If you are looking for a way to secure your Linux server from some of the most common attacks being carried out today against Linux servers, then look no further than Rel1K's Artillery program. Artillery combines a honeypot, file monitoring and integrity checking, alerting, and brute force prevention in one tool.
Artillery acts like a honeypot by listening to ports you specify. When someone does a port scan on your machine they will be blacklisted and an iptables entry will be added to block communication from that IP. You can also configure it to send an email letting you know that the IP was blocked. A whitelist is also available so you can add your IP addresses so they don’t get blocked when you are running an assessment on the server.
Not only does Artillery act like a honeypot, but it also does file monitoring and integrity checking on directories you specify in the config file. The file integrity mechanism keeps a database of SHA-512 hashes to monitor file changes. If a change is detected, an email can be sent to notify you of the change.
When is the last time you looked at your auth.log? I bet when you look at it you will see attempts to authenticate to your server. The SSH brute force detection and prevention module mitigates this issue by reading over your auth.log file. Once it detects an attempt, it adds an iptables entry blocking communications from that IP. The threshold of attempted logins is configurable. By default it blocks after 4 attempts have been made. As mentioned before, there is a whitelist that prevents Artillery from adding your own IP to iptables.
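As an added illustration of the detection logic described above (example code written for this post, not Artillery's own implementation): it counts failed sshd password attempts per source IP in constructed auth.log lines, skips whitelisted addresses, and reports the IPs that reach the default threshold of 4 together with the iptables rule that would block them. The sample log lines, addresses and whitelist entries are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample auth.log lines (hypothetical host and addresses, not real data).
SAMPLE_AUTH_LOG = """\
Feb 12 10:01:02 host sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Feb 12 10:01:04 host sshd[2201]: Failed password for root from 203.0.113.7 port 51123 ssh2
Feb 12 10:01:06 host sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Feb 12 10:01:09 host sshd[2205]: Failed password for admin from 203.0.113.7 port 51125 ssh2
Feb 12 10:02:00 host sshd[2210]: Failed password for alice from 10.0.0.5 port 40000 ssh2
Feb 12 10:02:30 host sshd[2212]: Accepted password for alice from 10.0.0.5 port 40001 ssh2
Feb 12 10:03:00 host sshd[2215]: Failed password for root from 198.51.100.9 port 33000 ssh2
"""

# Matches the standard OpenSSH "Failed password" line and captures the source IP.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

def count_failures(log_text):
    """Count failed SSH password attempts per source IP in auth.log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offenders(log_text, threshold=4, whitelist=("127.0.0.1", "10.0.0.0/8")):
    """Return source IPs at or above the threshold that are not whitelisted."""
    nets = [ip_network(w, strict=False) for w in whitelist]  # assumed whitelist
    blocked = []
    for ip, n in count_failures(log_text).items():
        if n < threshold:
            continue
        if any(ip_address(ip) in net for net in nets):
            continue  # never block our own assessment/admin addresses
        blocked.append(ip)
    return sorted(blocked)

def block_command(ip):
    """iptables rule (as an argv list) that would drop all traffic from the IP."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]

if __name__ == "__main__":
    for ip in offenders(SAMPLE_AUTH_LOG):
        print(" ".join(block_command(ip)))
```

The script only prints the rule it would add; wiring it to actually run iptables is left to the operator.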
To download Artillery onto your server navigate to where you would like to download Artillery and type:
svn co http://svn.secmaniac.com/artillery artillery/
After it is downloaded, open the artillery directory and run:
./install.py
Doing this will install Artillery in the /var directory, set it up to start at boot, and start Artillery. Kill the Artillery process by finding its PID, then customize the config file to fit your environment.
ps aux |grep Artillery
kill (PID)
nano /var/artillery/config
When you are done editing the config file start Artillery back up.
/etc/init.d/Artillery
Please keep in mind that as of this writing Artillery is in Alpha and may have a few kinks in it. I have run it for a few days now with only one minor issue.
Check out Rel1K’s other projects at SecManiac.com which include the Social-Engineer Toolkit, Derbycon, and Metasploit: The Penetration Tester’s Guide (Excellent Read!). Also, be sure to get your free hug from him as well.
