Starting with Artillery
Artillery is a combination of a honeypot, file monitoring and integrity, alerting, and brute force prevention tool. It’s extremely light weight, has multiple different methods for detecting specific attacks and eventually will also notify you of insecure nix configurations.
Installation of Artillery is currently really simple, download via svn, run the installer script, edit the config file (if necessary) and run:
$svn co http://svn.secmaniac.com/artillery artillery/
N.B. don’t make the same daft error I made initially by editing the files in the svn download. Once the installer.py script has been run, cd to /var/artillery.
Artillery goes beyond typical honeypots, as it actively blocks remote clients and protects the system it’s running on. Artillery listens on a number of common ports (configurable, look at the PORTS variable), if it receives a connection on any of the fake ports it permanently blocks the source IP address by adding a DROP rule to iptables.
From my experience Artillery gets results REALLY quickly. After getting the system online I performed a quick test from another host under my control and starting writing up this post; in the time it’s taken to write the content above Artillery has already added 8 addresses to iptables:
Chain INPUT (policy ACCEPT) target prot opt source destination DROP all -- host-31-42-163-53.pois.com.ua anywhere DROP all -- net242.187.188-2.oren.ertelecom.ru anywhere DROP all -- 94-21-36-156.pool.digikabel.hu anywhere DROP all -- 126.96.36.199 anywhere DROP all -- ras.beamtele.net anywhere DROP all -- dsl5401A8C9.pool.t-online.hu anywhere DROP all -- catv-178-48-151-67.catv.broadband.hu anywhere DROP all -- 188.8.131.52 anywhere
Other functionality included in Artillery mirrors that of Tripwire, monitoring the contents of different directories (again, configurable) and generating alerts if the contents of the directories and files changes.
I really like the premise of Artillery, and Dave in his usual fashion is coding like a madman adding fixes and new functionality (new version, 0.1.1 was released 24hrs after initial announcement). I’d be wary where you set this system up to test it though due to the automatic lockout; if Artillery is on a remote system, and you connect to a dummy port from your location to test you’ve just been locked out of your own server ;)
Looking forward to seeing Artillery mature, thanks Dave.