5. You can check for banned IPs using:
iptables -L
and you will get a list of all the IPs (or hostnames, as they are auto-resolved) with their DROP rules. For a text-based list of all the IP addresses you can view the banlist.txt file, to which every banned IP is written.
Artillery is under active development, and hopefully new versions will include even more functionality. I think it is a simple-to-understand and promising tool for enhancing the security of a server. More results from its operation will be published in the future!