Playing with T-POT

Published: 2018-11-09
Last Updated: 2018-11-09 02:23:12 UTC
by Tom Webb (Version: 1)
4 comment(s)

I was looking for a honeypot install that had great reporting and was easy to deploy. I ran across T-Pot honeypot (https://github.com/dtag-dev-sec/tpotce).  It runs on Ubuntu 16.04 and docker. They have an auto install script that sets everything up very nicely. If this is your first time using docker or the Elastic stack, this is a great way to get started with it.

 

They have setup dockers for conpot, cowrie, dionaea, elasticpot, emobility, glastopf, honeytrap, mailoney, rdpy and vnclowpot. All this is tied together with elastic and Suricata. It's a very slick architecture in a very small package.

 

 

Follow the auto install information for the github site.

https://github.com/dtag-dev-sec/t-pot-autoinstall


 

Once installed SSH is on port 64295 and the web dashboard is on port 64297.
 

The default dashboard does a really great job of breaking down what's going on quickly. Here you can see that Cowrie, the SSH honeypot, is getting the most hits.  While the number of unique IP’s seems consistent, the number of events is dynamic.

 

 

98 percent of IP’s that scanned my system were already known attackers or a had a bad reputation.


 

Having Suricata also analyzing the traffic is a nice touch because you get a more indepth look at what type of attacks are hitting your systems and allows for better searching if you are looking for specific attacks.

 

 

 

If you want to see specific breakdown by each honeypot, click on the dashboard with more specific information .

 

 

 

I can't say enough how easy to deploy this project is.  Give it a shot and you want be disappointed. My next post about T-pot will cover how to set it up to report to Dshield!  Let me know what ya think of it.

 

--

Tom Webb @twsecblog

Keywords: Honeypot TPOT
4 comment(s)

Comments

I've been using T-Pot for a few years now and really love it. From time to time I scratch it and reinstall fresh just to make sure.
I use their ISO which makes installing it as a virtual a breeze.

Been thinking of sending all logs offsite for analysis and building a RTBH based on the data coming from the T-Pot 'appliance', but that's still in the design phase ;)
Thank you Tom, great post
Nice write up Tom! I made a tutorial about this back in June on deploying T-Pot on AWS. It was a good experience and a great way to see internet scan trends and behaviors.

Shameless plug? https://medium.com/@sudojune/deploying-a-honeypot-on-aws-5bb414753f32
Hi Tom,

I am running T-POT for few days now.
I am looking forward to read your post about reporting to Dshield

Diary Archives