
Untitled

a guest
Feb 1st, 2017
  1. #############################################################################################
  2. #
  3. # This is the Artillery configuration file. Change these variables and flags to change how
  4. # this behaves.
  5. #
  6. # Artillery written by: Dave Kennedy (ReL1K)
  7. # Website: https://www.binarydefense.com
  8. # Email: info [at] binarydefense.com
  9. # Download: git clone https://github.com/binarydefense/artillery artillery/
  10. # Install: python setup.py
  11. #
  12. #############################################################################################
  13. #
  14. # DETERMINE IF YOU WANT TO MONITOR OR NOT (ON OR OFF). WHAT IS MONITORED IS SET BY MONITOR_FOLDERS BELOW
  15. MONITOR="ON"
  16. #
  17. # THESE ARE THE FOLDERS TO MONITOR. EACH PATH GOES IN ITS OWN QUOTES, SEPARATED BY COMMAS. TO ADD MORE, JUST DO "/root","/var/", etc.
  18. MONITOR_FOLDERS="/var/www","/root","/home"
  19. #
  20. # MONITOR FREQUENCY, BASED ON SECONDS, 2 = 2 seconds.
  21. MONITOR_FREQUENCY="90"
  22. #
  23. # PORT 22 CHECK. NOTE(REVIEW): GOING BY THE KEY NAME THIS CHECKS WHETHER SSH IS ON ITS DEFAULT PORT; WHAT IS DONE WITH THE RESULT IS NOT VISIBLE IN THIS FILE - CONFIRM
  24. SSH_DEFAULT_PORT_CHECK="ON"
  25. #
  26. # EXCLUDE CERTAIN DIRECTORIES OR FILES, SEPARATED BY COMMAS. USE FOR EXAMPLE: /etc/passwd,/etc/hosts.allow. NOTE(REVIEW): PRESUMABLY THESE ARE LEFT OUT OF THE FOLDER MONITORING ABOVE, SO CHANGES TO ANYTHING LISTED HERE WOULD NOT RAISE AN ALERT - KEEP THE LIST SHORT
  27. EXCLUDE=""
  28. #
  29. # DO YOU WANT TO AUTOMATICALLY BAN ON THE HONEYPOT. BEFORE TURNING THIS ON, PUT YOUR OWN MANAGEMENT AND VULNERABILITY SCANNER ADDRESSES IN WHITELIST_IP BELOW SO THEY DO NOT GET BANNED
  30. HONEYPOT_BAN="OFF"
  31. #
  32. # WHITELIST IP ADDRESSES, SPECIFY BY COMMAS ON WHAT IP ADDRESSES YOU WANT TO WHITELIST. NOTE(REVIEW): WHITELISTED ADDRESSES ARE PRESUMABLY EXEMPT FROM ALL BANS - CONFIRM
  33. WHITELIST_IP="127.0.0.1,localhost"
  34. #
  35. # PORTS TO SPAWN HONEYPOT FOR, SEPARATED BY COMMAS. DO NOT LIST A PORT THAT A REAL SERVICE ON THIS HOST ALREADY USES
  36. PORTS="135,445,1433,3389,8080,21,5900,1723,1337,10000,5800,44443"
  37. #
  38. # SHOULD THE HONEYPOT AUTOMATICALLY ADD ACCEPT RULES TO THE ARTILLERY CHAIN FOR ANY PORTS IT IS LISTENING ON. WHEN ON, EVERY PORT IN PORTS ABOVE GETS AN ACCEPT RULE, SO REVIEW THAT LIST FIRST
  39. HONEYPOT_AUTOACCEPT="ON"
  40. #
  41. # SHOULD EMAIL ALERTS BE SENT (ON OR OFF)
  42. EMAIL_ALERTS="OFF"
  43. #
  44. # CURRENT SUPPORT IS FOR SMTP, ENTER YOUR SMTP USERNAME HERE. LEAVE BLANK FOR OPEN RELAY
  45. SMTP_USERNAME=""
  46. #
  47. # ENTER THE SMTP PASSWORD HERE. LEAVE BLANK FOR OPEN RELAY. THE PASSWORD IS KEPT IN THIS FILE IN PLAIN TEXT, SO MAKE THE FILE READABLE ONLY BY THE ACCOUNT THAT RUNS ARTILLERY AND USE A MAIL ACCOUNT DEDICATED TO ALERTS
  48. SMTP_PASSWORD=""
  49. #
  50. # THIS IS WHO TO SEND THE ALERTS TO - EMAILS WILL BE SENT FROM ARTILLERY TO THIS ADDRESS
  51. ALERT_USER_EMAIL="user@whatever.com"
  52. #
  53. # FOR SMTP ONLY HERE, THIS IS THE MAILTO. NOTE(REVIEW): THE KEY IS SMTP_FROM AND THE RECIPIENT IS ALERT_USER_EMAIL ABOVE, SO THIS LOOKS LIKE THE SENDER (FROM) VALUE - CONFIRM
