Honey, I Containerized the Kids: Deploying Honeypots on Azure 🍯

Putting your £150 of free Azure credits to use by deploying honeypots as a learning tool for Exam AZ-900: Microsoft Azure Fundamentals.

Stephen Chapendama
Oct 2 · 7 min read

If you’re new to cloud computing and are looking to gain knowledge in this space, one of the most recommended certifications you can get is the Microsoft Azure Fundamentals: AZ-900. If you have never used Microsoft Azure, you’re in luck: upon creating your account, new users get £150 of cloud credits which you can use on the Azure Portal. If you are looking to pursue your Microsoft Data Science accreditation like I am, you have to start somewhere, right?

For AZ-900, you will need to be able to (amongst other things):

  • Describe cloud concepts
  • Describe core Azure services
  • Describe security, privacy, compliance, and trust

Deploying a honeypot gives you the perfect excuse to play around with some of the services and their configuration, to understand budgeting of cloud resources, and to try some more complex setups (such as Bastion).

Resources we will need:

  • A Microsoft Azure account (preloaded with the £150 Azure free subscription)
  • T-Pot Honeypot
  • A Standard build virtual machine running Debian 10 “Buster”

So let’s begin!

When you log in to Azure Services, you can visit the Marketplace and search for “Debian”. As of writing this (01/10/2020), the current release is Debian 10 Buster; it’s up to you whether you want the version with the backports kernel. As you go through the configuration settings for this quick install, you can create a resource group, set up networking and SSH, and also tinker with the ports. These are some of the topics covered in AZ-900, and it’s a perfect opportunity to understand how this is set up. For my test box, I chose not to attach a data disk, as the 30GB standard build will be enough for testing. If you do choose to attach a disk, understand that it will cost more.

You should now be able to SSH directly to your host using the settings you set up.

Recommended Microsoft Documentation 📚

What is a honeypot?

A honeypot is a system whose sole purpose is to attract potential intruders and record their activity, so that security breaches can be analysed and investigated further. In practice, a lot of devices can be classified as honeypots. By being enticing (i.e. open SSH ports, unsecured S3 buckets etc.), they generate logs that can be fed into a SIEM platform like Graylog or Elastic for some threat intel. More often than not, honeypots 🤝 bot networks. You can read more in my previous post on honeypots.

We will be using T-Pot, which uses Docker to run over 30 different honeypots as containers on our system.

Once the installer starts, you will be able to choose the installation profile you want. Standard is the recommended stable build, but for my test box I’ve chosen NextGen as it’s the latest release. You can find out more about the different versions of T-Pot here.

Upon completion, the system will reboot and you will now be locked out. Please don’t try to SSH back in, as the system now has Fail2Ban installed and after 3 failed attempts it will blacklist your IP address. What you need to do now is return to the Azure Portal, because it’s time for Networking!

T-Pot is designed to be deployed and left to run on its own. During installation it created over 30 honeypots as Docker containers. You won’t need to change any of the configs, as after the reboot everything will work as needed. But sometimes we might want to monitor the host to see whether we are running out of resources, or install other monitoring tools on the host server. With SSH on port 22 now disabled on the honeypot, we will have to open up the management ports in Azure. As per the T-Pot config, the following ports are used for managing your honeypot:

  • TCP port 64295 will be used for SSH
  • TCP port 64297 will be used for the T-Pot web UI landing page: https://<your.ip>:64297
  • TCP port 64294 gives you access to the Web Admin portal, where you can manage the VM and monitor the containers
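As an added example (not from the post or the T-Pot project), here are the Azure CLI commands that create those three management rules on the VM’s network security group, restricted to your own admin IP rather than the whole Internet, plus one wide-open rule for the ports the honeypots are meant to receive. The resource group name, NSG name and admin IP are placeholders you must replace; the honeypot port range 1-64000 is an assumption taken from T-Pot’s general firewall guidance, not from this post. Commands are only printed unless APPLY=1 is set, so you can review them first.

```shell
#!/bin/sh
# Added example, not from the post or T-Pot: NSG rules for a T-Pot VM on Azure.
# Placeholders (assumed, replace with your own): RESOURCE_GROUP, NSG_NAME, ADMIN_IP.
# 203.0.113.10 is an RFC 5737 documentation address, used here as a constructed sample.
RESOURCE_GROUP="${RESOURCE_GROUP:-tpot-rg}"
NSG_NAME="${NSG_NAME:-tpot-nsg}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10/32}"
APPLY="${APPLY:-0}"            # 0 = print the az commands, 1 = run them

# Print or execute a command depending on APPLY.
run() {
  if [ "$APPLY" = "1" ]; then
    "$@"
  else
    echo "$*"
  fi
}

# nsg_rule NAME PRIORITY PORTS SOURCE
# One inbound allow rule. SOURCE is a CIDR; use '*' only for honeypot ports that
# are supposed to be reachable from anywhere, never for the management ports.
nsg_rule() {
  run az network nsg rule create \
    --resource-group "$RESOURCE_GROUP" \
    --nsg-name "$NSG_NAME" \
    --name "$1" \
    --priority "$2" \
    --direction Inbound \
    --access Allow \
    --protocol Tcp \
    --source-address-prefixes "$4" \
    --destination-port-ranges "$3"
}

# Management ports from the post, locked to the admin IP. Lower priority numbers
# are evaluated first, so these take precedence over the wide honeypot rule below.
tpot_management_rules() {
  nsg_rule allow-tpot-ssh   300 64295 "$ADMIN_IP"
  nsg_rule allow-tpot-webui 310 64297 "$ADMIN_IP"
  nsg_rule allow-tpot-admin 320 64294 "$ADMIN_IP"
}

# Honeypot-facing ports: these are meant to be hit from the Internet.
# The 1-64000 range is assumed from T-Pot's firewall guidance, not from the post.
tpot_honeypot_rules() {
  nsg_rule allow-tpot-honeypots 400 "1-64000" "*"
}

tpot_management_rules
tpot_honeypot_rules
```

Run it once without APPLY to read the generated commands, then `APPLY=1 ./tpot-nsg.sh` after `az login`. If your Azure VM wizard already created a rule for port 22 from any source, leave it: port 22 is now a honeypot and should stay reachable, while the three management ports never should be from anywhere but your own address.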

Let’s see what’s inside 🤲🏿

You will now be able to access the VM via SSH again. To access it:

To maintain the system and get a good overview, I tend to use Glances, a cross-platform system monitoring tool written in Python. As we only have 30GB of storage, it’s worth keeping an eye on the honeypot, and Glances gives you that nice view along with other system metrics, which will be necessary in case the 16GB of RAM isn’t enough.

Installation of Glances:

And for the Docker containers? I use lazydocker. With it I’m able to access container logs and system performance, and also try to understand why a container went down before I restart it.

Installation of lazydocker:

24 hours later…

And the system is live! T-Pot utilizes Elasticsearch, Logstash and Kibana, so if you’re looking to get to grips with the ELK Stack, this is one of the best ways to learn some of the most basic features, as you have a constant stream of fresh logs and access to dashboards for inspiration. It’s also worth remembering that as this system only has 30GB of storage, you will need to set up a policy to delete data after about 5 days or so, as it’s a single-node container system. With this VM hosted in the UK region, I was surprised to see the top attackers of the honeypot. The usual suspects, bots from Russia, China and North Korea, often feature heavily in the top 5. But in this instance, over a 24 hour period, most of the attacks originated from Ireland 🇮🇪.
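As an added example of the retention policy just mentioned (my own script, not part of the post or of T-Pot), the following prunes daily Elasticsearch indices older than a 5-day window so the single 30GB node does not fill up. It assumes, as T-Pot’s Logstash pipeline did at the time, that indices are named logstash-YYYY.MM.DD and that Elasticsearch is reachable on the host at http://127.0.0.1:64298; both are assumptions, so check them against your own build (and check whether your T-Pot version already ships an index lifecycle policy before adding a cron job like this). Index names that do not match the daily pattern (Kibana’s own index, system indices) are never selected.

```python
"""Added example, not from the post or T-Pot: prune old honeypot log indices.

Assumptions (not from the post): daily indices named logstash-YYYY.MM.DD and
Elasticsearch reachable at http://127.0.0.1:64298 on the T-Pot host.
"""
import json
import re
import sys
import urllib.request
from datetime import date, timedelta

ES_URL = "http://127.0.0.1:64298"   # assumed host mapping for T-Pot's Elasticsearch
INDEX_RE = re.compile(r"^logstash-(\d{4})\.(\d{2})\.(\d{2})$")


def index_date(name):
    """Return the date encoded in a daily index name, or None if it is not one."""
    m = INDEX_RE.match(name)
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:   # e.g. logstash-2020.13.45: looks daily but is not a real date
        return None


def indices_to_delete(names, today, retain_days):
    """Select indices whose day is strictly older than the retention window.

    Names that do not match the daily pattern (.kibana_1, system indices) are
    skipped, so a typo in the pattern can never delete non-log data.
    """
    cutoff = today - timedelta(days=retain_days)
    selected = []
    for name in names:
        d = index_date(name)
        if d is not None and d < cutoff:
            selected.append(name)
    return sorted(selected)


def list_indices(es_url=ES_URL):
    """Ask Elasticsearch for every index name via the _cat API."""
    with urllib.request.urlopen(f"{es_url}/_cat/indices?format=json", timeout=10) as r:
        return [row["index"] for row in json.load(r)]


def delete_index(name, es_url=ES_URL):
    """Delete one index; returns True on HTTP 200."""
    req = urllib.request.Request(f"{es_url}/{name}", method="DELETE")
    with urllib.request.urlopen(req, timeout=30) as r:
        return r.status == 200


def prune(retain_days=5, dry_run=True, es_url=ES_URL, today=None):
    """Delete (or, in a dry run, list) indices older than retain_days."""
    today = today or date.today()
    doomed = indices_to_delete(list_indices(es_url), today, retain_days)
    for name in doomed:
        if dry_run:
            print("would delete", name)
        else:
            print("deleted" if delete_index(name, es_url) else "failed", name)
    return doomed


if __name__ == "__main__":
    # Dry run by default; pass --apply to really delete. Suitable for a daily cron job.
    prune(retain_days=5, dry_run="--apply" not in sys.argv)
```

Run it by hand first (it only lists what it would delete), then schedule `python3 prune_indices.py --apply` daily once you are happy with the selection. Deleting whole daily indices is cheap compared with deleting documents, which is why retention on ELK is normally done per index.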

Honeypot Resources

If you are interested in deploying and exploring honeypots further, I’ve written the following guide for Google Cloud Platform:

Key Learnings

AZ-900 plus the credits is a really great way to be introduced to cloud management concepts and resourcing. I was able to get hands-on experience of deploying a VM, managing its network resource group and also make some mistakes without hitting my wallet. It also made me more comfortable navigating the Azure Portal, getting to know the different deployment methods and starting to explore aspects of managing an Azure environment as I prepare to continue my journey in Azure. Whilst this article has focused on building a honeypot, there are so many tools you can build from the Azure Marketplace. Microsoft offers a Learning Path module which walks you through Azure in a Sandbox environment, and this was a great starting point, but like all Sandboxes, it comes to an end. Wherever you can, I highly recommend going through the course material from Microsoft, getting practical experience even if it’s via the Sandbox, and then answering sample exam questions. I found this method of learning worked best for me, as I was able to remember the course material because I had got lost and navigated my way around the Azure Portal.

Recommended Resources for AZ-900

AZ-900 focuses specifically on the cloud, but if you are interested in AI and Data Science, you can take the Microsoft Azure AI Fundamentals, which focuses on deploying VMs, working with and training machine learning models, and getting a better grasp of AI in Azure.

The Startup

Medium's largest active publication, followed by +719K people. Follow to join our community.

Stephen Chapendama

Written by

Cyber Security & Africa | Technology Manager @ Foundervine.com & Senior Software Engineer in Cyber & Intelligence 🚀
