-
Notifications
You must be signed in to change notification settings - Fork 27
AWS ECS Setup for ModSecurity Honeypot
Located in the repo's Wiki section
WARNING: ALL LINKS PROVIDED ARE FOR THE DEFAULT REGION ON AWS CONSOLE, PLEASE MAKE SURE YOU SELECT YOUR DESIRED REGION.
-
Install aws-cli
-
Go to https://console.aws.amazon.com/iam/home#/security_credentials
-
Create or use an Access Key from the "Access Keys" section
You need:
-
Access Key ID
-
Secret Access Key
-
Default Region ID - what is displayed at the region selection, like "eu-west-1"
-
Default output format (can be none)
-
Configure aws-cli:
aws configureThe docker image used for this task can be found here:
-
Edit the following entries in
honeytraps/waf_modsec/aws-ecs-container-definition.json:-
Change "LOGSTASH_HOST" env value to your logstash server IP and port
-
Change "awslogs-region" in "logConfiguration" to your region
-
-
Create the task:
cd ~/Honeypot-Project/honeytraps/waf_modsec aws ecs register-task-definition --cli-input-json "$(cat aws-ecs-container-definition.json | tr '\n' ' ')"
You can observe the created task here. Note that running this command creates a new revision for the Task definition automatically instead overwriting it.
-
Create log group for the task
aws logs create-log-group --log-group-name "/ecs/honeytrap-modsec"
Creating a cluster to run services in:
aws ecs create-cluster --cluster-name "modsec-honeytrap"You can observe the created cluster here
This is a specific example, the IP and subnet ranges can be changed freely.
-
Create a Virtual Private Cloud (vpc) if you need a separate one (reference):
aws ec2 create-vpc --cidr-block 10.0.0.0/16 #note vpc-id aws ec2 create-internet-gateway #note internetGateway-id # Add internet-gateway to private cloud aws ec2 attach-internet-gateway --internet-gateway-id <internetGateway-id> --vpc-id <vpc-id> # Find route table id aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id> # note the route-table-id # Add route to gateway in the route-table aws ec2 create-route --route-table-id <route-table-id> --destination-cidr-block 0.0.0.0/0 --gateway-id <internetGateway-id>
Please note the "VpcId" in the output.
-
Create a subnet in the vpc what the service will use:
aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block 10.0.0.0/24
Please note the "Subnetid" fiels's value in the ouput.
-
Create a Security group (port rules) for the Virtual Private Cloud what the Service will use.
This is not necessary as a default group is created for the VPC upon creation but it is good practice to separate the services
aws ec2 create-security-group --group-name "EC2Container-honeytrap" --description "Port rules for the Honeytrap Docker Container" --vpc-id <vpc-id> # Adding the required rules aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --cidr 0.0.0.0/0 --port 80 aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --cidr 0.0.0.0/0 --port 8080 aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --cidr 0.0.0.0/0 --port 8000 aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --cidr 0.0.0.0/0 --port 8888
Please note the group ID.
aws ec2 create-network-interface --description "HoneyTrap Network Interface" --subnet-id <subnet-id> --groups <group-id>
Note: You can most (not all) of this on through the Web UI here as well.
This will be added to the Cluster and ran there using FARGATE (serverless).
-
Create Service using the Subnet ID and the Security Group ID:
aws ecs create-service \ --service-name "honeytrap-service" \ --cluster "modsec-honeytrap" \ --task-definition "honeytrap" \ --desired-count 1 \ --launch-type "FARGATE" \ --network-configuration "awsvpcConfiguration={subnets=[<subnet-id>],securityGroups=[<securitygroup-id>],assignPublicIp=ENABLED}"
If all went well the Service is created and can be observed here.
-
Select "Tasks" tab
-
Select the running task (Click on the Task id)
-
Observe the Public IP adress
-
Expand the Containter and click on "View logs in CloudWatch" to see the docker output
-