How to set up a honeypot with artillery
If you want to make your system more secure you can use a honeypot. A honeypot is a program that detects, misleads and traps an attacker. In this article I will show you an example of a honeypot called artillery. Artillery is a very simple honeypot, easy to use and (in my opinion) very effective. It opens a few ports, and if someone tries to connect to one of these ports, he/she is banned immediately. Artillery can also monitor folders for changes or monitor the ssh server for brute-force attacks and ban the attackers.
To download artillery you can use subversion or git. Either of the following commands will download artillery to a folder named artillery.
svn co http://svn.secmaniac.com/artillery artillery/
git clone https://github.com/trustedsec/artillery/ artillery/
To install artillery simply enter the following command.
sudo ./setup.py install
During the installation process you will be asked a few questions.
Do you want to install Artillery and have it automatically run when you restart [y/n]:
Do you want to keep Artillery updated? (requires internet) [y/n]:
Would you like to start Artillery now? [y/n]:
I answered every question with yes, but feel free to answer the questions as you like. Let’s have a look at the configuration file, which is located at
The following lines are an excerpt of the config file.
# DO YOU WANT TO TURN ON THE HONEYPOT
# DO YOU WANT TO AUTOMATICALLY BAN ON THE HONEYPOT
# WHITELIST IP ADDRESSES, SPECIFY BY COMMAS ON WHAT IP ADDRESSES YOU WANT TO WHITELIST
# PORTS TO SPAWN HONEYPOT FOR
# DO YOU WANT TO MONITOR SSH BRUTE FORCE ATTEMPTS
# HOW MANY ATTEMPTS BEFORE YOU BAN
The most important lines are the whitelist and ports lines. Add every IP address that should not be affected by the honeypot to the whitelist. All ports in the port list will be monitored by artillery. I recommend using common ports like 21 (FTP), 23 (Telnet), etc., because port scanners often scan these ports by default. If a host that is not on the whitelist tries to connect to one of these ports, it will be banned immediately. Configure artillery so that it suits your requirements.
Now let’s restart artillery and have a look at what happens if a host tries to connect to a monitored port. To restart artillery we can use the restart script.
Let’s try to connect to port 21 with a host that is not on the whitelist. You can use telnet for that purpose:
telnet IP-ADDRESS PORT
All we get is a bunch of random characters. OK, let’s try it again and see what happens:
Nothing. We’re banned and are no longer able to connect to any port on the monitored host. To remove the ban you can use the remove_ban script.
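To make the two ban rules from the configuration section concrete (ban any non-whitelisted host that touches a decoy port, ban an ssh source once it reaches the failed-login threshold), here is a stripped-down model of them. This is an added example and not artillery's own code; the whitelist, threshold, port handling and the auth.log lines are constructed for the demonstration, and the decoy port binds to a free high port so it runs without root.

```python
import re, secrets, socket, threading

# Constructed settings mirroring artillery's config options (example values, not its defaults)
WHITELIST = {"127.0.0.1", "192.168.1.10"}
SSH_BAN_THRESHOLD = 3
banned = set()  # hosts that would get a firewall DROP rule

def should_ban(src_ip, whitelist=WHITELIST):
    # a non-whitelisted host touching a decoy port is banned at once; whitelisted hosts never are
    return src_ip not in whitelist

def is_banned(src_ip):
    return src_ip in banned

def serve_decoy_port(whitelist=WHITELIST, host="127.0.0.1"):
    # one decoy port on a free port number, one connection, handled in a thread; returns (port, thread)
    srv = socket.create_server((host, 0))
    def run():
        conn, (src_ip, _) = srv.accept()
        with conn, srv:
            if should_ban(src_ip, whitelist):
                banned.add(src_ip)  # record the ban before answering
            conn.sendall(secrets.token_bytes(64))  # the "bunch of random characters" a prober sees
    t = threading.Thread(target=run, daemon=True)
    t.start()
    return srv.getsockname()[1], t

def probe(port, host="127.0.0.1"):
    # connect to a decoy port the way telnet would and return everything it sends back
    with socket.create_connection((host, port), timeout=5) as c:
        return b"".join(iter(lambda: c.recv(1024), b""))

FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+)")

def ssh_brute_force_bans(log_lines, threshold=SSH_BAN_THRESHOLD, whitelist=WHITELIST):
    # count failed sshd logins per source; ban sources that reach the threshold and are not whitelisted
    counts = {}
    for line in log_lines:
        if m := FAILED_LOGIN.search(line):
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in whitelist)

# Constructed auth.log excerpt: three failures from one source, one from a whitelisted host
SAMPLE_AUTH_LOG = [
    "sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2",
    "sshd[1203]: Failed password for root from 203.0.113.7 port 50141 ssh2",
    "sshd[1205]: Failed password for alice from 192.168.1.10 port 40001 ssh2",
]
```

Because 127.0.0.1 is on the constructed whitelist, probing the decoy port from the same machine only returns the random bytes; pass an empty whitelist to serve_decoy_port to see the ban recorded.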
sudo python remove_ban.py IP-ADDRESS
This honeypot makes it very hard for an attacker to get useful information about your system: if an attacker connects to one of the monitored ports, the attacker is banned. You can find a video of artillery in action (including the installation) here (this video was not made by me).