October 14, 2011
New Tool Release "Artillery" for Linux Protection
Written by David Kennedy
Penetration Testing
Security Testing & Analysis
Over the past few months I've been working on a side project in my spare time. I'm releasing the 0.1 alpha pre-release edition of Artillery. Artillery is a combination honeypot, file-monitoring and integrity, alerting, and brute-force prevention tool. It's extremely lightweight, has several different methods for detecting specific attacks, and will eventually also notify you of insecure *nix configurations.
It's written in Python, it's completely open source and free, as all the stuff I write is. You can download Artillery here:
svn co http://svn.secmaniac.com/artillery artillery/
To install, simply run ./install.py. This adds Artillery to bootup and starts it. To give a rundown of some of the features, here is a netstat before Artillery is running:
root@bt:~/Desktop/dev# netstat -antp | grep LISTEN
root@bt:~/Desktop/dev#
Here is a netstat after running Artillery:
root@bt:~# netstat -antp | grep LISTEN
tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:5800 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:1433 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:1337 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:44443 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:3389 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 29310/python
root@bt:~#
If anyone port scans or so much as touches one of those ports, they are blacklisted immediately and permanently. It's multi-threaded and can handle as many connections as are thrown at it. I did some extensive testing under heavy traffic loads on secmaniac.com and derbycon.com. In the first 3 days, it blocked over 387 individuals. Keep in mind that a permanent ban on first contact also catches legitimate sources that touch one of those ports, such as a vulnerability scanner you run yourself or an entire office sitting behind one NAT address, so know how to clear a ban before you deploy it.
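The honeypot behaviour described above, as an added example that is not Artillery's own code: a small multi-threaded listener in Python that binds a list of decoy ports and bans the source address of the first connection it accepts on any of them. The port list is the article's default PORTS value; the allowlist, the `apply_ban` callback and the exact iptables rule are my assumptions, added so that a scanner you run yourself does not lock you out and so the example runs without root.

```python
import socket
import subprocess
import threading
from ipaddress import ip_address, ip_network

# Decoy ports, taken from the article's default PORTS setting.
HONEYPOT_PORTS = [135, 445, 22, 1433, 3389, 8080, 21, 5900, 25, 53, 110,
                  3306, 1723, 1337, 10000, 5800, 44443]

# Assumed allowlist. A permanent ban on first contact also bans your own
# vulnerability scanner or an entire office behind one NAT address, so
# sources that must keep working are excluded before the ban logic runs.
DEFAULT_ALLOWLIST = [ip_network("127.0.0.0/8"), ip_network("10.0.0.0/8")]


def iptables_ban_command(ip):
    """argv for a rule that drops all traffic from `ip` (assumed rule form).
    Built as a list so it can be logged or run without a shell; not executed here."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


def run_iptables(argv):
    """Real ban action for a root-run deployment (needs iptables installed)."""
    subprocess.run(argv, check=True)


class Honeypot:
    """Accepts connections on decoy ports and bans each source address once.

    A completed TCP handshake means the source address is not trivially
    spoofed, which is what makes ban-on-connect defensible; bare SYN probes
    never reach accept() and are not counted.
    """

    def __init__(self, ports, bind_addr="0.0.0.0", apply_ban=None,
                 allowlist=DEFAULT_ALLOWLIST):
        self.ports = ports
        self.bind_addr = bind_addr
        # Default action only prints the rule, so the example runs unprivileged.
        self.apply_ban = apply_ban or (lambda argv: print("would run:", " ".join(argv)))
        self.allowlist = allowlist
        self.banned = set()
        self.events = []            # (ip, decoy port) for every accepted connection
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._servers = []

    def should_ban(self, ip):
        """True exactly once per address, never for allowlisted sources."""
        addr = ip_address(ip)
        if any(addr in net for net in self.allowlist):
            return False
        with self._lock:
            if ip in self.banned:
                return False        # one rule per address, not one per connection
            self.banned.add(ip)
            return True

    def _handle(self, conn, peer, port):
        ip = peer[0]
        try:
            with self._lock:
                self.events.append((ip, port))
            if self.should_ban(ip):
                self.apply_ban(iptables_ban_command(ip))
        finally:
            conn.close()            # nothing is ever sent back to the scanner

    def _serve(self, sock, port):
        sock.settimeout(0.5)        # wake up periodically to notice stop()
        while not self._stop.is_set():
            try:
                conn, peer = sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return              # socket closed by stop()
            threading.Thread(target=self._handle, args=(conn, peer, port),
                             daemon=True).start()

    def start(self):
        """Bind every decoy port; returns [(requested port, bound port)]."""
        bound = []
        for port in self.ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((self.bind_addr, port))
            s.listen(64)
            self._servers.append(s)
            bound.append((port, s.getsockname()[1]))
            threading.Thread(target=self._serve, args=(s, port), daemon=True).start()
        return bound

    def stop(self):
        self._stop.set()
        for s in self._servers:
            s.close()


if __name__ == "__main__":
    # Ports below 1024 need root; pass apply_ban=run_iptables to ban for real.
    hp = Honeypot(HONEYPOT_PORTS)
    hp.start()
    threading.Event().wait()
```

The ban is taken only after `accept()` returns, so an attacker cannot get a third party banned by spoofing SYNs at the decoy ports; the remaining risk is the one noted above, a legitimate host behind the same public address as a scanner, which is why the allowlist runs before the ban.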
In addition to the honeypot, it monitors file integrity using a SHA-512 hash database that tracks every file under the monitored folders; if anything changes, it emails you the change. By default it monitors /etc/ and /var/www.
Artillery also monitors the SSH logs and, in the event of a brute-force attack, blacklists the host forever.
All of this is configurable through the Artillery config file. By default Artillery installs to /var/artillery and the config file is /var/artillery/config. Since the config holds the Gmail password in plaintext, keep it readable by root only:
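The file-integrity check described above, as an added example rather than Artillery's own implementation: hash every regular file under the monitored folders with SHA-512, keep the result as a baseline, re-hash on a timer and report added, removed and modified paths. The folder list and 10-second frequency match the article's defaults; the symlink handling, the alert format and the in-memory baseline are my choices. The example runs against a scratch directory, so no real system paths are touched.

```python
import hashlib
import os
import socket
import time


def sha512_file(path, chunk_size=1 << 20):
    """SHA-512 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(folders):
    """Map every regular file under `folders` to its SHA-512 hex digest.

    Symlinks are skipped on purpose: following one planted in /var/www would
    make the monitor hash (and report on) a file outside the watched tree."""
    db = {}
    for folder in folders:
        for root, _dirs, files in os.walk(folder):
            for name in files:
                path = os.path.join(root, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                try:
                    db[path] = sha512_file(path)
                except OSError:
                    continue        # unreadable, or removed between walk and open
    return db


def diff_snapshots(old, new):
    """Return (added, removed, modified) as sorted path lists."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, modified


def format_alert(added, removed, modified, host=None):
    """Plain-text body for the email alert; empty string when nothing changed."""
    if not (added or removed or modified):
        return ""
    lines = ["Artillery file-integrity alert on %s" % (host or socket.gethostname())]
    for label, paths in (("ADDED", added), ("REMOVED", removed), ("MODIFIED", modified)):
        for p in paths:
            lines.append("%-8s %s" % (label, p))
    return "\n".join(lines)


def monitor(folders, frequency, alert, rounds=None, sleep=time.sleep):
    """Take a baseline, then re-hash every `frequency` seconds and call
    `alert(body)` on change. The baseline is rolled forward after each alert
    so a change is reported once, not on every cycle. `rounds` limits the
    loop (None = run forever); `sleep` is injectable so a test can drive it.
    Returns the final baseline."""
    baseline = snapshot(folders)
    done = 0
    while rounds is None or done < rounds:
        sleep(frequency)
        current = snapshot(folders)
        body = format_alert(*diff_snapshots(baseline, current))
        if body:
            alert(body)
            baseline = current
        done += 1
    return baseline


if __name__ == "__main__":
    # Article defaults: MONITOR_FOLDERS="/var/www","/etc/", MONITOR_FREQUENCY=10
    monitor(["/var/www", "/etc/"], 10, print)
```

Two caveats follow from the design rather than from anything specific to Artillery: the baseline is whatever the files look like when the monitor starts, so it only proves that nothing changed since then, not that the box was clean; and a hash database stored on the same host can be rewritten by anyone who has already gained root, so a copy kept somewhere the monitored host cannot write is the only one worth trusting after an incident.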
#############################################################################################
#
# This is the Artillery configuration file. Change these variables and flags to change how
# this behaves.
#
#############################################################################################
#
# DETERMINE IF YOU WANT TO MONITOR OR NOT
MONITOR=YES
#
# THESE ARE THE FOLDERS TO MONITOR, TO ADD MORE, JUST DO "/root","/var/", etc.
MONITOR_FOLDERS="/var/www","/etc/"
#
# BASED ON SECONDS, 2 = 2 seconds.
MONITOR_FREQUENCY=10
#
# PORTS TO SPAWN HONEYPOT FOR
PORTS="135,445,22,1433,3389,8080,21,5900,25,53,110,3306,1723,1337,10000,5800,44443"
#
EMAIL_ALERTS=OFF
#
# CURRENT SUPPORT IS FOR GMAIL ONLY, ENTER YOUR GMAIL USERNAME AND PASSWORD HERE
GMAIL_USERNAME="[email protected]"
#
# ENTER THE GMAIL PASSWORD HERE
GMAIL_PASSWORD="SETHERE"
#
# ENTER THE EMAIL ADDRESS TO RECEIVE THE ALERT
ALERT_USER_EMAIL="[email protected]"
#
# DO YOU WANT TO MONITOR SSH BRUTE FORCE ATTEMPTS
SSH_BRUTE_MONITOR=ON
#
# HOW MANY ATTEMPTS BEFORE YOU BAN
SSH_BRUTE_ATTEMPTS=4
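Two of the settings above, SSH_BRUTE_MONITOR and SSH_BRUTE_ATTEMPTS, drive the SSH brute-force feature described earlier. The following is an added example, not Artillery's own code: it reads a config in the format shown (my own reading of that format: YES/ON and NO/OFF become booleans, bare digits become integers, quoted comma-separated values become lists) and applies the attempt threshold to a handful of constructed sshd auth.log lines. The log lines, the 203.0.113.0/24 and 198.51.100.0/24 addresses and the iptables rule form are all constructed for the example.

```python
import re
from collections import Counter

# Constructed config in the article's format. The keys are real Artillery
# settings; the values are example values.
SAMPLE_CONFIG = """
# DO YOU WANT TO MONITOR SSH BRUTE FORCE ATTEMPTS
SSH_BRUTE_MONITOR=ON
#
# HOW MANY ATTEMPTS BEFORE YOU BAN
SSH_BRUTE_ATTEMPTS=4
MONITOR_FOLDERS="/var/www","/etc/"
PORTS="135,445,22"
"""

# Constructed sshd lines in Debian/Ubuntu auth.log style. Only "Failed
# password" lines are counted: the "Invalid user ... from" line sshd also
# logs for unknown users would otherwise double count a single attempt.
SAMPLE_AUTH_LOG = [
    "Oct 14 03:11:01 web sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Oct 14 03:11:02 web sshd[2201]: Invalid user admin from 203.0.113.5 port 51236",
    "Oct 14 03:11:02 web sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2",
    "Oct 14 03:11:03 web sshd[2207]: Accepted publickey for deploy from 192.0.2.10 port 40112 ssh2",
    "Oct 14 03:11:04 web sshd[2201]: Failed password for root from 203.0.113.5 port 51238 ssh2",
    "Oct 14 03:11:05 web sshd[2209]: Failed password for root from 198.51.100.7 port 60001 ssh2",
    "Oct 14 03:11:05 web sshd[2201]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Oct 14 03:11:06 web sshd[2201]: Failed password for root from 203.0.113.5 port 51242 ssh2",
    "Oct 14 03:11:07 web sshd[2209]: Failed password for oracle from 198.51.100.7 port 60003 ssh2",
]


def _coerce(value):
    """Assumed value rules: ON/YES -> True, OFF/NO -> False, digits -> int,
    quoted items -> list (split on commas, numeric items converted)."""
    upper = value.upper()
    if upper in ("YES", "ON"):
        return True
    if upper in ("NO", "OFF"):
        return False
    if value.isdigit():
        return int(value)
    if '"' in value:
        items = []
        for quoted in re.findall(r'"([^"]*)"', value):
            items.extend(part.strip() for part in quoted.split(",") if part.strip())
        return [int(i) if i.isdigit() else i for i in items]
    return value


def parse_config(text):
    """KEY=VALUE lines; blank lines and lines starting with # are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = _coerce(value.strip())
    return cfg


FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")


def iptables_ban_command(ip):
    """Assumed rule form; returned as argv, never executed here."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


class SSHBruteMonitor:
    """Counts failed logins per source address and bans at the threshold."""

    def __init__(self, attempts, on_ban):
        self.attempts = attempts
        self.on_ban = on_ban            # called once with the iptables argv
        self.failures = Counter()
        self.banned = set()

    def feed(self, line):
        """Process one log line; returns the IP if this line triggered a ban."""
        m = FAILED_RE.search(line)
        if m is None:
            return None
        ip = m.group("ip")
        if ip in self.banned:
            return None                 # already banned, no second rule
        self.failures[ip] += 1
        if self.failures[ip] >= self.attempts:
            self.banned.add(ip)
            self.on_ban(iptables_ban_command(ip))
            return ip
        return None


def run(config_text, lines, on_ban):
    """Wire the config to the monitor; returns (config, monitor or None)."""
    cfg = parse_config(config_text)
    if not cfg.get("SSH_BRUTE_MONITOR", False):
        return cfg, None
    mon = SSHBruteMonitor(cfg["SSH_BRUTE_ATTEMPTS"], on_ban)
    for line in lines:
        mon.feed(line)
    return cfg, mon


if __name__ == "__main__":
    run(SAMPLE_CONFIG, SAMPLE_AUTH_LOG, lambda argv: print("would run:", " ".join(argv)))
```

With the article's default of four attempts, 203.0.113.5 is banned on its fourth failure and its fifth line is ignored, while 198.51.100.7 stays at two failures and is never banned. Note that the counter never decays, so with a permanent ban a source that fails four times over a month is treated the same as one that fails four times in a second; that is the behaviour the article describes, and the trade-off a deployer should know about.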
Why write this? I looked at a lot of the honeypot/monitoring tools out there and they are extremely complex to learn. I wanted to write something simple that I know does a good job of weeding out some of the simplistic attacks, and to keep it very lightweight. No external third-party modules were used in developing Artillery; it is written purely in Python.
Enjoy, much more to come on this.