How to create and deploy a T-Pot Honeypot using Amazon Web Services

Jessica Vazquez
6 min read · May 23, 2022


In this tutorial I will show you how to create a honeypot using Amazon Web Services (AWS). A honeypot is a deliberately exposed, closely monitored system that exists only to be attacked: it serves no production purpose, so every connection it receives is suspect, and it lets us watch what attackers actually try (credentials, exploits, payloads) and how they move, without putting real systems at risk. Attacker tooling changes constantly, so having a safe place to observe those techniques is a practical way to learn how to protect our own devices and networks.

So let us begin setting up this honeypot in AWS by creating and launching an EC2 instance.

First, log in to your AWS account. At the top right, next to your account name, is the currently selected region (not an availability zone; zones are subdivisions of a region). Mine was set to Ohio (us-east-2) by default, but you can switch to any region from the drop-down menu. I selected Mumbai (ap-south-1) to host the EC2 instance. The region decides where the instance physically runs and which address space it is reached from, so choose it deliberately.

At the top of the page, type “EC2” in the search bar. An EC2 instance is a virtual server in AWS. Ours will host T-Pot, a platform that bundles many honeypots, plus the Elastic stack used to analyze their logs, in Docker containers.

Now on the left panel, click on Instances and then click the Launch Instance button. This will open up a new window where we will configure our instance.

Let’s first name our honeypot server under the Name and tags field. I named my server HoneyPot to keep things simple.

Under Application and OS Images (Amazon Machine Image), search for the Debian 11 AMI. Debian 11 is the operating system the T-Pot release we are installing (22.04) is built for, and the AMI is the disk image the instance boots from.

Type “Debian 11” in the search bar and press Enter. The pop-up shows no results under the Quick Start tab, but the AWS Marketplace AMIs tab lists the official Debian 11 image.

Click the select button to continue.

Under Instance type, select t2.xlarge (4 vCPUs, 16 GB of memory). T-Pot’s Standard profile starts a couple of dozen containers plus Elasticsearch and Kibana, and its documentation asks for at least 8 GB of RAM; the extra headroom also leaves room for the cyber threat intelligence and OSINT API integrations you may enable later.

Let’s generate a new key pair to connect to the instance securely. Click the Create new key pair link, enter a name, keep the RSA type and .pem format, and click Create key pair. The .pem file downloads automatically. It is the private key, and AWS does not keep a copy, so store it somewhere safe: it is the only way to log in over SSH. On Linux or macOS, run chmod 400 on the file, because ssh refuses to use a key that other users can read.

Under Network settings and Configure storage, keep the defaults, but make sure Auto-assign public IP is enabled; without a public address the honeypot is unreachable from the internet and will see no attacks. One default worth reconsidering is the root volume: the Debian AMI starts at 8 GB, while T-Pot’s README calls for 128 GB because Elasticsearch retains every honeypot event. Enlarging the volume at launch is simpler than resizing it later.

Finally, click on Launch Instance.

Click Instances in the left panel to return to the instances page and wait until the instance state is Running. You may need to refresh until the status column shows 2/2 checks passed with two green checkmarks.

For this part of the tutorial I will use my Kali Linux machine as the workstation, but the commands that follow run on the EC2 instance, not on Kali: T-Pot has to be installed on the Debian server that will be exposed to the internet. So spin up Kali, log in, open a terminal and connect to the instance with ssh, passing the downloaded .pem file as the identity (the -i option), the login name admin (the default user on the official Debian AMIs) and the instance’s public IPv4 address. The server listens on the standard port 22 until T-Pot moves SSH to 64295 during installation. Once logged in, create a new directory called HoneyPot. You don’t need to do this step, but I like to keep things organized so they are simple and easy to find.

Once in the HoneyPot directory, I typed in the following command

sudo apt-get update -y && sudo apt-get upgrade -y

The “apt-get update” command downloads the package indexes from every configured source, so the system knows which package versions are available. “apt-get upgrade” then uses that information to upgrade all installed packages to their latest versions. The “-y” flag answers yes to the confirmation prompts so we don’t have to keep typing it.

Once the update and upgrades are complete, install Git by using the following command

sudo apt-get install git -y

Git lets us clone the tpotce repository, which contains the installer. Run the following git clone command

git clone https://github.com/telekom-security/tpotce.git

Once complete, a new directory called “tpotce” exists. Move into it, change to the directory that holds install.sh (tpotce/iso/installer in the T-Pot 22.04 README) and run

sudo ./install.sh --type=user

The user install type sets T-Pot up on top of an existing Debian system, which is exactly what we have here.

A dialog appears. Select the Standard installation type and press Enter.

Create a username and password for the web panel; T-Pot’s reverse proxy will ask for them on port 64297 once everything is running, so pick a strong password. The installer finishes by rebooting the instance, after which SSH is served on port 64295 instead of 22.
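The connection step above has two practical snags: ssh rejects a private key that is group- or world-readable (“UNPROTECTED PRIVATE KEY FILE”), and the SSH port changes from 22 to 64295 once T-Pot has installed and rebooted. The script below is an added example, not code from the original post or from the T-Pot project; it wraps ssh so both are handled explicitly. It assumes the Debian AMI’s default login name admin, and the key path and 203.0.113.10 address in the usage line are placeholders.

```python
"""Connect to the T-Pot instance with the downloaded .pem key.

Added example (not from the original post or the T-Pot project). It checks the
key-file mode that ssh enforces and picks the port for the install phase:
22 on a fresh Debian AMI, 64295 once install.sh has finished and the instance
has rebooted. "admin" is the default user of the official Debian AMIs; the
key path and address in the usage line are placeholders.
"""
import os
import stat
import subprocess
import sys

LOGIN_USER = "admin"                          # default user on the Debian AMI
PORT_BY_PHASE = {"pre": 22, "post": 64295}    # before / after T-Pot's install


def mode_is_private(mode):
    """True when only the owner can read the file, which is what ssh demands of a key."""
    return stat.S_IMODE(mode) in (0o400, 0o600)


def check_pem_perms(path):
    """Return True if the key file's mode is acceptable to ssh."""
    return mode_is_private(os.stat(path).st_mode)


def ssh_argv(pem, host, phase):
    """Build the ssh command line for the given install phase."""
    if phase not in PORT_BY_PHASE:
        raise ValueError("phase must be 'pre' (before install.sh) or 'post' (after the reboot)")
    return [
        "ssh",
        "-i", pem,                      # the downloaded .pem is the identity
        "-o", "IdentitiesOnly=yes",     # do not offer unrelated keys from the agent
        "-p", str(PORT_BY_PHASE[phase]),
        f"{LOGIN_USER}@{host}",
    ]


def connect(pem, host, phase):
    """Tighten the key mode if needed (same effect as `chmod 400`), then run ssh."""
    if not check_pem_perms(pem):
        os.chmod(pem, 0o400)
    return subprocess.call(ssh_argv(pem, host, phase))


if __name__ == "__main__":
    # usage: python tpot_ssh.py ~/HoneyPot/honeypot.pem 203.0.113.10 pre|post
    if len(sys.argv) != 4:
        sys.exit("usage: tpot_ssh.py KEY.pem PUBLIC_IP pre|post")
    sys.exit(connect(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Use the pre phase to run the apt and git commands above and the installer; after the reboot, reconnect with post, which is the port that rule two in the security group will allow.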

While it is installing, let’s go back to the AWS console and configure the security group. Finish this before the installer reboots the instance: after the reboot SSH only answers on port 64295, and without the matching rule you would be locked out.

On the Instances page, tick the checkbox next to the HoneyPot instance and select the Security tab at the bottom. Click the link under Security groups, which takes you to the security group attached to this honeypot.

Scroll down and click the Edit inbound rules button at the bottom left of the screen.

There is a single rule by default, the one the launch wizard created. We will replace it with three new rules, so remove it with the Delete button on the right.

Click Add rule three times and enter the following rules (all of type Custom TCP):

Rule one: Port range: 64297 | Source: My IP (your current address as a /32) | Description: Web Panel for Admin

Rule two: Port range: 64295 | Source: My IP | Description: SSH for Admin

Rule three: Port range: 1–64000 | Source: Custom, 0.0.0.0/0 | Description: Honeypot

The 1–64000 range is what the honeypots listen on, and it is meant to be open to the whole internet to attract malicious actors; it still covers port 22, so the SSH honeypot (and your current session, until the reboot) keeps working. The range deliberately stops below 64294–64297, the ports T-Pot reserves for administration, so never widen it to 65535 or the web panel and the real SSH become world-reachable too. The rules above are TCP only; add a matching Custom UDP rule for the same range if you want the UDP-based honeypots to receive traffic as well. Note that My IP is captured once: if your address changes later, edit the rule rather than opening the admin ports to 0.0.0.0/0. Click Save rules once you are done.
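Because a single widened port range silently exposes the admin ports, it is worth checking the group rather than trusting the console. The script below is an added example, not code from the original post or from the T-Pot project. It reads the JSON that `aws ec2 describe-security-groups --group-ids <id>` prints, checks the intent behind the three rules above (the honeypot range is world-open but stops below the admin ports, and each admin port is reachable only from a narrow source), and emits the three rules as AWS CLI commands. The two samples are constructed: the group id and the 203.0.113.7 address are placeholders.

```python
"""Audit the inbound rules of a T-Pot security group.

Added example (not from the original post or the T-Pot project). Input is
the JSON printed by `aws ec2 describe-security-groups`; SAMPLE_OK and
SAMPLE_BAD are constructed, with a placeholder group id and address.
"""
import ipaddress
import json

ADMIN_PORTS = {64295: "SSH", 64297: "Web Panel"}   # the admin ports the post opens
HONEYPOT_RANGE = (1, 64000)


def _group(perms):
    """Wrap a list of IpPermissions in the describe-security-groups envelope."""
    return json.dumps({"SecurityGroups": [{"GroupId": "sg-0123456789abcdef0",
                                           "IpPermissions": perms}]})


def _tcp(lo, hi, cidr, desc):
    return {"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": cidr, "Description": desc}], "Ipv6Ranges": []}


# The three rules from the post, as the CLI would report them (constructed).
SAMPLE_OK = _group([
    _tcp(64297, 64297, "203.0.113.7/32", "Web Panel for Admin"),
    _tcp(64295, 64295, "203.0.113.7/32", "SSH for Admin"),
    _tcp(*HONEYPOT_RANGE, "0.0.0.0/0", "Honeypot"),
])

# A common mistake (constructed): honeypot range widened to 65535, the SSH
# admin rule forgotten, and an "all traffic" rule left in place.
SAMPLE_BAD = _group([
    _tcp(64297, 64297, "203.0.113.7/32", "Web Panel for Admin"),
    _tcp(1, 65535, "0.0.0.0/0", "Honeypot"),
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
])


def flatten(describe_json):
    """Return (protocol, from_port, to_port, cidr) for every inbound rule.
    Protocol "-1" means all traffic; AWS reports it without a port range."""
    rules = []
    for group in json.loads(describe_json)["SecurityGroups"]:
        for perm in group["IpPermissions"]:
            proto = perm["IpProtocol"]
            lo = 0 if proto == "-1" else perm["FromPort"]
            hi = 65535 if proto == "-1" else perm["ToPort"]
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            rules.extend((proto, lo, hi, c) for c in cidrs)
    return rules


def is_world(cidr):
    """True for 0.0.0.0/0 or ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(describe_json):
    """Return (severity, message) findings; no "error" entries means the group
    matches the post's intent."""
    rules = flatten(describe_json)
    findings = []
    if not any(is_world(c) for _, _, _, c in rules):
        findings.append(("error", "no world-open rule: the honeypots will never see traffic"))
    for proto, lo, hi, cidr in rules:
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed and is_world(cidr):
            findings.append(("error", f"{proto} {lo}-{hi} from {cidr} exposes admin port(s) {exposed} to the internet"))
    for port, name in ADMIN_PORTS.items():
        if not any(lo <= port <= hi and proto in ("tcp", "-1") and not is_world(cidr)
                   for proto, lo, hi, cidr in rules):
            findings.append(("error", f"{name} ({port}) has no rule from a narrow source such as My IP"))
    if not any(proto in ("udp", "-1") for proto, *_ in rules):
        findings.append(("info", "no UDP rule: UDP-based honeypots will not receive traffic"))
    return findings


def authorize_commands(group_id, my_ip):
    """The three console rules as `aws ec2 authorize-security-group-ingress`
    argv lists (revoke the launch wizard's default rule first)."""
    me = f"{ipaddress.ip_address(my_ip)}/32"
    spec = [(64297, 64297, me, "Web Panel for Admin"),
            (64295, 64295, me, "SSH for Admin"),
            (HONEYPOT_RANGE[0], HONEYPOT_RANGE[1], "0.0.0.0/0", "Honeypot")]
    cmds = []
    for lo, hi, cidr, desc in spec:
        perm = (f"IpProtocol=tcp,FromPort={lo},ToPort={hi},"
                f"IpRanges=[{{CidrIp={cidr},Description='{desc}'}}]")
        cmds.append(["aws", "ec2", "authorize-security-group-ingress",
                     "--group-id", group_id, "--ip-permissions", perm])
    return cmds


if __name__ == "__main__":
    for label, sample in (("OK", SAMPLE_OK), ("BAD", SAMPLE_BAD)):
        print(label, audit(sample))
    for argv in authorize_commands("sg-0123456789abcdef0", "203.0.113.7"):
        print(" ".join(argv))
```

To check your real group, pass the output of describe-security-groups for its id to audit(); the ordering of the three error findings for SAMPLE_BAD (two world-open rules that cover the admin ports, then the missing narrow-source SSH rule) is the order a reader would fix them in.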

Let’s go back to the instance page and copy the public IPv4 address of the HoneyPot instance.

Open a new window on your browser and type in the following link

https://<copied public IPv4 address>:64297

Port 64297 is the one we allowed in rule one for web panel access; T-Pot serves it over HTTPS.

A certificate warning appears because T-Pot generated a self-signed certificate during installation, so the warning is expected here. You are about to send the admin password over this connection, so double-check that the address is the instance’s own public IP (and, if you want to be thorough, that the certificate fingerprint the browser shows matches the one on the server) before you click Advanced and then the link to proceed to the site.

A small pop-up window appears: this is the reverse proxy asking for credentials. Enter the username and password you created during the installation.

We did it, we are now logged in to the T-Pot web panel!

From this page, we can click on the options provided to view the live attack map, add API keys, and view logs for individual honeypots. Happy exploring.

Thank you for reading my blog. I hope you found it informational and helpful. I will be adding more content on threat analysis for this T-Pot in the future.


Jessica Vazquez

I am an aspiring cybersecurity analyst and future graduate student at the Illinois Institute of Technology.