InfoSec Daily Podcast Episode 496 for October 17, 2011. Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Beau Woods, Karthik Rangarajan, and Varun Sharma
Special Guest: Scot Terban
Announcements:
Hack3rCon 2011
When: October 21-23rd, 2011
Where: the Charleston House Hotel and Conference Center
http://www.hack3rcon.org/
NordSec 2011
When: October 26–28, 2011
Where: Tallinn Science Park “Tehnopol”, Tallinn, Estonia
http://nordsec2011.cyber.ee/
New Hampshire InfoSec Tweetup
When: October 29, 2011
Where: Pawtuckaway State Park in Nottingham, NH
http://nhinfosectweetup.eventbrite.com/
(It is just a gathering of security professionals and their families. No talks, just a bunch of like-minded people and some good food.)
SkyDogCon
When: Nov 4th – Nov 6th
Where: Holiday Inn Airport, Nashville, TN
http://www.skydogcon.com
Phreaknic
When: Nov 4th – Nov 6th
Where: Days Inn Stadium, Nashville, TN
http://www.phreaknic.info
BsidesATL 2011
When: November 4th, 2011
Where: Think Inc World HQ, 1375 Peachtree St. Suite 600, Atlanta, Ga (The Earthlink Bldg).
http://www.securitybsides.com/w/page/44893559/BSidesATL-2011
This year there will be 3 tracks, a CISO panel on some currently hot topics (Hacker vs. Biz Skillset, etc.), a Lockpick Village by FALE, and a prize giveaway at the end. Of course, there will be an all-day Podcast Area.
BSidesDFW 2011
When: November 5th, 2011
Where: Microsoft Technology Center Dallas
http://www.securitybsides.com/w/page/36779575/BSidesDFW%202011
Cost = FREE
2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org
BSides Delaware
When: November 11-12, 2011
Where: Wilmington University, Delaware Campus
http://www.securitybsides.com/w/page/40113309/BSidesDelaware2010
SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Starts November 30, 2011
Where: Atlanta, GA
Discount Code: M1011IPAD (free iPad 2)
http://www.sans.org/mentor/details.php?nid=25504
Stories:
Source: http://www.secmaniac.com/blog/2011/10/14/new-tool-release-artillery-for-linux-protection/
Over the past few months I’ve been working on a side project when I had some spare time. I’m releasing the 0.1 alpha pre-release edition of Artillery. Artillery is a combination of a honeypot, file monitoring and integrity, alerting, and brute force prevention tool. It’s extremely lightweight, has multiple different methods for detecting specific attacks and eventually will also notify you of insecure nix configurations.
It’s written in Python, it’s completely open-source and free, as all the stuff I write is. You can download Artillery here:
svn co http://svn.secmaniac.com/artillery artillery/
To install, simply run ./install.py. This will add artillery to bootup and start Artillery. To give a rundown of some of the features, here is a netstat before:
root@bt:~/Desktop/dev# netstat -antp | grep LISTEN
root@bt:~/Desktop/dev#
Here is a netstat after running Artillery:
root@bt:~# netstat -antp | grep LISTEN
tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:5800 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:1433 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:1337 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:44443 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:3389 0.0.0.0:* LISTEN 29310/python
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 29310/python
root@bt:~#
If anyone decides to port scan or touch those ports, they are blacklisted immediately and permanently. It’s multi-threaded and can handle as many connections as are thrown at it. I did some extensive testing under heavy traffic loads on secmaniac.com and derbycon.com. In the first 3 days, it blocked over 387 individuals.
In addition to the monitoring, it will also monitor file integrity leveraging a sha-512 database where it keeps track of all system files and, if anything changes, will email you with the change. By default it monitors /etc/ and /var/www.
Artillery also monitors the SSH logs, and in the event of a brute force attack, blacklists the host forever.
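As an added illustration of the SSH-log brute-force detection described above (example code written for these show notes, not Artillery's own source): the script parses constructed sshd "Failed password" lines, counts failures per source address, and flags hosts at or above a threshold. The threshold of 3, the sample log lines, and the iptables rule rendering are assumptions; the blog post does not say how Artillery actually counts attempts or applies its blacklist.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log lines (not real traffic): three failed
# password attempts from one host, one failure from another, and one success.
SAMPLE_AUTH_LOG = """\
Oct 17 21:03:11 web sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct 17 21:03:14 web sshd[4023]: Failed password for root from 203.0.113.7 port 51030 ssh2
Oct 17 21:03:17 web sshd[4025]: Failed password for invalid user test from 203.0.113.7 port 51041 ssh2
Oct 17 21:05:02 web sshd[4031]: Failed password for alice from 198.51.100.4 port 40122 ssh2
Oct 17 21:06:40 web sshd[4038]: Accepted publickey for alice from 198.51.100.4 port 40130 ssh2
"""

# Matches OpenSSH's failed-password line, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def count_failures(log_text):
    """Return {source_ip: number of failed password attempts} parsed from sshd lines."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
    return dict(failures)

def brute_force_sources(log_text, threshold=3):
    """Return the sorted source IPs whose failure count reaches the threshold (assumed: 3)."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)

def blocklist_rules(ips):
    """Render iptables DROP rules for the offenders as strings; nothing is applied here.
    Assumption: the blog post does not state how Artillery blacklists a host."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    offenders = brute_force_sources(SAMPLE_AUTH_LOG)
    print("failure counts:", count_failures(SAMPLE_AUTH_LOG))
    print("would block:", offenders)
    for rule in blocklist_rules(offenders):
        print(rule)
```

A real deployment would also need a time window and a whitelist so that a single mistyped password from a legitimate host is never blocked permanently.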
Interview:




