So I wanted to do something which has been done many times before, and that was to create an SSH honeypot for some threat intelligence collection purposes. The twist to this is that I want to send the results to MISP, and I came across a few hiccups along the way. I've previously blogged about Fail2Ban and it got me thinking: what if I added a secondary action to send the resulting banned IP into MISP?
Docker is something that I've not fully embraced to date. I know, I know… I'm a little late off the mark, but as I get to know Docker more, I can see that it has some worthwhile advantages for me in some of the projects I use, and generally getting to know technology is never a bad thing. For instance, why spin up a single server for a service that only uses 1 of the 65535 ports when 99% of the time that server will most likely be idle?
In the previous article I covered all the steps and code that were required so that I could add a contact form with a reCaptcha on this very blog. These are the actual implementation steps I took to include them. Don't worry, the hard part has been done in part 1!
Create contact form
Using the client side HTML code I created the /content/contact.html file, ensuring that I included the correct API Gateway URLs for the POST requests and the reCaptcha site key.
“You need to add reCaptcha to your webforms” - it's advice I've given out to security teams each time I see a malicious link or some spam pusher in the resulting email. It's the poor user who cops the brunt of them, increasing the chance of a click, increasing that chance of compromise. Reading through form spam is just a waste of time for everyone. I recall an instance where an internal security team misconfigured a tool they were using, set it to run overnight, and that mailbox ended up with 35k+ emails in it.
Last month in AWS saw me rack up a bill of US$0.86, and with the terrible US/AUD exchange rate I'm out of pocket a whole AUD$1.30. As I'm playing around with new technology and integrating various services that AWS provides, I touched a few services this month, and discovered I should probably decommission services I'm not actually using anymore. No surprise to me that I exceeded the free tier limits for S3.
This is a project that I have wanted to get working for some time now, but every time I tried it, it failed on me. There was always some dependency error or some random obscure error. I've used url2png.com in the past to capture screenshots of malicious and unknown websites, and while I have scripts that replicate this functionality via PowerShell, I'm not comfortable running that script on a production machine at work.
OK - so way too much time has passed since I've updated this blog. Way too much time. I guess it's easy to become so bogged down with home life, study and work, and I've had a bit on my plate of recent. In all this time that has passed, sadly I feel like I don't have much to show for it. On the work front, I'm nearly 6 months into a job I'm really loving, working with great people, awesome tech and heaps to learn.
Last month in AWS saw me rack up a bill of US$3.52, and while I expected this to be lower compared to last month, it turns out I got a little trigger happy with EC2 and S3. This was primarily due to the Detection Lab infrastructure that I was playing with. EBS stored volumes caused by AMIs will cause your bill to shoot up quite quickly. I was also still performing some other lab based stuff and introduced SES into my permanent list of services I'll be using.
With the local lab built, these are the instructions for getting the Detection Lab into AWS.
How to stand up DetectionLab in AWS - Part II
Pre-requisites
Part I - Local Install
Terraform installation
Export VMs as OVAs
Shutdown each VM and open up the VirtualBox GUI. Select each VM and select “File, Export Appliance”.
Select the VM to export
Select the output file
Enter in any additional product information.
Recently I was made aware of a GitHub project by Chris Long named “Detection Lab” which allows blue teams to see what a particular piece of malware does in an environment and, conversely, allows the red team to see what breadcrumbs their software may leave behind. It's a 4-server lab consisting of:
Microsoft Windows AD Server
Splunk Logging
A Windows Event Forwarding Server
Client Win10 machine
Based off the back of last week's CyberGym training and the fact that there are Terraform templates for this setup, I decided to give this a shot.
Email for the blog? Well, that was the next thing I was wanting to tick off the list. Not only for the blog (I'm 99.99% certain I won't ever get an email), but I've always wanted to just pass out throwaway email addresses for when I attend conferences - just to see who's giving my email address around. Luckily AWS have a solution called Simple Email Service (SES) which is designed for just this use case.
Last month in AWS saw me rack up a bill of $3.40, and I expect this to be much lower next month now that I have abandoned Lightsail. The cost breakdown was as follows: As you can see, I did hit a wide range of services for the month, and most of the stuff I played with had a free tier limit applied. It's great for spinning up a lab or three and the cost really was minimal.