Email Alerts for Amazon AWS Honeypots (ubuntu postfix)

Hello,

In my last post, Oh yes, wait a minute Mister Postman – OpenWRT as Mailrelay/MTA, I explained how to set up an email relay in your local network that sends email alerts on honeypot activity.

A couple of days ago I also reblogged an article about how to set up a honeypot in the Amazon AWS cloud.

So what if you want to get alerted via email by the Amazon AWS based honeypot?
The logical step is to set up the Amazon Simple Email Service (SES) as the mail relay:

How to configure an Amazon based Ubuntu server (the honeypot) to relay email via Amazon SES:

1. Enable SES Email targets

If you have signed up for a free Amazon AWS account you are already signed up for SES as well. You only need to verify an email address that will serve as both sender and recipient address:

Log into Amazon AWS and go to the Amazon SES Dashboard:

[Screenshot: Amazon SES dashboard]

Click on Verify a New Sender and you will see:

[Screenshot: Amazon SES verified senders]

Click on Verify a New Email Address and follow the activation procedure. Add the email address you want to be alerted on when honeypot activity is registered and confirm the activation email you receive. After this is done you will see a new entry in the Verified Senders menu. This email address will serve as sender as well as recipient for your alert emails.

This restricted setup also protects you from becoming a spam relay for someone who manages to compromise your honeypot somehow. They would only be able to send emails to you, and you could easily shut down the Amazon virtual machine instance if that occurred.

2. Save SMTP Credentials

Still in the Amazon SES dashboard, go to the SMTP Settings tab and create an SMTP user there. The username you choose is not important. Make sure you store the credentials; we will need them later on:

[Screenshot: Amazon SES SMTP credentials]

3. Install the MTA on your honeypot: postfix

Now you can set up the MTA to relay emails via the Amazon mail relay. You can use any sendmail-compatible MTA you want. I chose postfix and will focus on configuring postfix on Ubuntu in the following.

First we need to install postfix and a couple of other packages:

apt-get install postfix libsasl2-2 libsasl2-modules ca-certificates

During the postfix setup you will be prompted for the basic settings. Choose "Satellite system" as the postfix configuration type. Leave the default for the system mail name and insert 127.0.0.1 as SMTP relay host (we will change it in the next step).

4. Configure postfix

Edit the main postfix configuration file "/etc/postfix/main.cf":

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_use_tls = yes
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = ip-10-249-44-247.us-west-2.compute.internal
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = ip-10-249-44-247.us-west-2.compute.internal, localhost.us-west-2.compute.internal, localhost
relayhost = email-smtp.us-east-1.amazonaws.com:587
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = localhost

I edited/added the following lines:

  • smtp_sasl_auth_enable = yes
  • smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
  • smtp_sasl_security_options = noanonymous
  • smtp_tls_CAfile = /etc/postfix/cacert.pem
  • smtp_use_tls = yes
  • relayhost = email-smtp.us-east-1.amazonaws.com:587

Note that the relayhost is taken from the Amazon SES dashboard. If you have chosen another region (e.g. Dublin) the relayhost may be different for you!

Now create the sasl_passwd file:

touch /etc/postfix/sasl_passwd

And insert the SMTP credentials you saved earlier (one line: relay host and port, a space, then username and password):

echo "email-smtp.us-east-1.amazonaws.com:587 AKI...IKQ:AmXF3...5IC" > /etc/postfix/sasl_passwd

Note that I censored my password with "…" in the middle and that a ":" separates username and password. Again, keep in mind that the relayhost at the beginning could be different if you have chosen another region for your virtual machine.

Now let's secure the credentials file (so that only root can read it):

chmod 0400 /etc/postfix/sasl_passwd

Now we need to create the lookup database postfix actually reads the credentials from. Note that postmap writes it to /etc/postfix/sasl_passwd.db using your default umask, so give that file the same restrictive permissions afterwards:

postmap /etc/postfix/sasl_passwd

and provide postfix with the CA certificate it uses to check the Amazon relay's certificate. Keep in mind that smtp_use_tls = yes only enables opportunistic TLS: postfix will still fall back to a plaintext session if STARTTLS is not offered, and the CA file is only used to log the verification result. To make encryption mandatory, set smtp_tls_security_level = encrypt instead.

cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem | sudo tee -a /etc/postfix/cacert.pem

As a last step we need to restart postfix to load the new config:

/etc/init.d/postfix restart

Now we can send a test mail to the email address we activated earlier (end the message body with CTRL+D):

user@server:/# sendmail -f activated-emailaddress@provider.tld -F Amazon-Honeypot activated-emailaddress@provider.tld
Some Test text
CTRL+D

Note again: we need to use the previously activated email address as both recipient and sender, else the Amazon SES mail relay will reject the email!

If you encounter problems, open a second SSH session and follow your syslog to see what postfix logs after you issue the sendmail command:

tail -f /var/log/syslog

So that's it. You are now able to send mails via sendmail. You can create whatever scripts you like and pipe their output into sendmail for an email alert.
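To verify the result of steps 3 and 4 without reading main.cf by hand, here is an added check script (not from the original post or the linked source). It also flags the two things the walkthrough leaves loose: TLS stays opportunistic unless smtp_tls_security_level is raised, and the .db file postmap creates usually ends up world-readable. The file paths are arguments, and the sample configuration and credentials below are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check a postfix main.cf for the
# SES relay settings above, and check that the SASL credentials file (plus the
# .db that postmap writes next to it) is readable by its owner only. Paths are
# arguments, so it runs against the constructed samples below without postfix.

# Value of a main.cf parameter; the last assignment wins, as in postfix.
cf_get() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1; }

# Return 0 if the relay settings are sane, else print each problem and return 1.
check_ses_relay() {
    cf=$1; rc=0
    case "$(cf_get "$cf" relayhost)" in
        email-smtp.*.amazonaws.com:587) ;;
        *) echo "relayhost is not an SES endpoint on port 587"; rc=1 ;;
    esac
    [ "$(cf_get "$cf" smtp_sasl_auth_enable)" = yes ] || { echo "smtp_sasl_auth_enable != yes"; rc=1; }
    case "$(cf_get "$cf" smtp_sasl_security_options)" in
        *noanonymous*) ;;
        *) echo "smtp_sasl_security_options lacks noanonymous"; rc=1 ;;
    esac
    # smtp_use_tls = yes only gives opportunistic TLS (security level "may");
    # "encrypt" or stronger stops postfix from ever sending the SES login in clear.
    case "$(cf_get "$cf" smtp_tls_security_level)" in
        encrypt|verify|secure) ;;
        *) echo "smtp_tls_security_level should be encrypt or stronger"; rc=1 ;;
    esac
    return $rc
}

# Return 0 if FILE and FILE.db (when present) grant no group/other permissions.
check_sasl_passwd_perms() {
    rc=0
    for f in "$1" "$1.db"; do
        [ -e "$f" ] || continue
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || { echo "$f is readable by others"; rc=1; }
    done
    return $rc
}

# Constructed samples (not real credentials): one good and one bad configuration.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'relayhost = email-smtp.us-east-1.amazonaws.com:587' 'smtp_sasl_auth_enable = yes' \
    'smtp_sasl_security_options = noanonymous' 'smtp_tls_security_level = encrypt' > "$SAMPLE_DIR/good.cf"
printf '%s\n' 'relayhost = 127.0.0.1' 'smtp_use_tls = yes' > "$SAMPLE_DIR/bad.cf"
printf '%s\n' 'email-smtp.us-east-1.amazonaws.com:587 AKIAEXAMPLE:secretEXAMPLE' > "$SAMPLE_DIR/sasl_passwd"
cp "$SAMPLE_DIR/sasl_passwd" "$SAMPLE_DIR/sasl_passwd.db"   # stand-in for the postmap output
chmod 0400 "$SAMPLE_DIR/sasl_passwd"; chmod 0644 "$SAMPLE_DIR/sasl_passwd.db"  # the usual umask result
for cf in good bad; do check_ses_relay "$SAMPLE_DIR/$cf.cf" && echo "$cf.cf: ok"; done
check_sasl_passwd_perms "$SAMPLE_DIR/sasl_passwd" || echo "fix: chmod 0600 sasl_passwd sasl_passwd.db"
```

On a real server, run the two checks against /etc/postfix/main.cf and /etc/postfix/sasl_passwd instead of the samples.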

5. Configure Email Alerts for Kippo

As described in my last blog post under section 8:

I use swatch to monitor the lastlog.txt file and let it send real-time email alerts so I get notified when the action is going down (the last line of the file contains the IP address and duration of the interaction).

swatch is also in the Ubuntu repositories, and a simple swatch file can look like this:

kippo.swatch:

watchfor /./
exec tail -n 1 /home/kippo/kippo/data/lastlog.txt | sendmail -f activated-emailaddress@provider.tld -F Amazon-Honeypot activated-emailaddress@provider.tld

The first line is the command "watchfor" followed by a regex describing which changes to look for. /./ matches everything in this case.

The second line pipes the last line of kippo's lastlog.txt to sendmail.

You could also put the following line in your rc.local to start the watch on boot (run it in the background, e.g. with a trailing &, otherwise rc.local blocks on it):

swatch -c /home/kippo/kippo/data/kippo.swatch -t /home/kippo/kippo/data/lastlog.txt

Now you will receive the last line of kippo's lastlog.txt whenever someone tries to connect to your honeypot:

[Screenshot: the resulting alert email]
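The swatch exec line above pipes a bare log line into sendmail, so the alert arrives without a Subject and with only what the attacker's session left in lastlog.txt. Here is an added alert script (not from the original post or from kippo) that builds a complete message and strips control characters from the log line before it goes into a header; ALERT_ADDR stands in for the verified SES address, and the sample lastlog line is constructed, not real kippo output.

```shell
#!/bin/sh
# Added example, not from the original post: the swatch exec line above pipes a
# bare log line into sendmail, so the alert arrives without a Subject. This
# builds a complete message (Subject carrying the log line, explicit From/To)
# and hands it to "sendmail -t". ALERT_ADDR is a placeholder for the verified
# SES address; the lastlog.txt line format is assumed, not taken from kippo.
ALERT_ADDR=${ALERT_ADDR:-activated-emailaddress@provider.tld}
LASTLOG=${LASTLOG:-/home/kippo/kippo/data/lastlog.txt}

# Print an RFC 5322 message for one log line: $1 = sender/recipient, $2 = line.
format_alert() {
    host=$(hostname 2>/dev/null || echo honeypot)
    # Drop CR/LF and other control characters so an attacker-influenced log
    # line cannot smuggle extra headers (e.g. a Bcc:) into the message.
    line=$(printf '%s' "$2" | tr -d '\000-\037')
    printf 'From: Amazon-Honeypot <%s>\n' "$1"
    printf 'To: %s\n' "$1"
    printf 'Subject: [honeypot %s] %s\n' "$host" "$line"
    printf 'Content-Type: text/plain; charset=UTF-8\n\n'
    printf 'New entry in lastlog.txt on %s:\n\n%s\n' "$host" "$line"
}

# Mail the newest lastlog line. SES requires the verified address as both
# envelope sender (-f) and recipient; "sendmail -t" takes the latter from To:.
send_last_entry() {
    format_alert "$ALERT_ADDR" "$(tail -n 1 "$LASTLOG")" | sendmail -t -f "$ALERT_ADDR"
}

# "alert.sh send" mails the newest entry (use that as the swatch exec command);
# with no argument it only prints the message for a constructed sample line.
if [ "$1" = send ]; then send_last_entry; else
    format_alert "$ALERT_ADDR" "2013-01-01T12:00:00 198.51.100.7 session lasted 42s"; fi
```

In kippo.swatch the exec line then becomes the path to this script followed by "send".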

6. Disclaimer

The usual: make sure you know what you are doing! Take all necessary steps to not set up yet another open spam email relay! Make sure that you have set up the Amazon firewall correctly and monitor your honeypot!

7. Sources

http://dhirajt.com/using-amazons-ses-with-postfix-as-a-smarthost-forwarder-mail-relay/

Props to the author!

Regards

Sebastian


One Response to Email Alerts for Amazon AWS Honeypots (ubuntu postfix)

  1. Pingback: Analyzing Malware at home – Introduction | IT-Unsecurity
