How to set up a honeypot with artillery

If you want to make your system more secure you can use a honeypot. A honeypot is a program that detects, misleads and traps an attacker. In this article I will show you an example of a honeypot called artillery. Artillery is a very simple honeypot, easy to use and (in my opinion) very effective. It opens a few ports, and if someone tries to connect to one of these ports, he/she is banned immediately. Artillery can also monitor folders for changes or watch the SSH server for brute-force attacks and ban the attackers.

To download artillery you originally had to use subversion. The following subversion command downloads artillery into a folder named artillery.
svn co http://svn.secmaniac.com/artillery artillery/

UPDATE: the project has moved to GitHub; clone it with git instead:
git clone https://github.com/trustedsec/artillery/ artillery/

To install artillery simply enter the following command.
sudo ./setup.py install

During the installation process you will be asked a few questions.
Do you want to install Artillery and have it automatically run when you restart [y/n]:
Do you want to keep Artillery updated? (requires internet) [y/n]:
Would you like to start Artillery now? [y/n]:

I answered every question with yes, but feel free to answer the questions as you see fit. Let's have a look at the configuration file, which is located at
/var/artillery/config

The following lines are an excerpt of the config file.

# DO YOU WANT TO TURN ON THE HONEYPOT
HONEYPOT=YES
#
# DO YOU WANT TO AUTOMATICALLY BAN ON THE HONEYPOT
HONEYPOT_BAN=YES
#
# WHITELIST IP ADDRESSES, SPECIFY BY COMMAS ON WHAT IP ADDRESSES YOU WANT TO WHITELIST
WHITELIST_IP=127.0.0.1,localhost
#
# PORTS TO SPAWN HONEYPOT FOR
PORTS="21,23,25,53,110,135,445"
#
EMAIL_ALERTS=ON
#
[...]
#
# DO YOU WANT TO MONITOR SSH BRUTE FORCE ATTEMPTS
SSH_BRUTE_MONITOR=ON
#
# HOW MANY ATTEMPTS BEFORE YOU BAN
SSH_BRUTE_ATTEMPTS=4

The most important lines are the whitelist and the ports line. Add every IP address that should not be affected by the honeypot to the whitelist. All ports in the port list are monitored by artillery. I recommend using common ports like 21 (FTP), 23 (Telnet), etc., because port scanners often scan these ports by default. If a host that is not on the whitelist tries to connect to one of these ports, it is banned immediately. Configure artillery so that it suits your requirements.
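To make the two ban rules above concrete, here is an added example (my own illustration, not code from the artillery project) that reads a config excerpt in the key=value style shown above and applies the honeypot and SSH brute-force decisions to constructed inputs. The config text, the sshd log lines, the log format and the iptables rule shape are all assumptions for the demo; artillery's real parser and ban rule may differ in detail.

```python
"""Added example: a model of artillery-style ban decisions (not artillery's own code).

Parses a KEY=VALUE config excerpt like the one in the article, then decides
(a) whether a connection to a honeypot port should ban the source host and
(b) which hosts have crossed the SSH brute-force threshold in an auth log.
"""
import re
from collections import Counter

# Constructed config excerpt using the keys from the article (not a real file).
SAMPLE_CONFIG = """
# DO YOU WANT TO TURN ON THE HONEYPOT
HONEYPOT=YES
HONEYPOT_BAN=YES
WHITELIST_IP=127.0.0.1,localhost
PORTS="21,23,25,53,110,135,445"
SSH_BRUTE_MONITOR=ON
SSH_BRUTE_ATTEMPTS=4
"""

# Constructed sshd log lines in the usual OpenSSH syslog format (assumed, not from the page).
SAMPLE_AUTH_LOG = """
Sep  1 10:00:01 host sshd[1201]: Failed password for root from 198.51.100.23 port 51234 ssh2
Sep  1 10:00:03 host sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51236 ssh2
Sep  1 10:00:05 host sshd[1201]: Failed password for root from 198.51.100.23 port 51238 ssh2
Sep  1 10:00:07 host sshd[1201]: Failed password for root from 198.51.100.23 port 51240 ssh2
Sep  1 10:01:00 host sshd[1300]: Failed password for bob from 203.0.113.7 port 40000 ssh2
Sep  1 10:01:02 host sshd[1300]: Failed password for bob from 203.0.113.7 port 40002 ssh2
Sep  1 10:02:00 host sshd[1400]: Accepted password for alice from 192.0.2.10 port 50000 ssh2
Sep  1 10:03:00 host sshd[1500]: Failed password for root from 127.0.0.1 port 60000 ssh2
Sep  1 10:03:01 host sshd[1500]: Failed password for root from 127.0.0.1 port 60001 ssh2
Sep  1 10:03:02 host sshd[1500]: Failed password for root from 127.0.0.1 port 60002 ssh2
Sep  1 10:03:03 host sshd[1500]: Failed password for root from 127.0.0.1 port 60003 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")


def parse_config(text):
    """Parse KEY=VALUE lines; comments and blank lines are skipped, quotes stripped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def honeypot_ports(cfg):
    """PORTS is a comma-separated list; return it as a set of ints."""
    return {int(p) for p in cfg["PORTS"].split(",") if p.strip()}


def whitelist(cfg):
    """WHITELIST_IP is a comma-separated list of hosts that are never banned."""
    return {h.strip() for h in cfg["WHITELIST_IP"].split(",") if h.strip()}


def should_ban_connection(cfg, src_ip, dst_port):
    """A single connection to a honeypot port from a non-whitelisted host bans it."""
    if cfg.get("HONEYPOT") != "YES" or cfg.get("HONEYPOT_BAN") != "YES":
        return False
    if src_ip in whitelist(cfg):
        return False
    return dst_port in honeypot_ports(cfg)


def ssh_brute_offenders(cfg, log_text):
    """Return source IPs whose failed-login count reaches SSH_BRUTE_ATTEMPTS."""
    if cfg.get("SSH_BRUTE_MONITOR") != "ON":
        return set()
    threshold = int(cfg["SSH_BRUTE_ATTEMPTS"])
    wl = whitelist(cfg)
    counts = Counter(m.group(1) for m in FAILED_RE.finditer(log_text))
    return {ip for ip, n in counts.items() if n >= threshold and ip not in wl}


def ban_command(ip):
    """Shape of a DROP rule for the offender (assumed; artillery's exact rule may differ)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("honeypot ports:", sorted(honeypot_ports(cfg)))
    print("ban 203.0.113.7 -> :21 ?", should_ban_connection(cfg, "203.0.113.7", 21))
    print("ban 127.0.0.1  -> :21 ?", should_ban_connection(cfg, "127.0.0.1", 21))
    for ip in sorted(ssh_brute_offenders(cfg, SAMPLE_AUTH_LOG)):
        print("ssh brute force:", " ".join(ban_command(ip)))
```

Note that the whitelisted 127.0.0.1 is excluded from both decisions even though it has more failed logins than the threshold, and that 203.0.113.7 is banned by the honeypot rule on its first connection but not by the SSH rule, where it stays below SSH_BRUTE_ATTEMPTS.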

Now let's restart artillery and have a look at what happens if a host tries to connect to a monitored port. To restart artillery we can use the restart script.
python restart_server.py

Let's try to connect to port 21 from a host that is not on the whitelist. You can use telnet for that purpose:
telnet IP-ADDRESS PORT

[Screenshot: output of the first telnet connection]

All we get is a bunch of random characters. OK, let's try it again and see what happens:
[Screenshot: output of the second telnet connection]
Nothing. We are banned and can no longer connect to any port on the monitored host. To remove the ban you can use the remove_ban script.
sudo python remove_ban.py IP-ADDRESS

This honeypot makes it very hard for an attacker to get useful information about your system: as soon as an attacker connects to one of the monitored ports, the attacker is banned. You can find a video of artillery in action (including the installation) here (this video was not made by me).

Posted on September 1, 2012, in Configure, Install, Network, Security.