Updated August Project Description Notes - RidwanHaque/CyberSecurityLab-SOC-Honeynet-on-Azure GitHub Wiki

Set up two virtual machines (one Windows and one Linux) in the same virtual network/subnet.

Set up network security groups (NSGs, the cloud equivalent of firewalls).

Delete the default RDP inbound security rule so that it can be replaced with a deliberately permissive rule and make our system vulnerable. This is the whole point of a honeynet; never do this outside a lab.

Do this for both the Windows virtual machine and the Linux virtual machine. The Azure portal warns about each exposed port:

  • RDP port 3389 is exposed to the Internet. This is only recommended for testing. For production environments, we recommend using a VPN or private connection.
  • SSH port 22 is exposed to the Internet. This is only recommended for testing. For production environments, we recommend using a VPN or private connection.
  • MS SQL DB port 1433 is exposed to the Internet. We do not recommend exposing database ports to the Internet and suggest only exposing them to your front-end tier inside your virtual network.
  • Oracle DB port 1521 is exposed to the Internet. We do not recommend exposing database ports to the Internet and suggest only exposing them to your front-end tier inside your virtual network.
  • Mysql DB port 3306 is exposed to the Internet. We do not recommend exposing database ports to the Internet and suggest only exposing them to your front-end tier inside your virtual network.
  • Postgres DB port 5432 is exposed to the Internet. We do not recommend exposing database ports to the Internet and suggest only exposing them to your front-end tier inside your virtual network.

We then add an inbound security rule that dangerously allows any inbound traffic: source Any, source port range *, destination Any, destination port range *, protocol Any, action Allow, with a priority number lower than (and therefore evaluated before) the default DenyAllInBound rule at 65500.

Inbound security rules control which incoming traffic can reach your cloud resources. They are essential for securing Azure VMs and services by enforcing only the access you specifically permit.
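To make the "first matching rule by priority" behaviour concrete, here is a small model of NSG inbound evaluation. It is an added example, not code from this wiki or the lab: the three default inbound rules and their priorities (65000, 65001, 65500) are Azure's real defaults, while the custom rule names, the 10.0.0.0/24 subnet and every IP address are constructed for illustration.

```python
"""Model of Azure NSG inbound rule evaluation.

Added example (not part of the wiki or the lab): rules are checked in
ascending priority order and the first match decides. The three default
inbound rules are Azure's real defaults (priorities 65000, 65001, 65500);
the custom rules, the subnet 10.0.0.0/24 and all IP addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/24")          # constructed lab subnet
AZURE_LB_PROBE_IP = "168.63.129.16"       # Azure's well-known load-balancer / health-probe address


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # lower number is evaluated first
    source: str         # "*", "VirtualNetwork", "AzureLoadBalancer", or a CIDR
    dest_port: str      # "*" or a single port number
    protocol: str       # "*", "TCP" or "UDP"
    action: str         # "Allow" or "Deny"


DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

# What the lab does: the default RDP rule is gone and one rule allows everything from anywhere.
HONEYNET_INBOUND = DEFAULT_INBOUND + [
    Rule("DANGER_AllowAnyInbound", 100, "*", "*", "*", "Allow"),
]

# What production should look like: one management port from one trusted range only.
HARDENED_INBOUND = DEFAULT_INBOUND + [
    Rule("AllowRDPFromAdminRange", 100, "198.51.100.0/24", "3389", "TCP", "Allow"),
]


def source_matches(rule_source: str, src_ip: str) -> bool:
    """Approximate the Azure service tags this model understands."""
    ip = ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET
    if rule_source == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE_IP
    return ip in ip_network(rule_source)


def evaluate(rules, src_ip: str, dest_port: int, protocol: str):
    """Return (rule name, action) for the first rule, by priority, that matches the packet."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not source_matches(rule.source, src_ip):
            continue
        if rule.dest_port != "*" and int(rule.dest_port) != dest_port:
            continue
        if rule.protocol != "*" and rule.protocol != protocol:
            continue
        return rule.name, rule.action
    return None, "Deny"   # not reached while DenyAllInBound is present


if __name__ == "__main__":
    for label, rules in [("defaults only", DEFAULT_INBOUND),
                         ("lab honeynet", HONEYNET_INBOUND),
                         ("hardened", HARDENED_INBOUND)]:
        for src, port in [("203.0.113.5", 3389), ("203.0.113.5", 22), ("198.51.100.7", 3389)]:
            print(f"{label:14} {src}:{port:<5} -> {evaluate(rules, src, port, 'TCP')}")
```

With only the defaults, traffic from the internet never gets past DenyAllInBound (RDP, SSH and the database ports are all closed); the lab's priority-100 allow-any rule wins before that deny rule for every packet, which is what the portal warnings above are about. The hardened list shows the alternative the warnings recommend: one port, one protocol, one trusted source range.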

1. TCP (Transmission Control Protocol)

  • Connection-oriented: Establishes a connection before transmitting data.
  • Reliable: Ensures all data arrives, in order, and retransmits if something is lost.
  • Used for: Web browsing (HTTP/HTTPS), email (SMTP/IMAP/POP3), SSH, RDP, FTP, etc.
  • Speed: Slightly slower due to reliability features like error checking, flow control, and acknowledgements.
  • When to use: For applications where accuracy is more important than speed—like transferring files, logging into remote servers, or database communication.
  • Example ports: 22 (SSH), 3389 (RDP), 80/443 (HTTP/HTTPS).

2. UDP (User Datagram Protocol)

  • Connectionless: No “handshake” before sending data.
  • Unreliable: No guarantee data will arrive, arrive in order, or even arrive at all. No automatic retransmission of lost packets.
  • Fast and lightweight.
  • Used for: Streaming media, online gaming, DNS lookups, VoIP phone calls.
  • When to use: For time-sensitive applications where speed is more important than reliability—like live video, voice, or games.
  • Example ports: 53 (DNS), 67/68 (DHCP), 123 (NTP)

SSH stands for Secure Shell. It is a network protocol that allows you to securely connect to and control remote computers—like your Azure virtual machine—over the internet. Here’s an overview to clarify what SSH is and why you might delete its rule:

  • SSH lets you securely log into your VM over the internet using port 22.
  • Leaving SSH open makes your VM a target for hackers and automated attacks.
  • Deleting the SSH rule or restricting it to only trusted sources is a security best practice—minimizing your VM’s risk of compromise.

Configure SQL Server to write its login auditing to the Windows event log (visible in Event Viewer), which we can then forward to Log Analytics and on to our SIEM.

We have now created our SQL database, and we now want to log all login attempts (first through Event Viewer). In SQL Server this means setting login auditing to both failed and successful logins; failed logins then appear in the Windows Application log as Event ID 18456 and successful ones as Event ID 18454, each with the client IP address in the message text.

Setting up the Linux VM

ping 172.206.114.21

The ping command sent small ICMP echo packets to the IP address of our Linux VM.

The responses ("Reply from 172.206.114.21: bytes=32 time=27ms...") mean:

The VM is online, reachable, and responding on the network. It also confirms that the NSG is letting ICMP through, which it does because the allow-any rule permits every protocol.

No packets were lost (Lost = 0 (0% loss)), so the connection is good.

Round-trip times (23–30ms) are the time for a packet to travel to the VM and back, which is normal for a VM reached over the internet.

  1. SSH into the Linux VM. You ran:

```text
ssh [email protected]
```

ssh is a secure protocol that lets you connect to Linux machines remotely.

The first time you connect to a new machine, SSH shows a warning about the authenticity of the host and prints the host key's fingerprint. This is so you can make sure you are connecting to the correct machine, not an imposter ("man-in-the-middle" protection). The check only works if you compare the fingerprint with one obtained some other way, for example from the VM itself through the Azure serial console.

You typed yes to trust this host, and SSH saved the key in ~/.ssh/known_hosts so you will not see the warning again next time. If the warning ever comes back for the same host with a different fingerprint, stop and investigate before connecting.
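The fingerprint the client prints is just "SHA256:" plus the unpadded base64 of SHA-256 over the raw public key blob, so the check you should do before typing yes can be reproduced in a few lines. The script below is an added example, not part of this wiki: the ssh-ed25519 key is a constructed blob (32 arbitrary bytes in place of a real public key), and the known_hosts content for 172.206.114.21 is constructed as well.

```python
"""Check an SSH host key fingerprint against a known_hosts entry.

Added example, not part of the wiki. OpenSSH displays a host fingerprint as
"SHA256:" plus the unpadded base64 of SHA-256 over the raw public-key blob.
The ssh-ed25519 key below is a constructed, syntactically valid blob (32
arbitrary bytes in place of a real public key); the host and the known_hosts
content are constructed too.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


FAKE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
FAKE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(FAKE_BLOB).decode()

# A second constructed key, standing in for what an imposter host would present.
TAMPERED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
TAMPERED_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(TAMPERED_BLOB).decode()

# Constructed ~/.ssh/known_hosts content for the lab's Linux VM (plain, unhashed entry).
KNOWN_HOSTS = "172.206.114.21 " + FAKE_PUBKEY_LINE + "\n"


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a '<type> <base64>' public key line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    declared_len = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + declared_len] != key_type.encode():
        raise ValueError("key blob does not match the declared key type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_host_key(known_hosts_text: str, host: str):
    """Return the stored public key line for host, or None if the host is unseen."""
    for line in known_hosts_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and host in parts[0].split(","):
            return parts[1]
    return None


def verify_host(known_hosts_text: str, host: str, presented_pubkey_line: str) -> str:
    """'ok', 'unknown' (first contact: verify out of band) or 'changed' (possible MITM)."""
    stored = known_host_key(known_hosts_text, host)
    if stored is None:
        return "unknown"
    if fingerprint(stored) == fingerprint(presented_pubkey_line):
        return "ok"
    return "changed"


if __name__ == "__main__":
    print("fingerprint shown by the client:", fingerprint(FAKE_PUBKEY_LINE))
    print("same key as known_hosts:", verify_host(KNOWN_HOSTS, "172.206.114.21", FAKE_PUBKEY_LINE))
    print("different key presented:", verify_host(KNOWN_HOSTS, "172.206.114.21", TAMPERED_PUBKEY_LINE))
    print("never-seen host:", verify_host(KNOWN_HOSTS, "10.0.0.9", FAKE_PUBKEY_LINE))
```

To get the value to compare against on first contact, run `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the VM itself (through the Azure serial console, not over the SSH session you are trying to verify) and check that it matches what the client printed. A "changed" result on a host you have connected to before is exactly the warning the real client raises, and in a honeynet lab, where the VM is reachable by anyone, it deserves a look rather than a reflexive yes.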

Now we set up the attacker machine and tried to connect to our Windows VM over RDP (Remote Desktop Connection) from there to generate failed connection attempts. Then we downloaded SQL Server onto our attacker VM and generated failed login attempts against the SQL Server on our Windows VM. Finally, we logged into the Windows VM's SQL Server successfully from the attacker VM, so the event log holds both failed and successful logins from the same source.

The log below shows the login attempts against our Linux machine and how quickly a Linux VM behind a wide-open NSG is targeted.
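The two log sources this page sets up (sshd failures on the Linux VM, and SQL Server login failures written to the Windows Application log) can be reduced to the same question a SIEM rule asks: which source addresses are failing repeatedly, and what usernames are they trying? The script below is an added example, not part of this wiki or the lab, and works on constructed sample lines: the Linux lines imitate sshd entries in /var/log/auth.log, the SQL Server lines imitate the message text of Event ID 18456, and every host, user, timestamp and IP address is made up.

```python
"""Count failed logins from the lab's two log sources.

Added example, not part of the wiki. The Linux lines imitate sshd entries in
/var/log/auth.log; the SQL Server lines imitate the message text of Windows
Application log Event ID 18456 (login failed), which includes the client IP.
All hosts, users, timestamps and addresses are constructed.
"""
import re
from collections import Counter, defaultdict

LINUX_AUTH_LOG = """\
Aug 12 10:01:12 linux-vm sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Aug 12 10:01:15 linux-vm sshd[1235]: Failed password for root from 203.0.113.5 port 51130 ssh2
Aug 12 10:01:20 linux-vm sshd[1236]: Failed password for invalid user test from 198.51.100.7 port 40210 ssh2
Aug 12 10:02:01 linux-vm sshd[1240]: Accepted publickey for labuser from 10.0.0.4 port 50000 ssh2
"""

SQL_EVENT_MESSAGES = [
    "Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.9]",
]

# sshd writes "invalid user" only when the account does not exist; the group is optional for that reason.
SSH_FAIL = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
SQL_FAIL = re.compile(r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]")


def parse_failures(linux_text: str, sql_messages):
    """Return (service, ip, user) tuples for every failed login in both feeds."""
    events = []
    for line in linux_text.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            events.append(("ssh", m["ip"], m["user"]))
    for msg in sql_messages:
        m = SQL_FAIL.search(msg)
        if m:
            events.append(("mssql", m["ip"], m["user"]))
    return events


def count_by_ip(events) -> Counter:
    """Failures per source IP, regardless of which service was attacked."""
    return Counter(ip for _, ip, _ in events)


def users_tried(events):
    """Map each source IP to the set of usernames it tried."""
    tried = defaultdict(set)
    for _, ip, user in events:
        tried[ip].add(user)
    return tried


def brute_force_sources(events, threshold: int = 3):
    """IPs with at least `threshold` failures across both services."""
    return {ip for ip, n in count_by_ip(events).items() if n >= threshold}


if __name__ == "__main__":
    ev = parse_failures(LINUX_AUTH_LOG, SQL_EVENT_MESSAGES)
    for ip, n in count_by_ip(ev).most_common():
        print(f"{ip:16} {n} failures, users tried: {sorted(users_tried(ev)[ip])}")
    print("brute-force candidates:", brute_force_sources(ev))
```

Counting across both services is the point: 203.0.113.5 has two SSH failures and two SQL Server failures, so a per-service threshold of three would miss it while the combined count catches it. The successful "Accepted publickey" line is deliberately not counted as a failure, but in the attacker-VM exercise above a success that follows a run of failures from the same address is the event worth alerting on.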