
AWS ECS Setup for ModSecurity Honeypot

Attila Greguss edited this page Jan 6, 2020 · 3 revisions

Basic AWS Amazon Elastic Container Service (ECS) Setup for Modsecurity Honeypot

This setup is purely command line with aws-cli. It shows how to create a task for the docker image, then how to create an Elastic Container Service (ECS) Service. This tutorial also shows how to set up a Cluster with a Virtual Private Cloud (VPC) from the ground up for the Service, but if you know what you are doing, only a cluster id, a subnet id and a network security group id are needed for the Service (plus the task id we created).


This tutorial assumes you cloned the repository in your home folder.

0. Install and Set up aws-cli (if not installed)

  1. Install aws-cli on your system

  2. Go to

  3. Create or use an Access Key from the "Access Keys" section

    You need:

    • Access Key ID

    • Secret Access Key

    • Default Region ID - what is displayed at the region selection, like "eu-west-1"

    • Default output format (can be none)

Configure aws-cli:

aws configure
#follow the steps

1. Set up the AWS Task for the docker container

The docker image used for this task can be found here:

  1. Edit the following entries in honeytraps/waf_modsec/aws-ecs-container-definition.json:

    • Change the "LOGSTASH_HOST" env value to your logstash server IP and port

    • Change "awslogs-region" in "logConfiguration" to your region

  2. Create the task:

cd ~/Honeypot-Project/honeytraps/waf_modsec
# file:// lets aws-cli read the JSON itself; an unquoted $(cat ...) would be word-split into separate arguments
aws ecs register-task-definition --cli-input-json file://aws-ecs-container-definition.json

You can observe the created task here. Note that running this command creates a new revision of the task definition instead of overwriting it.

2. Create a Cluster for the Honeypot (if you want to use an existing one, just skip this)

Creating a cluster to run services in:

aws ecs create-cluster --cluster-name "modsec-honeytrap"

You can observe the created cluster here.

3. Create the networking for the cluster and service

This is a specific example; the IP and subnet ranges can be changed freely.

  1. Create a Virtual Private Cloud (VPC) if you need a separate one (reference):

    aws ec2 create-vpc --cidr-block <vpc-cidr>
    # note the VpcId
    aws ec2 create-internet-gateway
    # note the InternetGatewayId
    # Attach the internet gateway to the private cloud
    aws ec2 attach-internet-gateway --internet-gateway-id <internetGateway-id> --vpc-id <vpc-id>
    # Find the route table id
    aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>
    # note the RouteTableId
    # Add a route to the gateway in the route table (typically 0.0.0.0/0 so the subnet can reach the internet)
    aws ec2 create-route --route-table-id <route-table-id> --destination-cidr-block <destination-cidr> --gateway-id <internetGateway-id>

    Please note the "VpcId" in the output.

  2. Create a subnet in the VPC that the service will use:

    aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block <subnet-cidr>

    Please note the "SubnetId" field's value in the output.

  3. Create a security group (port rules) in the Virtual Private Cloud that the Service will use.

    This is not strictly necessary, as a default group is created with the VPC, but it is good practice to give each service its own group.

    aws ec2 create-security-group --group-name "EC2Container-honeytrap" --description "Port rules for the Honeytrap Docker Container" --vpc-id <vpc-id>
    # Adding the required rules; <source-cidr> is the range allowed to reach the honeypot ports
    aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --cidr <source-cidr> --port 80
    aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --cidr <source-cidr> --port 8080
    aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --cidr <source-cidr> --port 8000
    aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --cidr <source-cidr> --port 8888

    Please note the group ID.

    aws ec2 create-network-interface --description "HoneyTrap Network Interface" --subnet-id <subnet-id> --groups <group-id>

Note: You can do most (not all) of this through the Web UI here as well.

4. Create Service responsible for the Task created above and link them together

This will be added to the Cluster and run there using FARGATE (serverless).

  1. Create Service using the Subnet ID and the Security Group ID:

    aws ecs create-service \
    --service-name "honeytrap-service" \
    --cluster "modsec-honeytrap" \
    --task-definition "honeytrap" \
    --desired-count 1 \
    --launch-type "FARGATE" \
    --network-configuration "awsvpcConfiguration={subnets=[<subnet-id>],securityGroups=[<securitygroup-id>],assignPublicIp=ENABLED}"

    If all went well the Service is created and can be observed here.

    • Select "Tasks" tab

    • Select the running task (Click on the Task id)

    • Observe the Public IP address

    • Expand the Container and click on "View logs in CloudWatch" to see the docker output
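The networking and service steps above as one script, an added example rather than the project's own code: it captures each ID with --query/--output text instead of copying it by hand, checks the prefix of every captured ID before passing it on, registers the task from the JSON via file://, and pins the service to the revision that was just registered. The CIDR ranges, the 0.0.0.0/0 source range for the honeypot ports and the script name are assumptions; the names, ports and cluster mirror the page.

```shell
# Added example, not the project's own script: sections 3 and 4 run end to end,
# each ID captured with --query/--output text instead of copied by hand.
set -eu
VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"        # assumption: the page's range was not preserved
SUBNET_CIDR="${SUBNET_CIDR:-10.0.1.0/24}"  # assumption
SOURCE_CIDR="0.0.0.0/0"                    # assumption: a honeypot is meant to be reachable from anywhere
HONEYPOT_PORTS="80 8080 8000 8888"         # the ports the page opens
CLUSTER="modsec-honeytrap"
# Fail early when a captured ID is empty or has the wrong prefix, rather than
# feeding it into the next command.
require_id() {  # require_id <prefix> <value>
  case "$2" in "$1"*) return 0 ;; esac
  echo "expected an ID starting with '$1', got '$2'" >&2; return 1
}
# VPC, internet gateway, default route, subnet and security group; prints "<subnet-id> <sg-id>".
provision_network() {
  vpc=$(aws ec2 create-vpc --cidr-block "$VPC_CIDR" --query 'Vpc.VpcId' --output text)
  require_id vpc- "$vpc"
  igw=$(aws ec2 create-internet-gateway --query 'InternetGateway.InternetGatewayId' --output text)
  aws ec2 attach-internet-gateway --internet-gateway-id "$igw" --vpc-id "$vpc"
  rtb=$(aws ec2 describe-route-tables --filters "Name=vpc-id,Values=$vpc" \
        --query 'RouteTables[0].RouteTableId' --output text)
  aws ec2 create-route --route-table-id "$rtb" --destination-cidr-block 0.0.0.0/0 --gateway-id "$igw" >/dev/null
  subnet=$(aws ec2 create-subnet --vpc-id "$vpc" --cidr-block "$SUBNET_CIDR" --query 'Subnet.SubnetId' --output text)
  require_id subnet- "$subnet"
  sg=$(aws ec2 create-security-group --group-name EC2Container-honeytrap \
       --description "Port rules for the Honeytrap Docker Container" --vpc-id "$vpc" --query 'GroupId' --output text)
  require_id sg- "$sg"
  for port in $HONEYPOT_PORTS; do  # only the honeypot's own listeners are exposed
    aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port "$port" --cidr "$SOURCE_CIDR" >/dev/null
  done
  echo "$subnet $sg"
}
# Registers the edited task JSON (file:// rather than an unquoted $(cat ...), which
# word-splits the JSON) and creates the Fargate service pinned to that revision.
create_service() {  # create_service <subnet-id> <sg-id>
  taskdef=$(aws ecs register-task-definition --cli-input-json file://aws-ecs-container-definition.json \
            --query 'taskDefinition.taskDefinitionArn' --output text)
  require_id arn:aws:ecs: "$taskdef"
  aws ecs create-service --service-name honeytrap-service --cluster "$CLUSTER" --task-definition "$taskdef" \
    --desired-count 1 --launch-type FARGATE --query 'service.serviceArn' --output text \
    --network-configuration "awsvpcConfiguration={subnets=[$1],securityGroups=[$2],assignPublicIp=ENABLED}"
}
main() {  # run from honeytraps/waf_modsec:  sh ./setup.sh --apply   (script name is an assumption)
  aws ecs create-cluster --cluster-name "$CLUSTER" >/dev/null
  set -- $(provision_network)
  create_service "$1" "$2"
}
if [ "${1:-}" = "--apply" ]; then main; fi
```

The functions can also be sourced and called one at a time, which is useful when the cluster or VPC already exists and only the later steps are needed.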
