Preparation is key in most industries, but for cybersecurity it is a must. Understanding your threats so you can stay one step ahead of your adversaries is important for progressing in this industry. An efficient way of gaining this information is by setting up a honeypot. Honeypots are designed to lure attackers and gather valuable information about their tactics. To gain information about a diverse variety of vulnerabilities (SSH, malware, Telnet, etc.) I will be deploying T-Pot, a multi-honeypot system.
- A virtual machine or physical server with a fresh installation of Debian 11
- PuTTY
- At least 4 GB of RAM, 128 GB of storage, and a stable internet connection.
- Basic knowledge of Linux command-line operations
T-Pot is resource intensive due to the multiple honeypots and the Elastic Stack (Elasticsearch, Kibana, etc.) that collects and analyses their logs. For this I chose 16 GiB of RAM with 4 vCPUs. This configuration runs at £0.15 an hour, which can accumulate to £109.23 a month, so be aware of costs.
Under the Networking settings for your virtual machine, add an inbound rule that covers all possible ports. Inbound rules control traffic entering ports, and opening them all makes it easier to attract attackers. Next, we'll configure the VM's boot process. First, download PuTTY, a free SSH client. Open PuTTY Key Generator and load your private key; this gives you the public-private key pair used for secure authentication. Then launch PuTTY Configuration. Navigate to Connection > SSH > Auth, then browse to and select your newly generated private key file. This allows you to use key-based authentication, which is more secure than password-based login. Finally, click "Open" to establish a secure connection to your VM.
You can run some basic commands to update your system and then install Git, which is used to fetch T-Pot onto your virtual machine. You can visit the T-Pot repository if you want to learn more about which Docker images are installed, the system requirements, and so on. The commands are below:
sudo apt update
sudo apt upgrade -y
sudo apt install git
sudo git clone https://github.com/telekom-security/tpotce
cd tpotce/iso/installer/
sudo ./install.sh --type=user
The installation script will guide you through the process, including setting up a password for the web interface and choosing honeypot services.
Once T-Pot is installed, it’s important to verify that all services are running smoothly:
sudo apt update && sudo apt upgrade -y
sudo docker-compose pull
sudo systemctl restart tpot
Whilst checking the status of my T-Pot I came across an error.
Jun 22 19:07:16 HoneyPot docker[248837]: tpotinit |
Jun 22 19:07:16 HoneyPot docker[248837]: tpotinit | # Error: WEB_USER is not set
The web user should be set up during the installation, but if that fails you can manually set a username and password and log in to access the web interface. This involves editing the environment file. Below is the command:
sudo nano ~/tpotce/docker/.env
The file should look like this:
# Set Web usernames and passwords here. This section will be used to create / update the Nginx password file nginxpasswd.
# <empty>: This is the default
# <base64 encoded htpasswd usernames / passwords>:
# Use 'htpasswd -n -b "username" "password" | base64 -w0' to create the WEB_USER if you want to manually deploy T-Pot, run 'install.sh' to automatically add a user during installation, or 'genuser.sh' if you just want to add a web user.
# Example: 'htpasswd -n -b "tsec" "tsec" | base64 -w0' will print dHNlYzokYXByMSRYUnE2SC5rbiRVRjZQM1VVQmJVNWJUQmNmSGRuUFQxCgo=
# Copy the string and replace WEB_USER=dHNlYzokYXByMSRYUnE2SC5rbiRVRjZQM1VVQmJVNWJUQmNmSGRuUFQxCgo=
# Multiple users are possible:
# WEB_USER=dHNlYzokYXByMSRYUnE2SC5rbiRVRjZQM1VVQmJVNWJUQmNmSGRuUFQxCgo= dHNlYzokYXByMSR6VUFHVWdmOCRROXI3a09CTjFjY3lCeU1DTloyanEvCgo=
WEB_USER=
# Set Logstash Web usernames and passwords here. This section will be used to create / update the Nginx password file lswebpasswd.
# The Lostsash Web usernames are used for T-Pot log ingestion via Logstash, each sensor should have its own user.
# <empty>: This is empty by default.
# <'htpasswd encoded usernames / passwords'>:
# Use 'htpasswd -n -b "username" "password" | base64 -w0' to create the LS_WEB_USER if you want to manually deploy the sensor.
# Example: 'htpasswd -n -b "sensor" "sensor" | base64 -w0' will print c2Vuc29yOiRhcHIxJGVpMHdzUmdYJHNyWHF4UG53ZzZqWUc3aEFaUWxrWDEKCg==
# Copy the string and replace / add LS_WEB_USER=c2Vuc29yOiRhcHIxJGVpMHdzUmdYJHNyWHF4UG53ZzZqWUc3aEFaUWxrWDEKCg==
# Multiple users are possible:
# LS_WEB_USER=c2Vuc29yMTokYXByMSQ5aXhNRk5yMCR6d3F2dGFwQ2x0cFBhU1pqMm9ZemYxCgo= c2Vuc29yMjokYXByMSRtYTlOS1J2NCQvU3dsVVBMeW5RaVIyM3pyWVAzOUkwCgo=
LS_WEB_USER=
After following the instructions you should be able to access the web interface.
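To make the WEB_USER format concrete, here is an added example (my own code, not T-Pot's) that builds, decodes and verifies a WEB_USER value without needing the apache2-utils package. It re-implements the APR1 (Apache MD5-crypt) hash that htpasswd writes, so it can check the "tsec"/"tsec" example quoted in the .env comments above. The security point it makes explicit: the base64 layer is only encoding, so anyone who can read .env can recover the username and the password hash; the only secret is the password behind the APR1 hash, which is why a strong web password matters.

```python
"""
Added example, not part of T-Pot: build, decode and verify the WEB_USER value
that T-Pot's .env expects (base64 over an htpasswd line "user:$apr1$salt$hash").
The APR1 algorithm below follows Apache's apr_md5.c so the output matches
`htpasswd -n -b user password`.
"""
import base64
import hashlib
import secrets
from typing import List, Optional, Tuple

MAGIC = b"$apr1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# The example value quoted in T-Pot's .env comments (user "tsec", password "tsec").
PAGE_EXAMPLE = "dHNlYzokYXByMSRYUnE2SC5rbiRVRjZQM1VVQmJVNWJUQmNmSGRuUFQxCgo="


def _to64(value: int, count: int) -> bytes:
    """md5-crypt's custom base-64: emit `count` chars, low 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_md5(password: str, salt: str) -> str:
    """Return '$apr1$<salt>$<hash>' exactly as htpasswd's MD5 mode produces it."""
    pw = password.encode()
    sp = salt[:8].encode()  # APR1 uses at most 8 salt characters

    ctx = hashlib.md5(pw + MAGIC + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)
    while pl > 0:  # feed len(pw) bytes of the alternate digest
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:  # one byte per bit of len(pw): NUL for 1-bits, pw[0] for 0-bits
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):  # stretching rounds, same schedule as apr_md5.c
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    enc = b"".join([
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4),
        _to64((final[1] << 16) | (final[7] << 8) | final[13], 4),
        _to64((final[2] << 16) | (final[8] << 8) | final[14], 4),
        _to64((final[3] << 16) | (final[9] << 8) | final[15], 4),
        _to64((final[4] << 16) | (final[10] << 8) | final[5], 4),
        _to64(final[11], 2),
    ])
    return (MAGIC + sp + b"$" + enc).decode()


def make_web_user(user: str, password: str, salt: Optional[str] = None) -> str:
    """Build a WEB_USER token: base64 of 'user:$apr1$...' plus htpasswd's trailing newline."""
    if salt is None:
        salt = "".join(chr(ITOA64[secrets.randbelow(64)]) for _ in range(8))
    line = f"{user}:{apr1_md5(password, salt)}\n"
    return base64.b64encode(line.encode()).decode()


def decode_web_user(value: str) -> List[Tuple[str, str]]:
    """Decode one WEB_USER token into (user, hash) pairs; blank lines are ignored."""
    pairs = []
    for line in base64.b64decode(value).decode().splitlines():
        if line.strip():
            user, _, h = line.partition(":")
            pairs.append((user, h))
    return pairs


def verify_web_user(value: str, user: str, password: str) -> bool:
    """True if `password` matches the stored APR1 hash for `user` in the token."""
    for u, h in decode_web_user(value):
        if u != user or not h.startswith("$apr1$"):
            continue
        _, _, salt, _ = h.split("$", 3)
        return secrets.compare_digest(apr1_md5(password, salt), h)
    return False


if __name__ == "__main__":
    print(decode_web_user(PAGE_EXAMPLE))
    print(verify_web_user(PAGE_EXAMPLE, "tsec", "tsec"))
    print(make_web_user("admin", "change-me"))
```

Running it prints the decoded "tsec" entry, confirms the example password verifies, and emits a fresh token you could paste after `WEB_USER=`. Because decoding is this easy, keep the .env file readable only by root and treat the token like any other credential store.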
After running my honeypot for a week, I accessed the web interface to review the collected data. The interface provides an overview of the activities and logs recorded during this period. It includes real-time monitoring and detailed insights into various aspects of the attacks.
The attack map is a crucial feature that visualizes ongoing attacks on the honeypot. It displays real-time data on the geographical origins of the attacks, highlighting the countries from which the highest number of attacks originate. The map also differentiates the types of attacks using various colors, helping in identifying patterns and potential threats.
Below the map, there are detailed logs listing the IP addresses involved and the corresponding attack types. This section is instrumental in understanding the attack landscape and assessing the severity of each incident.
To mitigate risks, suspicious IP addresses can be reported on platforms like abuseipdb.com, which helps in notifying relevant authorities and potentially blacklisting malicious actors.
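The per-event rows under the map are what you work from before reporting anything, so here is an added example (my own code, not T-Pot's) that turns such rows into the summary a defender wants: counts by country and honeypot, plus a per-IP dossier with first/last seen, honeypots and ports touched. The event lines and their field names are constructed for this example and are not T-Pot's real index schema; the source addresses use the TEST-NET-3 documentation range and a private address as stand-ins. It also filters out private and shared address space so internal noise is never reported to a service like abuseipdb.com.

```python
"""
Added example, not part of T-Pot: aggregate honeypot events into a report-ready
summary. Event records and field names below are constructed for illustration.
"""
import ipaddress
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (one JSON object per line, plus one corrupt line).
SAMPLE_LOG = """\
{"ts": "2024-06-22T19:10:01Z", "src_ip": "203.0.113.7", "country": "CN", "honeypot": "cowrie", "dst_port": 22}
{"ts": "2024-06-22T19:10:09Z", "src_ip": "203.0.113.7", "country": "CN", "honeypot": "cowrie", "dst_port": 22}
{"ts": "2024-06-22T19:11:30Z", "src_ip": "203.0.113.7", "country": "CN", "honeypot": "cowrie", "dst_port": 23}
{"ts": "2024-06-22T20:02:14Z", "src_ip": "203.0.113.7", "country": "CN", "honeypot": "dionaea", "dst_port": 445}
{"ts": "2024-06-22T20:05:00Z", "src_ip": "203.0.113.7", "country": "CN", "honeypot": "dionaea", "dst_port": 445}
{"ts": "2024-06-22T21:00:00Z", "src_ip": "203.0.113.42", "country": "RU", "honeypot": "heralding", "dst_port": 3389}
{"ts": "2024-06-22T21:00:05Z", "src_ip": "203.0.113.42", "country": "RU", "honeypot": "heralding", "dst_port": 3389}
{"ts": "2024-06-22T21:30:00Z", "src_ip": "10.0.0.5", "country": "", "honeypot": "cowrie", "dst_port": 22}
{"ts": "2024-06-22T21:30:01Z", "src_ip": "10.0.0.5", "country": "", "honeypot": "cowrie", "dst_port": 22}
{"ts": "2024-06-22T21:30:02Z", "src_ip": "10.0.0.5", "country": "", "honeypot": "cowrie", "dst_port": 22}
{"ts": "2024-06-22T21:30:03Z", "src_ip": "10.0.0.5", "country": "", "honeypot": "cowrie", "dst_port": 22}
{"ts": "2024-06-22T21:30:04Z", "src_ip": "10.0.0.5", "country": "", "honeypot": "cowrie", "dst_port": 22}
this line is not JSON and must be skipped rather than crash the report
"""

# Address space that must never be reported: it is either internal or shared.
NON_REPORTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]


def parse_events(text):
    """Parse JSON-lines events; returns (events, number_of_bad_lines)."""
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            ipaddress.ip_address(ev["src_ip"])  # reject garbage addresses early
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            bad += 1
    return events, bad


def is_reportable(ip):
    """False for addresses in NON_REPORTABLE (your own network, shared space)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_REPORTABLE)


def summarise(events):
    """Counts by country and by honeypot, the two views the attack map gives."""
    return {
        "by_country": Counter(e["country"] or "unknown" for e in events),
        "by_honeypot": Counter(e["honeypot"] for e in events),
    }


def report_candidates(events, min_events=3):
    """Per-IP dossiers for reportable sources with at least `min_events` hits, busiest first."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["src_ip"]].append(e)
    out = []
    for ip, evs in per_ip.items():
        if len(evs) < min_events or not is_reportable(ip):
            continue
        out.append({
            "ip": ip,
            "events": len(evs),
            "honeypots": sorted({e["honeypot"] for e in evs}),
            "ports": sorted({e["dst_port"] for e in evs}),
            "first_seen": min(e["ts"] for e in evs).isoformat(),
            "last_seen": max(e["ts"] for e in evs).isoformat(),
        })
    out.sort(key=lambda r: r["events"], reverse=True)
    return out


if __name__ == "__main__":
    evs, bad = parse_events(SAMPLE_LOG)
    print(f"{len(evs)} events parsed, {bad} bad line(s) skipped")
    print(summarise(evs))
    for row in report_candidates(evs):
        print(row)
```

With the sample data only 203.0.113.7 survives the threshold and the address filter: 10.0.0.5 has more hits but is private, so it is excluded, and 203.0.113.42 falls below three events. The dossier (ports, honeypots, first and last seen) is the evidence you would attach to a report, and the threshold keeps one-off scans from generating noise.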
ElasticVue provides comprehensive metrics on the cluster hosting the honeypot. It includes information such as RAM usage and disk space utilization, which are critical for maintaining optimal performance and avoiding resource bottlenecks.
The tool also offers insights into system health, including the status of various nodes and indices. On the shards page, users can observe data distribution and storage efficiency, crucial for understanding how the system handles and processes the captured logs.
Kibana is a powerful tool used to visualize and analyze the data collected by the honeypot. It simplifies complex datasets into understandable charts and graphs, making it easier to identify trends and anomalies. Kibana supports a variety of data visualizations, including time-series analysis, heat maps, and pie charts, each serving different analytical needs.
The visualizations help in quickly pinpointing attack peaks, unusual activity patterns, and the overall volume of traffic hitting the honeypot. This level of analysis is essential for making informed decisions about security measures and response strategies.
Spiderfoot is used to gather more detailed information about specific IP addresses. It can identify the ISPs, domains associated with these IPs, and whether the IPs have been reported for malicious activities. This tool provides a comprehensive view of potential threats and helps in profiling the attackers.
By using Spiderfoot, one can enrich the data collected from the honeypot, adding context to the raw IP information. This enriched data is invaluable for understanding the nature of the attacks and for developing targeted mitigation strategies.
In this project, I set up a T-Pot honeypot in Microsoft Azure to gain insights into potential threats and attack patterns. By integrating tools like Kibana, ElasticVue, and Spiderfoot, I could effectively monitor and analyze the collected data. The attack map provided real-time visualization of attack origins, while Kibana offered detailed metrics and trends analysis. ElasticVue ensured optimal performance monitoring of the honeypot system.
To assess the impact of this setup, I observed the honeypot over a week, gathering valuable data on attack frequencies, types, and origins. Spiderfoot provided detailed information on malicious IP addresses, aiding in threat profiling. Reporting these IPs to services like abuseipdb.com further contributed to broader cybersecurity efforts.
The data gathered highlighted current threats and helped refine security strategies. It's important to note that while this honeypot setup provides valuable insights, the volume of security events can be influenced by factors such as network usage patterns and the honeypot's visibility to potential attackers.
In summary, this project demonstrates the effective use of a multi-honeypot system integrated with robust analysis tools to enhance threat detection and understanding. As a cybersecurity analyst, I recognize the importance of continuous monitoring and contextual analysis of security events. This approach allows for accurate threat identification and helps in developing and optimizing incident response strategies to combat evolving cyber threats.
The server I chose for this project was based in the eastern US, and I expected the threat actors to be Chinese and Russian. Implementing multiple honeypots across different geographical locations would provide a broader view of attack patterns but would increase operational and infrastructure costs due to additional cloud resources.
Since the honeypot's RAM usage was at its maximum and its logs filled nearly half of my VM's disk, expanding storage capacity for long-term data retention would enable historical trend analysis, but would also increase storage costs and require more powerful data processing capabilities.
Developing automated systems that respond to threats in real time could reduce the response time to incidents. This would involve additional development work and could raise the costs due to the need for more sophisticated software and hardware.
Continuously updating the honeypot to counteract new vulnerabilities and evolving attack techniques would be essential for maintaining its effectiveness. This would incur ongoing costs related to personnel time and software updates.
By investing in these improvements, the honeypot system could provide more comprehensive threat intelligence and more effectively support cybersecurity defenses, though at the cost of increased financial and resource commitments.