T-Pot Honeypot Framework Installation

The T-Pot honeypot system is a multiuse honeypot framework deploying a range of protocol specific docker containers emulating common exploitable services. The T-Pot framework gathers all the logs from each container and centralises into an elastic stack providing the administrator a front-end view of all attacks against each service. Samples of malware are also captured providing the ability to further analyse the attacks. The T-Pot framework architecture can be illustrated as per below.

Figure 1 – T-Pot Framework

T-Pot framework can be found at: https://github.com/dtag-dev-sec/tpotce . This guide provides a step by step guide to create a virtual machine on the Google Cloud Platform and install a standard edition of the T-Pot Framework. If you are a new user to GCP you can sign up at: https://cloud.google.com/ , GCP currently offer $300 worth of credit to use within a year free during registration.

Virtual Machine Provisioning

Once signed into GCP create a new project, this project container will be used to store the virtual machine and firewall rules into.

Figure 2 – Creating a project name

Once the project container has been created navigate to Compute -> Compute Engine -> VM Instances and click “Create” to start to build a virtual machine.

Figure 3 – Virtual Machine creation path

To cater for most installations this guide will select the standard installation and following the recommended system requirements of:

  • 128 GB Storage
  • 8 GB RAM

Creating a virtual machine in GCP is simple, select to use the standard template “N1-standard-2” to provision roughly the amount of processing power to host the T-Pot framework. A change to the default disk space of 10Gb to 128GB and select Debian 10 as the boot image completes the provision of the virtual machine. Press “Create” to complete the process.

Figure 4 – Virtual Machine provision

Once created the virtual machine will be built by GCP and appear in the VM instances section. Here the zone and external IP address are displayed along with the health status of the virtual machine.

Figure 5 – Newly created Virtual Machine

Before connecting to the new virtual machine, a firewall rule will need to be opened to allow for all the honeypot ports to be accessible from the internet. Navigate to Networking -> VPC Network -> Firewall rules.

Figure 6 – Firewall rule path

Click “Create Firewall Rule”, provide a name and allow all IP addresses to come in. Its up to the reader if they want to lock down on the certain ports but for demonstration, I will allow all ports inbound.

Figure 7 – Firewall rule addition

Installing T-Pot Framework

Click SSH to connect to the machine. A fully functional Debian 10 virtual machine is now deployed and managed within the GCP, now for the installation of the T-Pot framework. The framework will install all our dependences automatically including docker. In order to get T-Pot a copy of the Github source code must be downloaded. As Debian is not pre packaged with git, a quick apt-get can get us the package.

Figure 8 – Git install via apt-get

Executing the download and installation commands will start the T-Pot installation off.

Figure 9 – Downloading TPOT and starting to install

Once packages have been downloaded a review of the running listening ports are displayed, as this is a new server continue by pressing “y”. Continuing presents a screen of the different setups of how to deploy T-Pot, as discussed in the introduction continue to select “standard”.

Figure 10 – T-Pot edition panel

Following the edition panel, a panel requiring a web front end username is requested.

Figure 11 – Web username panel

A password will also be required for the new web user. Ensure the password is complex as the frontend dashboard is accessible from anyone on the internet.

Figure 12 – Web user password panel

One the account has been defined the installation will continue and more packages will be installed.

Figure 13 – Continued installation

Once the packages have been installed T-Pot will start to build itself.

Figure 14 – Web user install

Following this the Docker images of the honeypots will start to be pulled and installed.

Figure 15 – Container pulling

Finally, the system will clean up and reboot.

Figure 16 – Planned clean-up and reboot

In order to remote access the server the SSH port has been moved from 22 to 64295. Once connected again via the console or SSH, check the status of the containers these are the honey pots.

Figure 17 – Docker Images

Configuration changes to the honeypots can be changed at the folder: /opt/tpot/docker . However, for demonstration I will not be changing them. All malware samples and logs are stored within /data/ within their respective honeypot.

Accessing the T-Pot Honeypot Framework

Now the honeypots are set up, lets look at the front-end portal. This can be found at https://<external IP address>:64297 . Log in with the Webtsec account created during the setup.

Figure 18 – Front-end dashboard

By selecting “dashboard” on the menu, global view dashboards and honeypot specific dashboards can be viewed. New dashboards can also be created here.

Figure 19 – default dashboards

The “T-Pot” dashboard contains information grouping all the attacks into different views such as port number or country. This Dashboard can also be used to track common usernames and passwords used in brute forces.

Figure 20 – T-Pot dashboard

T-Pot also packages a web GUI driven management console, this can used to manage the Virtual server and the docker images. To access this page first create an account on the virtual machine and then navigate to https://<external IP address>:64294 and log in.

Figure 21 – Virtual machine management

Closing Thoughts

The T-Pot framework provides a excellent single package to start to monitor real life attacks in real time on a range of different services. The front end dashboards provide a great correlated and structured method of seeking patterns within the attacks and build visually and powerful views of the front line of the internet.
Reach out to me via twitter @PR3R00T for any feedback or questions