How To Set Up an Artillery Honeypot on an Ubuntu VPS
Artillery is a multi-purpose defense tool for Linux-based systems that includes honeypot capabilities, OS hardening, file system monitoring and real-time threat analysis. On its own it provides a fair amount of security to your system, but it is meant to be used as part of a multi-layered security scheme and plays nicely with web application firewalls such as ModSecurity.
Some of the most useful features of Artillery are the honeypot, file system monitoring, and real-time threat analysis, so this article will focus mainly on those. The honeypot is designed to reply to port and vulnerability scanners on some of the most commonly attacked ports such as SSH, MSSQL, RPC/SMB, etc. This makes your Linux server appear to be a Windows-based server to a would-be attacker.
File system monitoring works by actively monitoring typically targeted directories for changes (/tmp, /var/www), and monitoring files that are of great importance to attackers (/etc/passwd, /etc/shadow, ~/.ssh/authorized_keys). Artillery is configured to monitor these most common files and directories by default, but allows you to easily include any files or directories that you feel need monitoring.
One of the more interesting features that sets Artillery apart from many other defensive tools is the "Artillery Threat Intelligence Feed", which aggregates IP addresses and information about known attackers into a central feed. Any machine running Artillery can then use that feed to detect and ban known attackers from your server in real time.
Download and Installation of Artillery
Downloading Artillery requires that git be installed on your server. If it is not currently installed, you will need to install it through your distribution's package manager. The following command should do the trick:
apt-get update && apt-get install git
After the installation of git has completed we are now ready to clone the Artillery packages.
git clone https://github.com/trustedsec/artillery/ artillery/
Now we can move to the Artillery directory and launch the installer.
cd artillery
./setup.py
You will be given three prompts during installation that require y/n answers. Go ahead and answer yes to each. Note that you may encounter an error at the end of installation saying that /var/artillery/database/temp.database does not exist. If you encounter this error the following commands will fix the issue.
mkdir /var/artillery/database
touch /var/artillery/database/temp.database
service artillery restart
We now have a functional installation of Artillery. Out of the box, Artillery is pre-configured for typical Linux installations, but it is highly recommended to customize the configurations to suit the needs of your individual VPS. We will walk you through editing the config file now.
Open the config file with nano.
Changing the following line enables file system monitoring for custom directories:
Simply add any directories you wish to have monitored after "/etc". For example, if you would like to monitor /root, you would append ,"/root" to the list. The end result would look like this.
The EXCLUDE entry allows you to specify folders or files that SHOULD NOT be monitored. If you do not wish for /etc/passwd to be monitored for instance, you would change the entry as follows:
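To make the monitor/exclude behaviour described above concrete, here is an added example (not Artillery's own code, and not taken from the article) that builds a SHA-256 baseline of every file under a set of monitored directories, honours an EXCLUDE list, and reports what was added, removed or modified on a second pass. The directory tree it walks is constructed in a temporary directory standing in for /etc and /var/www; the function names `build_baseline`, `diff_baseline` and `demo` are this example's own.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(monitor_dirs, exclude):
    """Walk each monitored directory and hash every regular file that is not excluded.

    An EXCLUDE entry matches a file exactly, or everything beneath it when it
    names a directory. Symlinks are skipped so a link cannot point the scan
    elsewhere.
    """
    excl = [os.path.abspath(e) for e in exclude]
    baseline = {}
    for top in monitor_dirs:
        for root, _dirs, files in os.walk(top):
            for name in files:
                p = os.path.join(root, name)
                if any(p == e or p.startswith(e + os.sep) for e in excl):
                    continue
                if os.path.islink(p) or not os.path.isfile(p):
                    continue
                baseline[p] = _sha256(Path(p))
    return baseline


def diff_baseline(old, new):
    """Compare two baselines and return sorted lists of changed paths."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: a throwaway tree standing in for /etc and /var/www.

    /etc/passwd is excluded, so its change is deliberately NOT reported.
    Returned paths have the temp prefix stripped so the result is stable.
    """
    with tempfile.TemporaryDirectory() as tmp:
        etc, www = os.path.join(tmp, "etc"), os.path.join(tmp, "www")
        os.makedirs(etc)
        os.makedirs(www)
        Path(etc, "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        Path(etc, "shadow").write_text("root:*:1:0:99999:7:::\n")
        Path(www, "index.html").write_text("<h1>hello</h1>\n")
        excluded = [os.path.join(etc, "passwd")]

        before = build_baseline([etc, www], excluded)

        # Constructed changes between the two scans.
        Path(etc, "passwd").write_text("root:x:0:0:changed:/root:/bin/bash\n")  # excluded
        Path(www, "index.html").write_text("<h1>changed</h1>\n")               # modified
        Path(www, "dropped.php").write_text("placeholder\n")                    # added
        os.remove(os.path.join(etc, "shadow"))                                  # removed

        after = build_baseline([etc, www], excluded)
        result = diff_baseline(before, after)
        return {k: [p[len(tmp):] for p in v] for k, v in result.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The design point worth noticing is that an exclude entry silences reporting for that path entirely, which is exactly why the article's advice to be careful about what you exclude matters: a file left out of the baseline will never trigger an alert. Artillery's real monitor runs on a timer and sends its own notifications; this example only shows the comparison logic.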
You can also whitelist IP addresses as needed. This is useful if you are part of a team that accesses the virtual server and you do not wish to have anyone banned for failing to enter a correct SSH password 4 times. It is recommended to whitelist at least your own IP address if you plan on running automated port or vulnerability scanners against your droplet, as doing so will cause a ban and you will no longer be able to connect. By default loopback addresses are whitelisted; to add additional IPs simply enter a comma and then the IP like so:
WHITELIST_IP=127.0.0.1,localhost,xxx.xxx.xxx.xxx <-Replace the x's with your IP address.
Additionally, you can specify the ports on which the honeypot listens and reports as open. As previously mentioned, the honeypot is configured by default to listen on the most commonly attacked ports, but if you feel it necessary you can add further ports as comma-separated entries. To add ports 1024 and 139 you would change the following line:
It is recommended to enable automatic updates by changing the value of auto_update to on.
By default, Artillery is configured to attempt to mitigate DoS (Denial of Service) attacks against ports 80 (http) and 443 (https). If your droplet runs web services on other ports (8080,8180,10000), you can enable DoS protection on those ports as well by adding the ports, comma separated.
If you wish to disable DoS protection, simply change the value of ANTI_DOS to off.
Maintenance of Artillery
Artillery is designed to run as a service after installation. During the installation, Artillery starts itself so there is no need for a server restart.
Artillery will start itself on each reboot of your droplet, providing constant protection in the background.
Much like Apache, Artillery can be started and restarted as a service by running the following commands:
service artillery start # <-Starts the service.
service artillery restart # <-Restarts the service.
You can also check the current system resource usage of Artillery with ps aux and top as follows:
Take note of the Process ID Artillery is running as.
ps aux | grep artillery
Replace PID with Artillery’s process ID.
top -p PID
It is important to note that if a user fails to supply a correct SSH password 4 times in a row, they will be banned and can no longer connect to the server. If this happens and an authorized user has been banned, Artillery includes a script to reset bans. The script usage is:
Move to the artillery directory
Replace the x's with the IP of the banned user.
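The whitelist entry and the "4 failed SSH passwords in a row" rule above, together with the unban step, can be modelled in a few lines. The following is an added example written for this article, not Artillery's code: it parses a WHITELIST_IP line (with "localhost" normalised to 127.0.0.1), counts consecutive "Failed password" events per source IP from constructed sshd log lines, skips whitelisted sources, marks an address banned at the fourth consecutive failure, and resets the count on a successful login or an explicit unban. The class `BanTracker`, the regexes and the sample log lines are all this example's own assumptions; the real Artillery decides bans and applies firewall rules by its own mechanism, which the article does not detail.

```python
import re
from collections import Counter

# sshd log shapes this example recognises (constructed from typical auth.log lines).
FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPT_RE = re.compile(r"Accepted \S+ for \S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

BAN_THRESHOLD = 4  # the article: 4 wrong SSH passwords in a row leads to a ban


def parse_whitelist(config_line: str) -> set:
    """Parse a 'WHITELIST_IP=a,b,c' config line into a set of addresses."""
    key, _, value = config_line.partition("=")
    if key.strip() != "WHITELIST_IP":
        raise ValueError("expected a WHITELIST_IP line")
    out = set()
    for item in value.split(","):
        item = item.strip()
        if item:
            out.add("127.0.0.1" if item == "localhost" else item)
    return out


class BanTracker:
    """Tracks consecutive SSH failures per source IP and bans at the threshold."""

    def __init__(self, whitelist, threshold=BAN_THRESHOLD):
        self.whitelist = set(whitelist)
        self.threshold = threshold
        self.failures = Counter()  # consecutive failures per IP
        self.banned = set()

    def feed(self, line: str):
        """Process one log line; return the IP if this line caused a new ban."""
        ok = ACCEPT_RE.search(line)
        if ok:
            self.failures[ok.group(1)] = 0  # a success breaks the "in a row" streak
            return None
        m = FAIL_RE.search(line)
        if not m:
            return None
        ip = m.group(1)
        if ip in self.whitelist:
            return None  # whitelisted sources are never banned
        self.failures[ip] += 1
        if self.failures[ip] >= self.threshold and ip not in self.banned:
            self.banned.add(ip)
            return ip
        return None

    def unban(self, ip: str):
        """Mirror of the article's ban-reset step for one address."""
        self.banned.discard(ip)
        self.failures[ip] = 0


# Constructed sample; addresses are from documentation ranges (TEST-NET).
SAMPLE_AUTH_LOG = [
    "May  3 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 52100 ssh2",
    "May  3 10:00:02 vps sshd[1201]: Failed password for root from 203.0.113.7 port 52100 ssh2",
    "May  3 10:00:03 vps sshd[1202]: Failed password for invalid user admin from 198.51.100.9 port 40111 ssh2",
    "May  3 10:00:04 vps sshd[1201]: Failed password for root from 203.0.113.7 port 52100 ssh2",
    "May  3 10:00:05 vps sshd[1203]: Failed password for invalid user admin from 198.51.100.9 port 40111 ssh2",
    "May  3 10:00:06 vps sshd[1204]: Accepted password for deploy from 198.51.100.9 port 40112 ssh2",
    "May  3 10:00:07 vps sshd[1201]: Failed password for root from 203.0.113.7 port 52100 ssh2",
    "May  3 10:00:08 vps sshd[1205]: Failed password for deploy from 198.51.100.9 port 40113 ssh2",
    "May  3 10:00:09 vps sshd[1206]: Failed password for deploy from 198.51.100.9 port 40113 ssh2",
    "May  3 10:00:10 vps sshd[1207]: Failed password for root from 192.0.2.10 port 33001 ssh2",
    "May  3 10:00:11 vps sshd[1207]: Failed password for root from 192.0.2.10 port 33001 ssh2",
    "May  3 10:00:12 vps sshd[1207]: Failed password for root from 192.0.2.10 port 33001 ssh2",
    "May  3 10:00:13 vps sshd[1207]: Failed password for root from 192.0.2.10 port 33001 ssh2",
    "May  3 10:00:14 vps sshd[1207]: Failed password for root from 192.0.2.10 port 33001 ssh2",
]


def demo(config_line="WHITELIST_IP=127.0.0.1,localhost,192.0.2.10"):
    """Run the sample log through a tracker; return (banned, consecutive failures)."""
    tracker = BanTracker(parse_whitelist(config_line))
    for line in SAMPLE_AUTH_LOG:
        tracker.feed(line)
    return sorted(tracker.banned), dict(tracker.failures)


if __name__ == "__main__":
    print(demo())
```

Two behaviours are worth checking against your own expectations before relying on any ban tool: 192.0.2.10 fails five times but is never banned because it sits in the whitelist, and 198.51.100.9 never reaches the threshold because its successful login reset the streak, which is what "in a row" implies.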
We should now have a working installation of Artillery configured to your needs. Artillery is light on system resources, so you should not need to upgrade the CPU or memory on your droplet to accommodate it. Also note that for the sake of brevity we did not cover every entry in the config file; instead we covered the most common and important entries. Feel free to experiment and see which configuration options work best for you.