#############################################################################################
#
# This is the Artillery configuration file. Change these variables and flags to change how
# this behaves.
#
# Artillery written by: Dave Kennedy (ReL1K)
# Website: https://www.binarydefense.com
# Email: info [at] binarydefense.com
# Download: git clone https://github.com/binarydefense/artillery artillery/
# Install: python setup.py
#
#############################################################################################
#

# DETERMINE IF YOU WANT TO MONITOR OR NOT
MONITOR="ON"

# THESE ARE THE FOLDERS TO MONITOR, TO ADD MORE, JUST DO "/root","/var/", etc.
MONITOR_FOLDERS=""/var/www","/etc/""

# BASED ON SECONDS, 2 = 2 seconds.
MONITOR_FREQUENCY="60"

# PERFORM CERTAIN SYSTEM HARDENING CHECKS
SYSTEM_HARDENING="ON"

# CHECK/WARN IF SSH IS RUNNING ON PORT 22
SSH_DEFAULT_PORT_CHECK="ON"

# EXCLUDE CERTAIN DIRECTORIES OR FILES. USE FOR EXAMPLE: /etc/passwd,/etc/hosts.allow
EXCLUDE=""

# DO YOU WANT TO AUTOMATICALLY BAN ON THE HONEYPOT
HONEYPOT_BAN="OFF"

# WHEN BANNING, DO YOU WANT TO BAN ENTIRE CLASS C AT ONCE INSTEAD OF INDIVIDUAL IP ADDRESS
HONEYPOT_BAN_CLASSC="OFF"

# PUT A PREFIX ON ALL BANNED IP ADDRESSES. HELPFUL FOR WHEN TRYING TO PARSE OR SHOW DETECTIONS THAT YOU ARE PIPING OFF TO OTHER SYSTEMS. WHEN SET, PREFIX IPTABLES LOG ENTRIES WITH THE PROVIDED TEXT
HONEYPOT_BAN_LOG_PREFIX=""

# WHITELIST IP ADDRESSES, SPECIFY BY COMMAS ON WHAT IP ADDRESSES YOU WANT TO WHITELIST
WHITELIST_IP="127.0.0.1,localhost"

# TCP PORTS TO SPAWN HONEYPOT FOR
TCPPORTS="22,1433,8080,21,5060,5061,5900,25,53,110,1723,1337,10000,5800,44443,16993"

# UDP PORTS TO SPAWN HONEYPOT FOR
UDPPORTS="123,53,5060,5061,3478"

# SHOULD THE HONEYPOT AUTOMATICALLY ADD ACCEPT RULES TO THE ARTILLERY CHAIN FOR ANY PORTS ITS LISTENING ON
HONEYPOT_AUTOACCEPT="ON"

# SHOULD EMAIL ALERTS BE SENT
EMAIL_ALERTS="OFF"

# CURRENT SUPPORT IS FOR SMTP. ENTER YOUR USERNAME AND PASSWORD HERE FOR STARTTLS AUTHENTICATION. LEAVE BLANK FOR OPEN RELAY
SMTP_USERNAME=""

# ENTER SMTP PASSWORD HERE
SMTP_PASSWORD=""

# THIS IS WHO TO SEND THE ALERTS TO - EMAILS WILL BE SENT FROM ARTILLERY TO THIS ADDRESS
ALERT_USER_EMAIL="enter_your_email_address_here@localhost"

# FOR SMTP ONLY HERE, THIS IS THE MAILTO
SMTP_FROM="Artillery_Incident@localhost"

# SMTP ADDRESS FOR SENDING EMAIL, DEFAULT IS GMAIL
SMTP_ADDRESS="smtp.gmail.com"

# SMTP PORT FOR SENDING EMAILS DEFAULT IS GMAIL WITH STARTTLS
SMTP_PORT="587"

# THIS WILL SEND EMAILS OUT DURING A CERTAIN FREQUENCY. IF THIS IS SET TO OFF, ALERTS WILL BE SENT IMMEDIATELY (CAN LEAD TO A LOT OF SPAM)
EMAIL_TIMER="ON"

# HOW OFTEN DO YOU WANT TO SEND EMAIL ALERTS (DEFAULT 10 MINUTES) - IN SECONDS
EMAIL_FREQUENCY="600"

# DO YOU WANT TO MONITOR SSH BRUTE FORCE ATTEMPTS
SSH_BRUTE_MONITOR="ON"

# HOW MANY ATTEMPTS BEFORE YOU BAN
SSH_BRUTE_ATTEMPTS="4"

# DO YOU WANT TO MONITOR FTP BRUTE FORCE ATTEMPTS
FTP_BRUTE_MONITOR="OFF"

# HOW MANY ATTEMPTS BEFORE YOU BAN
FTP_BRUTE_ATTEMPTS="4"

# DO YOU WANT TO DO AUTOMATIC UPDATES - ON OR OFF
AUTO_UPDATE="ON"

# ANTI DOS WILL CONFIGURE MACHINE TO THROTTLE CONNECTIONS, TURN THIS OFF IF YOU DO NOT WANT TO USE
ANTI_DOS="OFF"

# THESE ARE THE PORTS THAT WILL PROVIDE ANTI_DOS PROTECTION
ANTI_DOS_PORTS="80,443"

# THIS WILL THROTTLE HOW MANY CONNECTIONS PER MINUTE ARE ALLOWED HOWEVER THE BUST WILL ENFORCE THIS
ANTI_DOS_THROTTLE_CONNECTIONS="50"

