Click an Ad

If you find this blog helpful, please support me by clicking an ad!

Thursday, February 12, 2015

Artillery "Honeypot" for Intrusion Detection

I know it's been awhile, but I've been busy working accumulating new blog material! Upcoming topics include:

My standard Ubuntu 14.04 LTS server build guide
Restricting normal users from running Powershell, and why
VMware vCenter Auditing with Powershell
Defending your fileserver/network against crypto ransomware using FSRM

Today though, I'm going to put on my security hat and discuss intrusion detection. Intrusion philosophy has gone through a big shift over the past few years. It used to be that we just had to worry about the perimeter, but now we need to worry about other devices on the network. The current posture is to trust nothing. Your own network is not safe.

When I went to GrrCon last October, David Kennedy (TrustedSec) gave a keynote and mentioned a piece of software called Artillery. Now, Honeypots have always intrigued me, but I'm no security researcher. Nor am I a well-versed in the used of Linux, for that matter. It seems to me that most of the more robust honeypots are overkill for what I wanted, which is basically a booby trap on my network to tell me if anything tries to connect to it. This is the reason that "Honeypot" is in quotes in the title. Artillery isn't a full-blown honeypot.

In my case, Artillery helps by alerting me if someone is snooping around where they shouldn't, or if I have something arbitrarily working its way through my systems; an SMB worm, for example.

First off, I would recommend giving your Artillery server a juicy, inviting name; something having to do with IT docs, or finance, or maybe even certificates. This should change depending on what's of value in your network. Put on your black hat: What would an evildoer be looking for?

After the installation, Artillery presents any open ports you tell it to, and when someone tries to connect it emails me. It's important to note that running Nmap against the server generates no alerts - only attempting to connect to the port triggers any action.

VM Details:
VM Name: JUICYTARGET
16 GB HDD
Ubuntu 64-bit
1 GB RAM
1 CPUs
VMXNET3 NIC


  • Install Log

Boot from Ubuntu 14.04.1 LTS 64-bit
Hostname: JUICYTARGET
User Account:
Password:
No Proxy
Install Security Updates Automatically
Remove disk, reboot

Log in

Change login to root:
sudo su -


  • Configure static IP Address, etc

vi /etc/network/interfaces
change 'iface eth0 inet dhcp' to 'iface eth0 inet static'

add the following lines:
address 192.168.1.45
gateway 192.168.1.1
netmask 255.255.255.0
dns-nameservers 192.168.1.2
Save and exit

  • Install VMware Tools (If this applies to you)

From vCenter, start the Install Vmware Tools process
In the VM:
mkdir /mnt/cdrom
mount /dev/cdrom /mnt/cdrom
tar xzvf /mnt/cdrom/VMwareTools-*.gz -C /tmp/
cd /tmp/vmware-tools-distrib/
./vmware-install.pl -d
Accept defaults
After the install completes :
cd /tmp
rmdir vmware-tools-distrib --ignore-fail-on-non-empty
Restart the computer

Log in
Verify network/internet connectivity using ifconfig, ping, nslookup
Update apt-get
sudo apt-get update
Install Ubuntu patches:
sudo apt-get upgrade
reboot
Created DNS A and PTR records (JUICYTARGET)

Log in


  • Artillery Installation

sudo su -
apt-get install git
git clone https://github.com/trustedsec/artillery/ artillery/

cd ~
cd artillery
./setup.py

Do you want to install Artillery and have it automatically run when you restart [y/n]: yes
Do you want to keep Artillery updated? (requires internet) [y/n]: yes
Would you like to start Artillery now? [y/n]: yes


  • Artillery Configuration

cp /var/artillery/config /var/artillery/config-default.bak
nano /var/artillery/config
I Changed:
MONITOR_FREQUENCY=120
HONEYPOT_BAN=OFF
Whitelist any scanning IP Addresses (AV, Monitoring, Vulnerability Scanner, etc)
PORTS="135,445,22,1433,3389,8080,21,5900,25,53,110,5800,80,443,23"
EMAIL_ALERTS=ON
ALERT_USER_EMAIL="bob@contoso.com"
SMTP_FROM="artillery@contoso.com"
SMTP_ADDRESS="192.168.1.40"
SMTP_PORT=25
EMAIL_TIMER=OFF
EMAIL_FREQUENCY=30
SSH_BRUTE_MONITOR=ON
SSH_BRUTE_ATTEMPS=10
FTP_BRUTE_MONITOR=ON
FTP_BRUTE_ATTEMPTS=10
AUTO_UPDATE=OFF
reboot


  • Make Some Aliases

nano ~/.bashrc
Add these lines to the bottom
alias artlast='tail -f /var/log/syslog'
alias artdrop='iptables -L'

That's it. Try connection to the server. Play with it.

NOTE THAT THIS SERVER WILL NOT HAVE A USEFUL SSH INSTALL (that port is used in the detection scheme), so you will need to open the VMware console to manage it.

Some commands to know:
ipchains -L can show you what IP addresses have been banned (Look for the words 'DROP' and 'all' in the Chain Artillery section). I've added the alias 'artdrop' for my convenience.

As root, if you go to /var/artillery, you can run python remove_ban.py <IP_Address> to unban an IP

View the last bit of the log file: tail -f /var/log/syslog (I've created the alias 'artlast' to do this for me).

If you edit the config file (nano /var/artillery/config), you'll need to restart artillery with python restart_server.py (from the /var/artillery dir)