Deploying a DShield Honeypot on AWS

1️⃣ Setting Up the AWS EC2 Instance

Select a Region

Log in +to AWS and select your preferred region at the top-right corner of the AWS Console.

Create a New EC2 Instance

 

    1. Navigate to EC2 and select Launch Instance.

2. Under “Names and tags”, enter a name for the instance.

3. Under Application and OS Images, select Ubuntu Server 22.04 LTS.

Use the default instance type: t2.micro (free-tier eligible).

Create a new key pair for secure access.

Configure security group settings to allow SSH access.

For our use case can leave the default settings for configure storage

Launch the Instance

Click Launch Instance and wait for it to start

Navigate to the EC2 dashboard to monitor the instance status.

2️⃣ Connecting to the Instance via SSH

 

    • Retrieve the public IP of your instance from the EC2 dashboard.

    • Open a terminal and connect using SSH:

ssh -i Dshield.pem ubuntu@your-instance-ip

#If on Windows and running into "permission denied (publickey)instead of pem name use the pem name's path

3️⃣ Installing DShield Honeypot

Update the System

Run the following command to update Ubuntu and install dependencies:

sudo apt update && sudo apt full-upgrade -y

📸 Insert Image: Terminal output after system update

Install Required Packages

Ensure Python, Git, and dependencies are installed:

sudo apt update && sudo apt install python3-pip git -y

Clone and Install DShield

Create a directory and clone the DShield repository:

mkdir install && cd install
git clone https://github.com/DShield-ISC/dshield.git
cd dshield/bin

Run the installation script:

sudo ./install.sh

4️⃣ Configuring Security Group for Honeypot Traffic

 

    • Navigate to your EC2 instance summary.

    • Under Security settings, edit Inbound rules:

       

        • Change SSH port to 12222 for enhanced security.

        • Allow all inbound traffic to capture attack data.

📸 Insert Image: Security group inbound rules before and after changes

Navigate to your EC2 instance summary.

OUTBOUND RULES

inbound

Edit inbound rules

5️⃣ Monitoring and Analyzing Attacks

Once installed, the honeypot will begin logging traffic. You can monitor logs using:

tail -f /var/log/dshield.log

Final Thoughts & Lessons Learned

Deploying this honeypot provided hands-on experience with:
Cloud Security – Setting up an EC2 instance securely.
Network Security – Configuring firewall rules and monitoring traffic.
Threat Analysis – observing real-world attack patterns.