Terraform to stand up a splunk server and a honeypot and just log all the things.

Fred Damstra [io2] f1e0488e58 Appears to be updated to latest tf and aws provider 3 years ago
bin 7c48f871f6 Initial commit. 7 years ago
.gitignore 7c48f871f6 Initial commit. 7 years ago
AWS_AMI_MAPS.j f1e0488e58 Appears to be updated to latest tf and aws provider 3 years ago
Makefile 7c48f871f6 Initial commit. 7 years ago
README.md 7c48f871f6 Initial commit. 7 years ago
banner.txt 7c48f871f6 Initial commit. 7 years ago
honeypot.j f1e0488e58 Appears to be updated to latest tf and aws provider 3 years ago
network_acl.j f1e0488e58 Appears to be updated to latest tf and aws provider 3 years ago
provider.j 7c48f871f6 Initial commit. 7 years ago
security.j f1e0488e58 Appears to be updated to latest tf and aws provider 3 years ago
splunk_server.j f1e0488e58 Appears to be updated to latest tf and aws provider 3 years ago
variables.include f1e0488e58 Appears to be updated to latest tf and aws provider 3 years ago
variables.j f1e0488e58 Appears to be updated to latest tf and aws provider 3 years ago
vpcs_and_subnets.j f1e0488e58 Appears to be updated to latest tf and aws provider 3 years ago
z_nextsteps.j 7c48f871f6 Initial commit. 7 years ago

README.md

Splunk HoneyPot

Creates a public AWS instance with a public-facing interface that listens on all ports. It logs any incoming data on those ports (using https://github.com/fdamstra/python_multithreaded_socket_logger).

Creates a second AWS instance with Splunk on it to share the data that was ingested.

!!! These should not be considered secure. !!!

A server with open ports is an attractive target to a lot of things. While I've taken precautions to try to minimize the risk, I suggest you keep any personal information off these servers. And while you should never reuse passwords, it is especially important not to do so here.

Design

There are two VPCs. The "untrusted" VPC contains the honeypot itself, which has two interfaces.

The first interface on the honeypot is a management interface. It has a public IP that is opened only to the IPs specified in your configuration and accepts only SSH.

The second interface is open to all IP addresses and protocols, but runs no real services. The only listener on this interface is the socket-logging daemon.

Lastly, there is a second instance for Splunk itself. This instance resides in a separate VPC and allows SSH, HTTP, and HTTPS traffic.
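As an added illustration of the design above (this is not the repository's own Terraform; the names var.admin_cidrs, aws_vpc.untrusted, aws_vpc.trusted, aws_subnet.untrusted_mgmt and aws_subnet.untrusted_open are assumptions), here are the three security groups that express the three exposure levels, and the two honeypot network interfaces that each carry exactly one of them:

```hcl
# Added example, not the project's configuration. Resource and variable
# names below are assumed for illustration only.

variable "admin_cidrs" {
  description = "CIDR blocks allowed to reach the management interface over SSH (assumed variable)"
  type        = list(string)
  default     = ["203.0.113.10/32"] # constructed TEST-NET placeholder, replace with your own IPs
}

# Management interface: SSH only, and only from the configured sources.
resource "aws_security_group" "honeypot_mgmt" {
  name   = "honeypot-mgmt"
  vpc_id = aws_vpc.untrusted.id # assumed resource name

  ingress {
    description = "SSH from administrator IPs only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.admin_cidrs
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Honeypot interface: every port and protocol from anywhere, so the
# socket-logging daemon records whatever arrives. Nothing else may listen here.
resource "aws_security_group" "honeypot_open" {
  name   = "honeypot-open"
  vpc_id = aws_vpc.untrusted.id

  ingress {
    description = "All traffic, captured by the logging daemon"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Splunk instance in the separate VPC: SSH, HTTP and HTTPS, as the README
# states. Limiting the sources to var.admin_cidrs is an added choice here;
# the README does not say where these ports are reachable from.
resource "aws_security_group" "splunk" {
  name   = "splunk"
  vpc_id = aws_vpc.trusted.id # assumed resource name

  dynamic "ingress" {
    for_each = [22, 80, 443]
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = var.admin_cidrs
    }
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Each honeypot interface carries exactly one security group, so the
# SSH-only rule set can never end up on the wide-open interface.
resource "aws_network_interface" "honeypot_mgmt" {
  subnet_id       = aws_subnet.untrusted_mgmt.id # assumed
  security_groups = [aws_security_group.honeypot_mgmt.id]
}

resource "aws_network_interface" "honeypot_open" {
  subnet_id       = aws_subnet.untrusted_open.id # assumed
  security_groups = [aws_security_group.honeypot_open.id]
}
```

The check worth running after `terraform plan` is that the open security group is attached to one interface only, and that the SSH daemon on the honeypot binds to the management interface's address rather than 0.0.0.0, since otherwise the wide-open group also exposes real SSH.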