What is a honeypot?
Why even have a honeypot?
For companies, a honeypot can be a useful data source and an excellent threat-hunting exercise: it shows the threat landscape and which IPs to block on the internal network based on honeypot activity. It is also possible to build personalised honeypots that mimic a company's environment to further entice attackers, for example by hosting a fake Active Directory. Understanding who wants to attack you will also help you prepare your defences.
Which honeypots can I use?
Okay how do I install it?
- Debian 9.7 or newer — For this I utilised the standard Debian 10 (Stretch) build available in GCP (Google Cloud Platform).
- 4 GB RAM — I opted for 7.5GB
- 32 GB of free storage — I opted for 40 GB
- A working internet connection
- A Google Cloud account (with credits)
T-Pot comes with a Universal Installer, which upgrades the system to Debian Sid and installs the required dependencies:

```bash
git clone https://github.com/dtag-dev-sec/tpotce
cd tpotce/iso/installer/
./install.sh --type=user
```
There are different variants of T-Pot depending on what you're looking for. Based on the server I have provisioned, I'll be selecting the standard build, which includes all the honeypots and access to the ELK dashboard.
The installer will then ask you for a username and password; these will be used to access Kibana and view the honeypot data. After all the dependencies are installed, the server will reboot.
After the reboot, port 22 (SSH), port 80 (HTTP) and port 443 (HTTPS) are being used by the honeypot, so you will find you can no longer reach the host on those ports. All we need to do is amend the firewall rules in GCP.
From the Compute Engine page in the GCP console, click on the VM instance you wish to manage and click on View network details.
Click on Firewall rules and you will find that SSH is still set to 80, as is the HTTPS port. You can delete or amend the rules and add the following:
SSH: Port 64295
These are the ports used to connect to the honeypot host. As I don't see myself needing to SSH regularly to the honeypot, I have disabled the rule for SSH. You can also amend the firewall rules so that only your own IP address is accepted into the honeypot via SSH or HTTPS. You will now be able to connect to Kibana using:
Using the credentials you created during setup, you can log into Kibana and view the data coming in from your honeypot. It took 16 minutes before I had my first attack. The T-Pot team has already developed Kibana dashboards that you can use depending on which honeypot data you wish to view. You will also have access to the following tools with your deployment:
- SpiderFoot — A reconnaissance tool that automatically queries over 100 public data sources (OSINT) to gather intelligence
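As an added illustration of the firewall step above (this is not code from the post or from the T-Pot project): a small audit that reads the JSON produced by `gcloud compute firewall-rules list --format=json` and reports, for the management SSH port 64295, whether any enabled ingress rule leaves it open to sources beyond your own address, or whether no rule opens it at all (in which case you lock yourself out). The rule names, the 203.0.113.0/24 trusted range and the sample JSON are constructed; the honeypot ports 22, 80 and 443 are deliberately not checked, since those are meant to face the internet.

```python
import ipaddress
import json

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`
# (only the fields read below are included; the rule names are made up).
SAMPLE_RULES = json.loads("""[
 {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "tpot-mgmt-ssh", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["64295"]}]}
]""")

def port_matches(port, spec):
    """True if port falls inside a gcloud port spec such as "22" or "64000-65000"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def is_trusted(cidr, trusted):
    """A source range is trusted only if it lies entirely inside one trusted CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    tnets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    return any(net.version == t.version and net.subnet_of(t) for t in tnets)

def audit_management_ports(rules, mgmt_ports, trusted):
    """Per management port: enabled ingress rules opening it, plus (rule, source) pairs admitting untrusted traffic."""
    report = {p: {"opened_by": [], "untrusted_sources": []} for p in mgmt_ports}
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        for entry in rule.get("allowed", []):
            if entry["IPProtocol"] not in ("tcp", "all"):
                continue
            specs = entry.get("ports") or ["0-65535"]  # no "ports" key means every port
            for port in mgmt_ports:
                if any(port_matches(port, s) for s in specs):
                    report[port]["opened_by"].append(rule["name"])
                    for src in rule.get("sourceRanges", []):
                        if not is_trusted(src, trusted):
                            report[port]["untrusted_sources"].append((rule["name"], src))
    return report

def findings(report):
    """No rule on a management port locks you out; an untrusted source exposes it."""
    lines = []
    for port, info in sorted(report.items()):
        if not info["opened_by"]:
            lines.append(f"port {port}: no ingress rule, you will lock yourself out")
        for name, src in info["untrusted_sources"]:
            lines.append(f"port {port}: rule {name} admits {src}, restrict it to your own address")
    return lines
```

To run it against a real project, replace SAMPLE_RULES with `json.load()` of the gcloud output and put your own address in the trusted list, e.g. `findings(audit_management_ports(rules, {64295}, ["203.0.113.0/24"]))`.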