  54. SMTP_FROM="Artillery Incident"
  55. #
  56. # SMTP ADDRESS FOR SENDING EMAILS, DEFAULT IS GMAIL
  57. SMTP_ADDRESS="smtp.gmail.com"
  58. #
  59. # SMTP PORT FOR SENDING EMAILS, DEFAULT IS GMAIL WITH STARTTLS ON 587
  60. SMTP_PORT="587"
  61. #
  62. # THIS WILL SEND EMAILS OUT DURING A CERTAIN FREQUENCY. IF THIS IS SET TO OFF, ALERTS
  63. # WILL BE SENT AUTOMATICALLY AS THEY HAPPEN (CAN LEAD TO A LOT OF SPAM)
  64. EMAIL_TIMER="ON"
  65. #
  66. # HOW OFTEN DO YOU WANT TO SEND EMAIL ALERTS, IN SECONDS (DEFAULT 600 = 10 MINUTES)
  67. EMAIL_FREQUENCY="600"
  68. #
  69. # DO YOU WANT TO MONITOR SSH BRUTE FORCE ATTEMPTS
  70. SSH_BRUTE_MONITOR="ON"
  71. #
  72. # HOW MANY SSH ATTEMPTS BEFORE YOU BAN. NOTE(REVIEW): WITH A LOW VALUE A FEW MISTYPED PASSWORDS CAN GET AN ADMINISTRATOR BANNED - PRESUMABLY ADDRESSES IN WHITELIST_IP ARE EXEMPT, CONFIRM AND LIST YOUR ADMIN SOURCES THERE
  73. SSH_BRUTE_ATTEMPTS="4"
  74. #
  75. # DO YOU WANT TO MONITOR FTP BRUTE FORCE ATTEMPTS
  76. FTP_BRUTE_MONITOR="OFF"
  77. #
  78. # HOW MANY FTP ATTEMPTS BEFORE YOU BAN (ONLY RELEVANT WHEN FTP_BRUTE_MONITOR IS ON)
  79. FTP_BRUTE_ATTEMPTS="4"
  80. #
  81. # DO YOU WANT TO DO AUTOMATIC UPDATES. TYPE ON OR OFF. NOTE(REVIEW): HOW UPDATES ARE FETCHED IS NOT VISIBLE IN THIS FILE - BEFORE TURNING THIS ON, CONFIRM THE UPDATE SOURCE, SINCE UPDATED CODE WOULD RUN WITHOUT REVIEW
  82. AUTO_UPDATE="OFF"
  83. #
  84. # ANTI DOS WILL CONFIGURE MACHINE TO THROTTLE CONNECTIONS, TURN THIS OFF IF YOU DO NOT WANT TO USE IT
  85. ANTI_DOS="OFF"
  86. #
  87. # THESE ARE THE PORTS THAT WILL PROVIDE ANTI-DOS PROTECTION, SEPARATED BY COMMAS
  88. ANTI_DOS_PORTS="80,443"
  89. #
  90. # THIS WILL THROTTLE HOW MANY CONNECTIONS PER MINUTE ARE ALLOWED, HOWEVER THE LIMIT IS ONLY ENFORCED ONCE THE BURST BELOW HAS BEEN USED UP
  91. ANTI_DOS_THROTTLE_CONNECTIONS="50"
  92. #
  93. # THIS WILL ONLY ALLOW A CERTAIN BURST PER MINUTE THEN WILL ENFORCE AND NOT ALLOW ANYMORE TO CONNECT
  94. ANTI_DOS_LIMIT_BURST="200"
  95. #
  96. # THESE ARE THE PATHS FOR THE APACHE LOG FILES, ACCESS FIRST AND THEN ERROR
  97. ACCESS_LOG="/var/log/apache2/access.log"
  98. ERROR_LOG="/var/log/apache2/error.log"
  99. #
  100. # THIS ALLOWS YOU TO SPECIFY AN IP ADDRESS. LEAVE THIS BLANK TO BIND TO ALL INTERFACES. EXAMPLE BIND_INTERFACE="192.168.1.154"
  101. BIND_INTERFACE=""
  102. #
  103. # THIS TURNS ON THE THREAT INTELLIGENCE FEED, THIS WILL CALL TO https://www.binarydefense.com/banlist.txt IN ORDER TO FIND
  104. # ALREADY KNOWN MALICIOUS WEBSITES. WILL PULL EVERY 24 HOURS
  105. THREAT_INTELLIGENCE_FEED="OFF"
  106. #
  107. # CONFIGURE THIS TO BE WHATEVER THREAT FEED YOU WANT, BY DEFAULT IT WILL USE BINARY DEFENSE
  108. # NOTE YOU CAN SPECIFY MULTIPLE THREAT FEEDS BY DOING http://urlthreatfeed1,http://urlthreatfeed2. PREFER https FEEDS FROM SOURCES YOU TRUST: A LIST FETCHED OVER PLAIN http CAN BE CHANGED IN TRANSIT
  109. THREAT_FEED="https://www.binarydefense.com/banlist.txt"
  110. #
  111. # A THREAT SERVER IS A SERVER THAT WILL COPY THE BANLIST.TXT TO A PUBLIC HTTP LOCATION TO BE PULLED BY
  112. # OTHER ARTILLERY SERVERS. THIS IS USED IF YOU DO NOT WANT TO USE THE STANDARD BINARY DEFENSE ONE.
