diff --git a/README.md b/README.md index df453b1..7aecbeb 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,36 @@ -# honeynet -Develop a scalable, cloud-native honeypot deployment framework that leverages Terraform to provision and manage honeypot instances across multiple geographic regions. +# Cloud-Native Honeynet Platform + +A distributed, adaptive honeynet platform with centralized control, dynamic deception, and cloud-native deployment. + +## Quick Start + +### Prerequisites +- Terraform >= 1.0 +- AWS CLI configured with credentials +- SSH key pair + +### Initial Setup +```bash +cd infrastructure/terraform +terraform init +terraform plan +terraform apply +``` + +### Verification +```bash +# Get the public IP +terraform output public_ip + +# SSH into the VM +ssh -i ~/.ssh/your-key.pem ec2-user@$(terraform output public_ip) +``` + +## Architecture +This is the foundational setup for a distributed honeynet system. Current implementation provisions a single VM as the building block for future multi-region deployments. + +## Next Steps +- Honeypot installation and configuration +- Multi-region deployment +- Logging and monitoring setup +- Automation and orchestration diff --git a/docs/elk-verification.md b/docs/elk-verification.md new file mode 100644 index 0000000..77f7711 --- /dev/null +++ b/docs/elk-verification.md 
@@ -0,0 +1,113 @@ +# ELK Stack Verification Guide + +## 🎯 Issue #18: Setup ELK Stack for Honeypot Log Collection + +### Changes Made + +1. **Elasticsearch Module** + - Single-node cluster configuration + - Security groups for HTTP (9200) and transport (9300) + - Memory-optimized settings + - Auto-discovery configuration + +2. **Logstash Module** + - JSON log parsing for Cowrie format + - GeoIP enrichment for attacker location + - Elasticsearch output configuration + - Pipeline for honeypot log processing + +3. **Kibana Module** + - Web interface configuration + - Elasticsearch integration + - Security settings for development + - Public access for dashboard + +4. **Filebeat Integration** + - Honeypot agent configuration + - JSON log shipping from Cowrie + - Template configuration for honeypot logs + +### Deployment Steps + +1. **Deploy ELK Infrastructure** + ```bash + cd infrastructure/terraform + terraform init + terraform apply -var="create_elk_stack=true" + ``` + +2. **Verify Elasticsearch** + ```bash + # Get Elasticsearch endpoint + terraform output elasticsearch_endpoint + + # Test connection + curl http://:9200/_cluster/health + ``` + +3. **Verify Logstash Pipeline** + ```bash + # Check Logstash status + ssh -i ~/.ssh/key.pem ec2-user@ + sudo systemctl status logstash + + # Test pipeline + echo '{"timestamp":"2024-01-01T12:00:00Z","srcip":"1.2.3.4"}' | + curl -XPOST http://:5044 -H 'Content-Type: application/json' + ``` + +4. **Verify Filebeat** + ```bash + # Check Filebeat on honeypot + ssh -i ~/.ssh/key.pem ec2-user@ + sudo systemctl status filebeat + + # Test log shipping + sudo tail -f /var/log/filebeat/filebeat + ``` + +5. 
**Access Kibana Dashboard** + ```bash + # Get Kibana URL + terraform output kibana_endpoint + + # Open in browser + http://:5601 + ``` + +### Expected Results + +- Elasticsearch cluster responds to health checks +- Logstash processes Cowrie JSON logs correctly +- Filebeat ships honeypot logs to Logstash +- Kibana dashboard displays honeypot data +- GeoIP enrichment shows attacker locations + +### Success Criteria + +- ✅ Elasticsearch cluster runs on port 9200 +- ✅ Logstash processes logs and forwards to Elasticsearch +- ✅ Filebeat ships honeypot logs within 30 seconds +- ✅ Kibana dashboard displays attack data +- ✅ GeoIP enrichment shows geographic attack patterns + +### Dashboard Setup + +1. **Create Index Pattern** + - Pattern: `honeypot-logs-*` + - Time field: `@timestamp` + +2. **Visualizations** + - World Map: Attack source locations + - Timeline: Attack frequency over time + - Top IPs: Most active attackers + - Usernames: Most attempted credentials + +### Troubleshooting + +**Common Issues**: +- Elasticsearch won't start: Check Java installation +- No logs in Kibana: Verify Filebeat → Logstash → Elasticsearch flow +- GeoIP not working: Install GeoIP database on Logstash + +This enables real-time attack visibility and threat intelligence extraction from honeypot logs. diff --git a/docs/terraform-setup.md b/docs/terraform-setup.md new file mode 100644 index 0000000..38f0701 --- /dev/null +++ b/docs/terraform-setup.md 
@@ -0,0 +1,51 @@ +# Terraform Setup Guide + +## Prerequisites +1. Install Terraform >= 1.0 +2. Configure AWS CLI with credentials +3. Create SSH key pair in AWS + +## Setup Steps + +### 1. Initialize Terraform +```bash +cd infrastructure/terraform +terraform init +``` + +### 2. Plan Deployment +```bash +terraform plan -var="key_name=your-key-name" +``` + +### 3. Apply Configuration +```bash +terraform apply -var="key_name=your-key-name" -auto-approve +``` + +### 4. Verify Deployment +```bash +# Get public IP +terraform output public_ip + +# Test SSH connection +ssh -i ~/.ssh/your-key.pem ec2-user@$(terraform output public_ip) +``` + +### 5. Cleanup (if needed) +```bash +terraform destroy -auto-approve +``` + +## Troubleshooting + +### Common Issues +- **SSH Key Not Found**: Ensure key pair exists in AWS region +- **Permission Denied**: Check SSH key permissions (chmod 400) +- **Instance Not Accessible**: Verify security group allows SSH + +### Next Steps +Once VM is accessible, proceed with: +1. Honeypot installation +2. Logging configuration +3. Multi-region setup diff --git a/infrastructure/terraform/main.tf b/infrastructure/terraform/main.tf new file mode 100644 index 0000000..9494ec2 --- /dev/null +++ b/infrastructure/terraform/main.tf @@ -0,0 +1,34 @@ +terraform { + required_version = ">= 1.0" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + } + + backend "local" { + path = "terraform.tfstate" + } +} + +provider "aws" { + region = var.aws_region +} + +# Call the VM module +module "honeypot_vm" { + source = "./modules/vm" + + instance_type = var.instance_type + ami_id = var.ami_id + key_name = var.key_name + subnet_id = var.subnet_id + + tags = { + Name = "honeynet-platform-initial" + Project = "honeynet-platform" + Environment = "development" + Purpose = "initial-setup" + } +} \ No newline at end of file 
diff --git a/infrastructure/terraform/modules/elasticsearch/main.tf b/infrastructure/terraform/modules/elasticsearch/main.tf new file mode 100644 index 0000000..422e5ac --- /dev/null +++ b/infrastructure/terraform/modules/elasticsearch/main.tf @@ -0,0 +1,49 @@ +# Elasticsearch Module +resource "aws_instance" "elasticsearch" { + ami = var.ami_id + instance_type = var.instance_type + key_name = var.key_name + subnet_id = var.subnet_id + + vpc_security_group_ids = [aws_security_group.elasticsearch_sg.id] + associate_public_ip_address = false + + tags = merge(var.tags, { + Name = "honeynet-elasticsearch" + }) +} + +# Security Group for Elasticsearch +resource "aws_security_group" "elasticsearch_sg" { + name = "elasticsearch-sg" + description = "Security group for Elasticsearch cluster" + vpc_id = var.vpc_id + + ingress { + description = "Elasticsearch HTTP" + from_port = 9200 + to_port = 9200 + protocol = "tcp" + cidr_blocks = [var.vpc_cidr] + } + + ingress { + description = "Elasticsearch transport" + from_port = 9300 + to_port = 9300 + protocol = "tcp" + cidr_blocks = [var.vpc_cidr] + } + + egress { + description = "Allow all outbound traffic" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "elasticsearch-sg" + } +} diff --git a/infrastructure/terraform/modules/elasticsearch/outputs.tf b/infrastructure/terraform/modules/elasticsearch/outputs.tf new file mode 100644 index 0000000..d6678c4 --- /dev/null +++ b/infrastructure/terraform/modules/elasticsearch/outputs.tf @@ -0,0 +1,14 @@ +output "elasticsearch_endpoint" { + description = "Elasticsearch endpoint URL" + value = "http://${aws_instance.elasticsearch.private_ip}:9200" +} + +output "elasticsearch_private_ip" { + description = "Private IP of Elasticsearch node" + value = aws_instance.elasticsearch.private_ip +} + +output "elasticsearch_id" { + description = "Instance ID of Elasticsearch" + value = aws_instance.elasticsearch.id +} 
diff --git a/infrastructure/terraform/modules/elasticsearch/user_data.sh b/infrastructure/terraform/modules/elasticsearch/user_data.sh new file mode 100644 index 0000000..d82a50f --- /dev/null +++ b/infrastructure/terraform/modules/elasticsearch/user_data.sh @@ -0,0 +1,37 @@ +#!/bin/bash +set -e + +# Update system +yum update -y + +# Install Java (required for Elasticsearch) +yum install -y java-1.8.0-openjdk + +# Install Elasticsearch +yum install -y https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.11.1-x86_64.rpm + +# Configure Elasticsearch +cat > /etc/elasticsearch/elasticsearch.yml << EOF +cluster.name: honeynet-cluster +node.name: ${HOSTNAME} +network.host: 0.0.0.0 +http.port: 9200 +discovery.type: single-node + +# Memory settings +bootstrap.memory_lock: true +xpack.security.enabled: false + +EOF + +# Create data directory +mkdir -p /var/lib/elasticsearch +chown -R elasticsearch:elasticsearch /var/lib/elasticsearch + +# Start Elasticsearch +systemctl enable elasticsearch +systemctl start elasticsearch + +echo "Elasticsearch installed and configured!" +echo "Node running on http://$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4):9200" +echo "Cluster: honeynet-cluster" diff --git a/infrastructure/terraform/modules/elasticsearch/variables.tf b/infrastructure/terraform/modules/elasticsearch/variables.tf new file mode 100644 index 0000000..5d129c0 --- /dev/null +++ b/infrastructure/terraform/modules/elasticsearch/variables.tf 
@@ -0,0 +1,36 @@ +variable "ami_id" { + description = "AMI ID for Elasticsearch nodes" + type = string +} + +variable "instance_type" { + description = "Instance type for Elasticsearch" + type = string + default = "t3.medium" +} + +variable "key_name" { + description = "SSH key name" + type = string +} + +variable "subnet_id" { + description = "Subnet ID for Elasticsearch" + type = string +} + +variable "vpc_id" { + description = "VPC ID" + type = string +} + +variable "vpc_cidr" { + description = "VPC CIDR block" + type = string +} + +variable "tags" { + description = "Tags to apply to resources" + type = map(string) + default = {} +} diff --git a/infrastructure/terraform/modules/filebeat/main.tf b/infrastructure/terraform/modules/filebeat/main.tf new file mode 100644 index 0000000..aec3494 --- /dev/null +++ b/infrastructure/terraform/modules/filebeat/main.tf 
@@ -0,0 +1,60 @@ +# Filebeat Configuration Template +resource "aws_instance" "honeypot" { + count = var.honeypot_count + + ami = var.ami_id + instance_type = var.instance_type + key_name = var.key_name + subnet_id = var.subnet_id + + vpc_security_group_ids = [aws_security_group.honeypot_sg.id] + associate_public_ip_address = true + user_data = templatefile("${path.module}/user_data.sh") + + tags = merge(var.tags, { + Name = "honeynet-honeypot-${count.index}" + }) +} + +# Security Group for Honeypot with Filebeat +resource "aws_security_group" "honeypot_sg" { + name = "honeypot-with-filebeat-sg" + description = "Security group for honeypot with Filebeat" + vpc_id = var.vpc_id + + ingress { + description = "SSH management" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = [var.allowed_ssh_cidr] + } + + ingress { + description = "Cowrie SSH honeypot" + from_port = 2222 + to_port = 2222 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + ingress { + description = "Cowrie Telnet honeypot" + from_port = 2223 + to_port = 2223 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + description = "Allow all outbound traffic" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "honeypot-with-filebeat-sg" + } +} diff --git a/infrastructure/terraform/modules/filebeat/user_data.sh b/infrastructure/terraform/modules/filebeat/user_data.sh new file mode 100644 index 0000000..e4f848b --- /dev/null +++ b/infrastructure/terraform/modules/filebeat/user_data.sh 
@@ -0,0 +1,52 @@ +#!/bin/bash +set -e + +# Update system +yum update -y + +# Install Filebeat +yum install -y https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.11.1-x86_64.rpm + +# Configure Filebeat for Cowrie logs +cat > /etc/filebeat/filebeat.yml << EOF +filebeat.inputs: +- type: log + enabled: true + paths: + - /opt/honeypot/cowrie/log/cowrie.json + +output.elasticsearch: + hosts: ["${elasticsearch_endpoint}:9200"] + index: "honeypot-logs-%{+yyyy.MM.dd}" + +processors: + - add_host_metadata: + when.not.contains.tags: forwarded + - dissect: + tokenizer: "%{TIMESTAMP_ISO8601} %{LOGLEVEL} %{EVENTID} %{SESSION} %{SENSOR} %{SRCIP} %{DSTIP} %{SRCPORT} %{DSTPORT} %{USERNAME} %{PASSWORD} %{COMMAND} %{VERSION} %{INPUT} %{OUTPUT}" + field: "message" + target_prefix: "cowrie." + +setup.kibana: + host: "${kibana_endpoint}" + +logging.level: info +logging.to_files: true +logging.files: + path: /var/log/filebeat + name: filebeat + keepfiles: 7 + permissions: 0644 + +EOF + +# Create log directory +mkdir -p /var/log/filebeat + +# Start Filebeat +systemctl enable filebeat +systemctl start filebeat + +echo "Filebeat installed and configured for Cowrie logs!" +echo "Shipping logs to Elasticsearch at ${elasticsearch_endpoint}" +echo "Kibana dashboard available at ${kibana_endpoint}" diff --git a/infrastructure/terraform/modules/filebeat/variables.tf b/infrastructure/terraform/modules/filebeat/variables.tf new file mode 100644 index 0000000..2aaeaf4 --- /dev/null +++ b/infrastructure/terraform/modules/filebeat/variables.tf 
@@ -0,0 +1,52 @@ +variable "ami_id" { + description = "AMI ID for honeypot instances" + type = string +} + +variable "instance_type" { + description = "Instance type for honeypot" + type = string + default = "t3.micro" +} + +variable "key_name" { + description = "SSH key name" + type = string +} + +variable "subnet_id" { + description = "Subnet ID for honeypot" + type = string +} + +variable "vpc_id" { + description = "VPC ID" + type = string +} + +variable "allowed_ssh_cidr" { + description = "CIDR block for SSH access" + type = string +} + +variable "elasticsearch_endpoint" { + description = "Elasticsearch endpoint" + type = string +} + +variable "kibana_endpoint" { + description = "Kibana endpoint" + type = string +} + +variable "honeypot_count" { + description = "Number of honeypot instances" + type = number + default = 1 +} + +variable "tags" { + description = "Tags to apply to resources" + type = map(string) + default = {} +} diff --git a/infrastructure/terraform/modules/kibana/main.tf b/infrastructure/terraform/modules/kibana/main.tf new file mode 100644 index 0000000..1286a4b --- /dev/null +++ b/infrastructure/terraform/modules/kibana/main.tf @@ -0,0 +1,41 @@ +# Kibana Module +resource "aws_instance" "kibana" { + ami = var.ami_id + instance_type = var.instance_type + key_name = var.key_name + subnet_id = var.subnet_id + + vpc_security_group_ids = [aws_security_group.kibana_sg.id] + associate_public_ip_address = true + + tags = merge(var.tags, { + Name = "honeynet-kibana" + }) +} + +# Security Group for Kibana +resource "aws_security_group" "kibana_sg" { + name = "kibana-sg" + description = "Security group for Kibana" + vpc_id = var.vpc_id + + ingress { + description = "Kibana HTTP" + from_port = 5601 + to_port = 5601 + protocol = "tcp" + cidr_blocks = [var.allowed_cidr] + } + + egress { + description = "Allow all outbound traffic" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "kibana-sg" + } +} 
diff --git a/infrastructure/terraform/modules/kibana/user_data.sh b/infrastructure/terraform/modules/kibana/user_data.sh new file mode 100644 index 0000000..518b237 --- /dev/null +++ b/infrastructure/terraform/modules/kibana/user_data.sh @@ -0,0 +1,28 @@ +#!/bin/bash +set -e + +# Update system +yum update -y + +# Install Kibana +yum install -y https://artifacts.elastic.co/downloads/kibana/kibana-8.11.1-x86_64.rpm + +# Configure Kibana +cat > /etc/kibana/kibana.yml << EOF +server.host: "0.0.0.0" +server.port: 5601 +elasticsearch.hosts: ["${ELASTICSEARCH_HOSTS}"] + +# Security settings +xpack.security.enabled: false +xpack.monitoring.ui.container.elasticsearch.enabled: false + +EOF + +# Start Kibana +systemctl enable kibana +systemctl start kibana + +echo "Kibana installed and configured!" +echo "Dashboard available at http://$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4):5601" +echo "Connected to Elasticsearch at ${ELASTICSEARCH_HOSTS}" diff --git a/infrastructure/terraform/modules/kibana/variables.tf b/infrastructure/terraform/modules/kibana/variables.tf new file mode 100644 index 0000000..d2e00f0 --- /dev/null +++ b/infrastructure/terraform/modules/kibana/variables.tf @@ -0,0 +1,37 @@ +variable "ami_id" { + description = "AMI ID for Kibana" + type = string +} + +variable "instance_type" { + description = "Instance type for Kibana" + type = string + default = "t3.small" +} + +variable "key_name" { + description = "SSH key name" + type = string +} + +variable "subnet_id" { + description = "Subnet ID for Kibana" + type = string +} + +variable "vpc_id" { + description = "VPC ID" + type = string +} + +variable "allowed_cidr" { + description = "CIDR block for Kibana access" + type = string + default = "0.0.0.0/0" +} + +variable "tags" { + description = "Tags to apply to resources" + type = map(string) + default = {} +} 
diff --git a/infrastructure/terraform/modules/logstash/main.tf b/infrastructure/terraform/modules/logstash/main.tf new file mode 100644 index 0000000..8e6eddc --- /dev/null +++ b/infrastructure/terraform/modules/logstash/main.tf @@ -0,0 +1,49 @@ +# Logstash Module +resource "aws_instance" "logstash" { + ami = var.ami_id + instance_type = var.instance_type + key_name = var.key_name + subnet_id = var.subnet_id + + vpc_security_group_ids = [aws_security_group.logstash_sg.id] + associate_public_ip_address = false + + tags = merge(var.tags, { + Name = "honeynet-logstash" + }) +} + +# Security Group for Logstash +resource "aws_security_group" "logstash_sg" { + name = "logstash-sg" + description = "Security group for Logstash" + vpc_id = var.vpc_id + + ingress { + description = "Logstash HTTP" + from_port = 5044 + to_port = 5044 + protocol = "tcp" + cidr_blocks = [var.vpc_cidr] + } + + ingress { + description = "Logstash Beats input" + from_port = 5044 + to_port = 5044 + protocol = "tcp" + cidr_blocks = [var.vpc_cidr] + } + + egress { + description = "Allow all outbound traffic" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "logstash-sg" + } +} diff --git a/infrastructure/terraform/modules/logstash/pipeline/cowrie.conf b/infrastructure/terraform/modules/logstash/pipeline/cowrie.conf new file mode 100644 index 0000000..193a7f2 --- /dev/null +++ b/infrastructure/terraform/modules/logstash/pipeline/cowrie.conf 
@@ -0,0 +1,48 @@ +input { + beats { + port => 5044 + } +} + +filter { + # Parse Cowrie JSON logs + json { + source => "message" + } + + # Add GeoIP enrichment + geoip { + source => "srcip" + target => "geoip" + } + + # Parse timestamp + date { + match => [ "timestamp", "ISO8601" ] + target => "@timestamp" + } + + # Extract key fields + mutate { + add_field => { + "log_type" => "honeypot" + "sensor_type" => "cowrie" + "environment" => "production" + } + } + + # Clean up fields + mutate { + remove_field => [ "host", "agent", "ecs", "input", "log" ] + } +} + +output { + elasticsearch { + hosts => ["${ELASTICSEARCH_HOSTS}"] + index => "honeypot-logs-%{+YYYY.MM.dd}" + template_name => "honeypot" + template_pattern => "honeypot-*" + template_overwrite => true + } +} diff --git a/infrastructure/terraform/modules/logstash/user_data.sh b/infrastructure/terraform/modules/logstash/user_data.sh new file mode 100644 index 0000000..f4c8e05 --- /dev/null +++ b/infrastructure/terraform/modules/logstash/user_data.sh 
@@ -0,0 +1,42 @@ +#!/bin/bash +set -e + +# Update system +yum update -y + +# Install Java (required for Logstash) +yum install -y java-1.8.0-openjdk + +# Install Logstash +yum install -y https://artifacts.elastic.co/downloads/logstash/logstash-8.11.1-x86_64.rpm + +# Create Logstash directories +mkdir -p /etc/logstash/conf.d +mkdir -p /opt/logstash/pipeline + +# Configure Logstash +cat > /etc/logstash/logstash.yml << EOF +path.data: /var/lib/logstash +path.config: /etc/logstash/conf.d +pipeline.workers: 2 +pipeline.batch.size: 125 +pipeline.batch.delay: 50 + +http.host: "0.0.0.0" +http.port: 9600 + +EOF + +# Copy pipeline configuration +cp /opt/logstash/pipeline/cowrie.conf /etc/logstash/conf.d/ + +# Create log directory +mkdir -p /var/log/logstash + +# Start Logstash +systemctl enable logstash +systemctl start logstash + +echo "Logstash installed and configured!" +echo "Processing Cowrie logs from Filebeat on port 5044" +echo "Elasticsearch output configured for ${ELASTICSEARCH_HOSTS}" diff --git a/infrastructure/terraform/modules/logstash/variables.tf b/infrastructure/terraform/modules/logstash/variables.tf new file mode 100644 index 0000000..f13c7ea --- /dev/null +++ b/infrastructure/terraform/modules/logstash/variables.tf @@ -0,0 +1,41 @@ +variable "ami_id" { + description = "AMI ID for Logstash" + type = string +} + +variable "instance_type" { + description = "Instance type for Logstash" + type = string + default = "t3.medium" +} + +variable "key_name" { + description = "SSH key name" + type = string +} + +variable "subnet_id" { + description = "Subnet ID for Logstash" + type = string +} + +variable "vpc_id" { + description = "VPC ID" + type = string +} + +variable "vpc_cidr" { + description = "VPC CIDR block" + type = string +} + +variable "elasticsearch_hosts" { + description = "Elasticsearch hosts" + type = string +} + +variable "tags" { + description = "Tags to apply to resources" + type = map(string) + default = {} +} 
diff --git a/infrastructure/terraform/modules/vm/main.tf b/infrastructure/terraform/modules/vm/main.tf new file mode 100644 index 0000000..83e5c2e --- /dev/null +++ b/infrastructure/terraform/modules/vm/main.tf @@ -0,0 +1,74 @@ +# Get default VPC +data "aws_vpc" "default" { + default = true +} + +# Get default subnets +data "aws_subnets" "default" { + filter { + name = "vpc-id" + values = [data.aws_vpc.default.id] + } +} + +# Use provided subnet or default to first available subnet +locals { + subnet_id = var.subnet_id != "" ? var.subnet_id : data.aws_subnets.default.ids[0] +} + +# Security group for SSH access +resource "aws_security_group" "honeypot_sg" { + name = "honeypot-ssh-sg" + description = "Security group for honeypot VM with SSH access" + vpc_id = data.aws_vpc.default.id + + ingress { + description = "SSH access" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = [var.allowed_ssh_cidr] + } + + egress { + description = "Allow all outbound traffic" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + ingress { + description = "Honeypot access" + from_port = 2222 + to_port = 2222 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + ingress { + description = "Honeypot access" + from_port = 2223 + to_port = 2223 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "honeypot-ssh-sg" + } +} + +# EC2 Instance +resource "aws_instance" "honeypot" { + ami = var.ami_id + instance_type = var.instance_type + key_name = var.key_name + subnet_id = local.subnet_id + vpc_security_group_ids = [aws_security_group.honeypot_sg.id] + associate_public_ip_address = true + + tags = merge(var.tags, { + Name = "honeynet-platform-vm" + }) +} diff --git a/infrastructure/terraform/modules/vm/output.tf b/infrastructure/terraform/modules/vm/output.tf new file mode 100644 index 0000000..0551970 --- /dev/null +++ b/infrastructure/terraform/modules/vm/output.tf 
@@ -0,0 +1,14 @@ +output "public_ip" { + description = "Public IP address of the VM" + value = aws_instance.vm.public_ip +} + +output "instance_id" { + description = "Instance ID of the VM" + value = aws_instance.vm.id +} + +output "honeypot_status" { + description = "Status of Cowrie honeypot installation" + value = "Cowrie SSH honeypot installed on port 2222, Telnet on port 2223" +} diff --git a/infrastructure/terraform/modules/vm/outputs.tf b/infrastructure/terraform/modules/vm/outputs.tf new file mode 100644 index 0000000..a855b91 --- /dev/null +++ b/infrastructure/terraform/modules/vm/outputs.tf @@ -0,0 +1,19 @@ +output "public_ip" { + description = "Public IP address of the VM" + value = aws_instance.honeypot.public_ip +} + +output "instance_id" { + description = "Instance ID of the created VM" + value = aws_instance.honeypot.id +} + +output "private_ip" { + description = "Private IP address of the VM" + value = aws_instance.honeypot.private_ip +} + +output "security_group_id" { + description = "Security group ID" + value = aws_security_group.honeypot_sg.id +} diff --git a/infrastructure/terraform/modules/vm/user_data.sh b/infrastructure/terraform/modules/vm/user_data.sh new file mode 100644 index 0000000..4bd924a --- /dev/null +++ b/infrastructure/terraform/modules/vm/user_data.sh 
@@ -0,0 +1,77 @@ +#!/bin/bash +set -e + +# Update system +yum update -y + +# Install Docker +yum install -y docker +systemctl start docker +systemctl enable docker + +# Install git +yum install -y git + +# Create honeypot directory +mkdir -p /opt/honeypot +cd /opt/honeypot + +# Clone Cowrie +git clone https://github.com/cowrie/cowrie.git +cd cowrie + +# Install Python dependencies +yum install -y python3 python3-pip +pip3 install -r requirements.txt + +# Create cowrie user +useradd -m -s /bin/bash cowrie +chown -R cowrie:cowrie /opt/honeypot/cowrie + +# Copy configuration template +cp etc/cowrie.cfg.dist etc/cowrie.cfg + +# Configure Cowrie to listen on port 2222 +sed -i 's/ssh_port = 2222/ssh_port = 2222/' etc/cowrie.cfg +sed -i 's/telnet_port = 2223/telnet_port = 2223/' etc/cowrie.cfg + +# Enable JSON output +sed -i 's/\[output_json\]/\[output_json\]/' etc/cowrie.cfg +sed -i 's/# enabled = false/enabled = true/' etc/cowrie.cfg + +# Create log directory +mkdir -p /opt/honeypot/cowrie/log +chown cowrie:cowrie /opt/honeypot/cowrie/log + +# Create systemd service +cat > /etc/systemd/system/cowrie.service << EOF +[Unit] +Description=Cowrie Honeypot +After=network.target docker.service + +[Service] +Type=simple +User=cowrie +WorkingDirectory=/opt/honeypot/cowrie +ExecStart=/usr/bin/python3 /opt/honeypot/cowrie/bin/cowrie start +Restart=always +RestartSec=10 + +[Install] +WantedBy=multi-user.target +EOF + +# Enable and start Cowrie +systemctl daemon-reload +systemctl enable cowrie +systemctl start cowrie + +# Configure firewall +firewall-cmd --permanent --add-port=2222/tcp +firewall-cmd --permanent --add-port=2223/tcp +firewall-cmd --reload + +echo "Cowrie honeypot installed and configured!" +echo "SSH honeypot listening on port 2222" +echo "Telnet honeypot listening on port 2223" +echo "Logs available at /opt/honeypot/cowrie/log/" 
diff --git a/infrastructure/terraform/modules/vm/variables.tf b/infrastructure/terraform/modules/vm/variables.tf new file mode 100644 index 0000000..458fba8 --- /dev/null +++ b/infrastructure/terraform/modules/vm/variables.tf @@ -0,0 +1,31 @@ +variable "instance_type" { + description = "EC2 instance type" + type = string +} + +variable "ami_id" { + description = "AMI ID for the VM" + type = string +} + +variable "key_name" { + description = "SSH key pair name" + type = string +} + +variable "subnet_id" { + description = "Subnet ID for VM deployment" + type = string +} + +variable "allowed_ssh_cidr" { + description = "CIDR blocks allowed for SSH access" + type = string + default = "0.0.0.0/0" +} + +variable "tags" { + description = "Tags to apply to resources" + type = map(string) + default = {} +} \ No newline at end of file diff --git a/infrastructure/terraform/outputs.tf b/infrastructure/terraform/outputs.tf new file mode 100644 index 0000000..51ae2cc --- /dev/null +++ b/infrastructure/terraform/outputs.tf @@ -0,0 +1,14 @@ +output "public_ip" { + description = "Public IP address of the honeypot VM" + value = module.honeypot_vm.public_ip +} + +output "instance_id" { + description = "Instance ID of the created VM" + value = module.honeypot_vm.instance_id +} + +output "ssh_connection_command" { + description = "Command to connect via SSH" + value = "ssh -i ~/.ssh/${var.key_name}.pem ec2-user@${module.honeypot_vm.public_ip}" +} \ No newline at end of file diff --git a/infrastructure/terraform/provider.tf b/infrastructure/terraform/provider.tf new file mode 100644 index 0000000..26aea0e --- /dev/null +++ b/infrastructure/terraform/provider.tf @@ -0,0 +1,11 @@ +provider "aws" { + region = var.aws_region + + default_tags { + tags = { + Project = "honeynet-platform" + ManagedBy = "terraform" + Environment = "development" + } + } +} \ No newline at end of file 
diff --git a/infrastructure/terraform/variables.tf b/infrastructure/terraform/variables.tf new file mode 100644 index 0000000..bbcbf4a --- /dev/null +++ b/infrastructure/terraform/variables.tf @@ -0,0 +1,34 @@ +variable "aws_region" { + description = "AWS region for deployment" + type = string + default = "us-east-1" +} + +variable "instance_type" { + description = "EC2 instance type" + type = string + default = "t2.micro" +} + +variable "ami_id" { + description = "AMI ID for the VM" + type = string + default = "ami-0c02fb55956c7d316" # Amazon Linux 2 +} + +variable "key_name" { + description = "SSH key pair name" + type = string +} + +variable "subnet_id" { + description = "Subnet ID for VM deployment" + type = string + default = "" +} + +variable "allowed_ssh_cidr" { + description = "CIDR blocks allowed for SSH access" + type = string + default = "0.0.0.0/0" +} \ No newline at end of file
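Review bot: In the README.md hunk, the Verification step `ssh -i ~/.ssh/your-key.pem ec2-user@$(terraform output public_ip)` will not connect on the Terraform >= 1.0 the Prerequisites require: `terraform output public_ip` prints the string JSON-quoted, so the target becomes `ec2-user@"1.2.3.4"`. Use `terraform output -raw public_ip` in the substitution. The Architecture paragraph says the current implementation "provisions a single VM", which matches main.tf (only `module "honeypot_vm"` is called), so the ELK modules added elsewhere in this patch are not reachable from this root module yet; say so here or wire them in.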
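Review bot: The docs/elk-verification.md hunk describes behaviour that the code in this patch does not implement. Step 1 runs `terraform apply -var="create_elk_stack=true"`, but no `create_elk_stack` variable is declared in infrastructure/terraform/variables.tf and infrastructure/terraform/main.tf instantiates no elasticsearch, logstash, kibana or filebeat module, so the apply either errors on the undeclared variable or creates nothing ELK-related. "Filebeat ships honeypot logs to Logstash" contradicts modules/filebeat/user_data.sh, which configures `output.elasticsearch` and bypasses Logstash. The "Test pipeline" step pipes JSON into `curl -XPOST http://:5044`, but 5044 is the Beats (lumberjack) input declared in cowrie.conf, not an HTTP listener, so the request is rejected. Every URL in the guide has an empty host (`http://:9200/_cluster/health`), apparently a stripped placeholder; restore it so the steps are copy-pasteable. Align the guide with whichever topology is intended before merging.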
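Review bot: The docs/terraform-setup.md hunk has the same `$(terraform output public_ip)` problem as the README: on Terraform >= 1.0 the value is printed quoted, so use `terraform output -raw public_ip`. Step 3 recommends `terraform apply ... -auto-approve` directly after a `terraform plan` in a separate invocation; for a setup guide, showing `terraform apply` without `-auto-approve` lets the operator review the plan that is actually applied. The Troubleshooting item "Permission Denied: Check SSH key permissions (chmod 400)" is correct and worth keeping.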
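Review bot: In the infrastructure/terraform/main.tf hunk, the `provider "aws"` block duplicates the one in infrastructure/terraform/provider.tf; two default configurations of the same provider in one root module fail with "Duplicate provider configuration", so keep only the provider.tf one (it also carries `default_tags`). The root variables.tf declares `allowed_ssh_cidr`, but `module "honeypot_vm"` never passes it, so the vm module falls back to its own `0.0.0.0/0` default regardless of what the operator sets; add `allowed_ssh_cidr = var.allowed_ssh_cidr` to the module call. The `backend "local"` keeps the state file, including instance IPs and the key name, beside the code; fine for a development setup, but a comment saying it must move to a remote backend before anything shared would help the next contributor.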
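Review bot: In the infrastructure/terraform/modules/elasticsearch/main.tf hunk, `aws_instance.elasticsearch` never sets `user_data`, so modules/elasticsearch/user_data.sh is never executed and the node boots as a bare AMI; add `user_data = file("${path.module}/user_data.sh")`. The rest of the shape is right for a cluster that runs with security disabled: no public IP, and 9200/9300 admitted only from `var.vpc_cidr`.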
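Review bot: In the infrastructure/terraform/modules/elasticsearch/user_data.sh hunk, `bootstrap.memory_lock: true` together with `network.host: 0.0.0.0` puts Elasticsearch into production-mode bootstrap checks, and the memory-lock check fails unless the systemd unit is given `LimitMEMLOCK=infinity` through a drop-in under /etc/systemd/system/elasticsearch.service.d/, so the service will not start; add the override or remove the setting. `yum install -y java-1.8.0-openjdk` is unnecessary for 8.11.1, which ships its own JDK. The closing echo reads `public-ipv4` from the metadata service, but the instance is created with `associate_public_ip_address = false`, so it prints an empty host; use `local-ipv4`. `xpack.security.enabled: false` means anything inside the VPC CIDR can read and delete the honeypot indices; that is the stated development trade-off, but it conflicts with the `"environment" => "production"` tag set in the Logstash pipeline.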
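Review bot: In the infrastructure/terraform/modules/filebeat/main.tf hunk, `user_data = templatefile("${path.module}/user_data.sh")` is missing the mandatory second argument (the variables map) and fails at plan time; since the script references `${elasticsearch_endpoint}` and `${kibana_endpoint}`, pass `{ elasticsearch_endpoint = var.elasticsearch_endpoint, kibana_endpoint = var.kibana_endpoint }`. Even then the template will not render: the script contains `%{+yyyy.MM.dd}` and the dissect tokens such as `%{TIMESTAMP_ISO8601}`, which `templatefile` parses as template directives; escape them as `%%{...}` or drop the dissect processor. The resource is named "honeypot" and opens 2222/2223 to the world, but its user_data installs only Filebeat, not Cowrie, so `/opt/honeypot/cowrie/log/cowrie.json` never exists on these hosts; reuse the vm module's install script or merge the two. Leaving `allowed_ssh_cidr` without a default, as this module's variables.tf does, is the safer pattern and the vm module should match it.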
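Review bot: In the infrastructure/terraform/modules/filebeat/user_data.sh hunk, the output is `output.elasticsearch`, so the Logstash pipeline (json decode, GeoIP, date, field normalisation) is never applied to anything; for the Filebeat -> Logstash -> Elasticsearch flow the docs describe, use `output.logstash:` with `hosts: ["<logstash-private-ip>:5044"]`. `hosts: ["${elasticsearch_endpoint}:9200"]` doubles the port, because the elasticsearch module's `elasticsearch_endpoint` output is already `http://<ip>:9200`. The dissect processor applies a space-delimited tokenizer to the `message` field, but cowrie.json is one JSON object per line, so the tokenizer fails on every event; decode it with the input's `json.keys_under_root: true` and `json.add_error_key: true` instead. `permissions: 0644` on Filebeat's own logs is harmless but 0600 is the usual choice for agent logs.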
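Review bot: In the infrastructure/terraform/modules/kibana/main.tf hunk, the instance gets a public IP and port 5601 is admitted from `var.allowed_cidr`, whose default in modules/kibana/variables.tf is `0.0.0.0/0`; combined with `xpack.security.enabled: false` in user_data.sh this exposes an unauthenticated Kibana, including Dev Tools access to the Elasticsearch indices, to the whole Internet. Remove the default so the caller must supply an operator CIDR (or reach Kibana over an SSH tunnel/VPN with no public IP), and plan to enable security before any data is tagged "production". Separately, `aws_instance.kibana` never references user_data.sh, so nothing actually installs Kibana.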
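Review bot: In the infrastructure/terraform/modules/kibana/user_data.sh hunk, `${ELASTICSEARCH_HOSTS}` is never defined: the file is a plain bash script with an unquoted heredoc, so the variable expands to an empty string and kibana.yml ends up with `elasticsearch.hosts: [""]`. Render the script with `templatefile` and feed it the elasticsearch module's `elasticsearch_endpoint` output. Also check `xpack.security.enabled` against the 8.11 Kibana settings reference: that key was removed from kibana.yml in the 8.0 line and Kibana refuses to start on unknown settings, so the service may die at boot even once the hosts value is fixed.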
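Review bot: In the infrastructure/terraform/modules/logstash/main.tf hunk, the two ingress blocks ("Logstash HTTP" and "Logstash Beats input") authorise the identical rule, tcp/5044 from `var.vpc_cidr`; AWS rejects the second as a duplicate permission at apply time, so keep only the Beats one. As with the other modules, `aws_instance.logstash` sets no `user_data`, and `var.elasticsearch_hosts` from variables.tf is never used, so the Elasticsearch address never reaches the box. logstash.yml binds the monitoring API to `0.0.0.0:9600`; no SG rule opens that port, which is fine, but binding it to 127.0.0.1 avoids depending on the SG alone.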
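Review bot: In the infrastructure/terraform/modules/logstash/pipeline/cowrie.conf hunk, `geoip { source => "srcip" }` targets a field Cowrie never emits: its JSON output names the address `src_ip` (alongside `src_port`, `dst_ip`, `dst_port`, `session`, `eventid`), so no event is ever enriched and the "GeoIP not working" entry in docs/elk-verification.md is guaranteed; change it to `source => "src_ip"`. `hosts => ["${ELASTICSEARCH_HOSTS}"]` relies on Logstash's environment-variable substitution, but neither the systemd unit nor user_data.sh exports that variable, so Logstash fails to load the pipeline. `"environment" => "production"` contradicts the `Environment = "development"` tags used everywhere else in the patch.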
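Review bot: In the infrastructure/terraform/modules/logstash/user_data.sh hunk, `cp /opt/logstash/pipeline/cowrie.conf /etc/logstash/conf.d/` copies a file nothing has placed on the instance (cowrie.conf lives in the Terraform module directory, not on the host), so under `set -e` the script aborts before `systemctl enable logstash` runs. Embed the rendered pipeline in the script through `templatefile` and a heredoc, or fetch it from a bucket. `${ELASTICSEARCH_HOSTS}` in the final echo is likewise unset, and the Java 8 install is unnecessary for Logstash 8.11.1, which bundles its JDK.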
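Review bot: In the infrastructure/terraform/modules/vm/main.tf hunk, `aws_instance.honeypot` has no `user_data`, so modules/vm/user_data.sh never runs and the `honeypot_status` output in output.tf asserts an install that did not happen; add `user_data = file("${path.module}/user_data.sh")`. Management SSH on 22 is admitted from `var.allowed_ssh_cidr`, which defaults to `0.0.0.0/0` in modules/vm/variables.tf and in the root variables.tf: the host's real sshd is then as reachable as the decoy on 2222, and the brute-force traffic the honeypot is meant to attract also reaches the administrative port. Drop the default and require an explicit operator CIDR. The security group is also pinned to `data.aws_vpc.default.id` while the instance accepts a caller-supplied `var.subnet_id`; a subnet in any other VPC would fail to attach.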
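Review bot: The infrastructure/terraform/modules/vm/output.tf and outputs.tf hunks both declare `output "public_ip"` and `output "instance_id"` in the same module, which is a duplicate-output error, and output.tf references `aws_instance.vm`, a resource that does not exist (the instance is `aws_instance.honeypot`). Delete output.tf; if `honeypot_status` is wanted, it belongs in outputs.tf, and as a hard-coded string it should say that it describes intent rather than a checked state.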
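Review bot: In the infrastructure/terraform/modules/vm/user_data.sh hunk, `ExecStart=/usr/bin/python3 /opt/honeypot/cowrie/bin/cowrie start` feeds Cowrie's shell wrapper to the Python interpreter, which fails immediately, and `cowrie start` daemonises through twistd, which does not suit `Type=simple` with `Restart=always`; invoke `bin/cowrie start` directly with `Type=forking` as in Cowrie's own systemd example, or run it in the foreground. The configuration edits are mostly no-ops: both `ssh_port`/`telnet_port` seds replace a string with itself, current cowrie.cfg.dist sets listeners via `listen_endpoints = tcp:2222:interface=0.0.0.0` under `[ssh]` and `[telnet]`, and Cowrie's JSON output section is `[output_jsonlog]`, not `[output_json]`; meanwhile `sed -i 's/# enabled = false/enabled = true/'` is global and flips every commented-out output plugin in the file. Write the few overrides into `etc/cowrie.cfg` (Cowrie layers it over cowrie.cfg.dist) instead of sed. `firewall-cmd` is not installed on Amazon Linux 2, the AMI pinned in the root variables.tf, so `set -e` aborts the script there; the security group already opens 2222/2223. Docker is installed but never used, and `pip3 install -r requirements.txt` installs Cowrie's dependencies system-wide as root rather than in the cowrie-owned virtualenv its documentation uses.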
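Review bot: In the infrastructure/terraform/variables.tf hunk, `ami_id` defaults to the fixed ID `ami-0c02fb55956c7d316` while `aws_region` is independently overridable; AMI IDs are region-specific, so changing only the region yields an AMI-not-found error at apply. Either document the coupling or resolve the image with a `data "aws_ami"` lookup restricted to `owners = ["amazon"]` and the Amazon Linux 2 name pattern, which also keeps the image source pinned to a trusted publisher. `allowed_ssh_cidr` defaulting to `0.0.0.0/0` is the same exposure flagged on the vm module and should have no default here either. The root `instance_type` default is `t2.micro` while every module defaults to a t3 size; pick one family.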