Over the past few months I’ve been working on a side project when I had some spare time. I’m releasing the 0.1 alpha pre-release edition of Artillery. Artillery is a combination of a honeypot, file monitoring and integrity, alerting, and brute force prevention tool. It’s extremely lightweight, has multiple methods for detecting specific attacks, and will eventually also notify you of insecure *nix configurations.

secmaniac

It’s written in Python, it’s completely open-source, and it’s free, as is all the stuff I write. You can download Artillery here:

svn co http://svn.secmaniac.com/artillery artillery/

To install, simply run ./install.py. This will add Artillery to bootup and start it. To give a rundown of some of the features, here is a netstat before:

Here is a netstat after running Artillery:

If anyone decides to port scan or touch those ports, they are blacklisted immediately and permanently. It’s multi-threaded and can handle as many connections as are thrown at it. I did some extensive testing under heavy traffic loads on secmaniac.com and derbycon.com. In the first 3 days, it blocked over 387 individuals.
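To show what "touch a decoy port, get blacklisted" looks like in code, here is a minimal listener of the same shape. This is an added example, not Artillery's own code: the decoy ports, the iptables rule it records (`iptables -I INPUT -s <ip> -j DROP`), and the whitelist are my assumptions. It runs in dry-run mode by default, only recording the rule it would apply; the whitelist exists because a one-touch permanent ban will otherwise also catch your own vulnerability scanners and monitoring hosts.

```python
# Added example (not Artillery's code): decoy TCP ports whose every peer is blacklisted.
import shlex
import socket
import subprocess
import threading
import time


class Honeypot:
    """Bind decoy TCP ports; record and (optionally) firewall any peer that touches them."""

    def __init__(self, ports, bind_addr="0.0.0.0", whitelist=(), apply_firewall=False):
        self.ports = list(ports)
        self.bind_addr = bind_addr
        self.whitelist = set(whitelist)       # hosts that must never be banned (scanners, admins)
        self.apply_firewall = apply_firewall  # False = dry run: only record the rule we would run
        self.blacklist = set()
        self.pending_rules = []
        self.bound_ports = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._threads = []

    @staticmethod
    def firewall_rule(ip):
        # Assumed rule shape; Artillery's real firewall handling may differ.
        return f"iptables -I INPUT -s {ip} -j DROP"

    def _ban(self, ip):
        if ip in self.whitelist:
            return
        with self._lock:
            if ip in self.blacklist:
                return                        # already banned: no duplicate rule
            self.blacklist.add(ip)
            rule = self.firewall_rule(ip)
            self.pending_rules.append(rule)
        if self.apply_firewall:
            subprocess.run(shlex.split(rule), check=False)

    def _serve(self, srv):
        srv.settimeout(0.2)                   # wake periodically so stop() can end the loop
        while not self._stop.is_set():
            try:
                conn, (ip, _port) = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.close()                      # never talk to the peer; just record it
            self._ban(ip)
        srv.close()

    def start(self):
        for port in self.ports:
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((self.bind_addr, port))
            srv.listen(128)
            self.bound_ports.append(srv.getsockname()[1])  # port 0 -> kernel-chosen port
            t = threading.Thread(target=self._serve, args=(srv,), daemon=True)
            t.start()
            self._threads.append(t)

    def stop(self):
        self._stop.set()
        for t in self._threads:
            t.join(timeout=2)

    def wait_for_ban(self, ip, timeout=2.0):
        """Poll until `ip` is blacklisted or the timeout passes; True if it was banned."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if ip in self.blacklist:
                    return True
            time.sleep(0.02)
        return False


def touch(host, port):
    """Simulate a scanner touching a decoy port: connect, then hang up."""
    with socket.create_connection((host, port), timeout=2):
        pass


if __name__ == "__main__":
    hp = Honeypot([0, 0], bind_addr="127.0.0.1", whitelist={"10.0.0.5"})
    hp.start()
    touch("127.0.0.1", hp.bound_ports[0])
    print("banned:", hp.wait_for_ban("127.0.0.1"), hp.pending_rules)
    hp.stop()
```

One thread per decoy port with a short accept timeout keeps the listener responsive to shutdown without a select loop; the lock around the blacklist is what stops two simultaneous connections from the same scanner producing two firewall rules.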

In addition to the port monitoring, it also monitors file integrity, leveraging a SHA-512 hash database that keeps track of all system files; if anything changes, it will email you with the change. By default it monitors /etc/ and /var/www.
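The integrity check described above boils down to a baseline of SHA-512 digests and a diff against it. The following is an added example of that idea, not Artillery's code: the JSON baseline file, the temp-directory scenario in `demo()` and the report format are my assumptions, and sending the report by mail is left to the caller.

```python
# Added example (not Artillery's code): SHA-512 baseline of a tree plus change detection.
import hashlib
import json
import os
import tempfile


def sha512_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(roots):
    """Map every regular file under the given roots to its SHA-512 digest."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue                  # skip symlinks, sockets, devices
                try:
                    baseline[path] = sha512_file(path)
                except OSError:
                    continue                  # unreadable file: leave it out of the baseline
    return baseline


def save_baseline(baseline, db_path):
    with open(db_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)


def compare(baseline, current):
    """Which paths appeared, disappeared, or changed digest since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def format_report(changes):
    """Plain-text body for the alert mail; handing it to smtplib is the caller's job."""
    lines = []
    for kind in ("added", "removed", "modified"):
        for path in changes[kind]:
            lines.append(f"{kind.upper():9} {path}")
    return "\n".join(lines) if lines else "no changes"


def demo():
    """Constructed scenario: baseline a temp tree, mutate it, return changes by basename."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        for name, body in (("hosts", b"127.0.0.1 localhost\n"), ("old.conf", b"x=1\n")):
            with open(os.path.join(etc, name), "wb") as f:
                f.write(body)
        db = os.path.join(root, "baseline.json")   # kept outside the monitored tree
        save_baseline(build_baseline([etc]), db)

        # Simulate what an intruder or a careless admin might do: edit, delete, add.
        with open(os.path.join(etc, "hosts"), "ab") as f:
            f.write(b"203.0.113.9 example\n")
        os.remove(os.path.join(etc, "old.conf"))
        with open(os.path.join(etc, "new.conf"), "wb") as f:
            f.write(b"y=2\n")

        changes = compare(load_baseline(db), build_baseline([etc]))
        return {k: [os.path.basename(p) for p in v] for k, v in changes.items()}


if __name__ == "__main__":
    print(format_report(demo()))
```

Keep the baseline file itself outside the monitored directories (and ideally root-owned and read-only); if an attacker can rewrite the digest database, the check is silently defeated.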

Artillery also monitors the SSH logs and, in the event of a brute force attack, blacklists the host forever.
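Detecting the brute force from the SSH log means counting failed logins per source address. Here is an added example of that logic run over constructed auth.log lines; it is not Artillery's code, and the failure threshold, the whitelist and the sample addresses (documentation ranges) are my assumptions.

```python
# Added example (not Artillery's code): per-IP failed SSH login counting over auth.log lines.
import re
from collections import Counter

# Matches OpenSSH's "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = """\
Nov  1 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Nov  1 10:00:02 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
Nov  1 10:00:03 web1 sshd[2205]: Failed password for root from 198.51.100.23 port 51024 ssh2
Nov  1 10:00:04 web1 sshd[2207]: Failed password for root from 198.51.100.23 port 51025 ssh2
Nov  1 10:00:05 web1 sshd[2209]: Failed password for invalid user test from 198.51.100.23 port 51026 ssh2
Nov  1 10:00:06 web1 sshd[2211]: Failed password for invalid user oracle from 198.51.100.23 port 51027 ssh2
Nov  1 10:01:10 web1 sshd[2290]: Failed password for alice from 203.0.113.7 port 40110 ssh2
Nov  1 10:01:14 web1 sshd[2292]: Failed password for alice from 203.0.113.7 port 40111 ssh2
Nov  1 10:01:20 web1 sshd[2294]: Accepted password for alice from 203.0.113.7 port 40112 ssh2
Nov  1 10:02:00 web1 sshd[2300]: Accepted publickey for bob from 192.0.2.10 port 33000 ssh2: ED25519 SHA256:AAAA
"""


def count_failures(lines):
    """Counter of failed-login attempts keyed by source IP; accepted logins are ignored."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def find_brute_forcers(lines, threshold, whitelist=()):
    """IPs with at least `threshold` failures, excluding whitelisted addresses."""
    counts = count_failures(lines)
    return {ip: n for ip, n in counts.items() if n >= threshold and ip not in whitelist}


def firewall_rule(ip):
    # Assumed rule shape for the permanent block; Artillery's real handling may differ.
    return f"iptables -I INPUT -s {ip} -j DROP"


def analyze_sample(threshold=5, whitelist=()):
    """Run the detection over the constructed log (threshold of 5 is an assumption)."""
    return find_brute_forcers(SAMPLE_LOG.splitlines(), threshold, whitelist)


if __name__ == "__main__":
    for ip, n in analyze_sample().items():
        print(f"{ip}: {n} failures -> {firewall_rule(ip)}")
```

A user who mistypes their password twice and then logs in (203.0.113.7 above) stays below the threshold, while the scanner cycling through usernames (198.51.100.23) crosses it; the whitelist is again there so a permanent ban never locks out your own jump host.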

All of this is configurable through the Artillery config. By default Artillery installs in /var/artillery and the config file is located at /var/artillery/config:

Why write this? I looked at a lot of the honeypot/monitoring tools out there, and they are extremely complex to learn. I wanted to write something simple that I know does a good job of weeding out some of the simplistic attacks, and to keep it very lightweight. No external third-party modules were used in developing Artillery; it is written purely in Python.

Enjoy, much more to come on this.