Deploy T-Pot Honeypot to EC2 Using Terraform


PLChinDev/tpot-terraform

 
 


T-Pot Terraform

T-Pot is a multi-honeypot platform that runs on Ubuntu.

This repository contains Terraform and cloud-init configuration that lets you quickly provision a T-Pot instance on Amazon EC2. The configuration can be extended to support other providers such as Google Compute Engine or DigitalOcean if desired.

Credit: Deploying a Honeypot on AWS by Steve Gathof for the manual write-up.

What is T-Pot?

T-Pot is a multi-honeypot platform that runs on Ubuntu and includes dockerized versions of the following honeypots:

Required Configuration Changes

Terraform Variables

In ec2/variables.tf, change the following variables to correspond to your existing EC2 infrastructure:

  • admin_ip - source IP address(es) that you will use to administer the system. Connections to ports 64294, 64295 and 64297 will be allowed from this IP only. Multiple IPs or CIDR blocks can be specified in the format: ["127.0.0.1/32", "192.168.0.0/24"]
  • ec2_vpc_id
  • ec2_subnet_id
  • ec2_region
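
The restriction described for admin_ip can be expressed as follows. This is an added example, not the contents of this repository's ec2 directory: the resource name, the validation rule and the honeypot port range are assumptions, and the syntax targets Terraform 0.14 or later rather than the older release shown in the output further down.

```hcl
# Added example. Only the variable names and the three admin ports come from
# the README; everything else is illustrative.
variable "ec2_vpc_id" {
  type = string
}

variable "admin_ip" {
  description = "Source CIDR blocks allowed to reach the T-Pot admin ports"
  type        = list(string)

  validation {
    # Fail the plan if an entry is not valid CIDR or opens the admin ports to everyone.
    condition = alltrue([
      for cidr in var.admin_ip : can(cidrhost(cidr, 0)) && cidr != "0.0.0.0/0"
    ])
    error_message = "The admin_ip list must contain valid CIDR blocks and must not include 0.0.0.0/0."
  }
}

locals {
  # Admin ports named in the README (64295 is the real SSH server, 64297 the web UI).
  admin_ports = [64294, 64295, 64297]
}

resource "aws_security_group" "tpot_example" {
  name   = "tpot-example" # hypothetical name
  vpc_id = var.ec2_vpc_id

  # One ingress rule per admin port, reachable from admin_ip only.
  dynamic "ingress" {
    for_each = local.admin_ports
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = var.admin_ip
    }
  }

  # Honeypot listeners, open to the internet. The 0-64000 range is an assumption;
  # the README only states that port 22 serves the honeypot after the final reboot.
  ingress {
    from_port   = 0
    to_port     = 64000
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

After applying, review the security group in the EC2 console and confirm that no rule covering 64294, 64295 or 64297 lists a source outside admin_ip.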

Admin Credentials

In tpot.conf, change the following variables:

myCONF_WEB_USER='webuser'
myCONF_WEB_PW='w3b$ecret'

These values are used to configure the credentials for the T-Pot Kibana interface. Refer to Options for more information.

Initialising

The terraform init command is used to initialize a working directory containing Terraform configuration files.

$ cd ec2
$ terraform init

Initializing provider plugins...
- Checking for available provider plugins on https://releases.hashicorp.com...
- Downloading plugin for provider "aws" (1.26.0)...

The following providers do not have any version constraints in configuration,
so the latest version was installed.

To prevent automatic upgrades to new major versions that may contain breaking
changes, it is recommended to add version = "..." constraints to the
corresponding provider blocks in configuration, with the constraint strings
suggested below.

* provider.aws: version = "~> 1.26"

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Applying the Configuration

The terraform apply command is used to apply the changes required to reach the desired state of the configuration, or the pre-determined set of actions generated by a terraform plan execution plan.

$ terraform apply

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  + aws_instance.tpot
      ...
      ...

  + aws_security_group.tpot
      ...
      ...

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value:

This will perform the following actions:

  1. Create EC2 security group
  2. Start an Ubuntu instance
  3. Update all packages and reboot if necessary
  4. Install T-Pot and required dependencies
  5. Reboot

Connecting to the Instance

SSH

Prior to the final reboot, you can temporarily SSH to the instance on the standard port 22. Following the reboot, port 22 is used by the honeypot, and the real SSH server listens on port 64295.

Browser

https://www.example.com:64297/

Replace www.example.com with the FQDN of your EC2 instance. Refer to the T-Pot documentation for further details.
