#############################################################################################
#
# This is the Artillery configuration file. Change these variables and flags to change how
# this behaves.
#
# Artillery written by: Dave Kennedy (ReL1K)
# Website: https://www.binarydefense.com
# Email: info [at] binarydefense.com
# Download: git clone https://github.com/binarydefense/artillery artillery/
# Install: python setup.py
#
#############################################################################################
#
# FORMAT NOTES
# - Flat KEY="VALUE" file, one setting per line; full-line comments start with "#".
#   There are no [sections]: this is read by Artillery's own config reader, not a generic INI parser.
# - Switches are "ON" / "OFF". Intervals are in SECONDS unless the comment says otherwise.
# - Several lines carry a trailing "# Bootsy" tag (fork marker). Whether the reader strips text
#   after the closing quote is not visible from this file - confirm against the config reader, and
#   move the tag to its own line if it ends up inside the value.
# - This file contains a credential (SMTP_PASSWORD) and drives host firewall rules. Keep it
#   root-owned and not world-readable (e.g. mode 0600), and review changes to it as you would code.
#
# DETERMINE IF YOU WANT TO MONITOR OR NOT (presumably the folder-monitoring feature configured by
# MONITOR_FOLDERS / MONITOR_FREQUENCY below). ON / OFF.
MONITOR="OFF" # Bootsy
#
# THESE ARE THE FOLDERS TO MONITOR, TO ADD MORE, JUST DO "/root","/var/", etc.
# Comma-separated, each path in its own quotes.
MONITOR_FOLDERS="/var/www","/etc/"
#
# HOW OFTEN THE MONITORED FOLDERS ARE RE-CHECKED, IN SECONDS (2 = 2 seconds). DEFAULT 60.
MONITOR_FREQUENCY="60"
#
# PORT 22 CHECK - from the key name, a check that SSH is still on its default port; the exact
# behaviour lives in the code, not here. ON / OFF.
SSH_DEFAULT_PORT_CHECK="ON"
#
# EXCLUDE CERTAIN DIRECTORIES OR FILES FROM MONITORING. COMMA-SEPARATED, NO SPACES.
# EXAMPLE: /etc/passwd,/etc/hosts.allow
EXCLUDE=""
#
# DO YOU WANT TO AUTOMATICALLY BAN ON THE HONEYPOT
# When ON, a source IP that connects to any honeypot port (TCPPORTS / UDPPORTS) is blocked and
# blacklisted (see LOG_MESSAGE_BAN). Put your own management hosts, monitoring probes and
# vulnerability scanners in WHITELIST_IP first, or a single scan will lock them out.
HONEYPOT_BAN="OFF"
#
# WHITELIST IP ADDRESSES, SPECIFY BY COMMAS ON WHAT IP ADDRESSES YOU WANT TO WHITELIST
# NOTE: "localhost" is a host NAME, not an IP address; unless the reader resolves names it is a
# no-op here and only 127.0.0.1 is actually whitelisted - confirm against the code.
WHITELIST_IP="127.0.0.1,localhost"
#
# PORTS TO SPAWN HONEYPOT FOR
# Artillery listens on every port below, so none of them may be in use by a real service on this
# host. The list includes 22, 25, 53, 80, 443 and 445 - remove any port this machine genuinely
# serves, otherwise the honeypot collides with the service and (with HONEYPOT_BAN="ON") its
# legitimate clients are banned.
TCPPORTS="22,1433,8080,21,5060,5061,5900,25,53,110,1723,1337,10000,5800,44443,16993,445,80,443,23" # Bootsy
UDPPORTS="123,53,5060,5061,3478"
#
# SHOULD THE HONEYPOT AUTOMATICALLY ADD ACCEPT RULES TO THE ARTILLERY CHAIN FOR ANY PORTS ITS LISTENING ON
# When ON, every port in TCPPORTS / UDPPORTS is opened at the host firewall so honeypot traffic
# reaches it. Audit the resulting chain after startup (e.g. iptables -L) so the exposure is intended.
HONEYPOT_AUTOACCEPT="ON"
#
# SHOULD EMAIL ALERTS BE SENT. ON / OFF.
EMAIL_ALERTS="OFF"
