Deploying a Honeypot on AWS

As this is my first post on Medium, I wanted to take the opportunity to document my recent experience of setting up a honeypot on an AWS EC2 instance. Additionally, I wanted to archive this process for anyone else who may be interested in doing the same. Also, I’m going to try, as best as I can, to write this as simply and in as much detail as possible so anyone can follow it, even if you’re new to AWS, VMs or Linux.

Next, I want to cover what a honeypot is and more importantly, why would you want to set one up. I felt like this was an important question that should be addressed up-front.

To answer the first part, I’m going to give you a link to a SANS article which describes a honeypot in detail. The TL;DR of that article is that a honeypot (in this context) is “an information system resource whose value lies in unauthorized or illicit use of that resource”, or more simply, we are putting this intentionally vulnerable machine out on the internet to get attacked, for research purposes.

As for why we want to do this: it lets you become familiar with the types and volume of automated bot/scanner traffic looking for open ports and services on AWS (or wherever you choose to deploy your honeypot), gain some knowledge about setting up simple cloud instances, and maybe get inspired to do more projects like this.

Now, let’s make sure we have the necessary items and links for the deployment of our honeypot.

1: AWS account — You need to set up an AWS account, which is pretty simple. Click the link, click “Create a Free Account” and begin filling out the form to set up your account. I would also recommend setting up Multi-Factor Authentication (MFA) on your account for added security.

After you set up your account you’ll receive an email with some additional details on how to access and secure your account. I’m not going to cover AWS account set up or MFA in this post because it is very easy and if you can set up a regular Amazon account, you can set up an AWS account.

** FULL DISCLAIMER: I chose to pay for my EC2 instance, but you do not have to pay for an EC2 instance to follow this tutorial.

2: T-Pot — T-Pot is a multi-honeypot project developed by the folks at T-Mobile and is free for use by anyone who wants to download and deploy it. The honeypots which are included in the project are designed to simulate vulnerable web and email servers and databases (like SQL and MongoDB). Additionally, I should point out that the honeypots are also designed to expose ports like SSH, FTP and SMB which malicious people might want to exploit. Lastly, as part of this tutorial, I’ll show you how to allow all traffic to hit your honeypot, so you can reap that sweet, sweet data!

3: SSH client — This is one of the most important parts of the tutorial. Without this, we can’t connect to our instance. I am using a Mac for this tutorial, so I’ll be using the native SSH client. If you’re on Windows, you would probably use PuTTY to connect to the instance. I won’t be covering that for now, but I have linked the PuTTY tutorial on how to connect to AWS instances here. I’ll update this tutorial with that specific info at a later time. Sorry!!

4: CLI knowledge — It should go without saying that you should be familiar with the command line interface (CLI) and have a basic understanding of running commands from it. If this is new to you, I would recommend taking the Codecademy class on CLI to get comfortable.

Now that we have the necessary pre-requisites out of the way, let’s get into setting up our AWS account and the honeypot.

AWS Account Setup

First, we need to log into our AWS account by entering our credentials and using our MFA (if you set it up already). Since this is likely your first time using AWS, you will likely be prompted to set up Identity and Access Management (IAM) policies to properly secure your account.

AWS walks you through this process, so I’m not going to cover this step (right now), but it’s a pretty simple walk through. The below screen is part of the IAM page and if you click any of the items, it will explain the steps needed to complete the requirements.


Once you’ve completed the initial set up and security on your account, Click ‘Services’ (at the top of the screen) and click ‘EC2’. This will bring you to a screen where you’ll choose your instance to deploy T-Pot.


On the below screen you have several options to administrate your EC2 Instances. Also, from this screen it wouldn’t be a bad idea to choose the region you want your Instance to be deployed in. The reason for doing this is that there will be reduced latency when you choose a region closer to you. If you choose to change the default region, click the region name in the upper right hand corner of the screen (in my case Oregon), and choose an appropriate region.


Now that you have chosen your region, you can click the blue ‘Launch Instance’ button, which will take you to the next screen so that you can launch an Amazon Machine Image (AMI). AMIs are prebuilt Operating System images which are built specifically for AWS.

For T-Pot, we need to Select the Ubuntu Server 16.04 AMI.


Next we need to choose our Instance Type. If you want to stay in the Free Tier, you need to choose the t2.micro instance. A t2.micro instance consists of 1 vCPU and 1GB of memory. The T-Pot system requirements document says you need to have at least 4GB of memory to run T-Pot, but you can get away with a t2.micro (although it will be somewhat slow and kind of a pain).

If you are being serious about leaving the honeypots up and running so that you can gain value from them for personal or professional purposes, I would recommend a t2.medium or t2.large. But just remember, there is a cost associated with this!!


After choosing your instance type, we need to click ‘Configure Instance Details’. This step doesn’t require any actions, unless you want to put the honeypots in a specific subnet. Most people won’t have a need to change this setting, so let’s skip past this and click ‘Add Storage’ in the bottom right.


On this screen, you can choose how much storage you would like. I set mine to 50GB because I wanted to make sure I had enough room for the log files. The T-Pot documents say you need 64GB SSD volumes, but I’m doing fine with 50GB, for now. Input your desired storage size under ‘Size (GiB)’ and once that’s done, click ‘Add Tags’.


At this point, you can choose to add tags to your AMI so you can refer to it later. This isn’t necessary for most users, unless you have multiple EC2 instances and want to keep them organized. So let’s skip this part and click ‘Configure Security Group’.


This next screen is important and it’s something we’ll be revisiting again, after installing/setting up T-Pot. The Security Groups control internal and external access to your EC2 instance. The default setting allows inbound SSH connections from an undefined IP range. THIS IS POTENTIALLY BAD, as it would allow anyone to connect to your EC2 instance.

So to fix this, Click the ‘Source’ button and choose ‘My IP’ so that your EC2 instance only accepts incoming SSH connections from your computer. We’ll need to change this setting in a bit, since T-Pot has an SSH honeypot built into it. But for now this works.


Now that we’ve set everything up, click ‘Review and Launch’.

If everything went well, this next step will allow you to review your settings to ensure you got everything right. If you somehow failed to set up proper SSH access or chose a non-free EC2 instance (which is ok), AWS will give you a warning/system message with the changes that need to be made. You can choose to ignore the message (if you get one), but I would recommend fixing the issues.

Now you can click the ‘Launch’ button in the bottom right of the screen.


Once you launch your instance, you’ll be prompted to set up a key pair. This will allow you to make a secure connection to the EC2 instance.

Choose the ‘Create a new key pair’ option and name it something you’ll remember. Try to use a simple name without spaces or special characters. Also, you’ll need to download the Private Key PEM file to a folder/directory that you’ll remember. You’ll need it when we connect to our instance.

Once you’ve generated and downloaded the PEM file, click ‘Launch Instances’.

Now, AWS will bring you to the Launch Status window. From here you can see that the instance is beginning to boot up. So now, click the instance name (a string of letters and numbers) which will bring you to the EC2 Running instance page.

If you can’t figure out what to click, you can always click ‘Services’ in the upper left portion of the page and then click ‘EC2’. Once you get to the EC2 console, click ‘Running Instances’.

On this page you can see your Instance booting up and once you see ‘2/2 checks’ under ‘System Checks’, you can successfully connect. This check is an AWS diagnostic tool to ensure you have network connectivity to the instance.


Connect to your EC2 Instance

Now we want to connect to our instance. To do this, open a terminal on your Mac by pressing CMD+Spacebar, which brings up the Spotlight Search bar.

Type Terminal and then hit Enter.
If you’re on Linux, you can right click on the desktop and click Open Terminal.

To successfully connect to your instance:

1. Locate your private key file path (YourFileName.pem). The AWS setup wizard automatically detects the key you used to launch the instance.

2. Your key must not be publicly viewable for SSH to work, so we need to use one of the following commands to reduce the chances of not being able to connect:

If you are currently in the same folder as the PEM file, use this command:
sudo chmod 400 YourFileName.pem
If you are currently NOT in the same folder as the PEM file, use this command:
sudo chmod 400 ./FolderName/YourFileName.pem

3. Connect to your instance using its Public DNS. You can find this info in the bottom of the EC2 instance panel (your Instance WILL be different):

ec2-12-34-56-78.us-west-2.compute.amazonaws.com

Here’s an example of the command we’ll need to use when we attempt to connect.

ssh -i "./FolderName/YourFileName.pem" ubuntu@ec2-12-34-56-78.us-west-2.compute.amazonaws.com

Just copy and paste this command into your terminal window, modify it to fit your instance details and, once you’re done, hit Enter.

Assuming the file path to your Private key is correct and you haven’t made any errors in the text, you should see the following message in your terminal when you try to connect:

The authenticity of host 'ec2-12-34-56-78.us-west-2.compute.amazonaws.com (12.34.56.78)' can't be established.
ECDSA key fingerprint is SHA256:StringOfRandomNumbersAndLetters.
Are you sure you want to continue connecting (yes/no)?
Type yes, and hit Enter.

Now you should see that you have successfully connected and you will be presented with a command prompt, like so:

ubuntu@ip-Your.Internal.IP.Address:~$

Honeypot Install

From here, we can start setting up Ubuntu with T-Pot.

So let’s update and upgrade our Instance first (which you should do every time you use your instance) by using the following command:

sudo apt update && sudo apt upgrade -y

Once Ubuntu is finished updating and upgrading, we’ll need to change the password of our user, as there is no password by default. You’ll need to type:

passwd and hit Enter

Enter your new password (you’ll want to remember this password) and then re-enter your password again, when prompted.

Now we need to generate an SSH key for your user on Ubuntu. This only requires the following command:

ssh-keygen

When you generate the key, it will ask you what user you would like to generate the key for (if not root).

Type ubuntu and hit Enter

Now that we’ve prepped Ubuntu for the honeypot install, we can now quickly move through the install of T-Pot by using the following commands:

git clone https://github.com/dtag-dev-sec/t-pot-autoinstall.git
cd t-pot-autoinstall/
sudo su
./install.sh

Now this should begin installing T-Pot on your Ubuntu instance, and there are only going to be a few answers you have to provide during the install. The first one is:

Which user do you usually work with?
This script is invoked by root, but what is your normal username?
Enter username: ubuntu

Now you should see the following text:

# How do you want to proceed? Enter your choice.
# Required: 4GB RAM, 64GB disk
# Recommended: 8GB RAM, 128GB SSD
# 1 — T-Pot’s STANDARD INSTALLATION # Standard Honeypots, Suricata & ELK #
# 2 — T-Pot’s HONEYPOTS ONLY # Honeypots only, w/o Suricata & ELK #
# 3 — T-Pot’s INDUSTRIAL EDITION # Conpot, eMobility, Suricata & ELK #
# 4 — T-Pot’s FULL INSTALLATION # Everything

I chose to go with Option 4, because my EC2 instance can handle the full install. For the free tier, you can choose Option 1 to get you started as it requires fewer resources to install. As I mentioned in the beginning, if you’re being serious about using this to learn and do some research, I would upgrade to a slightly bigger instance and choose Option 4, but that’s up to you!

Choose your selection and hit Enter.

Now your Ubuntu instance will begin downloading and installing all of the necessary items for the version you chose to install.

You’ll be prompted with one more question during the install:

### Please enter a password for your user ubuntu for web access.
Password: myPassw0rd

The password I used at this point is similar to the one suggested by the T-Pot install docs. You can choose to use any password you wish, but for simplicity’s sake, use the default password, myPassw0rd.

When you enter the password for your web access, you will be prompted to re-enter that password. Simply re-enter your password, hit Enter, and the install script will continue.


Once the install script finishes, it will display the following message:

### Thanks for your patience. Now rebooting. Remember to login on SSH port 64295 next time or visit the dashboard on port 64297!
./install.sh: line 500: 9604 Terminated reboot
Connection to ec2-12-34-56-78.us-west-2.compute.amazonaws.com closed by remote host.
Connection to ec2-12-34-56-78.us-west-2.compute.amazonaws.com closed.

Now we need to go back to our EC2 instance page on AWS to modify our Security Group settings to allow us to access our honeypots after the install.

As mentioned earlier in this process, the default SSH port (22) will be used as a honeypot, so the new port for SSH will be 64295. Additionally, ports 80 and 443, which are normally used to view webpages, are going to be used as honeypots as well, so we’ll be using port 64297 to securely connect to the T-Pot web interface from our browser with the User/Password we used during the install.

On the EC2 instance page, let’s click Services (at the top of the screen) and click EC2. Now, click Running Instances and you should see your Instance details.

We need to modify the security group of this instance, so look at the bottom of the screen and under the Description Tab, you’ll see Security Groups:

Click the launch-wizard# link and it will bring you to the screen so we can modify our inbound and outbound rules.

Click the ‘Inbound’ tab
Click ‘Edit’, and then when the screen pops up, Click ‘Add rule’.

We are going to change our rules to allow for access of SSH on port 64295 and Web access on port 64297.

Click the ‘Type’ button and choose ‘Custom TCP Rule’
In the ‘Port Range’ option, type 64295
For ‘Source’, choose ‘My IP’ from the dropdown and in the description field type SSH (so you can remember why you made this rule).

Now we need to repeat these steps to enable web access to the T-Pot Web access portal.

Click Add rule.
Click the ‘Type’ button and choose ‘Custom TCP Rule’
In the ‘Port Range’ option, type 64297
For ‘Source’, choose ‘My IP’ from the dropdown and in the description field type Web Access.

Now we need to do two more things.

Delete the original SSH rule (port 22) by clicking the ‘X’ at the right side of that rule, because we can no longer access our honeypots on this port.

We also want to open up our honeypots to all inbound traffic, so we’ll add rules similar to the SSH and web access, but we want anyone to be able to access them.

Repeat the steps we just used for adding SSH and Web Access, but for the ‘Port Range’ use 0-64294 and for ‘Source’ choose ‘Anywhere’. Repeat this one more time for the remaining port range of 64298-65535, again with ‘Source’ set to ‘Anywhere’.
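
One way to double-check the finished rule set, as an added example that is not part of the original post or the T-Pot project: the script below reads security-group JSON in the shape returned by `aws ec2 describe-security-groups` and reports when either management port (64295, 64297) is reachable from more than one address, or when the port 22 honeypot is not open to the internet. The sample group, its sg-EXAMPLE id and the 203.0.113.10 address are constructed.

```python
import ipaddress
import json

# Management ports announced by the T-Pot install message quoted above.
ADMIN_PORTS = {64295: "SSH", 64297: "Web Access"}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample; 203.0.113.10 stands in for 'My IP'. The 64297 rule is
# deliberately wrong so the audit has something to report.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 64295, "ToPort": 64295,
   "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 64297, "ToPort": 64297,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 64294,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 64298, "ToPort": 65535,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
]}]}
""")


def sources_for(group, port):
    """Source CIDRs (IPv4 and IPv6) allowed to reach a TCP port.
    IpProtocol "-1" means all traffic and carries no FromPort/ToPort."""
    cidrs = []
    for perm in group["IpPermissions"]:
        proto = perm["IpProtocol"]
        if proto == "-1" or (proto == "tcp"
                             and perm["FromPort"] <= port <= perm["ToPort"]):
            cidrs += [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return cidrs


def audit(group):
    """Return findings; an empty list means the rules match the tutorial."""
    findings = []
    for port, name in ADMIN_PORTS.items():
        cidrs = sources_for(group, port)
        if not cidrs:
            findings.append(f"{port} ({name}): no rule, you are locked out")
        for cidr in cidrs:
            if cidr in WORLD:
                findings.append(f"{port} ({name}): open to {cidr}")
            elif ipaddress.ip_network(cidr, strict=False).num_addresses > 1:
                findings.append(f"{port} ({name}): {cidr} is more than one host")
    if not WORLD & set(sources_for(group, 22)):
        findings.append("22: honeypot SSH is not reachable from the internet")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE["SecurityGroups"][0]):
        print(line)
```

To run it against a real group, save the output of `aws ec2 describe-security-groups --group-ids <your-group-id>` to a file and load that instead of SAMPLE.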

Once complete, your Security group settings page should look similar to this:

Now that we’ve completed this portion you should be able to use the SSH command we used earlier to connect back to T-Pot. Also, we can now connect to the web portal so we can start visualizing attacks, too!

I should mention that when T-Pot reboots from the initial install script, the IP is likely to change, so take note of that when trying to connect.

To access the web interface or SSH, use the Public IP address info from your AWS instance details page:

https://your.AWS.IP.address:64297
Enter the credentials we used during set up:
Username: ubuntu
Passwd: yourpasswd

or to connect via SSH, you can use:

ssh -i "./FolderName/YourFileName.pem" ubuntu@ec2-12-34-56-78.us-west-2.compute.amazonaws.com

If you’re connecting to the Web interface (which you should be), you’ll see something like this:

Otherwise, if you’re connecting through SSH, you’ll see the same message from when you tried to connect to the Ubuntu instance, from earlier.


So now I would let your honeypots sit for a bit (like 30 minutes) to let them start capturing scanner/bot traffic. You’ve earned a break, so go get a snack, take a walk or stare at your screen and wait for data to start showing up; it’s up to you. I will say that scans/potential attacks start relatively quickly. In my case, it started within seconds, but your mileage may vary.

When you’re ready to start looking at data, click the T-Pot link from the above screen and it will show you an aggregated list of the attacks you’ve seen thus far.

I’ll also go into more detail at some point about what else you can do with these honeypots, but for now just watch and wait!!


I hope this has been a helpful (albeit long) tutorial. But my hope is that it inspires you to learn more and teach others.

If you’re hung up on anything or need help, you can tweet @sudojune and I’ll do my best to help you out.

Thanks and happy researching!