
artillery's Issues

Artillery was unable to log into the mail server

Hi everyone,

When artillery detects a file change the email alert arrives perfectly; however, when it bans an IP for connecting to a honeypot port the sending fails with the error:

Jun 25 10:43:33 immuno-security [!] Error, Artillery was unable to log into the mail server
Jun 25 10:43:33 immuno-security [!] message repeated 111 times: [ Error, Artillery was unable to log into the mail server]

Also, as a side question: the banning is quite slow, usually happening 30 sec to 1 minute after the port is touched. Is this normal? Is it normal that the syslog is full of duplicated messages for the same IP & port?

Thank you!

Artillery and open relay mail servers

Hi all

I've been through the other topics that relate to this issue, but none of the fixes appear to work. I have installed, removed, re-cloned, and deployed so many times, it's not even funny anymore :)

I have deployed Artillery on a vanilla Ubuntu 14.04.1 Server, and have set it to use our internal LAN mail relay(s), which allows relay from anywhere internally.

Artillery detects port traffic and file changes, reports them in the syslog locally, but it is unable to send email, reporting:

[!] 2014-11-12 09:49:41: Error, Artillery was unable to log into the mail server

Running tcpdump shows that the artillery script is connecting to the mail server. It gets past the three-way handshake, does its initial "EHLO", receives the code 250 return traffic (VRFY, AUTH, etc.), then Artillery initiates the closing of the connection with a FIN packet, and it all closes down normally.

I have tried several mail servers on our LAN, differing types and platforms (CentOS, Ubuntu, a commercial mail server on Windows that I cannot mention for $REASONS), and all show the same symptoms.

The relevant part of the config file is pasted below. Any help you can give would be gratefully received. pcap files can be supplied via a secure channel (don't really want to be posting pcaps of LAN traffic in public).

EMAIL_ALERTS=ON

# CURRENT SUPPORT IS FOR SMTP, ENTER YOUR USERNAME AND PASSWORD HERE. LEAVE BLANK FOR OPEN RELAY
SMTP_USERNAME=""

# ENTER THE SMTP PASSWORD HERE. LEAVE BLANK FOR OPEN RELAY
SMTP_PASSWORD=""

# THIS IS WHO TO SEND THE ALERTS TO - EMAILS WILL BE SENT FROM ARTILLERY TO THIS ADDRESS
ALERT_USER_EMAIL="[email protected]" (obviously not my real address!)

# FOR SMTP ONLY HERE, THIS IS THE MAILTO
SMTP_FROM="Artillery Incident"

# SMTP ADDRESS FOR SENDING EMAILS, DEFAULT IS GMAIL
SMTP_ADDRESS="
"

# SMTP PORT FOR SENDING EMAILS DEFAULT IS GMAIL WITH TTLS
SMTP_PORT="25"

# THIS WILL SEND EMAILS OUT DURING A CERTAIN FREQUENCY. IF THIS IS SET TO OFF, ALERTS
# WILL BE SENT AUTOMATICALLY AS THEY HAPPEN (CAN LEAD TO A LOT OF SPAM)
EMAIL_TIMER=ON

# HOW OFTEN DO YOU WANT TO SEND EMAIL ALERTS (DEFAULT 10 MINUTES)
EMAIL_FREQUENCY=600

Error with setup.py

Hi! Using this on Kali 2.0, I'm getting this error when running setup.py:

python setup.py
Traceback (most recent call last):
File "setup.py", line 4, in <module>
import py2exe, sys, paramiko, ecdsa, ssl, ctypes, _ctypes, _thread
ImportError: No module named py2exe

I haven't been able to figure it out. Any help?

setup.py problem

I am trying to install this on a digitalocean droplet and receive the below error when running the setup.py.

Traceback (most recent call last):
File "./setup.py", line 10, in <module>
from src.core import *
File "/root/artillery/src/core.py", line 422
if not os.path.isdir("/var/artillery/logs"): os.makedirs("/var/artillery/logs")
^
TabError: inconsistent use of tabs and spaces in indentation

I am running Python 3.5.2

distribute it as .rpm and .deb packages

Some "systems administrators" don't allow the installation of software through git or anything like that. Packaging as .rpm and .deb packages fixes that (and also makes it more friendly for newcomers).

Artillery isn't actually compatible with Windows

For instance, core.is_already_banned() uses the Linux command 'iptables'; this will not work on Windows. There are similar things all through the code. It is clear this program wasn't made for Windows.

Consider removing Windows from "Supported platforms" in the readme.

E-mail troubleshoot

I'm running everything through Raspberry Pi Debian Linux terminal, I am very new to all of this.

  1. My first question is about the e-mail feature. I have set e-mail alerts to ON and the e-mail timer to OFF through the config file, but have not received any e-mails in my spam folder or my inbox.

There is a commented line above the e-mail alerts about:
"# CURRENT SUPPORT IS FOR SMTP, ENTER YOUR USERNAME AND PASSWORD HERE. LEAVE BLANK FOR OPEN RELAY
USERNAME="" "

ENTER THE SMTP PASSWORD HERE. LEAVE BLANK FOR OPEN RELAY

PASSWORD=""

Do I need to fill out my username and password in those lines in order to receive an e-mail alert?

When I go into the sys log, it says "raspberrypi [!] Error, Artillery was unable to log into the mail server"

Why might the e-mail function not work?

  2. Side Question: I'm starting to wonder if I installed Artillery correctly.

I used git clone https://github.com/trustedsec/artillery artillery/
When I set it up, it asks if I'd like to install, and I put yes. But when it asks if I'd like to keep it updated, I have to put No or I can't run artillery. Is this normal?
It talks about how it can't getcwd() if I say Yes to updating it.

Error with Remote Syslog

I'm testing Artillery on CentOS 7 and it works fine when I have SYSLOG_TYPE=LOCAL. When I change that to REMOTE, I get the following error.

Traceback (most recent call last):
File "./artillery.py", line 30, in <module>
write_log("Artillery has started successfully.")
File "/var/artillery/src/core.py", line 356, in write_log
syslog(alert)
File "/var/artillery/src/core.py", line 352, in syslog
my_logger.critical(line + "\n")
UnboundLocalError: local variable 'my_logger' referenced before assignment

Request for enhancement

Please consider allowing users to change the Apache monitoring path in the configure file, so that non-Apache users can use this application program.

Mail error: unable to log into the mail server

On RPi2B mail -s works (ssmtp as mail handler) but artillery throws the error "unable to log it..."; all the alerts are correct (tail -f /var/artillery/logs/alerts.log) but I don't seem to see why system mail works and Artillery doesn't. Both are configured to use smtp.google.com, and credentials match in ssmtp.conf and artillery/config.

Niel
[email protected]

Keeping a ban list in Windows

It looks from the core.py that linux offers a banlist.txt

It might be nice to have that same list generated for Windows.

Logging differences for blocking vs. non

If HONEYPOT_BAN=ON is set, you'll see the following in the logs:
Mar 24 13:20:24 localhost 2014-03-24 13:20:24.088033 [!] Artillery has blocked (and blacklisted) the IP Address: 192.168.0.1 for connecting to a honeypot restricted port: 80

If HONEYPOT_BAN=OFF is set, you'll see a few log lines broken up:
Mar 24 13:32:41 localhost 2014-03-24 13:32:41.544426 [!] Artillery has detected an attack from IP address: 192.168.0.1
Mar 24 13:32:41 2014-03-24 last message repeated 5 times
Mar 24 13:32:41 localhost for a connection on a honeypot port: 80

It would be really helpful if the port was logged on each line (like the first example) rather than as a single line at the end of the attack.
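The two log shapes described in this issue can be folded into one event stream on the collector side. The parser below is an added example, not Artillery's code; it uses the four lines quoted above as a constructed sample and assumes syslog's "last message repeated N times" means N further occurrences of the preceding line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the lines quoted in the post above, one
# HONEYPOT_BAN=ON event followed by one HONEYPOT_BAN=OFF event.
SAMPLE_SYSLOG = """\
Mar 24 13:20:24 localhost 2014-03-24 13:20:24.088033 [!] Artillery has blocked (and blacklisted) the IP Address: 192.168.0.1 for connecting to a honeypot restricted port: 80
Mar 24 13:32:41 localhost 2014-03-24 13:32:41.544426 [!] Artillery has detected an attack from IP address: 192.168.0.1
Mar 24 13:32:41 2014-03-24 last message repeated 5 times
Mar 24 13:32:41 localhost for a connection on a honeypot port: 80
"""

BLOCKED_RE = re.compile(
    r"Artillery has blocked \(and blacklisted\) the IP Address: (\S+) "
    r"for connecting to a honeypot restricted port: (\d+)")
DETECTED_RE = re.compile(r"Artillery has detected an attack from IP address: (\S+)")
REPEATED_RE = re.compile(r"last message repeated (\d+) times")
PORT_RE = re.compile(r"for a connection on a honeypot port: (\d+)")


@dataclass
class HoneypotEvent:
    ip: str
    port: Optional[int]   # None if the trailing port line never arrived
    hits: int             # attempts, including those folded into a "repeated" line
    banned: bool          # True for the HONEYPOT_BAN=ON wording


def parse_events(text: str) -> List[HoneypotEvent]:
    """Fold the two log shapes into one event list, in log order."""
    events: List[HoneypotEvent] = []
    # HONEYPOT_BAN=OFF detection still waiting for its "honeypot port:" line
    pending: Optional[HoneypotEvent] = None
    for line in text.splitlines():
        m = BLOCKED_RE.search(line)
        if m:
            events.append(HoneypotEvent(m.group(1), int(m.group(2)), 1, True))
            continue
        m = DETECTED_RE.search(line)
        if m:
            if pending is not None:       # previous detection never got a port line
                events.append(pending)
            pending = HoneypotEvent(m.group(1), None, 1, False)
            continue
        m = REPEATED_RE.search(line)
        if m and pending is not None:
            pending.hits += int(m.group(1))   # N more copies of the detection line
            continue
        m = PORT_RE.search(line)
        if m and pending is not None:
            pending.port = int(m.group(1))
            events.append(pending)
            pending = None
    if pending is not None:
        events.append(pending)
    return events


if __name__ == "__main__":
    for ev in parse_events(SAMPLE_SYSLOG):
        print(ev)
```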

No logs in ADHD Artillery

Hi there,

I'm using ADHD 0.5.0
Similar problem to #35

When I run python2 artillery.py, I get a whole bunch of these errors:

Exception AttributeError: AttributeError("'_DummyThread' object has no attribute '_Thread__block'",) in <module 'threading' from '/usr/lib/python2.7/threading.pyc'> ignored

And although artillery seems to be correctly blocking the IP address when I telnet to port 21, I don't see any logs.

Where are they supposed to be?
I looked at all log files under /var/log, nothing is there.

Thanks

FTP config on slackware

Had to do a small change to get the FTP check working in harden.py on slackware 14.1 64bit

diff -Naur /data/downloads/src/git/artillery/src/harden.py src/harden.py
--- /data/downloads/src/git/artillery/src/harden.py 2014-03-17 17:23:43.982040149 +1100
+++ src/harden.py 2014-03-17 20:03:11.522267536 +1100
@@ -34,8 +34,8 @@
if os.path.isfile("/etc/vsftpd.conf"):
fileopen = file("/etc/vsftpd.conf", "r")
data = fileopen.read()

  •    anon_check = read_config("anonymous_enable").lower()
    
  •    if anon_check == "yes":
    
  •   match = re.search("anonymous_enable=YES", data)
    
  •    if match:
         # trigger warning if match
         warning = warning + "Issue identified: /etc/vsftpd.conf allows Anonymous login. An attacker can gain a foothold to the system with absolutel zero effort. Recommendation: Change anonymous_enable yes to anonymous_enable no\n\n"
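Review bot: the root cause is that `read_config("anonymous_enable")` consults Artillery's own config, not the vsftpd.conf just read into `data`, so on a host whose config has no such key it returns None and `.lower()` raises the AttributeError quoted below; checking `data` directly, as `match = re.search("anonymous_enable=YES", data)` does, is the right direction, but that pattern also fires on a commented-out `#anonymous_enable=YES` line and misses `anonymous_enable = YES` with spaces, so anchor it: `re.search(r"^\s*anonymous_enable\s*=\s*YES", data, re.M)`. The warning string still carries the typo "absolutel", and `fileopen = file("/etc/vsftpd.conf", "r")` is never closed; `with open(...) as fileopen:` fixes both the leak and the Python-2-only builtin.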
    

Otherwise read_config was reading the config file and failing with object type None when trying .lower():
AttributeError: 'NoneType' object has no attribute 'lower'

ev0x@243d19a

Artillery not running

I get the output:

Checking Artillery... Process dead but pidfile exists

when I run "service artillery status." I have rebooted the system and restarted artillery.

artillery high cpu utilization

hi,

I'm running artillery from commit 848aeaf on ubuntu 13.04 w/ kernel 3.9.5, and am seeing some unusually high cpu utilization. An htop shows at least two artillery.py processes consuming 100% cpu, even after the system has been running for 40+ minutes (so this does not appear to be a start-up issue). Also, this may or may not be related, but when I attempted to shut down artillery by issuing "service artillery stop", I instead see more artillery processes start consuming 100% cpu (up to 4 total artillery processes consuming 100% cpu now).

There doesn't appear to be any output in /var/artillery/logs to determine what the issue might be.

removing duplicated IPs

on trustedsec.com/banlist.txt if you run this command on the file

cat banlist.txt | sort | uniq > banlist2.txt

It will output the sorted and unique IPs in the banlist2 file, which removes over 1000 duplicated non-unique IPs and keeps the file size down.

artillery has detected a change - exclude wonkiness?

no matter what I try, artillery seems to be disliking my entry in the Exclude statement for a directory.

Trying to get it to ignore the webmin status directory with this:

EXCLUDE="/etc/webmin/system-status/"

restart artillery and it persists... is it not smart enough to recurse?

[suggestion] bind to interface name not IP address for honey pot

Currently artillery has the option to bind to a particular IP address for the honeypot feature, but this is less than ideal when the interface you wish to deploy the honeypot on gets its IP address from a DHCP server. This could be solved by having artillery bind to the interface name (eth0, wlan0 etc.) of the interface you wish to protect, or look up the IP address of the interface in question and use the current method dynamically.

Log Rotation

I edited the logging mechanism to a new file rather than "syslog" when defined LOCAL.

    if type == "local":
        my_logger = logging.getLogger('Artillery')
        my_logger.setLevel(logging.DEBUG)
        HPLOG = read_config("LOG_FILE")
        handler = logging.FileHandler(HPLOG)
        my_logger.addHandler(handler)

The logs were working fine in the define file @ LOG_FILE, but next day the file got re-initiated. I lost day-1 logs. Any idea which code is responsible for that or why the logs are getting rotated when I have defined a new FileHandler?

ipset?

I'm converting my iptables over to ipset based for the most part and wondering if you've looked at adding ipset usage to Artillery? I would love to have it in there.

Problem with setup.py in Kali 2.0

root@kali:~/artillery# ./setup.py
Traceback (most recent call last):
File "./setup.py", line 7, in <module>
from src.core import *
File "/root/artillery/src/core.py", line 503
return
^
IndentationError: unindent does not match any outer indentation level

Typo in src/harden.py

Hi there,

There is a small typo in harden.py that stops artillery from running.

@@ -26,7 +26,7 @@ if operating_system == "posix":
         if os.path.isfile("/etc/ssh/sshd_config"):
                 fileopen = file("/etc/ssh/sshd_config", "r")
                 data = fileopen.read()
-               root_check = check_confg("ROOT_CHECK=").lower()
+               root_check = check_config("ROOT_CHECK=").lower()
                if root_check == "on":
                        match = re.search("RootLogin yes", data)
                        # if we permit root logins trigger alert
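Review bot: the rename `check_confg` → `check_config` fixes the NameError, but `root_check = check_config("ROOT_CHECK=").lower()` keeps the pattern that fails elsewhere on this page when the lookup returns None for a missing key, so guard the result (`(check_config("ROOT_CHECK=") or "").lower()`); and `re.search("RootLogin yes", data)` also matches a commented-out `#PermitRootLogin yes` line, which is how sshd_config ships its defaults, and misses a directive separated by more than one space, so prefer `re.search(r"^\s*PermitRootLogin\s+yes", data, re.I | re.M)`.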

Should fix it.

Artillery and UFW conflict

root@MainServer:/etc# iptables -L
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

When both UFW and Artillery are enabled and running, I get this error with iptables. I haven't had this issue in the past, so I'm not sure what is wrong. Iptables works when one is disabled.

Whitelist by subnet

Request
Is it possible to whitelist IPs by subnet range? 192.168.0.0/16

Thanks!

[!] Error Detected. Printing: expected string or buffer

I'm attempting to run artillery on the ADHD linux disto and receive the following error
"[!] Error Detected. Printing: expected string or buffer"

I have started artillery with the following command:
"sudo python2 artillery.py 2> /dev/null"

When I attempt to connect to one of the honeypot ports it prints out the error message stated above, 1 for each attempt. No logs are generated in /var/artillery/logs.

Artillery version: 0.7.1
Python version: 2.7.3
Distro: ADHD 0.5.0

ipset version

I have modified and started using this; it seems to be working well. The only issue I'm having is not creating the rule in the INPUT chain when it already exists. Thought I'd share it with you.

Mail Issue

I configured the mail settings, and could see the Incident Email in my Gmail "Sent" items of configured mail address.
But, the recipient is not receiving any email. The same email when I forward from Gmail, it gets to the target recipient account. Not sure on the workaround.

Any ideas?

Start Up Issue

Getting the following issue after updating to the latest version of Artillery:

Traceback (most recent call last):
File "/var/artillery/artillery.py", line 16, in <module>
write_log("Artillery has started successfully.")
File "/var/artillery/src/core.py", line 352, in write_log
syslog(alert)
File "/var/artillery/src/core.py", line 308, in syslog
type = read_config("SYSLOG_TYPE").lower()
File "/var/artillery/src/core.py", line 38, in read_config
line = line.split("")
ValueError: empty separator
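Two posts on this page show Artillery's config reader failing on its own input: the "FTP config on slackware" report, where a missing key came back as None and `.lower()` raised AttributeError, and the traceback just above, where `line.split("")` raised ValueError. The parser below is an added example (not Artillery's code) of reading the same KEY="value" format so that both cases degrade gracefully; the sample config is constructed from the lines quoted in the open-relay post.

```python
import re
from typing import Dict

# Constructed sample in the KEY="value" layout quoted in the open-relay post above.
SAMPLE_CONFIG = '''
# CURRENT SUPPORT IS FOR SMTP, ENTER YOUR USERNAME AND PASSWORD HERE. LEAVE BLANK FOR OPEN RELAY
SMTP_USERNAME=""
SMTP_PORT="25"
EMAIL_ALERTS=ON
EMAIL_FREQUENCY=600
SYSLOG_TYPE="LOCAL"
a malformed line with no equals sign
'''

# KEY = value, with optional whitespace; the value may be bare or double-quoted.
_ASSIGN_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_config(text: str) -> Dict[str, str]:
    """Parse the config text into {KEY: value}; comments, blanks and junk are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN_RE.match(line)
        if m is None:
            continue              # tolerate a malformed line instead of raising
        key, value = m.group(1).upper(), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]   # strip only the surrounding quotes
        settings[key] = value
    return settings


def read_config(settings: Dict[str, str], key: str, default: str = "") -> str:
    """Always returns a str, so callers can chain .lower() without a None check."""
    return settings.get(key.upper(), default)


def flag_is_on(settings: Dict[str, str], key: str) -> bool:
    """ON/OFF switches such as EMAIL_ALERTS; an absent key counts as OFF."""
    return read_config(settings, key, "OFF").lower() == "on"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(read_config(cfg, "SYSLOG_TYPE").lower(), flag_is_on(cfg, "EMAIL_ALERTS"))
```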

Fatal Python error: PyImport_GetModuleDict: no module dictionary!

Installing on AlienVault OSSIM. I have 5 others running flawlessly; just on this one, I cannot get artillery to run ...

./artillery.py
[*] 2015-03-17 00:37:07: Artillery has started successfully.
[*] Console logging enabled.

Has not found configuration file for ftp. Ftp monitor now stops.
General exception: zero length field name in format
Fatal Python error: PyImport_GetModuleDict: no module dictionary!
Aborted

Error when launching setup.py

Hello, I encountered an error when launching setup.py with Python 2.7.9 and Python 3.4.2.

./setup.py
Traceback (most recent call last):
File "./setup.py", line 7, in <module>
from src.core import *
File "/opt/artillery/src/core.py", line 503
return
^

IndentationError: unindent does not match any outer indentation level

Thanks for your help
Stan !

error after installing artillery

Written by: Dave Kennedy (ReL1K)

Do you want to install Artillery and have it automatically run when you restart [y/n]: y
[*] Checking to see if Artillery is currently running...
[*] Beginning installation. This should only take a moment.
[*] Adding artillery into startup through init scripts..
[*] Triggering update-rc.d on artillery to automatic start...
update-rc.d: warning: /etc/init.d/artillery missing LSB information
update-rc.d: see http://wiki.debian.org/LSBInitScripts
System start/stop links for /etc/init.d/artillery already exist.
Do you want to keep Artillery updated? (requires internet) [y/n]: n
[*] Copying setup files over...
Would you like to start Artillery now? [y/n]: y
[*] Installation complete. Edit /var/artillery/config in order to config artillery to your liking..
root@danu-AO725:/home/danu/artillery# Unhandled exception in thread started by <function monitor_system at 0xb7003844>
Traceback (most recent call last):
File "/var/artillery/src/monitor.py", line 70, in monitor_system
filewrite = file("/var/artillery/database/temp.database", "w")
IOError: [Errno 2] No such file or directory: '/var/artillery/database/temp.database'

No logs.alert file & nothing happens when I telnet into an open port

Did I install artillery incorrectly?

I followed the step-by-step directions in the ADHD tool usage PDF. When I telnet or use puTTy to access an open port, artillery does not do anything.

I ran a Nessus scan (on a different machine not running Artillery) against the IP address of the machine running Artillery and that's when I saw an IP address was added to the banlist.txt

I soon after wanted to access the logs.alert file and the logs directory is empty.

pi@raspberrypi / $ tail /var/artillery/logs/alerts.log
tail: cannot open `/var/artillery/logs/alerts.log' for reading: No such file or directory

Thanks.

mail() takes exactly 3 arguments (2 given) in email_handler.py

hi, with EMAIL_ALERTS=ON and something in /var/artillery/src/program_junk/email_alerts.log
I get this exception:

Unhandled exception in thread started by <function check_alert at 0x9da230>
Traceback (most recent call last):
File "/var/artillery/src/email_handler.py", line 24, in check_alert
data)
TypeError: mail() takes exactly 3 arguments (2 given)

Setup Installer fails on Windows 7 64 bit.

When I run Python shell script using IDLE, I get the following errors on Windows 7 64 bit. I have removed the "C:\program files\artillery" folder before running it and still get the error. Scripts run as local admin.

Python 2.7.9 (default, Dec 10 2014, 12:28:03) [MSC v.1500 64 bit (AMD64)] on win32
Type "copyright", "credits" or "license()" for more information.

================================ RESTART ================================

Welcome to the Artillery installer. Artillery is a honeypot, file monitoring, and overall security tool used to protect your nix systems.

Written by: Dave Kennedy (ReL1K)

Do you want to install Artillery and have it automatically run when you restart [y/n]: y

Traceback (most recent call last):
File "C:\Python27\artillery-master\setup.py", line 61, in <module>
os.makedirs(program_files + "\Artillery\logs")
File "C:\Python27\lib\os.py", line 157, in makedirs
mkdir(name, mode)
WindowsError: [Error 183] Cannot create a file when that file already exists: 'C:\Program Files\Artillery\logs'

syslog Size

Is there a way to limit the size of the log? Or change what artillery logs to, and then limit it's size?

Random hangups

I'm having an issue where I'm getting the below randomly, and I'm pretty sure it's falling over and missing traffic. My ssh gets hammered a lot and I haven't figured out how to debug this. Any suggestions?

Artillery has started successfully.
Console logging enabled.
...
/opt/artillery.sh: line 28: 31007 Hangup /var/artillery/artillery.py

Memory / CPU usage on Centos 6

Just tried 1.0 on a production system (about 20 clients). Memory and CPU usage spiked and sustained. Memory was at about 2.8G (Res) 7G (Virt) consumed when i killed it. I wasn't able to find any log files so i'm not sure what I can send you to help troubleshoot the error.

Also, I've been running 0.9 on a smaller server with no problems. I just upgraded that server to 1.0 to see if the issue would reproduce. The problem is a little different on that box. I can visibly watch the CPU and memory climb, but the process eventually dies. That box only has 1gb of ram, so the system might be killing it once the resources start to cap out.

artillery install fails

as of commit ded89a9

Install fails as follows:

root@Wrath ~/t/artillery# python setup.py install

Welcome to the Artillery installer. Artillery is a honeypot, file monitoring, and overall security
tool used to protect your nix systems.

Written by: Dave Kennedy (ReL1K)

Artillery detected. Do you want to uninstall [y/n:] y
[*] Checking to see if Artillery is currently running...
[*] Artillery has been uninstalled. Manually kill the process if it is still running.
root@Wrath ~/t/artillery# ps aux|grep python
chris 2392 0.0 0.6 847336 24608 ? Sl 15:49 0:00 /usr/bin/python3 /usr/lib/unity-lens-photos/unity-lens-photos
chris 2396 0.0 0.5 719856 21876 ? Sl 15:49 0:00 /usr/bin/python /usr/lib/unity-lens-video/unity-lens-video
chris 2524 0.0 0.4 815408 18384 ? Sl 15:49 0:00 /usr/bin/python3 /usr/lib/unity-lens-files/unity-scope-gdrive
chris 2561 0.0 0.4 542952 18792 ? Sl 15:49 0:00 /usr/bin/python /usr/lib/unity-scope-video-remote/unity-scope-video-remote
root 17343 0.0 0.0 13628 956 pts/2 R+ 16:05 0:00 grep python
root@Wrath ~/t/artillery# python setup.py install

Welcome to the Artillery installer. Artillery is a honeypot, file monitoring, and overall security
tool used to protect your nix systems.

Written by: Dave Kennedy (ReL1K)

Do you want to install Artillery and have it automatically run when you restart [y/n]: y
[*] Checking to see if Artillery is currently running...
[*] Beginning installation. This should only take a moment.
[*] Adding artillery into startup through init scripts..
[*] Triggering update-rc.d on artillery to automatic start...
update-rc.d: warning: /etc/init.d/artillery missing LSB information
update-rc.d: see http://wiki.debian.org/LSBInitScripts
System start/stop links for /etc/init.d/artillery already exist.
Do you want to keep Artillery updated? (requires internet) [y/n]: y
[*] Checking out Artillery through subversion to /var/artillery
[*] Doing some housecleaning..
fatal: destination path '/var/artillery' already exists and is not an empty directory.
[*] Finished. If you want to update Artillery go to /var/artillery and type 'git pull'
Would you like to start Artillery now? [y/n]: y
[*] Installation complete. Edit /var/artillery/config in order to config artillery to your liking..
root@Wrath ~/t/artillery# python: can't open file '/var/artillery/artillery.py': [Errno 2] No such file or directory