#
# CURRENT SUPPORT IS FOR SMTP. ENTER YOUR USERNAME AND PASSWORD HERE.
# Leave both blank only if the server accepts unauthenticated mail from this host (an internal relay).
# Use a dedicated, least-privilege mailbox credential (e.g. an app password) - it is stored here in
# clear text, so this file's permissions are the only thing protecting it.
SMTP_USERNAME=""
#
# ENTER THE SMTP PASSWORD HERE. LEAVE BLANK IF NO AUTHENTICATION IS REQUIRED (SEE ABOVE).
SMTP_PASSWORD=""
#
# THIS IS WHO TO SEND THE ALERTS TO - EMAILS WILL BE SENT FROM ARTILLERY TO THIS ADDRESS
# The value below looks like a mangled placeholder (the hosting page obfuscates e-mail addresses);
# set a real recipient before enabling EMAIL_ALERTS.
ALERT_USER_EMAIL="[email protected]"
#
# FOR SMTP ONLY: THE SENDER (From:) OF THE ALERT MAIL. Despite the original note saying "mailto",
# the key name indicates this is the From value, not the recipient - confirm against the code.
SMTP_FROM="Artillery_Incident"
#
# SMTP ADDRESS FOR SENDING EMAILS, DEFAULT IS GMAIL
SMTP_ADDRESS="smtp.gmail.com"
#
# SMTP PORT FOR SENDING EMAILS. DEFAULT IS GMAIL'S SUBMISSION PORT 587 WITH STARTTLS.
# Whether the server certificate is verified is decided in the mailer code, not here.
SMTP_PORT="587"
#
# THIS WILL SEND EMAILS OUT AT A FIXED FREQUENCY (EMAIL_FREQUENCY). IF THIS IS SET TO OFF, ALERTS
# WILL BE SENT IMMEDIATELY AS THEY HAPPEN (CAN LEAD TO A LOT OF MAIL DURING A SCAN OR BRUTE FORCE).
EMAIL_TIMER="ON"
#
# HOW OFTEN TO SEND BATCHED EMAIL ALERTS, IN SECONDS (DEFAULT 600 = 10 MINUTES)
EMAIL_FREQUENCY="600"
#
# DO YOU WANT TO MONITOR SSH BRUTE FORCE ATTEMPTS. ON / OFF.
SSH_BRUTE_MONITOR="OFF" #Bootsy
#
# HOW MANY FAILED SSH ATTEMPTS FROM ONE SOURCE BEFORE IT IS BANNED
SSH_BRUTE_ATTEMPTS="4"
#
# DO YOU WANT TO MONITOR FTP BRUTE FORCE ATTEMPTS. ON / OFF.
FTP_BRUTE_MONITOR="OFF"
#
# HOW MANY FAILED FTP ATTEMPTS FROM ONE SOURCE BEFORE IT IS BANNED
FTP_BRUTE_ATTEMPTS="4"
#
# DO YOU WANT TO DO AUTOMATIC UPDATES. TYPE ON OR OFF
# ON means code fetched from the upstream repository is applied without review, on a host where
# Artillery manages firewall rules (so it presumably runs with root privileges). OFF is the
# conservative setting; if you enable it, pin a reviewed revision or verify what is pulled.
AUTO_UPDATE="OFF"
#
# ANTI DOS WILL CONFIGURE THE MACHINE TO THROTTLE NEW CONNECTIONS ON ANTI_DOS_PORTS. ON / OFF.
ANTI_DOS="OFF"
#
# THESE ARE THE PORTS THAT WILL GET ANTI-DOS PROTECTION (COMMA-SEPARATED)
ANTI_DOS_PORTS="80,443"
#
# SUSTAINED RATE: HOW MANY NEW CONNECTIONS PER MINUTE ARE ALLOWED ONCE THE BURST ALLOWANCE IS USED UP
# (rate / burst semantics as in a packet-filter rate limit - assumed; confirm against the code).
ANTI_DOS_THROTTLE_CONNECTIONS="50"
#
# BURST ALLOWANCE: HOW MANY CONNECTIONS MAY ARRIVE IN A BURST BEFORE THE RATE LIMIT ABOVE IS ENFORCED
# AND FURTHER CONNECTIONS ARE REFUSED
ANTI_DOS_LIMIT_BURST="200"
#
# PATHS OF THE APACHE ACCESS AND ERROR LOGS (Debian/Ubuntu layout shown; other distributions
# typically use /var/log/httpd/). The process reading them needs read access to these files.
ACCESS_LOG="/var/log/apache2/access.log"
ERROR_LOG="/var/log/apache2/error.log"
