Beefing up the firewall using Artillery

We have a project that an external group is helping with, and wanted a hardened machine for them to ssh into without worries.

For projects like this, I recommend you wander over to secmaniac to see Dave Kennedy’s blog on security-related stuff.  He has released a relatively new tool (a few months old) called Artillery that, a first for him, sits on the defensive side of security (as opposed to the breaking-stuff side).  Now I know, you are probably a geospatial professional and therefore leave the security to someone else (if at all).  Don’t.  It’s no fun to be pwned.

Anyway, I deployed it on Ubuntu 11.10 with great ease: just check out a copy with svn and follow the directions in the readme.  It will rewrite your firewall rules, leave a few ports of your choice open as honeypots, and then write a permanent deny entry for any host that connects to those ports on your machine.  I banned my own machines pretty quickly before remembering to whitelist…  In Dave’s words:

“Artillery is a tool designed to confuse attackers and block them before an actual attack occurs. Artillery is a newer project and does a combination of host monitoring, security hardening, and honeypot type defensive strategies. Artillery has an active component where if it detects a connection on a given port that is triggered as a honeypot, it will automatically block the offending IP address.”

I’m hoping to modify it a bit to handle whitelisting dynamic IPs, but I don’t think I even need to poke under the hood to do that: just write a script to modify the config file whitelist and reload.
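One way to do that, as an added example and not part of Artillery itself: the script below assumes Artillery's config lives at /var/artillery/config, that it carries a quoted, comma-separated line of the form WHITELIST_IP="127.0.0.1,localhost", and that `service artillery restart` is how it gets reloaded. It resolves the dynamic-DNS name, swaps the stale address for the current one, and only touches the file and restarts when something actually changed.

```python
#!/usr/bin/env python3
"""Keep a dynamic-IP host in Artillery's whitelist (added example).

Assumptions (not taken from Artillery's docs): config at /var/artillery/config,
a line WHITELIST_IP="a,b,c" in it, and `service artillery restart` to reload.
"""
import re
import socket
import subprocess
import sys

CONFIG_PATH = "/var/artillery/config"          # assumed location
WHITELIST_RE = re.compile(r'^(WHITELIST_IP=")([^"]*)(")', re.M)


def update_whitelist(config_text, new_ip, old_ip=None):
    """Return config text with new_ip whitelisted.

    If old_ip (the address the dynamic host had last time) is given, it is
    dropped so stale addresses do not pile up. Other entries keep their
    order, and running twice with the same IP leaves the text unchanged.
    """
    match = WHITELIST_RE.search(config_text)
    if match is None:
        raise ValueError("no WHITELIST_IP line in config")
    entries = [e.strip() for e in match.group(2).split(",") if e.strip()]
    if old_ip in entries and old_ip != new_ip:
        entries.remove(old_ip)
    if new_ip not in entries:
        entries.append(new_ip)
    replaced = match.group(1) + ",".join(entries) + match.group(3)
    return config_text[:match.start()] + replaced + config_text[match.end():]


def resolve(hostname):
    """Current A record of the dynamic-DNS name (this is the network call)."""
    return socket.gethostbyname(hostname)


def main(hostname, old_ip=None):
    new_ip = resolve(hostname)
    with open(CONFIG_PATH) as f:
        text = f.read()
    updated = update_whitelist(text, new_ip, old_ip)
    if updated != text:                         # only restart on a real change
        with open(CONFIG_PATH, "w") as f:
            f.write(updated)
        subprocess.run(["service", "artillery", "restart"], check=True)
    return new_ip


if __name__ == "__main__":
    print(main(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it from cron with the dynamic-DNS name and, optionally, the address recorded on the previous run; whitelist the external group's host this way before enabling the honeypot ports, or the first legitimate scan of your box gets them banned.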

While I advocate you look into this tool, do watch the licensing: while it is released under a modified BSD license, it does have a clause requiring that a hug and a beer be offered if you meet Dave in a bar.  Don’t use it if you aren’t comfortable with the terms.
