I wanted to make a nice cybersecurity project, and I also wanted to show what I can do in AWS. I made a vulnerable virtual computer (a honeypot) in AWS and collected attacker information in a Security Information and Event Management (SIEM) system. I will include a video link and write out all the steps below.
First you will need an application to log in to the honeypot over Secure Shell (SSH). I used a MacBook, so I used the Terminal. Then make sure the region your EC2 instance is set to is correct (the closest one to you). I did this project in Maryland, so I used the N. Virginia region.
It is good to use the AWS network, not your home network, so that the attackers you attract are hitting an isolated machine rather than your home devices. AWS is being used as a container (an isolated environment) in this project.
Step 1: I chose the Debian 10 Buster machine image; you can choose a different one depending on what level of performance you need.
Step 2: Choose instance type. I chose t2.xlarge (4 vCPUs, 16 GiB memory, Network Performance: Moderate).
Step 3: Configure Instance Details
Network: Default VPC
Subnet: ap-northeast-1a
Auto-assign Public IP: Enable
Step 4: Add Storage. Size (GiB): 128
Step 5: Add Tags. Name: Honeypot
Step 6: Leave Security Groups at the default for now
Step 7: Review Instance Launch
Step 8: Name your Rivest-Shamir-Adleman (RSA) key pair and download it, and finally click Launch Instance
Now wait until the status check on the EC2 instance (in your region) says 2/2 checks passed.
Click the checkbox to the left of the instance name and click the white Connect button.
Go to the SSH client tab and follow the instructions it lists, which are:
1.) Open an SSH client
2.) Locate your private key file
3.) chmod 400 honeypot.pem (so the key is readable only by you; ssh refuses keys with looser permissions)
4.) Connect to your instance using its public DNS listed in the portal
Next, download the honeypot software and update the Debian packages. I used the Telekom (T-Mobile) software, T-Pot.
When you are in your SSH client (you can download one if you are on Windows), type the following commands one at a time, hitting Enter after each one.
Command 1: sudo apt update
Command 2: sudo apt upgrade
When asked "Do you want to continue? [Y/n]" answer Y
Next install the git command:
Command 3: sudo apt install git
Now download the Telekom GitHub repository:
command 6: git clone https://github.com/telekom-security/tpotce.git
command 7: cd tpotce/
command 8: ls
command 9: sudo ./install.sh --type=user (two ASCII hyphens before "type"; a copy-pasted long dash will not be recognised)
command 10: Y
Now choose the Standard honeypot edition.
Make a username and a password. You will then be logged out of the server.
Now modify the security groups we left at the default in step 6, higher up the page.
Click the instance ID
Go to the Security tab
Click the security groups link
Click "Edit inbound rules"
Change type from SSH to Custom TCP
Port range: put a port number like 46029; basically, don't use a real port number that is commonly used
Source: My IP (your IPv4 address)
Put a description for the rule (used for SSH login)
Try not to use your VPN for this (you might be able to)
Add another rule to the security group; this will be for the web portal. I made mine port 46030, source My IP, description: this is for the web portal
Add a third rule
Type: Custom TCP, port range: 1-46000, source: Anywhere, description: Susceptible to hackers
Click Save rules for all the security group changes just made
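Before saving, it is worth sanity-checking the three rules: the two management ports (SSH and the web portal) should be reachable from your own IP only, and each of them needs at least one single-host rule so you do not lock yourself out. This is an added check, not part of the original walkthrough; the rules below are constructed to mirror the ones above (203.0.113.7/32 stands in for your own IP) and use the IpPermissions layout that `aws ec2 describe-security-groups` returns, so the same function can later be run on the live group.

```python
import ipaddress

# Constructed sample in the IpPermissions shape returned by
# `aws ec2 describe-security-groups`: the three inbound rules from the walkthrough.
# 203.0.113.7/32 is a placeholder for the operator's own public IP ("My IP").
HONEYPOT_RULES = [
    {"IpProtocol": "tcp", "FromPort": 46029, "ToPort": 46029,
     "IpRanges": [{"CidrIp": "203.0.113.7/32", "Description": "used for SSH login"}]},
    {"IpProtocol": "tcp", "FromPort": 46030, "ToPort": 46030,
     "IpRanges": [{"CidrIp": "203.0.113.7/32", "Description": "this is for the web portal"}]},
    {"IpProtocol": "tcp", "FromPort": 1, "ToPort": 46000,
     "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Susceptible to hackers"}]},
]


def _port_span(rule):
    """EC2 uses IpProtocol "-1" for 'all traffic', which carries no port fields."""
    if rule["IpProtocol"] == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]


def check_rules(rules, admin_ports):
    """Return a list of findings; an empty list means the group is safe to save.

    For every admin port (SSH and the web portal) two properties are checked:
      1. it is never reachable from a multi-host source (anything wider than /32 or /128);
      2. at least one single-host rule allows it, so the operator cannot lock themselves out.
    """
    findings = []
    has_single_host_rule = {p: False for p in admin_ports}
    for rule in rules:
        low, high = _port_span(rule)
        hit = [p for p in admin_ports if low <= p <= high]
        if not hit:
            continue  # rule does not touch a management port; the honeypot range is fine
        sources = rule.get("IpRanges", []) + rule.get("Ipv6Ranges", [])
        for src in sources:
            net = ipaddress.ip_network(src.get("CidrIp") or src.get("CidrIpv6"), strict=False)
            if net.num_addresses == 1:
                for p in hit:
                    has_single_host_rule[p] = True
            else:
                findings.append(f"ports {hit} open to {net} via rule {low}-{high}")
    for p, ok in has_single_host_rule.items():
        if not ok:
            findings.append(f"admin port {p} has no single-host rule; you would be locked out")
    return findings
```

With the rules as written above `check_rules(HONEYPOT_RULES, [46029, 46030])` returns an empty list; widening the third rule to 1-65535 makes it report both management ports as exposed to 0.0.0.0/0.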
command 11: clear
Use the same SSH login command and add -p 46029 (lowercase -p is the ssh port flag; uppercase -P belongs to scp)
command 12: ls
command 13: cd tpotce
Put the instance's IPv4 address in the browser bar:
https://<instance IPv4 address>:46030
Click Advanced and proceed to the site; basically, bypass the browser's certificate warning because this is a project, not an actual risk.
Log in with the credentials you made earlier. Now you can see the attacks in the SIEM. Wait some hours or even a day (the longer you let the machine run, the more you pay) to see attacker information collected and displayed in the SIEM.
Delete (terminate) the instance when you have collected and documented enough info, so you do not get billed excessively.
Video walkthrough: https://drive.google.com/file/d/1ZXZSfcA128l-T6HSgQG05TcwL2ScGVK2/view?usp=share_link