Deploy a Honeypot in AWS using T-Pot

This article outlines the step-by-step process of setting up the honeypot, including the necessary configurations and considerations specific to the AWS environment. It covers aspects such as network setup, instance provisioning, and security configurations, ensuring that the honeypot operates effectively and securely within the AWS cloud. Additionally, the report highlights the importance of honeypots as a valuable tool for understanding hacker activity and developing more robust security solutions. By documenting the installation process, this report serves as a valuable resource for organizations looking to implement honeypots in the AWS cloud, contributing to their overall cybersecurity strategy.


Create an account on Amazon AWS and log in, then use the search bar to navigate to the "EC2 Console". In the top right corner, select the region where you want to deploy your honeypot, keeping in mind that the region you choose may change where the attacks come from. With the region selected, launch an instance to host the honeypot: click Instances in the left menu and then Launch Instances.


Use the Debian 11 AMI (Amazon Machine Image) to host the honeypot (you can select other AMIs depending on your needs).



To ensure optimal performance and prevent memory limitations for the honeypot, it is crucial to select a suitable instance type with sufficient processing power and memory capacity. In this case, it is recommended to choose the t2.large instance type. This selection will help maintain the honeypot’s efficiency and stability during operation. Please note that keeping the honeypot running will incur costs, so it is important to be mindful of this aspect.


Deploy the instance in the default VPC provided by the region. The only configuration change required is enabling the "Auto-assign Public IP" option to ensure accessibility to potential attackers.


For storage, increase the size from 8 to 128 GiB.


Generate a key pair that will serve as the means to SSH into the instance. It is crucial to keep the key pair safe as losing it will result in the loss of access to the instance. Assign a name to the key pair, download it, and proceed to launch the instances. 


After launching the instances you should receive confirmation that they were launched successfully. Finally, return to the EC2 console and wait for the instance to initialize.


Initially, the status check will indicate "Initializing", but it is essential to wait until the status changes to "2/2 checks passed". Once it does, use the previously created key to establish an SSH connection with the instance. To obtain the public IP address of the instance, select the instance and copy the Public IPv4 address. Now locate the directory where you saved the downloaded key file. Before connecting, restrict the permissions of the key file so that only you can read it; ssh refuses to use a private key that is readable by other users.

    chmod 400 honeypot.pem

Access the instance via SSH by executing the provided command below: 

    ssh -i honeypot4.pem admin@13.37.249.179

Once you have successfully established an SSH connection to the instance, the next step is to ensure that the instance is up to date before proceeding with the installation of Git. Upgrading the instance is crucial to ensure compatibility and optimal performance. After the upgrade, Git can be installed, which is essential for cloning the honeypot repository from GitHub. To accomplish this, follow the sequence of commands provided below:

    sudo apt update
    sudo apt upgrade
    sudo apt install git

Once git is installed clone the repository using: 

    sudo git clone https://github.com/telekom-security/tpotce.git

Go to the newly created "tpotce" directory and execute the installation script:

    cd tpotce
    sudo ./install.sh --type=user

After the installation process is completed, select the Standard option and press the "Enter" key to confirm.


Create a username and a password: 


The username and password credentials will grant access to the web administration portal of the honeypot. Note that after this step the SSH connection may be lost, because the installer remaps various ports, including SSH. Moving forward, the security groups need to be configured. Return to the EC2 console, locate and select your instance, and open the Security tab. From there, click on the hyperlink under the Security groups section and then edit the inbound rules. Remove the existing rule currently in place, and create three new rules to:

    • Enable SSH access to the instance. 
    • Facilitate login to the web admin portal. 
    • Allow attackers to access ports 1-64,000. 

For all three rules, select "Custom TCP" as the Type. For the first rule, enter "64295" as the Port range; the tpotce installer has changed the SSH port from 22 to 64295. Choose "My IP" from the Source drop-down menu to automatically assign your IP address, granting SSH access only to you. Feel free to add a description like "For SSH" for easier identification.

To configure the rule for the web admin portal, follow a similar process. Click on "Add rule" and select "Custom TCP" as the Type. Enter "64297" as the Port range. Once again, choose "My IP" for the Source and, if desired, provide a description such as "Web Admin Portal" for better organization.

Finally, create the rule that exposes the honeypot services to everyone. Click on the "Add rule" button, specify the port range as "1-64000" and select "Anywhere-IPv4" as the source. Once you have entered the information, click on "Save rules" to apply the changes.
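The same three inbound rules as an added example (not part of the original post), expressed as a single AWS CLI `--ip-permissions` document with a guard that keeps the two admin rules pinned to one host. The security group id and admin address are placeholders you must supply, and `aws` is assumed to be installed and configured.

```shell
#!/bin/sh
# Added example (not from the original post): build the three inbound rules
# described above as one aws-cli --ip-permissions document and, on request,
# apply them. SG_ID and ADMIN_IP are placeholders you must supply.
set -eu

SG_ID="${SG_ID:-sg-PLACEHOLDER}"          # placeholder: your instance's security group id
ADMIN_IP="${ADMIN_IP:-203.0.113.10/32}"   # constructed sample; replace with your own /32

# One ip-permission entry: TCP ports from-to, allowed from cidr, with a description.
tcp_permission() {
  printf '{"IpProtocol":"tcp","FromPort":%s,"ToPort":%s,"IpRanges":[{"CidrIp":"%s","Description":"%s"}]}' \
    "$1" "$2" "$3" "$4"
}

# The three rules from the post: SSH (64295) and the web admin portal (64297)
# only from the admin address, and ports 1-64000 open to any IPv4 source.
tpot_ingress_json() {
  admin="$1"
  printf '[%s,%s,%s]' \
    "$(tcp_permission 64295 64295 "$admin" 'For SSH')" \
    "$(tcp_permission 64297 64297 "$admin" 'Web Admin Portal')" \
    "$(tcp_permission 1 64000 '0.0.0.0/0' 'Honeypot services')"
}

# Guard: the admin rules must be pinned to a single host, never a wide range.
admin_cidr_is_host() {
  case "$1" in
    */32) return 0 ;;
    *)    return 1 ;;
  esac
}

# Push the rules to the security group. The default rule the launch wizard
# created is removed in the console, as the post describes; this only adds.
apply_rules() {
  admin_cidr_is_host "$ADMIN_IP" || { echo "ADMIN_IP must be a /32 host address" >&2; return 1; }
  aws ec2 authorize-security-group-ingress --group-id "$SG_ID" \
    --ip-permissions "$(tpot_ingress_json "$ADMIN_IP")"
}

# Dry run by default: print the document for review. Run with APPLY=1 to apply.
if [ "${APPLY:-0}" = "1" ]; then
  apply_rules
else
  tpot_ingress_json "$ADMIN_IP"
  echo
fi
```

Once the rules are in place, remember that SSH on the instance now listens on port 64295 rather than 22.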


Now, you should be able to access the web admin portal through your web browser using the following URL: 

    https://<instance-public-ip_address>:64297


After successfully setting up a research honeypot, you now have the opportunity to explore the web admin portal, which provides access to various features and tools like Kibana, Elasticsearch, Spiderfoot, etc. 
