I was looking for a honeypot install that had great reporting and was easy to deploy. I ran across T-Pot honeypot (https://github.com/dtag-dev-sec/tpotce). It runs on Ubuntu 16.04 and docker. They have an auto install script that sets everything up very nicely. If this is your first time using docker or the Elastic stack, this is a great way to get started with it.
They have setup dockers for conpot, cowrie, dionaea, elasticpot, emobility, glastopf, honeytrap, mailoney, rdpy and vnclowpot. All this is tied together with elastic and Suricata. It's a very slick architecture in a very small package.
Follow the auto install information for the github site. https://github.com/dtag-dev-sec/t-pot-autoinstall
Once installed SSH is on port 64295 and the web dashboard is on port 64297. The default dashboard does a really great job of breaking down what's going on quickly. Here you can see that Cowrie, the SSH honeypot, is getting the most hits. While the number of unique IP’s seems consistent, the number of events is dynamic.
98 percent of IP’s that scanned my system were already known attackers or a had a bad reputation.
Having Suricata also analyzing the traffic is a nice touch because you get a more indepth look at what type of attacks are hitting your systems and allows for better searching if you are looking for specific attacks.
If you want to see specific breakdown by each honeypot, click on the dashboard with more specific information .
I can't say enough how easy to deploy this project is. Give it a shot and you want be disappointed. My next post about T-pot will cover how to set it up to report to Dshield! Let me know what ya think of it.
-- Tom Webb @twsecblog |
Tom 58 Posts ISC Handler Nov 9th 2018 |
Thread locked Subscribe |
Nov 9th 2018 2 years ago |
I've been using T-Pot for a few years now and really love it. From time to time I scratch it and reinstall fresh just to make sure.
I use their ISO which makes installing it as a virtual a breeze. Been thinking of sending all logs offsite for analysis and building a RTBH based on the data coming from the T-Pot 'appliance', but that's still in the design phase ;) |
rubencreasa.be 1 Posts |
Quote |
Nov 9th 2018 2 years ago |
Thank you Tom, great post
|
Netmanzim 64 Posts |
Quote |
Nov 9th 2018 2 years ago |
Nice write up Tom! I made a tutorial about this back in June on deploying T-Pot on AWS. It was a good experience and a great way to see internet scan trends and behaviors.
Shameless plug? https://medium.com/@sudojune/deploying-a-honeypot-on-aws-5bb414753f32 |
Anonymous |
Quote |
Nov 9th 2018 2 years ago |
Hi Tom,
I am running T-POT for few days now. I am looking forward to read your post about reporting to Dshield |
JMB 1 Posts |
Quote |
Dec 3rd 2018 2 years ago |
Sign Up for Free or Log In to start participating in the conversation!