Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Playing with T-POT - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Playing with T-POT

I was looking for a honeypot install that had great reporting and was easy to deploy. I ran across T-Pot honeypot (https://github.com/dtag-dev-sec/tpotce).  It runs on Ubuntu 16.04 and docker. They have an auto install script that sets everything up very nicely. If this is your first time using docker or the Elastic stack, this is a great way to get started with it.

 

They have setup dockers for conpot, cowrie, dionaea, elasticpot, emobility, glastopf, honeytrap, mailoney, rdpy and vnclowpot. All this is tied together with elastic and Suricata. It's a very slick architecture in a very small package.

 

 

Follow the auto install information for the github site.

https://github.com/dtag-dev-sec/t-pot-autoinstall


 

Once installed SSH is on port 64295 and the web dashboard is on port 64297.
 

The default dashboard does a really great job of breaking down what's going on quickly. Here you can see that Cowrie, the SSH honeypot, is getting the most hits.  While the number of unique IP’s seems consistent, the number of events is dynamic.

 

 

98 percent of IP’s that scanned my system were already known attackers or a had a bad reputation.


 

Having Suricata also analyzing the traffic is a nice touch because you get a more indepth look at what type of attacks are hitting your systems and allows for better searching if you are looking for specific attacks.

 

 

 

If you want to see specific breakdown by each honeypot, click on the dashboard with more specific information .

 

 

 

I can't say enough how easy to deploy this project is.  Give it a shot and you want be disappointed. My next post about T-pot will cover how to set it up to report to Dshield!  Let me know what ya think of it.

 

--

Tom Webb @twsecblog

Tom

50 Posts
ISC Handler
I've been using T-Pot for a few years now and really love it. From time to time I scratch it and reinstall fresh just to make sure.
I use their ISO which makes installing it as a virtual a breeze.

Been thinking of sending all logs offsite for analysis and building a RTBH based on the data coming from the T-Pot 'appliance', but that's still in the design phase ;)
rubencreasa.be

1 Posts
Thank you Tom, great post
Netmanzim

21 Posts
Nice write up Tom! I made a tutorial about this back in June on deploying T-Pot on AWS. It was a good experience and a great way to see internet scan trends and behaviors.

Shameless plug? https://medium.com/@sudojune/deploying-a-honeypot-on-aws-5bb414753f32
Anonymous

Sign Up for Free or Log In to start participating in the conversation!