# THIS WILL ONLY ALLOW A CERTAIN BURST PER MINUTE THEN WILL ENFORCE AND NOT ALLOW ANYMORE TO CONNECT
ANTI_DOS_LIMIT_BURST="200"

# THIS IS THE PATH FOR THE APACHE ACCESS LOG
ACCESS_LOG="/var/log/apache2/access.log"

# THIS IS THE PATH FOR THE APACHE ERROR LOG
ERROR_LOG="/var/log/apache2/error.log"

# THIS ALLOWS YOU TO SPECIFY AN IP ADDRESS. LEAVE THIS BLANK TO BIND TO ALL INTERFACES.
BIND_INTERFACE=""

# TURN ON INTELLIGENCE FEED, CALL TO https://www.binarydefense.com/banlist.txt IN ORDER TO GET ALREADY KNOWN MALICIOUS IP ADDRESSES. WILL PULL EVERY 24 HOURS
THREAT_INTELLIGENCE_FEED="ON"

# CONFIGURE THIS TO BE WHATEVER THREAT FEED YOU WANT BY DEFAULT IT WILL USE BINARY DEFENSE - NOTE YOU CAN SPECIFY MULTIPLE THREAT FEEDS BY DOING #http://urlthreatfeed1,http://urlthreadfeed2
THREAT_FEED="https://www.binarydefense.com/banlist.txt"

# A THREAT SERVER IS A SERVER THAT WILL COPY THE BANLIST.TXT TO A PUBLIC HTTP LOCATION TO BE PULLED BY OTHER ARTILLERY SERVER. THIS IS USED IF YOU DO NOT WANT TO USE THE STANDARD BINARY DEFENSE ONE.
THREAT_SERVER="OFF"

# PUBLIC LOCATION TO PULL VIA HTTP ON THE THREAT SERVER. NOTE THAT THREAT SERVER MUST BE SET TO ON
THREAT_LOCATION="/var/www/"

# FILE TO COPY TO THREAT_LOCATION, TO ACT AS A THREAT_SERVER. CHANGE TO "localbanlist.txt" IF YOU HAVE ENABLED "LOCAL_BANLIST" AND WISH TO HOST YOUR LOCAL BANLIST. IF YOU WISH TO COPY BOTH FILES, SEPARATE THE FILES WITH A COMMA - f.i. "banlist.txt,localbanlist.txt"
THREAT_FILE="banlist.txt"

# CREATE A SEPARATE LOCAL BANLIST FILE (USEFUL IF YOU'RE ALSO USING A THREAT FEED AND WANT TO HAVE A FILE THAT CONTAINS THE IPs THAT HAVE BEEN BANNED LOCALLY
LOCAL_BANLIST="OFF"

# THIS CHECKS TO SEE WHAT PERMISSIONS ARE RUNNING AS ROOT IN A WEB SERVER DIRECTORY
ROOT_CHECK="ON"

# Specify SYSLOG TYPE to be local, file or remote. LOCAL will pipe to syslog, REMOTE will pipe to remote SYSLOG, and file will send to alerts.log in local artillery directory
SYSLOG_TYPE="LOCAL"

# ALERT LOG MESSAGES (You can use the following variables: %time%, %ip%, %port%)
LOG_MESSAGE_ALERT="Artillery has detected an attack from %ip% for a connection on a honeypot port %port%"

# BAN LOG MESSAGES (You can use the following variables: %time%, %ip%, %port%)
LOG_MESSAGE_BAN="Artillery has blocked (and blacklisted) an attack from %ip% for a connection to a honeypot restricted port %port%"

# IF YOU SPECIFY SYSLOG TYPE TO REMOTE, SPECIFY A REMOTE SYSLOG SERVER TO SEND ALERTS TO
SYSLOG_REMOTE_HOST="192.168.0.1"

# IF YOU SPECIFY SYSLOG TYPE OF REMOTE, SEPCIFY A REMOTE SYSLOG PORT TO SEND ALERTS TO
SYSLOG_REMOTE_PORT="514"

# TURN ON CONSOLE LOGGING
CONSOLE_LOGGING="ON"

# RECYCLE LOGS AFTER A CERTAIN AMOUNT OF TIME - THIS WILL WIPE ALL IP ADDRESSES AND START FROM SCRATCH AFTER A CERTAIN INTERVAL
RECYCLE_IPS="OFF"

# RECYCLE INTERVAL AFTER A CERTAIN AMOUNT OF MINUTES IT WILL OVERWRITE THE LOG WITH A BLANK ONE AND ELIMINATE THE IPS - DEFAULT IS 7 DAYS
ARTILLERY_REFRESH="604800"

# PULL ADDITIONAL SOURCE FEEDS FOR BANNED IP LISTS FROM MULTIPLE OTHER SOURCES OTHER THAN ARTILLERY
SOURCE_FEEDS="OFF"
