Tutorial

How To Set Up an Artillery Honeypot on an Ubuntu VPS

Published on December 5, 2013
author

Paul White

How To Set Up an Artillery Honeypot on an Ubuntu VPS

Introduction


Artillery is a multi-purpose defense tool for Linux based systems including honeypot capabilities, OS hardening, file system monitoring and real-time threat analysis. Alone it provides a fair amount of security to your system, but it is meant to be used as part of a multi-layered security scheme and plays nicely with web application firewalls such as ModSecurity.

Some of the most useful features of Artillery are the honeypot, file system monitoring, and real-time threat analysis aspects, so this article will focus mainly on those. The honeypot is designed to reply to port and vulnerability scanners with some of the most commonly attacked ports such as SSH, MSSQL, RPC/SMB, etc. This actually makes your Linux server appear to be a Windows based server to a would be attacker.

File system monitoring works by actively monitoring typically targeted directories for changes (/tmp, /var/www), and monitoring files that are of great importance to attackers (/etc/passwd, /etc/shadow/, ~/.ssh/authorized_keys). Artillery is configured to monitor these most common files and directories by default, but allows the user to easily include any files or directories that you feel need monitoring.

One of the more interesting features that sets Artillery apart from many other defensive tools is the “Artillery Threat Intelligence Feed” which aggregates ip addresses and information about known attackers into a central feed, which can then be used by any machine running Artillery to detect and ban known attackers from your server in real-time.

Download and Installation of Artillery


Downloading Artillery requires git be installed on your server. If it is not currently installed, you will need to install it through your distributions package manager. The following command should do the trick:

apt-get update && apt-get install git 

After the installation of git has completed we are now ready to clone the Artillery packages.

git clone https://github.com/trustedsec/artillery/ artillery/

Now we can move to the Artillery directory and launch the installer.

cd /artillery
./setup.py

You will be given three prompts during installation that require y/n answers. Go ahead and answer yes to each. Note that you may encounter an error at the end of installation saying that /var/artillery/database/temp.database does not exist. If you encounter this error the following commands will fix the issue.

mkdir /var/artillery/database
touch /var/artillery/database/temp.database
service artillery restart

Configuring Artillery


We now have a functional installation of Artillery. Out of the box, Artillery is pre-configured for typical Linux installations, but it is highly recommended to customize the configurations to suit the needs of your individual VPS. We will walk you through editing the config file now.

Open the config file with nano.

nano /var/artillery/config

Changing the following line enables file system monitoring for custom directories:

MONITOR_FOLDERS=”/var/www”,”/etc” 

Simply add any directories you wish to have monitored following “/etc”. For example, if you would like to monitor /root, you would add ,”/root”. The end result would look like this.

MONITOR_FOLDERS=”/var/www”,”/etc”,”/root”

The EXCLUDE entry allows you to specify folders or files that SHOULD NOT be monitored. If you do not wish for /etc/passwd to be monitored for instance, you would change the entry as follows:

EXCLUDE=/etc/passwd

You can also whitelist IP addresses as needed. This is useful if you are part of a team that accesses the virtual server and you do not wish to have anyone banned for failing to enter a correct SSH password 4 times. It is recommended to whitelist at least your own IP address if you plan on running automated port or vulnerability scanners against your droplet as doing so will cause a ban and you will no longer be able to connect. By default loopback addresses are whitelisted, to add additional IP’s simply enter a comma and then the IP like so:

WHITELIST_IP=127.0.0.1,localhost,xxx.xxx.xxx.xxx <-Replace the x's with your IP address.

Additionally, you can specify ports that the honeypot should report as open. As previously mentioned the honeypot is configured by default to spawn the honeypot on the most commonly attacked ports, but if you feel it necessary you can add additional ports by adding comma separated entries. To add ports 1024, and 139 you would change the following line:

PORTS="135,445,22,1433,3389,8080,21,5900,25,53,110,1723,1337,10000,5800,44443"

to

PORTS="135,445,22,1433,3389,8080,21,5900,25,53,110,1723,1337,10000,5800,44443,1024"

It is recommended to enable automatic updates by changing the value of auto_update to on.

AUTO_UPDATE=ON

By default, Artillery is configured to attempt to mitigate DoS (Denial of Service) attacks against ports 80 (http) and 443 (https). If your droplet runs web services on other ports (8080,8180,10000), you can enable DoS protection on those ports as well by adding the ports, comma separated.

ANTI_DOS_PORTS=80,443,8080,8180,10000

If you wish to disable DoS protection, simply change the value of ANTI_DOS to off.

ANTI_DOS=ON

Maintenance of Artillery


Artillery is designed to run as a service after installation. During the installation, Artillery starts itself so there is no need for a server restart.

Artillery will start itself on each reboot of your droplet, providing constant protection in the background.

Much like Apache, Artillery can be started and restarted as a service by running the following commands:

service artillery start   # <-Starts the service.
service artillery restart # <-Restarts the service.

You can also check the current system resource usage of Artillery with ps aux and top as follows:

Take note of the Process ID Artillery is running as.

ps aux | grep artillery

Replace PID with Artillery’s process ID.

top -p PID 

It is important to note that if a user fails to supply a correct SSH password 4 times in a row, they will be banned and can no longer connect to the server. If this happens and an authorized user has been banned, Artillery includes a script to reset bans. The script usage is:

Move to the artillery directory

cd /var/artillery 

Replace the x’s with the ip of the banned user.

./reset-bans.py xxx.xxx.xxx.xxx 

We should now have a working installation of Artillery configured to your needs. Artillery is light on system resources so should not need to upgrade CPU/Memory on your droplet to accommodate it. Also note that for the sake of brevity we did not cover every entry in the config file; instead we covered the most common and important entries. Feel free to experiment and see what configuration options work best for you.

<div class=“author”>Submitted by: <a href=“https://twitter.com/Su1ph3r”>Paul White</div>

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the authors
Default avatar
Paul White

author

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
9 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

FWIW: You have “To add ports 1024, and 139 you would change the following line” in the tutorial, but you never actually added port 139 in the example.

The honeypot reports ports like 21 as open. Am I correct in my assumption that i have to remove port 21 from the honeypot-config if i want to run an ftp server?

I get the error: “Checking Artillery… Process dead but pidfile exists”

When checking “service artillery status”.

I rebooted the system and restarted the service.

Just something to note- the “/var/log/reset-bans.py” command is no longer there; it has been replaced by “/var/log/remove_ban.py”.

I should also mention that I’m not finding artillery to be especially light on memory, while it’s light on CPU. I’m using between 100-200 MB of memory on average. Then again, “light” is a relative term.

I’ve also read in a few places that the iptables: Resource temporarily unavailable. error is usually related to a lack of memory.

I’m having the same issue. I can run iptables -L but only as root.

Kamal Nasser
DigitalOcean Employee
DigitalOcean Employee badge
December 7, 2013

@kevin.koekemoer: Can you run <pre>iptables -L</pre> or does it error out?

Great tut, I get a bunch of these after installing and restarting?

iptables: Resource temporarily unavailable.

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.