Securing a server with Artillery

Artillery is a project started by Dave (ReL1K) Kennedy with the aim of securing a Linux web server.

Its description reads:

Artillery is a honeypot/monitoring/prevention tool used to protect Linux-based systems. Artillery will setup multiple ports on the nix system and if anything touches it will automatically blacklist them. In addition, it monitors the filesystem for changes and emails the changes back to you. It also detects SSH brute force attacks and automatically blocks them as well.

It can’t really be categorized as a honeypot, since it doesn’t allow any interaction with the system, but I wanted to give it a try as an intrusion prevention tool and secure a VPS that I use for project hosting. Artillery essentially does three things: 1) it opens various ports on the system and watches for connections; if someone abuses them, it automatically adds a DROP iptables rule for that IP. 2) It checks the SSH logs for brute force attempts and bans the abusing IP as well. 3) It can monitor some folders for changes, for example /var/www/.

Let’s use Artillery and see it in action. I’m using Debian 6 but the same would apply to any other distribution.

Installation is pretty straightforward:

1. First of all you will need SVN:

apt-get install subversion

2. Download the latest version of Artillery:

svn co http://svn.secmaniac.com/artillery artillery/

3. Run the installer (as root). Select no when asked to start Artillery now:

python install.py

This will install Artillery at /var/artillery. Take note of this, because the downloaded files are no longer useful (you can delete them) and any configuration has to be made in the new directory.

Take a look at the /var/artillery/config file, where you can set various options. Read the comments above each option and it should be pretty straightforward. The PORTS variable is the most interesting one, since these are the ports Artillery will bind to and listen on for connections. One thing to notice here is that Artillery has MySQL’s port 3306 in the list, so if you run a MySQL server be sure to remove it. The same applies to other common ports you actually use, such as 21 (FTP), 22 (SSH) and 53 (DNS). A note on SSH: in order not to interfere with Artillery at all and accidentally lock yourself out of the system, I recommend changing your SSH port anyway (for example to 2222). In general, be careful with the automatic lockout feature: don’t test it by logging into dummy ports on your own system, because you will be banned.

4. Reboot your system (if possible) or run the restart_server.py script. That’s it, you are ready. You can check that Artillery works correctly using:

netstat -antp

where you should see something like this (sample):

One thing you will notice is that Artillery gets results very quickly. I think this is mostly due to port 445 (SMB): from my experience with the Dionaea honeypot, it gets a large amount of traffic from infected Windows computers.

While writing this post it had already banned some hosts:

5. You can check for banned IPs using:

iptables -L

and you will get a list of all the IPs (or hostnames, as they are auto-resolved) with their DROP rules. For a plain-text list of all the IP addresses you can view the banlist.txt file, to which every banned IP is written.
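To make the port-touch banning described in steps 1 to 5 concrete, here is a toy re-implementation written for this post; it is not Artillery’s own code. It binds a set of decoy ports, records whoever connects, builds the iptables DROP rule (returned as an argv list rather than executed) and appends the IP to a banlist.txt-style file. The PORTS list is constructed to resemble the config, and the WHITELIST is this example’s own assumption, added as a guard against the lockout caveat above.

```python
import ipaddress
import selectors
import socket

# Constructed: PORTS mirrors /var/artillery/config; the whitelist is this example's own lockout guard.
PORTS = [135, 445, 1433, 3306]
WHITELIST = ["127.0.0.1", "10.0.0.0/8"]

def is_whitelisted(ip, whitelist):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in whitelist)

def drop_rule(ip):
    """The iptables DROP rule Artillery adds for an abusing IP, as an argv list (not run here)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]

class Banlist:
    """Tracks banned IPs and appends each new one to a banlist.txt-style file."""
    def __init__(self, whitelist=WHITELIST, path=None):
        self.whitelist, self.path, self.banned = whitelist, path, []

    def ban(self, ip):
        if is_whitelisted(ip, self.whitelist) or ip in self.banned:
            return None  # never ban an admin host, never add a duplicate rule
        self.banned.append(ip)
        if self.path:
            with open(self.path, "a") as fh:
                fh.write(ip + "\n")
        return drop_rule(ip)

def bind_ports(ports, host="0.0.0.0"):
    """Bind every decoy port; return the selector that owns the listening sockets."""
    sel = selectors.DefaultSelector()
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen(5)
        s.setblocking(False)
        sel.register(s, selectors.EVENT_READ)
    return sel

def poll_once(sel, banlist, timeout=2.0):
    """Accept whatever touched a decoy port, ban the peer, return the rules to apply."""
    rules = []
    for key, _ in sel.select(timeout=timeout):
        conn, (peer, _) = key.fileobj.accept()
        conn.close()  # zero interaction: only the source address matters
        if rule := banlist.ban(peer):
            rules.append(rule)
    return rules
```

Binding the real low ports in PORTS needs root, so try it on high ports first, and keep your own admin address in the whitelist before you let it run a real iptables command.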

Artillery is still being developed and hopefully new versions will include even more functionality. I think it is a simple-to-understand and promising tool for enhancing the security of a server. More results from its operation will be published in the future!

Comments

  1. Did you have any issues with setting Artillery up as a service on Debian? When I installed via the install script it created an issue since Debian 6.0+ doesn’t use update-rc.d for service management. Did you notice the same issue?

      Ion (Author) on February 28, 2012 at 10:45 AM

      Hello ch33se. Not really, as I remember. I’ve stopped using Artillery since then to set up a malware honeypot on that VPS… Your best bet would be to poke @dave_rel1k on twitter and ask 🙂

    tuwi on January 6, 2014 at 2:15 AM

    I had some issues, as the syslog feature didn’t work and the auto-ban feature also didn’t quite do the job.
    When I stop and start it, it would create two chains and reload the entire list.
    I don’t know if this thing really works as they advertise it.

      Hello tuwi. I have not played around with Artillery for a long time now.

      But it seems to be maintained. I think it’s better to file an issue through GitHub: https://github.com/trustedsec/artillery/

      Regards,
      Ion

  1. […] highlighted in Brute Force Lab’s blog [2], Artillery cannot be really categorised as a honeypot since it doesn’t allow any interaction […]
