co4ie Posted October 15, 2011

Over the past few months I've been working on a side project when I had some spare time. I'm releasing the 0.1 alpha pre-release edition of Artillery. Artillery is a combination of a honeypot, file monitoring and integrity, alerting, and brute force prevention tool. It's extremely lightweight, has multiple different methods for detecting specific attacks and eventually will also notify you of insecure *nix configurations.

It's written in Python, it's completely open-source and free, as all the stuff I write is. You can download Artillery here:

svn co http://svn.secmaniac.com/artillery artillery/

To install, simply run ./install.py. This will add Artillery to bootup and start Artillery.

To give a run down of some of the features. Here is a netstat before:

root@bt:~/Desktop/dev# netstat -antp | grep LISTEN
root@bt:~/Desktop/dev#

Here is a netstat after running Artillery:

root@bt:~# netstat -antp | grep LISTEN
tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:5800 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:1433 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:1337 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:44443 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:3389 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 29310/python
root@bt:~#

If anyone decides to port scan or touch those ports, they are blacklisted immediately and permanently.

It's multi-threaded and can handle as many connections as are thrown at it. I did some extensive testing under heavy traffic loads on secmaniac.com and derbycon.com. In the first 3 days, it blocked over 387 individuals.

In addition to the monitoring, it will also monitor file integrity leveraging a SHA-512 database where it keeps track of all system files and, if anything changes, will email you with the change. By default it monitors /etc/ and /var/www.

Artillery also monitors the SSH logs and, in the event of a brute force attack, blacklists the host forever.

All of this is configurable through the Artillery config. By default Artillery installs in /var/artillery and the config file is located at /var/artillery/config:

###############################################################################
# This is the Artillery configuration file. Change these variables and flags to change how
# this behaves.
###############################################################################
#
# DETERMINE IF YOU WANT TO MONITOR OR NOT
MONITOR=YES
#
# THESE ARE THE FOLDERS TO MONITOR, TO ADD MORE, JUST DO "/root","/var/", etc.
MONITOR_FOLDERS="/var/www","/etc/"
#
# BASED ON SECONDS, 2 = 2 seconds.
MONITOR_FREQUENCY=10
#
# PORTS TO SPAWN HONEYPOT FOR
PORTS="135,445,22,1433,3389,8080,21,5900,25,53,110,3306,1723,1337,10000,5800,44443"
#
EMAIL_ALERTS=OFF
#
# CURRENT SUPPORT IS FOR GMAIL ONLY, ENTER YOUR GMAIL USERNAME AND PASSWORD HERE
GMAIL_USERNAME="thisisjustatest@gmail.com"
#
# ENTER THE GMAIL PASSWORD HERE
GMAIL_PASSWORD="SETHERE"
#
# ENTER THE EMAIL ADDRESS TO RECEIVE THE ALERT
ALERT_USER_EMAIL="user@whatever.com"
#
# DO YOU WANT TO MONITOR SSH BRUTE FORCE ATTEMPTS
SSH_BRUTE_MONITOR=ON
#
# HOW MANY ATTEMPTS BEFORE YOU BAN
SSH_BRUTE_ATTEMPTS=4

Why write this? I looked at a lot of the honeypot/monitoring tools out there and they are extremely complex to learn. I wanted to write something simple that I know does a good job of weeding out some of the simplistic attacks and keep it very lightweight. No external third party modules were used in developing Artillery. It is written purely in Python.

Enjoy, much more to come on this.

Source
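The post describes two of Artillery's detections without showing how they work: counting failed SSH logins per source until SSH_BRUTE_ATTEMPTS is reached, and keeping a SHA-512 database of files under MONITOR_FOLDERS so that any change can be reported. The following is an added, stand-alone illustration of both mechanisms written for this page; it is not Artillery's code and does not reproduce its internals. The auth log lines, the file names under the throwaway directory and the function names are all constructed for the example, and it reports changes instead of emailing or blacklisting.

```python
# Added example (not Artillery's own code): a minimal stand-in for two of the
# detections the post describes, SSH brute-force counting over auth log lines
# and a SHA-512 file-integrity baseline with change reporting. All names,
# paths and the sample log are constructed for this illustration.
import hashlib
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# OpenSSH "Failed password" lines as sshd writes them to auth.log; captures the source IP.
SSH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample: one host fails five times, another twice, one login succeeds.
SAMPLE_AUTH_LOG = [
    "Oct 15 10:01:01 bt sshd[2011]: Failed password for root from 203.0.113.5 port 51002 ssh2",
    "Oct 15 10:01:03 bt sshd[2011]: Failed password for root from 203.0.113.5 port 51003 ssh2",
    "Oct 15 10:01:04 bt sshd[2014]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2",
    "Oct 15 10:01:05 bt sshd[2011]: Failed password for root from 203.0.113.5 port 51004 ssh2",
    "Oct 15 10:01:07 bt sshd[2011]: Failed password for root from 203.0.113.5 port 51005 ssh2",
    "Oct 15 10:01:08 bt sshd[2014]: Failed password for invalid user admin from 198.51.100.7 port 40212 ssh2",
    "Oct 15 10:01:09 bt sshd[2011]: Failed password for root from 203.0.113.5 port 51006 ssh2",
    "Oct 15 10:02:00 bt sshd[2020]: Accepted publickey for ops from 192.0.2.9 port 39000 ssh2",
]


def ssh_brute_offenders(log_lines, threshold=4):
    """Return the set of source IPs with at least `threshold` failed SSH logins.

    `threshold` plays the role of SSH_BRUTE_ATTEMPTS in the config shown above.
    """
    failures = Counter()
    for line in log_lines:
        match = SSH_FAIL_RE.search(line)
        if match:
            failures[match.group(1)] += 1
    return {ip for ip, count in failures.items() if count >= threshold}


def sha512_file(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(folders):
    """Map every regular file under `folders` (recursively) to its SHA-512 hex digest."""
    baseline = {}
    for folder in folders:
        for path in Path(folder).rglob("*"):
            if path.is_file() and not path.is_symlink():
                baseline[str(path)] = sha512_file(path)
    return baseline


def compare_baseline(old, new):
    """Report added, removed and modified paths between two baselines."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def demo_integrity_check():
    """Baseline a throwaway directory, tamper with it, and return the change report
    keyed by file name so the result does not depend on the temporary path."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        before = build_baseline([etc])

        # Simulated tampering: an appended line, a deleted file and a new file.
        with open(etc / "passwd", "a") as fh:
            fh.write("backdoor:x:0:0::/:/bin/bash\n")
        (etc / "hosts").unlink()
        (etc / "ld.so.preload").write_text("/tmp/evil.so\n")
        after = build_baseline([etc])

        report = compare_baseline(before, after)
        return {kind: [os.path.basename(p) for p in paths] for kind, paths in report.items()}


if __name__ == "__main__":
    print("SSH offenders:", sorted(ssh_brute_offenders(SAMPLE_AUTH_LOG, threshold=4)))
    print("Integrity changes:", demo_integrity_check())
```

Run as a script it prints the single host that crossed the four-attempt threshold and a report listing passwd as modified, hosts as removed and ld.so.preload as added. In a real deployment the baseline dictionary would be persisted between runs and the comparison repeated every MONITOR_FREQUENCY seconds; note that a process already running as root could alter the stored baseline as easily as the files, so the database is only trustworthy if it lives somewhere the monitored host cannot rewrite.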