Project Artillery is an open source project aimed at the detection of early warning indicators and attacks. The concept is that Artillery will spawn multiple ports on a system giving the attacker the idea that multiple ports are exposed. Additionally, Artillery actively monitors the filesystem for changes, brute force attacks, and other indicators of compromise. Artillery is a full suite for protection against attack on Linux and Windows based devices. It can be used as an early warning indicator of attackers on your network. Additionally, Artillery integrates into threat intelligence feeds which can notify when a previously seen attacker IP address has been identified. Artillery supports multiple configuration types, different versions of Linux, and can be deployed across multiple systems and events sent centrally.
Artillery is a combination of a honeypot, monitoring tool, and alerting system. Eventually this will evolve into a hardening monitoring platform as well to detect insecure configurations from nix systems. It's relatively simple, run
./setup.py
and hit yes, this will install Artillery in /var/artillery
and edit your /etc/init.d/rc.local
to start artillery on boot up.Features
- It sets up multiple common ports that are attacked. If someone connects to these ports, it blacklists them forever (to remove blacklisted ip's, remove them from
/var/artillery/banlist.txt
) - It monitors what folders you specify, by default it checks
/var/www
and/etc
for modifications. - It monitors the SSH logs and looks for brute force attempts.
- It will email you when attacks occur and let you know what the attack was.
Be sure to edit the
/var/artillery/config
to turn on mail delivery, brute force attempt customizations, and what folders to monitor.Project structure
For those technical folks you can find all of the code in the following structure:
src/core.py
- main central code reuse for things shared between each modulesrc/monitor.py
- main monitoring module for changes to the filesystemsrc/ssh_monitor.py
- main monitoring module for SSH brute forcingsrc/honeypot.py
- main module for honeypot detectionsrc/harden.py
- check for basic hardening to the OSdatabase/integrity.data
- main database for maintaining sha512 hashes of filesystemsetup.py
- copies files to/var/artillery/
then edits/etc/init.d/artillery
to ensure artillery starts per each reboot
Supported platforms
- Linux
- Windows
Video Installation of Artillery