Archive for October, 2011

Starting with Artillery

On Friday I arrived home looking forward to a well-earned rest; unfortunately Dave Kennedy seemed to have other ideas for my weekend as he announced the alpha release of a new honeypot, Artillery.

Artillery is a combination of a honeypot, file monitoring and integrity checking, alerting, and brute-force prevention tool. It’s extremely lightweight, has multiple different methods for detecting specific attacks, and will eventually also notify you of insecure *nix configurations.

Installation of Artillery is currently really simple: download it via svn, run the installer script, edit the config file (if necessary) and run it:

$ svn co http://svn.secmaniac.com/artillery artillery/
$ ./installer.py
$ nano config
$ ./artillery.py

N.B. don’t make the same daft error I made initially and edit the files in the svn checkout: once the installer.py script has been run, the live copy is in /var/artillery, so cd there before editing config.

Artillery goes beyond typical honeypots in that it actively blocks remote clients and protects the system it’s running on. It listens on a number of common ports (configurable; look at the PORTS variable), and if it receives a connection on any of these fake ports it permanently blocks the source IP address by adding a DROP rule to iptables.

From my experience Artillery gets results REALLY quickly. After getting the system online I performed a quick test from another host under my control and started writing up this post; in the time it’s taken to write the content above, Artillery has already added 8 addresses to iptables:

Chain INPUT (policy ACCEPT)
target     prot opt source                                destination
DROP       all  --  host-31-42-163-53.pois.com.ua         anywhere
DROP       all  --  net242.187.188-2.oren.ertelecom.ru    anywhere
DROP       all  --  94-21-36-156.pool.digikabel.hu        anywhere
DROP       all  --  89.122.216.109                        anywhere
DROP       all  --  ras.beamtele.net                      anywhere
DROP       all  --  dsl5401A8C9.pool.t-online.hu          anywhere
DROP       all  --  catv-178-48-151-67.catv.broadband.hu  anywhere
DROP       all  --  176.14.205.91                         anywhere
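To make the blocking mechanism described above concrete, here is an added example of an Artillery-style decoy listener. It is not Artillery’s own code: it is a small Python sketch written for this post that listens on a handful of constructed decoy ports, and on the first connection from a source address builds an iptables DROP rule for it. It also does two things a practitioner would want that the text does not spell out: it keeps a record of banned addresses so each source gets exactly one rule, and it honours a whitelist so that testing a decoy port from your own management address does not lock you out. The port list, the whitelist and the `Banner` class name are all assumptions of this example, and the iptables runner is injectable so the logic can be exercised without root.

```python
# Added example (not Artillery's own code): a minimal Artillery-style
# "fake port" honeypot that bans the first client to touch any decoy port.
import ipaddress
import socket
import subprocess
import threading

# Decoy ports, constructed for this example; Artillery exposes its own PORTS setting.
DECOY_PORTS = [21, 23, 1433, 3389]

# Networks that must never be banned (the operator's own hosts), so that
# testing a decoy port from a management address does not lock you out.
WHITELIST = [ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("10.0.0.0/8")]


def is_whitelisted(addr, whitelist=WHITELIST):
    """True if addr falls inside any whitelisted network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in whitelist)


def block_rule(addr):
    """iptables command that drops all traffic from addr. It is inserted at the
    top of INPUT (-I) so it takes precedence over any earlier ACCEPT rules."""
    return ["iptables", "-I", "INPUT", "-s", str(ipaddress.ip_address(addr)), "-j", "DROP"]


class Banner:
    """Tracks banned addresses so each source gets exactly one DROP rule."""

    def __init__(self, whitelist=WHITELIST, runner=subprocess.run):
        self.banned = set()
        self.whitelist = whitelist
        self.runner = runner  # injectable so the logic can be tested without root
        self.lock = threading.Lock()

    def ban(self, addr):
        """Install a DROP rule for addr; return True only if a new rule was added."""
        if is_whitelisted(addr, self.whitelist):
            return False
        with self.lock:
            if addr in self.banned:
                return False
            self.banned.add(addr)
        self.runner(block_rule(addr), check=True)
        return True


def serve_decoy(port, banner):
    """Accept connections on one decoy port; every client is banned and dropped."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(5)
    while True:
        conn, (addr, _) = srv.accept()
        conn.close()  # nothing is spoken on a decoy port; the connection itself is the signal
        if banner.ban(addr):
            print(f"[artillery-demo] banned {addr} after touching port {port}")


if __name__ == "__main__":
    # Binding low ports and running iptables both require root.
    banner = Banner()
    for p in DECOY_PORTS:
        threading.Thread(target=serve_decoy, args=(p, banner), daemon=True).start()
    threading.Event().wait()  # run until interrupted
```

Running it as root starts one listener thread per decoy port; the whitelist is the part to get right before deploying anything like this on a remote box, for exactly the reason the post gives about locking yourself out.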

Other functionality included in Artillery mirrors that of Tripwire: it monitors the contents of different directories (again configurable) and generates alerts if the directories or the files within them change.

I really like the premise of Artillery, and Dave in his usual fashion is coding like a madman, adding fixes and new functionality (a new version, 0.1.1, was released 24 hours after the initial announcement). I’d be wary of where you set this system up to test it though, due to the automatic lockout: if Artillery is on a remote system and you connect to a dummy port from your own location to test it, you’ve just locked yourself out of your own server 😉

Looking forward to seeing Artillery mature, thanks Dave.

–Andrew Waite

Categories: Artillery, Honeypot