Deploying T-Pot — The All In One Honeypot Platform on AWS EC2

Matt Kmety
11 min read · Jun 21, 2020

I recently became interested in deploying a honeypot to see what type of traffic and attacks would occur and how quickly.

A honeypot is essentially a system that mimics a vulnerable target to entice attackers. These systems do not, at least they shouldn’t, have any valuable information. Instead, they are configured to thoroughly log what an attacker is doing to gain insight into attacks and techniques.

I did some research into what honeypot I would use and came across T-Pot.

T-Pot is an all in one honeypot platform that takes several honeypots and puts them all into a nice package with some insightful reporting.

I then decided to document my experience deploying T-Pot on an Amazon Web Services (AWS) EC2 instance (virtual machine).

Below are the steps that I took to successfully create an AWS EC2 instance, install and configure T-Pot, and display the results through T-Pot’s built-in web interface.

AWS Disclaimer: There is a cost associated with using AWS. Please understand the cost behind any resources you are deploying. I am not responsible for the costs you incur.

General Disclaimer: The steps in this guide expose your server to the public internet. Please do not do this on a production system. I wouldn’t recommend doing this on your home network at all. I am not responsible for your actions.

Prerequisites:

Step 1 — Create an AWS Account

You will need to create an AWS account to provision the EC2 instance.

Today, AWS offers 12 months of free tier access. This means that certain tiers of EC2 instances can be created at no charge and used for a specified time. Read the full offer terms for more details. Typically, these instances are very small (1 CPU, 0.5 GB RAM) and should not be used for any production environments.

Unfortunately, the free tier instances are too small to properly run T-Pot.

AWS Account Creation

After you have created your account and signed in, you’ll land on the AWS Management Console page.

AWS Management Console

There are several security-related things you can and should do to make your AWS account more secure. While we won’t cover these here, I have linked an AWS Security Blog post on Following Security Best Practices as You Configure Your AWS Resources.

Step 2 — Creating AWS EC2 Instance

From the AWS Management Console, select Services and then EC2 located under the Compute section.

AWS Management Console

Find the Launch Instance section and click Launch Instance in the orange box and then Launch Instance again.

You will now be brought to the first step of the process to create an EC2 instance which is Choosing an Amazon Machine Image (AMI).

I decided to use Debian 10 as my OS. There are articles out there using Ubuntu. I started out using Ubuntu but ran into unexpected errors throughout the process. Switching to Debian cleared these up. Your mileage may vary but we’ll be using Debian throughout this process.

Start by typing Debian 10 into the search bar and press enter.

Select the AWS Marketplace option on the left.

I selected the Debian 10 Buster OS by Debian.

Debian 10 Buster by Debian

The pricing details will now be displayed. There are no software costs for using Debian. Debian is a free operating system.

EC2 rates are also displayed and will vary based on your instance type.

Select Continue.

You will now move on to step 2, Choose an Instance Type.

Note: Your choices in this section may have an associated cost. EC2 pricing can be found here.

Amazon has many different EC2 Families and Types that each have a differing number of vCPUs and Memory.

The free tier option doesn’t seem to have enough horsepower to run T-Pot with stability. I started with choosing the General purpose t2.medium. This EC2 instance has 2 vCPUs and 4GB RAM. After T-Pot was installed my memory utilization was entirely too high and the system became unstable. I had to change my instance to a t2.large. Again, your mileage may vary. I’d start smaller and increase based on your experience.

Make your selection and press Next: Configure Instance Details

Choose an Instance Type

I won’t pretend to be an AWS expert and this was more of a lab/project for me. Therefore, I kept all of the Instance Details default. Look them over yourself and decide on changing any options.

Configure Instance Details

Press the Next: Add Storage button.

T-Pot documentation recommends 128GB of SSD for storing events. I chose to start with 50GB of SSD space to keep my costs lower. Depending on your usage you may need to adjust the amount of storage available to your VM.

Enter in the Size and Volume Type for your EC2 storage.

I chose 50GB using General Purpose SSD (gp2).

Add Storage

Click the Next: Add Tags button.

Feel free to add tags. I did not.

Click the Next: Configure Security Group button

Configure Security Group

I chose to create a new security group. I did not change the name and description.

A security group is a set of firewall rules that control the traffic for your instance. At a minimum, you want to change the Source IP on the SSH rule. By default, this rule allows any IP address to SSH to your EC2 instance. AWS even throws a warning telling you to lock this down.

You can do so by entering a specific IP/network, or there is an option in the drop-down menu that allows you to choose My IP. This will auto-populate your public IP address.

Note: Installing T-Pot will change your SSH port from 22 to 64295. Keep that in mind when trying to SSH into your EC2 instance AFTER T-Pot is installed. You’ll use 22 up until then.

Click the Review and Launch button.

Review Instance Launch

Review all of the options to ensure everything is configured to your liking and to reduce/eliminate any unintended costs.

The estimated cost at the time I created my instance was around $50 per month for the t2.large instance. I knew going in that I wasn’t going to have this instance long-term so it seemed like a good cost for the knowledge and experience I was gaining.

Once you are satisfied you can click the Launch button.

A window will pop up stating that you either need to select an existing key pair or create a new one.

Public/Private Key

This public/private key pair is what allows you to securely SSH to your EC2 instance. If you have an existing key pair you can use that, but we will create a new key pair.

Select Create a new key pair from the drop-down list.

Enter in a Key pair name.

Press the Download Key Pair button and save the .pem file to a safe location. You only get one chance to download it!

You will not be able to access your EC2 instance without this key.

Press the Launch Instances button.

Your EC2 instance will now begin to be configured in the Instances section of AWS. It will be ready to go when you see the Instance State show running.

Initiating Instance Launches
Deployed Instance

Congrats, you now have an AWS EC2 Instance deployed running Debian 10!

Note: You will be charged while this EC2 instance is running. Please be cost conscious.

Step 3 — Connecting to Your New AWS EC2 Instance

Select your EC2 instance and select Connect for detailed connection instructions.

Amazon tailors these instructions based on the EC2 instance that you selected.

Connect Button
Connection Details

To use PuTTY to connect to your instance, you have to convert the .pem file you downloaded/saved using PuTTYgen.

Launch PuTTYgen.

Click Load and select the .pem file you created/saved when creating your EC2 instance.

PuTTY Key Generator

It is recommended you enter in a Key passphrase.

Confirm your passphrase.

Click Save private key and save your key to a secure location. You can give it any name you want.

Close PuTTYgen.

We are now ready to SSH to your new EC2 instance.

Launch PuTTY.

Enter the Public DNS or IP address of your EC2 instance in PuTTY. Leave the port at 22.

You need to have PuTTY use your private key to connect to your EC2 instance.

Go to Connection > SSH > Auth in PuTTY.

Select the Browse button for Private key file for authentication.

PuTTY

Select the .ppk file you created with PuTTYgen and click Open. Your private key will now be used when you connect to your EC2 instance.

Click Open to connect and select Yes to the PuTTY Security Alert.

Log in as admin.

Enter the passphrase for your private key if you created one.

Congrats! You are now connected to your EC2 instance.

Step 4 — Installing T-Pot

I like to start by doing an update and upgrade on a new OS. Run the following commands:

sudo apt update
sudo apt upgrade

I didn’t have anything that needed to be updated. Your mileage may vary.

My version of Debian did not come with git installed. You will need git to clone the T-Pot repo. Run the following to see if git is installed:

which git

No output means that git is not installed. Run the following command to install git:

sudo apt-get install git -y

After GIT installs you can run “which git” again and you should see the following output:

We now need to clone the repo where T-Pot resides and run the installer. Run the following commands:

git clone https://github.com/dtag-dev-sec/tpotce
cd tpotce/iso/installer/
sudo ./install.sh --type=user

The install script for T-Pot will now begin to run.

You will be prompted to review any running services. Since this is a fresh install you can enter “y” to proceed.

You will now be prompted to select the T-Pot edition you wish to use.

T-Pot Edition

Select STANDARD and press enter to choose OK.

You will now be prompted to enter a username. This username will be used for the web interface.

WebUI User Name

Enter in a Username and choose OK and choose Yes to confirm your name.

Username Acknowledge

Enter a secure password.

Enter Password

Enter your secure password again.

Enter Password Again

You will be prompted to confirm if your password is not secure. Press Yes to continue.

Insecure Password Acknowledge

T-Pot will continue to install. This may take a bit of time.

After the installation, your EC2 instance will be automatically rebooted.

You will lose your SSH connection when the instance reboots, and the SSH port will have changed to 64295. Remember this when you next SSH to your EC2 instance.

Congrats! T-Pot has been installed!

Step 5 — Updating AWS EC2 Security Group

The T-Pot installation automatically changed your SSH port to 64295. To SSH back into your server, you will need to go into the AWS EC2 security group assigned to your EC2 instance and edit the rules.

While you’re doing this you also need to expose ports 1–64000 to the public internet so T-Pot can start tracking attacks.

Go back to AWS and select Security Groups under Network & Security located in the left panel.

Select the Security Group assigned to your EC2 instance.

Security Groups

You’ll need to edit the inbound rules to allow:
· TCP port 64295 for SSH (Limit this to only your IP address)
· TCP port 64297 for the T-Pot web interface (Limit this to only your IP address)
· TCP ports 1–64000 for everything else (Allow this for everyone)

Inbound Rules
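
A quick way to check the inbound rules above before walking away from the instance. This is an added example, not part of the original post or of T-Pot: it audits a security group in the JSON shape returned by aws ec2 describe-security-groups and flags the two management ports if they are reachable from any source. The function names, the sample group and its sg-EXAMPLE ID are constructed for illustration.

```python
import ipaddress

# Ports taken from this guide: T-Pot moves SSH to 64295, web UI is on 64297.
MGMT_PORTS = {64295: "SSH", 64297: "T-Pot web interface"}
HONEYPOT_RANGE = (1, 64000)

def world_open(perm):
    """True if any source CIDR on the rule is 0.0.0.0/0 or ::/0."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)

def tcp_span(perm):
    """(low, high) TCP ports a rule covers, or None if it is not TCP."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "All traffic": every protocol and every port
        return (0, 65535)
    return (perm["FromPort"], perm["ToPort"]) if proto == "tcp" else None

def audit(group):
    """Return findings for one group in describe-security-groups form."""
    findings, honeypots_reachable = [], False
    for perm in group.get("IpPermissions", []):
        span = tcp_span(perm)
        if span is None or not world_open(perm):
            continue
        low, high = span
        for port, name in MGMT_PORTS.items():
            if low <= port <= high:
                findings.append(f"{name} (tcp/{port}) is open to any source")
        if low <= HONEYPOT_RANGE[0] and high >= HONEYPOT_RANGE[1]:
            honeypots_reachable = True
    if not honeypots_reachable:
        findings.append("tcp/1-64000 is not open to the world; honeypots will see no traffic")
    return findings

# Constructed sample: the web UI rule was left on "Anywhere" by mistake.
SAMPLE = {"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 64295, "ToPort": 64295,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 64297, "ToPort": 64297,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 1, "ToPort": 64000,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}

if __name__ == "__main__":
    print(audit(SAMPLE) or "security group matches the guide")
```

An "All traffic" rule open to everyone also trips both management-port findings, which is the easy mistake to make when the intent was only ports 1-64000.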

Step 6 — Connecting to the T-Pot Web Interface

You can now connect to the T-Pot Web Interface using your EC2 instance IP address and port 64297 with your web browser.

https://ec2-ip-addr:64297

Continue past the certificate warning and use the credentials you created during the T-Pot installation to log into the Web Interface.

Web Interface Authentication

The T-Pot Dashboards will now be displayed.

Click the first dashboard in the list called >T-Pot

This is the overall T-Pot dashboard. All of your data will be displayed here.

I’ve had about 7,000 hits from multiple countries in about 30 minutes.

Wrapping Up

T-Pot’s visualizations on the number of attacks are quite astounding. Seeing the different attack types and origin of attack should instill in all of us that attackers are trying to get into our systems. Keep your systems patched and stay vigilant.

I hope you found this helpful and good luck!

If you have any questions feel free to Tweet or PM me @mrkmety
