Threat Level: green Handler on Duty: Yee Ching Tok

SANS ISC: Playing with T-POT SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Playing with T-POT

I was looking for a honeypot install that had great reporting and was easy to deploy. I ran across T-Pot honeypot (  It runs on Ubuntu 16.04 and docker. They have an auto install script that sets everything up very nicely. If this is your first time using docker or the Elastic stack, this is a great way to get started with it.


They have setup dockers for conpot, cowrie, dionaea, elasticpot, emobility, glastopf, honeytrap, mailoney, rdpy and vnclowpot. All this is tied together with elastic and Suricata. It's a very slick architecture in a very small package.



Follow the auto install information for the github site.


Once installed SSH is on port 64295 and the web dashboard is on port 64297.

The default dashboard does a really great job of breaking down what's going on quickly. Here you can see that Cowrie, the SSH honeypot, is getting the most hits.  While the number of unique IP’s seems consistent, the number of events is dynamic.



98 percent of IP’s that scanned my system were already known attackers or a had a bad reputation.


Having Suricata also analyzing the traffic is a nice touch because you get a more indepth look at what type of attacks are hitting your systems and allows for better searching if you are looking for specific attacks.




If you want to see specific breakdown by each honeypot, click on the dashboard with more specific information .




I can't say enough how easy to deploy this project is.  Give it a shot and you want be disappointed. My next post about T-pot will cover how to set it up to report to Dshield!  Let me know what ya think of it.



Tom Webb @twsecblog


58 Posts
ISC Handler
Nov 9th 2018
I've been using T-Pot for a few years now and really love it. From time to time I scratch it and reinstall fresh just to make sure.
I use their ISO which makes installing it as a virtual a breeze.

Been thinking of sending all logs offsite for analysis and building a RTBH based on the data coming from the T-Pot 'appliance', but that's still in the design phase ;)

1 Posts
Thank you Tom, great post

69 Posts
Nice write up Tom! I made a tutorial about this back in June on deploying T-Pot on AWS. It was a good experience and a great way to see internet scan trends and behaviors.

Shameless plug?
Hi Tom,

I am running T-POT for few days now.
I am looking forward to read your post about reporting to Dshield

1 Posts

Sign Up for Free or Log In to start participating in the conversation!