trustedsec / artillery
The Artillery Project is an open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods.
Or is only Apache supported?
Hi everyone,
When Artillery detects a file change the email alert arrives perfectly; however, when it bans an IP for connecting to a honeypot port, the sending fails with the error:
Jun 25 10:43:33 immuno-security [!] Error, Artillery was unable to log into the mail server
Jun 25 10:43:33 immuno-security [!] message repeated 111 times: [ Error, Artillery was unable to log into the mail server]
Also, as a side question: the banning is quite slow, usually happening 30 seconds to 1 minute after the port is touched. Is this normal? Is it normal that the syslog is full of duplicated messages for the same IP and port?
Thank you!
How to specify multiple mail recipients in the CONFIG file? I tried with,
ALERT_USER_EMAIL="[email protected] , [email protected]"
ALERT_USER_EMAIL="[email protected] ; [email protected]"
ALERT_USER_EMAIL="[email protected]" , "[email protected]"
Nothing works. Any idea?
Hi all
I've been through the other topics that relate to this issue, but none of the fixes appear to work. I have installed, removed, re-cloned, and deployed so many times, it's not even funny anymore :)
I have deployed Artillery on a vanilla Ubuntu 14.04.1 Server, and have set it to use our internal LAN mail relay(s), which allows relay from anywhere internally.
Artillery detects port traffic and file changes, reports them in the syslog locally, but it is unable to send email, reporting:
[!] 2014-11-12 09:49:41: Error, Artillery was unable to log into the mail server
Running tcpdump shows that the artillery script is connecting to the mail server. It gets past the three-way handshake, does its initial "EHLO", receives the code 250 return traffic (VRFY, AUTH, etc.), then Artillery initiates the closing of the connection with a FIN packet, and it all closes down normally.
I have tried several mail servers on our LAN, differing types and platforms (CentOS, Ubuntu, a commercial mail server on Windows that I cannot mention for $REASONS), and all show the same symptoms.
The relevant part of the config file is pasted below. Any help you can give would be gratefully received. pcap files can be supplied via a secure channel (I don't really want to be posting pcaps of LAN traffic in public).
EMAIL_ALERTS=ON
SMTP_USERNAME=""
SMTP_PASSWORD=""
ALERT_USER_EMAIL="[email protected]" (obviously not my real address!)
SMTP_FROM="Artillery Incident"
SMTP_ADDRESS=""
SMTP_PORT="25"
EMAIL_TIMER=ON
EMAIL_FREQUENCY=600
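The report above, and several later ones on this page, end in the same generic line, "Error, Artillery was unable to log into the mail server", even with blank credentials against an internal open relay. The following is an added example, not Artillery's own code: an alert sender that skips AUTH entirely when both credentials are blank, upgrades to STARTTLS only when the relay advertises it after EHLO, and returns the concrete smtplib error instead of one catch-all string. The relay host, the addresses and the FakeSMTP/RejectingSMTP classes are constructed stand-ins so the block runs with no network.

```python
import smtplib
from email.message import EmailMessage


def should_authenticate(username, password):
    """Blank username and password mean 'open relay': do not send AUTH at all."""
    return bool(username.strip()) and bool(password.strip())


def build_alert(sender, recipients, subject, body):
    """Build an RFC 5322 message; 'recipients' is a list, joined for the To: header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_alert(msg, host, port, username="", password="", smtp_class=smtplib.SMTP):
    """Deliver msg via host:port. Returns (ok, detail); never raises.

    smtp_class is injectable so the function can be exercised without a network.
    """
    try:
        with smtp_class(host, port, timeout=10) as server:
            server.ehlo()
            # Opportunistic STARTTLS: only if the relay advertises it after EHLO.
            if server.has_extn("starttls"):
                server.starttls()
                server.ehlo()
            if should_authenticate(username, password):
                server.login(username, password)
            refused = server.send_message(msg)
            if refused:
                return False, "recipients refused: %r" % (refused,)
            return True, "sent"
    except smtplib.SMTPAuthenticationError as exc:
        return False, "authentication rejected: %s" % exc
    except smtplib.SMTPException as exc:
        return False, "smtp error: %s" % exc
    except OSError as exc:
        return False, "connection failed: %s" % exc


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP: an open relay with no STARTTLS."""

    def __init__(self, host, port, timeout=None):
        self.host, self.port = host, port
        self.logged_in = False

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def ehlo(self):
        return 250, b"relay.example.internal"

    def has_extn(self, name):
        return False

    def login(self, username, password):
        self.logged_in = True

    def send_message(self, msg):
        return {}  # no refused recipients


class RejectingSMTP(FakeSMTP):
    """Constructed stand-in for a relay that rejects every AUTH attempt."""

    def login(self, username, password):
        raise smtplib.SMTPAuthenticationError(535, b"5.7.8 authentication failed")


if __name__ == "__main__":
    alert = build_alert("artillery@example.com", ["ops@example.com"],
                        "[!] Artillery alert", "constructed body")
    print(send_alert(alert, "relay.example.internal", 25, smtp_class=FakeSMTP))
    print(send_alert(alert, "relay.example.internal", 25, "user", "pw",
                     smtp_class=RejectingSMTP))
```

One caveat a practitioner would check against the pasted config: SMTP_FROM="Artillery Incident" is a display name rather than a mailbox, and relays that validate MAIL FROM may reject it; the example therefore uses a real address in the From header. Whether that is what the relays in the report do is an assumption, not something the posts show.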
Hi! Using this on Kali 2.0, I'm getting this error when running setup.py:
python setup.py
Traceback (most recent call last):
File "setup.py", line 4, in <module>
import py2exe, sys, paramiko, ecdsa, ssl, ctypes, _ctypes, _thread
ImportError: No module named py2exe
I haven't been able to figure it out. Any help?
Would be awesome if artillery supported the ability to define a range of ports ( example 5900-6120 or 20-1024 ).
I am trying to install this on a digitalocean droplet and receive the below error when running the setup.py.
Traceback (most recent call last):
File "./setup.py", line 10, in <module>
from src.core import *
File "/root/artillery/src/core.py", line 422
if not os.path.isdir("/var/artillery/logs"): os.makedirs("/var/artillery/logs")
^
TabError: inconsistent use of tabs and spaces in indentation
I am running Python 3.5.2
I haven't had a close look at the code for this, but the EXCLUDE option for the file monitor is ignoring the provided values if they are file names.
Some "systems administrators" don't allow the installation of software through git or anything like that. Packaging as .rpm and .deb fixes that (and also makes it more friendly for newcomers).
For instance, core.is_already_banned() uses the Linux command 'iptables', which will not work on Windows. There are similar things all through the code. It is clear this program wasn't made for Windows.
Consider removing Windows from "Supported platforms" in the readme.
I'm running everything through Raspberry Pi Debian Linux terminal, I am very new to all of this.
There is a commented line above the e-mail alerts that reads:
# CURRENT SUPPORT IS FOR SMTP, ENTER YOUR USERNAME AND PASSWORD HERE. LEAVE BLANK FOR OPEN RELAY
USERNAME=""
PASSWORD=""
Do I need to fill out my username and password in those lines in order to receive an e-mail alert?
When I go into the sys log, it says "raspberrypi [!] Error, Artillery was unable to log into the mail server"
Why might the e-mail function not work?
I used git clone https://github.com/trustedsec/artillery artillery/
When I set it up, it asks if I'd like to install, and I put yes. But when it asks if I'd like to keep it updated, I have to put No or I can't run artillery. Is this normal?
It talks about how it can't getcwd() if I say Yes to updating it.
When installing Artillery the setup script doesn't create the src/program_junk and database directories causing an error on first run. Maybe easy to create these dirs during the install script?
I'm testing Artillery on CentOS 7 and it works fine when I have SYSLOG_TYPE=LOCAL. When I change that to REMOTE, I get the following error.
Traceback (most recent call last):
File "./artillery.py", line 30, in <module>
write_log("Artillery has started successfully.")
File "/var/artillery/src/core.py", line 356, in write_log
syslog(alert)
File "/var/artillery/src/core.py", line 352, in syslog
my_logger.critical(line + "\n")
UnboundLocalError: local variable 'my_logger' referenced before assignment
Please consider allowing users to change the Apache monitoring path in the config file, so that non-Apache users can use this application.
On an RPi2B, mail -s works (ssmtp as mail handler) but Artillery throws the error "unable to log it...". All the alerts are correct (tail -f /var/artillery/logs/alerts.log) but I don't see why system mail works and Artillery doesn't; both are configured to use smtp.google.com, and the credentials match in ssmtp.conf and artillery/config.
Niel
[email protected]
It looks from the core.py that linux offers a banlist.txt
It might be nice to have that same list generated for Windows.
If HONEYPOT_BAN=ON is set, you'll see the following in the logs:
Mar 24 13:20:24 localhost 2014-03-24 13:20:24.088033 [!] Artillery has blocked (and blacklisted) the IP Address: 192.168.0.1 for connecting to a honeypot restricted port: 80
If HONEYPOT_BAN=OFF is set, you'll see a few log lines broken up:
Mar 24 13:32:41 localhost 2014-03-24 13:32:41.544426 [!] Artillery has detected an attack from IP address: 192.168.0.1
Mar 24 13:32:41 2014-03-24 last message repeated 5 times
Mar 24 13:32:41 localhost for a connection on a honeypot port: 80
It would be really helpful if the port was logged on each line (like the first example) rather than as a single line at the end of the attack.
Hi there,
I'm using ADHD 0.5.0
Similar problem to #35
When I run python2 artillery.py, I get a whole bunch of these errors:
Exception AttributeError: AttributeError("'_DummyThread' object has no attribute '_Thread__block'",) in <module 'threading' from '/usr/lib/python2.7/threading.pyc'> ignored
And although artillery seems to be correctly blocking the IP address when I telnet to port 21, I don't see any logs.
Where are they supposed to be?
I looked at all log files under /var/log, nothing is there.
Thanks
Had to make a small change to get the FTP check working in harden.py on Slackware 14.1 64-bit.
diff -Naur /data/downloads/src/git/artillery/src/harden.py src/harden.py
--- /data/downloads/src/git/artillery/src/harden.py 2014-03-17 17:23:43.982040149 +1100
+++ src/harden.py 2014-03-17 20:03:11.522267536 +1100
@@ -34,8 +34,8 @@
if os.path.isfile("/etc/vsftpd.conf"):
fileopen = file("/etc/vsftpd.conf", "r")
data = fileopen.read()
anon_check = read_config("anonymous_enable").lower()
if anon_check == "yes":
match = re.search("anonymous_enable=YES", data)
if match:
# trigger warning if match
warning = warning + "Issue identified: /etc/vsftpd.conf allows Anonymous login. An attacker can gain a foothold to the system with absolutel zero effort. Recommendation: Change anonymous_enable yes to anonymous_enable no\n\n"
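Review bot: the hunk as pasted carries no `-`/`+` markers and no indentation, so the actual change to the `anon_check` line cannot be reviewed from this text; please repost it from `diff -u` or `git diff` output. Two points on the lines that are visible: `re.search("anonymous_enable=YES", data)` is a substring match, so it also fires on a commented-out `#anonymous_enable=YES`, reporting anonymous FTP as enabled on a vsftpd.conf that actually has it off; anchor the pattern to the start of a line, e.g. `re.search(r"^anonymous_enable=YES", data, re.MULTILINE)`. `fileopen = file("/etc/vsftpd.conf", "r")` is Python 2 only and the handle is never closed; `with open("/etc/vsftpd.conf") as fileopen: data = fileopen.read()` works on both interpreters. The warning text also misspells "absolutely" as "absolutel".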
Otherwise read_config was reading the config file and failing with an object of type None when calling .lower():
AttributeError: 'NoneType' object has no attribute 'lower'
I get the output:
Checking Artillery... Process dead but pidfile exists
when I run "service artillery status." I have rebooted the system and restarted artillery.
As the title says I'd like to know if artillery does support FreeBSD or any *BSD nix
In the config file, the HONEYPOT_BAN variable is set to "YES"
https://github.com/trustedsec/artillery/blob/master/config#L33
However, the code is inconsistent in what it expects the value of this variable to be. "YES", "ON", and "OFF" are all used.
https://github.com/trustedsec/artillery/blob/master/src/honeypot.py#L61-L81
Hi,
I'm running artillery from commit 848aeaf on Ubuntu 13.04 w/ kernel 3.9.5, and am seeing some unusually high CPU utilization. htop shows at least two artillery.py processes consuming 100% CPU, even after the system has been running for 40+ minutes (so this does not appear to be a start-up issue). Also, this may or may not be related, but when I attempted to shut down artillery by issuing "service artillery stop", I instead see more artillery processes start consuming 100% CPU (up to 4 total artillery processes consuming 100% CPU now).
There doesn't appear to be any output in /var/artillery/logs to determine what the issue might be.
On trustedsec.com/banlist.txt, if you run this command on the file
cat banlist.txt | sort | uniq > banlist2.txt
it will output the sorted and unique IPs in the banlist2 file, which removes over 1000 duplicated non-unique IPs and keeps the file size down.
No matter what I try, artillery seems to dislike my entry in the Exclude statement for a directory.
Trying to get it to ignore the webmin status directory with this:
EXCLUDE="/etc/webmin/system-status/"
restart artillery and it persists... is it not smart enough to recurse?
Currently artillery has the option to bind to a particular IP address for the honeypot feature, but this is less than ideal when the interface you wish to deploy the honeypot on gets its IP address from a DHCP server. This could be solved by having artillery bind to the interface name (eth0, wlan0, etc.) of the interface you wish to protect, or look up the IP address of the interface in question and use the current method dynamically.
I edited the logging mechanism to write to a new file rather than "syslog" when LOCAL is defined.
import logging

# inside syslog() in core.py
if type == "local":
    my_logger = logging.getLogger('Artillery')
    my_logger.setLevel(logging.DEBUG)
    HPLOG = read_config("LOG_FILE")
    handler = logging.FileHandler(HPLOG)
    my_logger.addHandler(handler)
The logs were working fine in the file defined by LOG_FILE, but the next day the file got re-initiated and I lost the day-1 logs. Any idea which code is responsible for that, or why the logs are getting rotated when I have defined a new FileHandler?
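As an added example (not the project's code) of what the edit above leaves out: logging.getLogger('Artillery') returns the same process-wide logger on every call, so attaching a new FileHandler inside syslog() adds one more handler per call, and each alert is then written once per handler. FileHandler opens the file in append mode by default and does not truncate it on its own; if the file should ever shrink only because of a size limit, use RotatingFileHandler and configure the logger exactly once. The paths and alert texts below are constructed for the demo.

```python
import logging
import os
import tempfile
from logging.handlers import RotatingFileHandler


def get_alert_logger(path, name="Artillery", max_bytes=5 * 1024 * 1024, backups=5):
    """Return a logger writing to 'path', configuring it only on the first call.

    logging.getLogger(name) is a process-wide singleton, so without the guard
    below every call would attach another handler and duplicate each line.
    """
    logger = logging.getLogger(name)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False  # keep alerts out of the root logger / stderr
    target = os.path.abspath(path)
    for handler in logger.handlers:
        if isinstance(handler, RotatingFileHandler) and handler.baseFilename == target:
            return logger  # already configured for this file
    # mode='a' by default: the file is appended to, never truncated on open.
    handler = RotatingFileHandler(path, maxBytes=max_bytes, backupCount=backups)
    handler.setFormatter(logging.Formatter("%(asctime)s [!] %(message)s"))
    logger.addHandler(handler)
    return logger


def write_alert(path, message, name="Artillery"):
    """Looks the logger up on every call, as the edited syslog() above does."""
    get_alert_logger(path, name=name).critical(message)


def demo():
    """Constructed run: returns what a practitioner would check after a day of alerts."""
    workdir = tempfile.mkdtemp(prefix="artillery-log-")

    # Three alerts through three separate logger look-ups: one handler, three lines.
    alerts = os.path.join(workdir, "alerts.log")
    for i in range(3):
        write_alert(alerts, "constructed alert %d from 192.0.2.%d on port 22" % (i, i))
    handler_count = len(logging.getLogger("Artillery").handlers)
    with open(alerts) as fh:
        lines = fh.read().splitlines()

    # Rotation, the only way the file should ever lose lines: 200-byte cap, 2 backups.
    rotated = os.path.join(workdir, "rotated.log")
    get_alert_logger(rotated, name="ArtilleryRotate", max_bytes=200, backups=2)
    for i in range(20):
        write_alert(rotated, "constructed alert %02d" % i, name="ArtilleryRotate")

    return {
        "handlers": handler_count,
        "lines": lines,
        "rotated": os.path.exists(rotated + ".1"),
        "workdir": workdir,
    }


if __name__ == "__main__":
    result = demo()
    print("handlers:", result["handlers"], "lines:", len(result["lines"]),
          "rotated:", result["rotated"], "in", result["workdir"])
```

If the file still empties overnight with a single append-mode handler in place, the cause is outside the logging module (a logrotate rule for the path, or another process reopening it with "w"), which this example cannot diagnose.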
I'm converting my iptables over to ipset based for the most part and wondering if you've looked at adding ipset usage to Artillery? I would love to have it in there.
root@kali:~/artillery# ./setup.py
Traceback (most recent call last):
File "./setup.py", line 7, in <module>
from src.core import *
File "/root/artillery/src/core.py", line 503
return
^
IndentationError: unindent does not match any outer indentation level
Hi there,
There is a small typo in harden.py that stops artillery from running.
@@ -26,7 +26,7 @@ if operating_system == "posix": if os.path.isfile("/etc/ssh/sshd_config"): fileopen = file("/etc/ssh/sshd_config", "r") data = fileopen.read() - root_check = check_confg("ROOT_CHECK=").lower() + root_check = check_config("ROOT_CHECK=").lower() if root_check == "on": match = re.search("RootLogin yes", data) # if we permit root logins trigger alert
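Review bot: the rename from `check_confg` to `check_config` is the right fix for the NameError, but two problems remain on the visible lines. `re.search("RootLogin yes", data)` is a substring match, so it also fires on the commented default `#PermitRootLogin yes` that many distributions ship in sshd_config, and sshd treats the keyword case-insensitively; anchor and case-fold it, e.g. `re.search(r"^\s*PermitRootLogin\s+yes\b", data, re.MULTILINE | re.IGNORECASE)`. And `check_config("ROOT_CHECK=").lower()` raises `AttributeError: 'NoneType' object has no attribute 'lower'` when the key is absent from the config, the same failure reported for `read_config("anonymous_enable")` in the vsftpd check above; guard it with `(check_config("ROOT_CHECK=") or "").lower()`.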
Should fix it.
root@MainServer:/etc# iptables -L
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
When both UFW and Artillery are enabled and running, I get this error with iptables. I haven't had this issue in the past, so I'm not sure what is wrong. Iptables works when one is disabled.
Request
It is possible to whitelist IPs by subnet range? 192.168.0.0/16
Thanks!
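An added example, not Artillery's code, of how a subnet-aware whitelist check can work: entries are parsed with the standard library's ipaddress module, a bare address becomes a single-host /32 (or /128) network so one membership test covers both forms, and a peer string that is not an IP at all is reported rather than raised, so it cannot kill the honeypot thread. The WHITELIST_IP key name and the sample entries are assumptions for the demo.

```python
import ipaddress


def load_whitelist(raw_value):
    """Parse a comma-separated list of addresses and CIDR ranges into networks.

    Bare addresses become single-host networks. Malformed entries are returned
    separately rather than silently dropped, so a typo shows up at start-up.
    """
    networks, bad = [], []
    for entry in raw_value.split(","):
        entry = entry.strip().strip("\"'")
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            bad.append(entry)
    return networks, bad


def is_whitelisted(ip, networks):
    """True if ip falls inside any whitelisted network of the same IP version."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False  # not an IP at all: never treat garbage as trusted
    return any(addr in net for net in networks if net.version == addr.version)


def ban_decision(ip, networks):
    """What the honeypot listener should do for a connecting address.

    Returns 'whitelisted', 'ban' or 'ignore' (unparseable input) so a bad
    peer string is logged by the caller instead of raising inside the thread.
    """
    try:
        ipaddress.ip_address(ip.strip())
    except ValueError:
        return "ignore"
    return "whitelisted" if is_whitelisted(ip, networks) else "ban"


# Constructed sample; WHITELIST_IP is an assumed key name, not the shipped config's.
SAMPLE_WHITELIST = '127.0.0.1, 192.168.0.0/16, 10.0.0.5, ::1, fd00::/8, not-an-ip'


if __name__ == "__main__":
    nets, bad = load_whitelist(SAMPLE_WHITELIST)
    print("rejected entries:", bad)
    for peer in ["192.168.5.7", "10.0.0.5", "10.0.0.6", "198.51.100.9",
                 "fd00::1", "::1", "garbage"]:
        print(peer, "->", ban_decision(peer, nets))
```

The check runs before any iptables call, so a whitelisted scanner on the management subnet is never added to the ban list in the first place; the version filter in is_whitelisted also keeps an IPv4 range from being consulted for an IPv6 peer.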
I'm attempting to run artillery on the ADHD linux disto and receive the following error
"[!] Error Detected. Printing: expected string or buffer"
I have started artillery with the following command:
"sudo python2 artillery.py 2> /dev/null"
When I attempt to connect to one of the honeypot ports it prints out the error message stated above, 1 for each attempt. No logs are generated in /var/artillery/logs.
Artillery version: 0.7.1
Python version: 2.7.3
Distro: ADHD 0.5.0
The indent level is wrong in lines 501-502 of src/core.py, causing program failure. Fix is to remove two leading spaces on each line.
I have modified and started using this, and it seems to be working well. The only issue I'm having is not creating the rule in the INPUT chain when it already exists. Thought I'd share it with you.
Under which (OSS) license is artillery distributed?
I configured the mail settings, and could see the Incident Email in my Gmail "Sent" items of configured mail address.
But, the recipient is not receiving any email. The same email when I forward from Gmail, it gets to the target recipient account. Not sure on the workaround.
Any ideas?
Getting the following issue after updating to the latest version of Artillery:
Traceback (most recent call last):
File "/var/artillery/artillery.py", line 16, in <module>
write_log("Artillery has started successfully.")
File "/var/artillery/src/core.py", line 352, in write_log
syslog(alert)
File "/var/artillery/src/core.py", line 308, in syslog
type = read_config("SYSLOG_TYPE").lower()
File "/var/artillery/src/core.py", line 38, in read_config
line = line.split("")
ValueError: empty separator
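Three issues on this page come down to how the config file is read: the question about multiple recipients in ALERT_USER_EMAIL, HONEYPOT_BAN shipping as "YES" while honeypot.py compares against "ON"/"OFF", and the traceback just above, where `line.split("")` raises `ValueError: empty separator`. The following added example, not the project's read_config, parses KEY=value lines with a regex, normalises booleans so YES/ON/TRUE all count as enabled, splits list values on commas or semicolons (including the quoted forms tried in the recipients question), and expands port ranges such as 5900-6120 as requested in another issue. The sample config text is constructed.

```python
import re

CONFIG_LINE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')
TRUE_WORDS = {"yes", "on", "true", "1"}
FALSE_WORDS = {"no", "off", "false", "0"}


def _unquote(value):
    """Strip one matching pair of surrounding quotes."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def _clean_item(item):
    """Trim whitespace and any stray quotes left over from a quoted list."""
    return item.strip().strip("\"'")


def parse_config(text):
    """Parse KEY=value lines into a dict; comments and blank lines are skipped.

    Unparseable lines are collected under '__errors__' instead of raising,
    so one bad line cannot stop the daemon from starting.
    """
    cfg, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        match = CONFIG_LINE.match(raw)
        if not match:
            errors.append((lineno, raw))
            continue
        cfg[match.group(1).upper()] = _unquote(match.group(2))
    cfg["__errors__"] = errors
    return cfg


def config_bool(cfg, key, default=False):
    """Accept YES/ON/TRUE/1 and NO/OFF/FALSE/0 regardless of case."""
    value = cfg.get(key)
    if value is None:
        return default
    word = value.strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise ValueError("%s=%r is not a recognised boolean" % (key, value))


def config_list(cfg, key):
    """Split on ',' or ';', dropping quotes and whitespace around each item."""
    items = re.split(r"[,;]", cfg.get(key, ""))
    return [_clean_item(item) for item in items if _clean_item(item)]


def config_ports(cfg, key):
    """Expand '21,22,5900-5910' into a sorted list of ints; bad entries raise."""
    ports = set()
    for item in config_list(cfg, key):
        if "-" in item:
            low, high = (int(part) for part in item.split("-", 1))
            if not 0 < low <= high <= 65535:
                raise ValueError("bad port range %r" % item)
            ports.update(range(low, high + 1))
        else:
            port = int(item)
            if not 0 < port <= 65535:
                raise ValueError("bad port %r" % item)
            ports.add(port)
    return sorted(ports)


# Constructed sample, not the project's shipped config file.
SAMPLE_CONFIG = """\
# honeypot settings
HONEYPOT_BAN="YES"
EMAIL_ALERTS=ON
ALERT_USER_EMAIL="alice@example.com" , "bob@example.com"
PORTS="21,22,5900-5910"
SYSLOG_TYPE="LOCAL"
this line has no equals sign
"""


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("ban:", config_bool(cfg, "HONEYPOT_BAN"), "alerts:", config_bool(cfg, "EMAIL_ALERTS"))
    print("recipients:", config_list(cfg, "ALERT_USER_EMAIL"))
    print("ports:", config_ports(cfg, "PORTS"))
    print("unparsed:", cfg["__errors__"])
```

A value that is neither a known true nor false word raises at start-up rather than silently reading as "off", which is the failure mode the YES/ON/OFF inconsistency produces today.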
Installing on AlienVault OSSIM. I have 5 others running flawlessly; just on this one, I cannot get artillery to run ...
./artillery.py
[] 2015-03-17 00:37:07: Artillery has started successfully.
[] Console logging enabled.
Has not found configuration file for ftp. Ftp monitor now stops.
General exception: zero length field name in format
Fatal Python error: PyImport_GetModuleDict: no module dictionary!
Aborted
Hello, I encountered an error when launching setup.py with Python 2.7.9 and Python 3.4.2.
./setup.py
Traceback (most recent call last):
File "./setup.py", line 7, in <module>
from src.core import *
File "/opt/artillery/src/core.py", line 503
return
^
IndentationError: unindent does not match any outer indentation level
Thanks for your help
Stan !
Written by: Dave Kennedy (ReL1K)
Do you want to install Artillery and have it automatically run when you restart [y/n]: y
[] Checking to see if Artillery is currently running...
[] Beginning installation. This should only take a moment.
[] Adding artillery into startup through init scripts..
[] Triggering update-rc.d on artillery to automatic start...
update-rc.d: warning: /etc/init.d/artillery missing LSB information
update-rc.d: see http://wiki.debian.org/LSBInitScripts
System start/stop links for /etc/init.d/artillery already exist.
Do you want to keep Artillery updated? (requires internet) [y/n]: n
[] Copying setup files over...
Would you like to start Artillery now? [y/n]: y
[] Installation complete. Edit /var/artillery/config in order to config artillery to your liking..
root@danu-AO725:/home/danu/artillery# Unhandled exception in thread started by <function monitor_system at 0xb7003844>
Traceback (most recent call last):
File "/var/artillery/src/monitor.py", line 70, in monitor_system
filewrite = file("/var/artillery/database/temp.database", "w")
IOError: [Errno 2] No such file or directory: '/var/artillery/database/temp.database'
Did I install artillery incorrectly?
I followed the step-by-step directions in the ADHD tool usage PDF. When I telnet or use puTTy to access an open port, artillery does not do anything.
I ran a Nessus scan (on a different machine not running Artillery) against the IP address of the machine running Artillery and that's when I saw an IP address was added to the banlist.txt
I soon after wanted to access the logs.alert file and the logs directory is empty.
pi@raspberrypi / $ tail /var/artillery/logs/alerts.log
tail: cannot open `/var/artillery/logs/alerts.log' for reading: No such file or directory
Thanks.
hi, with EMAIL_ALERTS=ON and something in /var/artillery/src/program_junk/email_alerts.log
I get this exception:
Unhandled exception in thread started by <function check_alert at 0x9da230>
Traceback (most recent call last):
File "/var/artillery/src/email_handler.py", line 24, in check_alert
data)
TypeError: mail() takes exactly 3 arguments (2 given)
When I run Python shell script using IDLE, I get the following errors on Windows 7 64 bit. I have removed the "C:\program files\artillery" folder before running it and still get the error. Scripts run as local admin.
Python 2.7.9 (default, Dec 10 2014, 12:28:03) [MSC v.1500 64 bit (AMD64)] on win32
Type "copyright", "credits" or "license()" for more information.
================================ RESTART ================================
Welcome to the Artillery installer. Artillery is a honeypot, file monitoring, and overall security tool used to protect your nix systems.
Written by: Dave Kennedy (ReL1K)
Do you want to install Artillery and have it automatically run when you restart [y/n]: y
Traceback (most recent call last):
File "C:\Python27\artillery-master\setup.py", line 61, in
os.makedirs(program_files + "\Artillery\logs")
File "C:\Python27\lib\os.py", line 157, in makedirs
mkdir(name, mode)
WindowsError: [Error 183] Cannot create a file when that file already exists: 'C:\Program Files\Artillery\logs'
Is there a way to limit the size of the log? Or change what artillery logs to, and then limit its size?
I'm having an issue where I'm getting the below randomly, and I'm pretty sure it's falling over and missing traffic. My SSH gets hammered a lot and I haven't figured out how to debug this. Any suggestions?
Artillery has started successfully.
Console logging enabled.
...
/opt/artillery.sh: line 28: 31007 Hangup /var/artillery/artillery.py
Just tried 1.0 on a production system (about 20 clients). Memory and CPU usage spiked and sustained. Memory was at about 2.8G (Res) 7G (Virt) consumed when i killed it. I wasn't able to find any log files so i'm not sure what I can send you to help troubleshoot the error.
Also, I've been running 0.9 on a smaller server with no problems. I just upgraded that server to 1.0 to see if the issue would reproduce. The problem is a little different on that box. I can visibly watch the CPU and memory climb, but the process eventually dies. That box only has 1gb of ram, so the system might be killing it once the resources start to cap out.
as of commit ded89a9
Install fails as follows:
root@Wrath ~/t/artillery# python setup.py install
Welcome to the Artillery installer. Artillery is a honeypot, file monitoring, and overall security
tool used to protect your nix systems.
Written by: Dave Kennedy (ReL1K)
Artillery detected. Do you want to uninstall [y/n:] y
[] Checking to see if Artillery is currently running...
[] Artillery has been uninstalled. Manually kill the process if it is still running.
root@Wrath ~/t/artillery# ps aux|grep python
chris 2392 0.0 0.6 847336 24608 ? Sl 15:49 0:00 /usr/bin/python3 /usr/lib/unity-lens-photos/unity-lens-photos
chris 2396 0.0 0.5 719856 21876 ? Sl 15:49 0:00 /usr/bin/python /usr/lib/unity-lens-video/unity-lens-video
chris 2524 0.0 0.4 815408 18384 ? Sl 15:49 0:00 /usr/bin/python3 /usr/lib/unity-lens-files/unity-scope-gdrive
chris 2561 0.0 0.4 542952 18792 ? Sl 15:49 0:00 /usr/bin/python /usr/lib/unity-scope-video-remote/unity-scope-video-remote
root 17343 0.0 0.0 13628 956 pts/2 R+ 16:05 0:00 grep python
root@Wrath ~/t/artillery# python setup.py install
Welcome to the Artillery installer. Artillery is a honeypot, file monitoring, and overall security
tool used to protect your nix systems.
Written by: Dave Kennedy (ReL1K)
Do you want to install Artillery and have it automatically run when you restart [y/n]: y
[] Checking to see if Artillery is currently running...
[] Beginning installation. This should only take a moment.
[] Adding artillery into startup through init scripts..
[] Triggering update-rc.d on artillery to automatic start...
update-rc.d: warning: /etc/init.d/artillery missing LSB information
update-rc.d: see http://wiki.debian.org/LSBInitScripts
System start/stop links for /etc/init.d/artillery already exist.
Do you want to keep Artillery updated? (requires internet) [y/n]: y
[] Checking out Artillery through subversion to /var/artillery
[] Doing some housecleaning..
fatal: destination path '/var/artillery' already exists and is not an empty directory.
[] Finished. If you want to update Artillery go to /var/artillery and type 'git pull'
Would you like to start Artillery now? [y/n]: y
[] Installation complete. Edit /var/artillery/config in order to config artillery to your liking..
root@Wrath ~/t/artillery# python: can't open file '/var/artillery/artillery.py': [Errno 2] No such file or directory
The indentation of the project isn't quite regular, so it would be cool to run reindent.py on it (I can do it myself if somebody accepts my pull request #15; I just haven't run it yet because it would make things a lot harder for whoever does the code review).
http://svn.python.org/projects/python/trunk/Tools/scripts/reindent.py