  113. #
  114. # THIS WILL DETECT IF A THREAT SERVER IS NEEDED, AS IN IT WILL COPY TO /var/www/ FOR YOU AUTOMATICALLY. WHEN ON, THE BANLIST IS READABLE BY ANYONE WHO CAN REACH THAT HTTP LOCATION
  115. THREAT_SERVER="OFF"
  116. #
  117. # PUBLIC LOCATION TO PULL VIA HTTP ON THE THREAT SERVER. NOTE THAT THREAT SERVER MUST BE SET TO ON
  118. THREAT_LOCATION="/var/www/"
  119. #
  120. # THIS CHECKS TO SEE WHAT PERMISSIONS ARE RUNNING AS ROOT IN A WEB SERVER DIRECTORY
  121. ROOT_CHECK="ON"
  122. #
  123. # SPECIFY SYSLOG TYPE TO BE LOCAL, FILE OR REMOTE. LOCAL WILL PIPE TO SYSLOG, REMOTE WILL PIPE TO REMOTE SYSLOG, AND FILE WILL SEND TO alerts.log IN LOCAL ARTILLERY DIRECTORY
  124. SYSLOG_TYPE="REMOTE"
  125. #
  126. # IF YOU SPECIFY SYSLOG TYPE TO REMOTE, SPECIFY A REMOTE SYSLOG SERVER TO SEND ALERTS TO
  127. SYSLOG_REMOTE_HOST="192.168.3.1"
  128. #
  129. # IF YOU SPECIFY SYSLOG TYPE OF REMOTE, SPECIFY A REMOTE SYSLOG PORT TO SEND ALERTS TO. NOTE(REVIEW): THE TRANSPORT IS NOT VISIBLE IN THIS FILE; CLASSIC SYSLOG ON PORT 514 IS UNENCRYPTED, SO KEEP THE COLLECTOR ON A TRUSTED NETWORK SEGMENT
  130. SYSLOG_REMOTE_PORT="514"
  131. #
  132. # TURN ON CONSOLE LOGGING
  133. CONSOLE_LOGGING="OFF"
  134. #
  135. # RECYCLE LOGS AFTER A CERTAIN AMOUNT OF TIME - THIS WILL WIPE ALL IP ADDRESSES AND START FROM SCRATCH AFTER A CERTAIN INTERVAL. NOTE(REVIEW): PRESUMABLY ADDRESSES BANNED BEFORE THE WIPE ARE NO LONGER BLOCKED AFTERWARDS - CONFIRM
  136. RECYCLE_IPS="OFF"
  137. #
  138. # RECYCLE INTERVAL AFTER A CERTAIN AMOUNT OF MINUTES IT WILL OVERWRITE THE LOG WITH A BLANK ONE AND ELIMINATE THE IPS - DEFAULT IS 7 DAYS. NOTE(REVIEW): 604800 IS 7 DAYS IN SECONDS, NOT MINUTES, SO THE UNIT IS MOST LIKELY SECONDS - CONFIRM
  139. ARTILLERY_REFRESH="604800"
  140. #
  141. # PULL ADDITIONAL SOURCE FEEDS FOR BANNED IP LISTS FROM MULTIPLE OTHER SOURCES OTHER THAN ARTILLERY. NOTE(REVIEW): THE SOURCES ARE NOT LISTED IN THIS FILE, AND THIS IS ON EVEN THOUGH THREAT_INTELLIGENCE_FEED IS OFF - CONFIRM WHICH LISTS ARE PULLED BEFORE RELYING ON THEM
  142. SOURCE_FEEDS="ON"