
Learn where your environment is at risk with an AWS honeypot

Security is a constant concern for cloud users, so it's important to understand your environment's vulnerabilities. A honeypot can help users visualize the weaknesses that leave them open to attack.

Honeypots emulate a vulnerable system to attract hackers. Once the honeypot system identifies a potential attack, it studies the behavior and characteristics of the intruder. You can then use this information to prevent attacks from harming the actual cloud environment.

In this video tutorial, Adam Listek, applications analyst at Illinois State University and a TechSnips contributor, shows AWS users how to install and configure T-Pot, an open source honeypot platform. With an AWS honeypot, you'll have more insight into the security of your cloud systems.

How to install and run T-Pot

To get started, create a VM to host the T-Pot instance. Log into the AWS Console and click Launch Instances in EC2. Then, search for Debian -- the latest version of T-Pot requires this Linux OS. For the purposes of this demo, we'll choose Debian 9. T-Pot tends to need larger VMs.

Next, provision your storage and configure your initial security group. Then, create a key pair and connect to the VM over Secure Shell (SSH) using the private key. You can use the default Debian admin username.

When you are connected to the VM, make sure all the packages are up to date with any necessary upgrades. Then, install the Git client, which will pull data from the T-Pot repository. After that, run the installer and answer the questions it prompts. After installation is complete, choose your preferred level of access. You'll need to open all ports so that T-Pot can bind to them and collect data.

Now, you're all set to put this AWS honeypot to use. Navigate to the web interface to access the T-Pot dashboard. From the dashboard, you can monitor any attacks T-Pot detects and discover where your environment is at risk.
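The demo opens the security group to the world after installation, which also exposes the two administrative ports the transcript names (64295 for the real SSH service, 64297 for the web dashboard). As an added example, not taken from the video or the T-Pot project, this Python check takes ingress rules in the shape boto3's `describe_security_groups` returns and reports any rule that leaves those ports reachable from outside an admin CIDR. The sample rules, the admin address and the 1-64294 honeypot range are constructed assumptions.

```python
import ipaddress

# Administrative ports named in the tutorial; everything else is honeypot surface.
MGMT_PORTS = {64295: "real SSH service", 64297: "web dashboard"}

def covers(rule, port):
    """True if an ingress rule (boto3 IpPermissions shape) includes a TCP port."""
    if rule.get("IpProtocol") == "-1":   # "-1" means all protocols and all ports
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]

def audit_ingress(ip_permissions, admin_cidr):
    """Return sorted (port, cidr) pairs where a management port is reachable
    from a source that is not contained in admin_cidr."""
    admin = ipaddress.ip_network(admin_cidr)
    findings = set()
    for rule in ip_permissions:
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for port in MGMT_PORTS:
            if not covers(rule, port):
                continue
            for cidr in sources:
                net = ipaddress.ip_network(cidr)
                # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
                if not (net.version == admin.version and net.subnet_of(admin)):
                    findings.add((port, cidr))
    return sorted(findings)

ADMIN = "203.0.113.10/32"  # constructed admin address (documentation range)

# Constructed: the "fully open to the world" group used in the demo.
DEMO_WIDE_OPEN = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]

# Constructed: honeypot ports public, management ports limited to the admin IP.
SPLIT = [
    {"IpProtocol": "tcp", "FromPort": 1, "ToPort": 64294,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 64295, "ToPort": 64297,
     "IpRanges": [{"CidrIp": ADMIN}]},
]

if __name__ == "__main__":
    for name, rules in (("demo", DEMO_WIDE_OPEN), ("split", SPLIT)):
        for port, cidr in audit_ingress(rules, ADMIN):
            print(f"{name}: {MGMT_PORTS[port]} on {port} reachable from {cidr}")
```

The check looks only at TCP and all-protocol rules with CIDR sources; rules that reference other security groups are not evaluated.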


Transcript - Learn where your environment is at risk with an AWS honeypot

You may have heard the term Honeypot before and wondered what is this? It's simply a security setup meant to detect attacks by emulating a legitimate system. It's a great way to learn about the types of attacks and security risks out there.

There is a fantastic open source Honeypot system called T-Pot. That's what we're going to install today, in this case, in the AWS environment.

After you log into the AWS Console, navigate to EC2, as we're going to create a virtual machine to host our T-Pot install. Once there, click on Launch Instances, and then we're going to search for Debian. Prior to 19.03, the current latest version, T-Pot was normally installed on Ubuntu. Starting with 19.03, you will need to install this on Debian, and it won't work on Ubuntu anymore.

With that in mind, we are going to pick Debian 9, otherwise known as Stretch. Although you might be able to get T-Pot running on a VM with smaller resources, it really seems to need a minimum of 6 to 8 gigs. So, we're going to use the large-size VM. Most of the provisioning screens are going to use a default, but we are going to increase the size of storage to a 30 gig disk. Also, we're going to configure the initial security group. Let's just open up Port 22 for SSH, but only into our IP. Finally, let's go ahead and start creating the VM.

It will ask us to create a key pair. In this case, I've already done so. And I highly recommend you use public-private keys for authentication. Once the VM is created, let's connect to it. We are going to connect via SSH, using the public DNS, [or domain name system], address that the console provided us. You'll notice that we are using admin for the username, which is the Debian default. And I'm going to use a private key to connect.

First thing we want to do is update and upgrade all of the packages, as, oftentimes, these images aren't fully up to date. After that, we need to install the Git client so that we can pull down the data from the T-Pot repository. By pulling from the Git repository, we are getting the latest code available as well. That does mean sometimes that we may get more bleeding-edge code, but, generally, that really shouldn't be too much of a problem. So, all we're doing right now is cloning a copy of the repository to our local system. And then we'll just change the directory so that we can run the installer. And honestly, that's all you have to do to get started.

Next, let's go ahead and run the installer. You'll notice that we passed in the type of user. This is because we are interactively choosing options, not that there are that many. You can also set the type to Auto and pass in a configuration file if you already know how you want it configured. One note here is that I am using WSL, or the Windows subsystem for Linux, and the hyper terminal for interacting with the VM. The dialog boxes presented in the install don't always render correctly, but you can still proceed without issue.

The first question that T-Pot asks for is to review the running network services. This is because beyond SSH, T-Pot will essentially take over all the other services on the box, so they can present a fake version to the world. We'll say yes to proceed knowing that just our SSH service will be changed in here. T-Pot has a few different installation options. In this case, we are choosing the first standard option, which is plenty for us to get started with. Next, it asks for a user account for use with the system. In this case, we'll just pick the same admin username. Finally, it asks for a password. And once entered, that's it. T-Pot can take 15 to 30 minutes to install, as there are a lot of packages and configuration. So, take a break, grab some coffee.

All right, at the end of the installation process, T-Pot will go ahead and reboot. At this point, once all the services come back up, it can take about 5 to 10 minutes, we'll have a fully functioning Honeypot. Well, almost. If you recall in the beginning, we limited outside network access to just Port 22 and our IP. That won't do much good now, so let's go back and open that up.

For this demo, we are just going to fully open this to the world. But you can limit the access further if you want. Just remember that, virtually, every port does need to be open as T-Pot will bind to them to collect data. Let's make sure we can still SSH into our VM.

You'll notice that the SSH port has changed, though. It is now 64295. You can actually SSH into port 22, but it's a fake environment intended to trick attackers, so it won't do you much good to actually administer the system. Switching back to our browser, we can navigate to the web interface of the Honeypot, which is powered by Elasticsearch and Kibana. If you pull up an SSL, [or Secure Sockets Layer], connection to your VM's IP and port 64297, then you can get into the dashboard. You'll have to log in with the same username and password as you defined in the T-Pot installation.

The main dashboard to use is the one at the bottom of the list here called T-Pot. When we first load it up, there won't be anything here because it hasn't collected any attacks yet. T-Pot needs to be running for a bit before it really has any data.

So, you might notice at the top of the web interface, there are a few links. If you click on the cockpit link, it will take you to another web interface that you can use to control the server via GUI. So, let's go ahead and log in with that same username and password from before.

Oh, wait a second. Why didn't this work? Well, this login is using an actual Linux user account, whereas the Kibana one did not. We need to flip back over to our VM and actually set a password for this account. By default, the user account created with the Debian VM does not have a password. We use sudo because just using a password tool itself will not accept the blank password as the current one. By using sudo we can force a change. After that's done, we can head back over to Cockpit and log in. And, hey, now it works.

Going back to our dashboard screen, let's click on CyberChef. So, this is a general toolkit that is provided with this package, and it just has a ton of different useful tools. You can see the variety here, and they can be used in any number of situations. Take a look through and see what might be useful, not critical for the Honeypot install, but really useful for learning and analyzing data and attacks.

Finally, the tool SpiderFoot is a data collection and analysis tool. Usually, you target an IP or range of IPs, and it will gather all sorts of data about the target for you. Again, not necessarily for the Honeypot, but useful nonetheless.

All right, we have given it some time, so let's see if we have any attacks. Well, hey, look at that, a couple have already come across. This illustrates just how quickly these types of machines are scanned and potentially compromised. You really don't need an unprotected system on the network for long before it's scanned. Honeypots are a great way to learn about what threats are out there. It lets you visualize where and how these attacks come from, which you can then turn around and use that data to filter it from your production systems. So, check out T-Pot and learn more about security today.