#
# THIS ALLOWS YOU TO SPECIFY THE IP ADDRESS TO BIND THE HONEYPOT TO. LEAVE BLANK TO BIND TO ALL
# INTERFACES. EXAMPLE: BIND_INTERFACE="192.168.1.154"
# Binding to all interfaces also exposes the honeypot ports on management networks; where the host
# is multi-homed, pin this to the address facing untrusted traffic.
BIND_INTERFACE=""
#
# THIS TURNS ON THE THREAT INTELLIGENCE FEED. IT PULLS THREAT_FEED (DEFAULT
# https://www.binarydefense.com/banlist.txt) EVERY 24 HOURS TO BAN ALREADY KNOWN MALICIOUS ADDRESSES.
THREAT_INTELLIGENCE_FEED="OFF" # Bootsy
#
# CONFIGURE THIS TO BE WHATEVER THREAT FEED YOU WANT. BY DEFAULT IT USES BINARY DEFENSE.
# MULTIPLE FEEDS ARE COMMA-SEPARATED, e.g. https://feed1.example/banlist.txt,https://feed2.example/banlist.txt
# Every address on a feed gets blocked on this host, so the feed is a trust decision: keep https://
# so the list cannot be altered in transit, and only add sources you trust. Whether the fetch
# verifies the server certificate is decided in the code, not here.
THREAT_FEED="https://www.binarydefense.com/banlist.txt"
#
# A THREAT SERVER IS A SERVER THAT WILL COPY THE BANLIST.TXT TO A PUBLIC HTTP LOCATION TO BE PULLED BY
# OTHER ARTILLERY SERVERS. THIS IS USED IF YOU DO NOT WANT TO USE THE STANDARD BINARY DEFENSE ONE.
#
# WHEN ON, THE BANLIST IS COPIED INTO THREAT_LOCATION (DEFAULT /var/www/) FOR YOU AUTOMATICALLY.
# The published list is then readable by anyone who can reach that web root and reveals which
# addresses you have banned; serve it over HTTPS and restrict who can fetch it where possible.
THREAT_SERVER="OFF"
#
# PUBLIC LOCATION TO PULL VIA HTTP ON THE THREAT SERVER. NOTE THAT THREAT_SERVER MUST BE SET TO ON.
THREAT_LOCATION="/var/www/"
#
# CHECKS THE WEB SERVER DIRECTORY FOR CONTENT WITH ROOT PERMISSIONS (wording from the original
# note; the exact check is in the code). ON / OFF.
ROOT_CHECK="ON"
#
# SYSLOG TYPE: LOCAL, REMOTE or FILE. LOCAL writes to the local syslog, REMOTE sends to
# SYSLOG_REMOTE_HOST:SYSLOG_REMOTE_PORT, FILE writes alerts.log in the local artillery directory.
SYSLOG_TYPE="LOCAL"
#
# LOG MESSAGES. The three %s placeholders are filled in order with the time, the source IP address
# and the port number; all three must stay, in that order - only the surrounding text is optional
# (a minimal message is "%s %s %s").
LOG_MESSAGE_ALERT="%s [!] Artillery has detected an attack from IP address: %s for a connection on a honeypot port: %s"
LOG_MESSAGE_BAN="%s [!] Artillery has blocked (and blacklisted) the IP Address: %s for connecting to a honeypot restricted port: %s"
#
# IF SYSLOG_TYPE IS REMOTE, THE REMOTE SYSLOG SERVER TO SEND ALERTS TO. 192.168.0.1 IS A PLACEHOLDER.
# Classic syslog on port 514 is neither authenticated nor encrypted, so alerts (which carry attacker
# and banned IPs) can be read or spoofed on the path - keep the collector on a trusted network or
# use a TLS-capable transport if the code supports one.
SYSLOG_REMOTE_HOST="192.168.0.1"
#
# IF SYSLOG_TYPE IS REMOTE, THE REMOTE SYSLOG PORT TO SEND ALERTS TO
SYSLOG_REMOTE_PORT="514"
#
# TURN ON CONSOLE LOGGING. ON / OFF.
CONSOLE_LOGGING="ON"
#
# RECYCLE THE BAN LIST AFTER A CERTAIN AMOUNT OF TIME - THIS WIPES ALL BANNED IP ADDRESSES AND STARTS
# FROM SCRATCH EVERY ARTILLERY_REFRESH SECONDS. Note that this also unbans persistent attackers.
RECYCLE_IPS="ON" # Bootsy
#
# RECYCLE INTERVAL IN SECONDS: AFTER THIS MANY SECONDS THE LOG IS OVERWRITTEN WITH A BLANK ONE AND
# THE BANNED IPS ARE ELIMINATED. DEFAULT 604800 = 7 DAYS.
ARTILLERY_REFRESH="604800"
#
# PULL ADDITIONAL BANNED-IP LISTS FROM OTHER SOURCES BESIDES THE ARTILLERY FEED. ON / OFF.
# Which sources are used is decided in the code, not here; the same trust caveat as THREAT_FEED applies.
SOURCE_FEEDS="OFF" # Bootsy