Artillery Combine Honeypot Monitoring and Prevention

Dave (ReL1K) Kennedy, author of The Social-Engineer Toolkit (SET), released last December another interesting tool, written in Python, that helps protect *nix-based systems with a combination of honeypot, monitoring and prevention components.

A honeypot is a good way to trick an attacker: it simulates a vulnerable system to lure a hacker or malicious user into launching an attack against it. Artillery opens several fake vulnerable ports on the *nix system, and if anything unusual is detected on them, including a scan or an attack, it automatically blacklists the source address.

Artillery can also prevent brute-force attacks, so if you are running SSH you will not need to install another security solution for that. That covers *nix users; there is now also a Windows version that creates fake vulnerable ports on a Windows system and bans the source of any detected attack. The release notes for this version include the following:

  • added a check to see if we are running on windows or linux
  • added a new anti-dos protection for linux, it will check connections and limit based on how many are connecting, you will probably want to adjust this per server
  • changed honeypot ban method to src.core through ban(ip) versus standalone call for iptables
  • changed iptable chains to be ARTILLERY versus piggybacking INPUT, much cleaner to view
  • fixed a bug that would cause duplicate entries into iptables and in banlist.txt
  • added functionality to support blacklisting via redirection routes on windows machines. May have better alternatives but this works for now
  • added an IP check routine for when banning IP addresses, ensures sanitization if something crazy is inserted instead of an IP address
  • converted all core.py modules to be windows compliant
  • converted all of honeypot.py modules to be windows compliant
  • converted all of the monitor.py modules, this will only work for linux until I rewrite the module to support difflib versus the actual application diff
  • converted all of the ssh_brute.py modules to be windows compliant. This will be linux only since nix is primarily used for SSH
  • converted all of the harden.py modules to be windows compliant. This will be linux only since nix is primarily checked. Will expand later on others
  • fixed a bug that would not properly monitor the overall database for monitored files (thanks Pier)
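
The honeypot-port mechanism described above, together with the IP sanitization and the duplicate-entry fix from the release notes, as an added illustration that is not Artillery's own code: a decoy TCP listener on which any connection is treated as hostile, the peer address is validated before it is placed in an iptables rule, and a peer is banned only once. The ARTILLERY chain name comes from the release notes; the port 0 binding, the whitelist parameter and the `probe_and_serve` helper are assumptions made for the demo, and the rule is returned as an argv list rather than executed.

```python
import ipaddress
import socket
import threading

def is_valid_ip(candidate):
    """Accept only a bare IPv4/IPv6 literal; anything else must never reach iptables."""
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False

def ban_rule(ip, whitelist=frozenset(), chain="ARTILLERY"):
    """iptables argv that drops ip in the ARTILLERY chain, or None if ip is malformed or whitelisted."""
    if not is_valid_ip(ip) or ip in whitelist:
        return None
    # argv list, no shell: a sanitized address cannot smuggle extra commands
    return ["iptables", "-A", chain, "-s", ip, "-j", "DROP"]

class HoneypotPort:
    """Decoy TCP listener: no legitimate client should ever connect, so every peer is banned once."""
    def __init__(self, host="127.0.0.1", port=0, whitelist=frozenset()):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]  # port 0 lets the OS pick a free port for the demo
        self.whitelist = whitelist
        self.banned = set()  # in-memory stand-in for banlist.txt; prevents duplicate iptables entries

    def serve_once(self):
        """Accept one connection, drop it, and return the ban rule (None if already banned or whitelisted)."""
        conn, (peer, _) = self.sock.accept()
        conn.close()
        if peer in self.banned:
            return None
        rule = ban_rule(peer, self.whitelist)
        if rule is not None:
            self.banned.add(peer)
        return rule

def probe_and_serve(hp):
    """Constructed 'scanner' for the demo: touch the decoy port from a thread, then let the honeypot react."""
    t = threading.Thread(target=lambda: socket.create_connection(("127.0.0.1", hp.port)).close())
    t.start()
    rule = hp.serve_once()
    t.join()
    return rule
```

Calling `probe_and_serve` twice on the same `HoneypotPort` returns the DROP rule for 127.0.0.1 the first time and None the second, which is the duplicate-entry behaviour the release notes fix.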

You can find the full description, with an installation manual, on the official website: http://www.secmaniac.com/blog/2011/12/07/artillery-0-2-alpha-has-been-released/
