Artillery: a low-interaction honeypot minimal howto on CentOS7

In an enterprise infrastructure you are required to have a honeypot of some sort in your arsenal. Here is a solution that is nifty and easy to implement; I also go one step further and configure it to send logs to a central log server and to run at reboot in a detached screen session. As ever, my environment is purely CentOS 7, so expect the systemd, firewalld and SELinux mix. Also note that everything below is run as root.
Installation
install git
yum install git
clone the repo from the latest
git clone https://github.com/trustedsec/artillery/ artillery/
cd into the cloned artillery dir and run the python install script
cd artillery && python setup.py
once installed (the install lands in /var/artillery) you need to explicitly create the below dir
mkdir -p /var/artillery/database
Now cd to /var/artillery and read through the config file. It is self-explanatory enough; take note of what it can do. In my case the changes below were needed:
a. the ports it listens on
# PORTS TO SPAWN HONEYPOT FOR
PORTS="22,80,1433,3306,8080,21,5900,25,53,110,1723,1337,10000,5800,44443,16993"
#

b. Put the remote log server info into the directives below
# Specify SYSLOG TYPE to be local, file or remote. LOCAL will pipe to syslog, REMOTE will pipe to remote SYSLOG, and file will send to alerts.log in local artillery directory
SYSLOG_TYPE="REMOTE"
#
# IF YOU SPECIFY SYSLOG TYPE TO REMOTE, SPECIFY A REMOTE SYSLOG SERVER TO SEND ALERTS TO
SYSLOG_REMOTE_HOST="192.168.10.111"
#
# IF YOU SPECIFY SYSLOG TYPE OF REMOTE, SEPCIFY A REMOTE SYSLOG PORT TO SEND ALERTS TO
SYSLOG_REMOTE_PORT="514"
#
# TURN ON CONSOLE LOGGING
CONSOLE_LOGGING="ON"

Exit from the editor.
Interface addition
If, like me, you have different zones of operation in production, you need to add interfaces to your VM and set up the routing. Remember that in the Linux world NetworkManager does not give you multiple default gateways unless you run nmtui and edit a custom route on each respective interface. If you followed my steps, ip route will present you with something like:
default via 192.168.10.1 dev ens160 proto static metric 100
default via 172.17.1.1 dev ens192 proto static metric 101
default via 172.16.1.1 dev ens224 proto static metric 102
172.16.1.0/24 dev ens224 proto kernel scope link src 172.16.1.200 metric 100
172.17.1.0/24 dev ens192 proto kernel scope link src 172.17.1.200 metric 100
192.168.10.0/24 dev ens160 proto kernel scope link src 192.168.10.109 metric 100

Enabling ssh on different port
This step is necessary only if you want to keep an eye on port 22; if you skip it while port 22 is still in artillery's list of listening ports, artillery will complain every time you run it. So let's cut to the chase and go that last mile to move ssh to another port:
change the ssh port value in /etc/ssh/sshd_config
Port 2222
I hate to see people turning SELinux off or setting it to permissive. I used to have the permissive habit myself, but I dropped it long ago by learning to fix the issues of services with non-default behaviour/config/port. Here is how to achieve it:
Install policycoreutils
yum install policycoreutils-python
Get the service allowed (note that audit2allow -M only writes ssh.te and ssh.pp into the current directory; the semanage port line below is what actually permits the new port)
cat /var/log/audit/audit.log | grep denied | grep ssh | audit2allow -M ssh
allow the new port
semanage port -a -t ssh_port_t -p tcp 2222
restart the sshd service; you need to reconnect on the new port, and check from the console that the service status is green
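A pre-flight check for the steps above, written here as an added example (it is not part of Artillery or of the original post): it reads the PORTS line from /var/artillery/config, compares it with what ss -ltn reports as listening, and names the ports artillery would fail to bind, such as 22 if sshd was never moved. The config and ss samples inside the script are constructed, and the script name artillery-portcheck.sh is assumed.

```shell
# Added example (not part of Artillery): list the honeypot ports from
# /var/artillery/config that another service already holds (typically sshd
# still on 22), since artillery complains when it cannot bind a port.

# Constructed sample of the PORTS directive as it appears in /var/artillery/config.
SAMPLE_CONFIG='# PORTS TO SPAWN HONEYPOT FOR
PORTS="22,80,1433,3306,8080,21,5900,25,53,110,1723,1337,10000,5800,44443,16993"
#'

# Constructed sample of `ss -ltn` from a box where sshd still holds 22 and
# the local MTA holds 25, while the new ssh port 2222 is also open.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     *:22                 *:*
LISTEN  0       100     127.0.0.1:25         *:*
LISTEN  0       128     [::]:2222            [::]:*'

# Print the ports named in the PORTS="..." directive, one per line, in config order.
honeypot_ports() {
  printf '%s\n' "$1" | sed -n 's/^PORTS="\([0-9,]*\)".*/\1/p' | tr ',' '\n'
}

# Print the TCP ports in LISTEN state from `ss -ltn` output: column 4 is
# Local Address:Port and the port is the text after the last colon.
listening_ports() {
  printf '%s\n' "$1" | awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Print the honeypot ports that are already taken, in config order.
conflicting_ports() {
  _lp=$(listening_ports "$2")
  for p in $(honeypot_ports "$1"); do
    printf '%s\n' "$_lp" | grep -qx "$p" && echo "$p"
  done
  return 0
}

# Live check on the honeypot box: returns 1 and names the ports if any clash.
check_live() {
  _cfg=$(cat /var/artillery/config) || return 2
  _ss=$(ss -ltn) || return 2
  _clash=$(conflicting_ports "$_cfg" "$_ss" | tr '\n' ' ')
  if [ -n "$_clash" ]; then
    echo "already in use, artillery will fail to bind: $_clash"
    return 1
  fi
  echo "all honeypot ports are free"
}

# Run the live check only when invoked as: sh artillery-portcheck.sh --live
[ "${1:-}" != "--live" ] || check_live
```

Run it with --live on the honeypot box right before ./artillery.py; a non-zero exit means something still sits on one of the configured ports.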

If all goes fine, changing directory to /var/artillery and issuing ./artillery.py will get you a rolling window of notifications showing how the service is working. Did I tell you how shameful it is to turn off SELinux and firewalld? Well, in this case you need to turn off firewalld altogether, for good: correlating the honeypot ports/services with the firewall rules that allow them gets complex, and remember that in the first place you are setting up a honeypot, which is promiscuous in a sense. So let's turn off firewalld:
systemctl stop firewalld && systemctl disable firewalld

Final step to make it run with no interactions
The problem with the script is that it does not fully integrate into the system startup on CentOS 7. No worries, we make it work in a clean and nifty way 😉
Install screen on the box
yum install screen
Create a bash script to run the application, something like the one below, but be my guest and let your wildest imagination come out, hahaha:
vim /root/artillery.sh
#!/bin/sh
# This is the main script to run artillery...it is used in another rc.local script to create a screen and attach to it to run this script
cd /var/artillery
/usr/bin/python artillery.py

Edit the /etc/rc.local to include the below
screen -dmS artillery-screen /root/artillery.sh
Finally make both rc.local and the script executable
chmod +x /etc/rc.d/rc.local /root/artillery.sh
Reboot and smile, time for a test…
make sure that artillery has started and is already running by executing
screen -ls
and connect to it by:
screen -r artillery-screen
From another machine simply run the commands below and watch the notifications in the screen session
curl -I http://artillery-machineIP
ssh root@artillery-machineIP
