T-Pot Installation and Use

Ali Sefer
4 min read · Aug 18, 2023


T-Pot

The T-Pot Honeypot framework is a multi-use Honeypot framework that deploys custom Docker containers to a set of protocols that emulate common exploitable services. The T-Pot Framework collects all logs from each container and centralises them in an elastic stack that provides the administrator with a front-end view of all attacks against each service. Malware samples are also captured so that attacks can be analysed in more detail.

Preparation of T-Pot Installation Environment

T-Pot installation in this article will be performed via Google Cloud.

After creating a new project on Google Cloud, go to Compute Engine -> VM Instances in the left menu and create a new machine.

The machine to be created must have a minimum of 8GB RAM and 128 GB storage.

Options 1
Options 2

After the virtual machine is created, its public IP address is shown in the External IP column.

External IP Address

Before connecting to the virtual machine, a Firewall rule must be written so that all Honeypot ports can be accessed from the internet. For this, a new firewall rule must be added by going to the VPC Network -> Firewall section from the left menu. The relevant settings must be made as shown in the figure below.

Firewall Rule

T-Pot Installation

SSH can be used to connect to the machine created through Google Cloud. To install T-Pot, a copy of the GitHub source code needs to be downloaded. Since git is not pre-installed on the created machine, it must be installed with apt-get.

Command: apt-get install git

To install T-Pot, the source files must be cloned from the GitHub repository. In this article the repository is cloned into the root directory. The three steps (clone, change into the installer directory, run the installer) must be chained with `&&` so that each one runs only if the previous one succeeded; the installer option is `--type=user` (two hyphens).

Command: git clone https://github.com/telekom-security/tpotce && cd tpotce/iso/installer/ && ./install.sh --type=user

The “y” option must be selected during installation.

Then select which version of T-Pot to install on the next screen. Here “Standard” version will be installed.

Selecting the T-Pot Version

In order to access the web panels, a user name and password must be set. The password entered here must be complex and difficult to guess.

Determination of User Name and Password

More packages and Docker images will then be installed. This process may take up to 10–15 minutes depending on the download speed. After the installation is finished, the system will reboot itself and the SSH connection will be disconnected.

Install T-Pot

The installer moves the SSH port from 22 to 64295. From now on, the system must be reached by connecting to port 64295.

Accessing the T-Pot Honeypot Framework

After all honeypots are installed, the web interface can be accessed. For this, it is necessary to go to “https://<external IP>:64297” and enter the username and password specified during the installation phase.

T-Pot Interface
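The two management endpoints described above (admin SSH on 64295 and the web UI on 64297) can be verified from the workstation right after the reboot. The following script is an added example, not part of the original post or of the T-Pot project; it assumes the default T-Pot ports and a self-signed web certificate, and takes the external IP as its only argument.

```python
"""Post-install check for a T-Pot host: confirm that admin SSH answers on
64295, that the web UI answers on 64297, and report what port 22 now serves."""
import socket
import ssl
import sys

ADMIN_SSH_PORT = 64295   # SSH is moved here by the T-Pot installer
WEB_UI_PORT = 64297      # web front-end (https://<external IP>:64297)

def tcp_banner(host, port, timeout=5.0):
    """Open a TCP connection and return the first line the server sends
    (decoded), or None if the port is closed, filtered or unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = s.recv(256)
    except OSError:
        return None
    return data.split(b"\n", 1)[0].strip().decode("ascii", "replace")

def parse_ssh_banner(line):
    """Return protocol version and software string from an SSH identification
    line such as 'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3', or None if it is not SSH."""
    if not line or not line.startswith("SSH-"):
        return None
    parts = line.split("-", 2)
    if len(parts) < 3 or parts[1] not in ("1.99", "2.0"):
        return None
    return {"version": parts[1], "software": parts[2].split()[0]}

def https_reachable(host, port, timeout=5.0):
    """Complete a TLS handshake with the web UI. Assumption: the installer
    generated a self-signed certificate, so verification is disabled here
    (this only tests reachability, not certificate trust)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ssl.SSLError):
        return False

def check_host(host):
    """Collect the three checks into a dict the caller can inspect or assert on."""
    return {
        "admin_ssh": parse_ssh_banner(tcp_banner(host, ADMIN_SSH_PORT)),
        "web_ui": https_reachable(host, WEB_UI_PORT),
        "port22_banner": tcp_banner(host, 22),
    }

if __name__ == "__main__":
    for name, result in check_host(sys.argv[1]).items():
        print(f"{name}: {result}")
```

If `admin_ssh` is None after the reboot, the firewall rule from the earlier step most likely does not include 64295.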

All services provided by T-Pot can be accessed by going to the “Dashboards” section.

T-Pot Kibana Dashboard

Clicking the Dashboard entry on the second page gives an overview of all activity.

T-Pot Kibana Dashboard

An Nmap scan of the host can be run to check that an alert is generated. This confirms that T-Pot is actively running and detecting traffic.

Nmap Scan

As you can see, Suricata recognises attacks and gives us warnings.

T-Pot Suricata

Suricata identifies the source IP addresses and geographic origin of incoming attacks and lists the CVE identifiers matched by its signatures.

T-Pot Suricata


Ali Sefer

Information Security Specialist | SOC L1/L2 | Red Team