As defined by ISACA: A specially configured server, also known as a decoy server, designed to attract and monitor intruders in a manner such that their actions do not affect production systems.
Scope Notes: Also known as "decoy server".
While I was looking at the Social Engineering Toolkit, I noticed that Dave Kennedy also promotes his honeypot, Artillery.
Artillery is a honeypot/monitoring/prevention tool used to protect Linux-based systems. Artillery will set up multiple listening ports on the *nix system, and if anything touches them it will automatically blacklist the source. In addition, it monitors the file system for changes and e-mails the changes back to you. It also detects SSH brute-force attacks and automatically blocks them as well.
I went ahead and downloaded it and let it take its natural course. Well, you won't really notice anything happen until you configure it properly. So, let's walk through a few of the steps you'll take to configure your honeypot.
1) Download Artillery.
root@:/root/# svn co http://svn.secmaniac.com/artillery artillery/
2) Configure Artillery.
root@:/root/# gedit /var/artillery/config
Feel free to use whatever editor you prefer: nano, pico, vi, etc.
There are some pretty self-explanatory options that you need to configure.
# DETERMINE IF YOU WANT TO MONITOR OR NOT
MONITOR=YES
# THESE ARE THE FOLDERS TO MONITOR, TO ADD MORE, JUST DO "/root","/var/", etc.
MONITOR_FOLDERS="/var/www","/etc/","/root/"
# BASED ON SECONDS, 2 = 2 seconds.
MONITOR_FREQUENCY=60
# DO YOU WANT TO TURN ON THE HONEYPOT
HONEYPOT=YES
# DO YOU WANT TO AUTOMATICALLY BAN ON THE HONEYPOT
HONEYPOT_BAN=YES
# WHITELIST IP ADDRESSES, SPECIFY BY COMMAS ON WHAT IP ADDRESSES YOU WANT TO WHITELIST
WHITELIST_IP=127.0.0.1,localhost
Those options enable the basic honeypot and monitoring functionality. The options that follow are preferential; they are up to your discretion and how they fit your scenario. If you have a router properly filtering traffic to your network, you likely will not see much action. However, if you want to see how much traffic would be getting through, or are just curious to see Artillery in action, you could forward port 80 from your router to your local device. It can be quite alarming to see the random wanderings and probing that are happening all the time.
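As an added illustration (not Artillery's own code), the following Python mirrors the three behaviours described above: it parses the KEY=VALUE config format shown, applies the HONEYPOT / HONEYPOT_BAN / WHITELIST_IP decision to a connecting source address, and diffs two SHA-256 snapshots of the MONITOR_FOLDERS the way the file monitor would before e-mailing changes. The sample config text and all paths are constructed, and the real tool applies bans through the system firewall, which this omits.

```python
import hashlib
import os
# Constructed sample in the KEY=VALUE format of Artillery's config; values mirror the post.
SAMPLE_CONFIG = """\
# DETERMINE IF YOU WANT TO MONITOR OR NOT
MONITOR=YES
MONITOR_FOLDERS="/var/www","/etc/","/root/"
MONITOR_FREQUENCY=60
HONEYPOT=YES
HONEYPOT_BAN=YES
WHITELIST_IP=127.0.0.1,localhost
"""
def parse_config(text):
    """Skip comments and blank lines, split each value on commas, strip quotes."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = [v.strip().strip('"') for v in value.split(",") if v.strip()]
    return cfg

def should_ban(cfg, source_ip):
    """Ban only when HONEYPOT and HONEYPOT_BAN are YES and the source is not in WHITELIST_IP."""
    honeypot_on = cfg.get("HONEYPOT", ["NO"])[0].upper() == "YES"
    autoban_on = cfg.get("HONEYPOT_BAN", ["NO"])[0].upper() == "YES"
    return honeypot_on and autoban_on and source_ip not in set(cfg.get("WHITELIST_IP", []))

def snapshot(folders):
    """SHA-256 every readable file under the monitored folders; unreadable files are skipped."""
    state = {}
    for folder in folders:
        for root, _, names in os.walk(folder):
            for name in names:
                path = os.path.join(root, name)
                try:
                    with open(path, "rb") as fh:
                        state[path] = hashlib.sha256(fh.read()).hexdigest()
                except OSError:
                    continue
    return state

def diff_snapshots(old, new):
    """Report (added, removed, modified) paths between two passes MONITOR_FREQUENCY seconds apart."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return added, removed, modified
```

Run `snapshot(parse_config(SAMPLE_CONFIG)["MONITOR_FOLDERS"])` twice, MONITOR_FREQUENCY seconds apart, and feed both results to `diff_snapshots` to get the change report.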
Kudos to SECMANIAC for Artillery, a great product.