What is T-Pot?
T-Pot is a collection of dockerized versions of 18 honeypots (in T-Pot version 20.06) in combination with some powerful tools like the ELK stack for beautiful visualisation of all events captured by T-Pot.
Why is it of interest?
T-Pot is an easy way to collect all kinds of information about ongoing cybersecurity threats without the hassle of setting up a large number of different systems on your own. The honeypots pretend to be vulnerable servers and, by doing so, invite automated attacks as well as manual hacking attempts.
You can use the collected data to learn more about common attack vectors and upcoming threats by analyzing it with Kibana or going through the log files.
How to set it up?
I decided to launch my T-Pot instance in the AWS cloud to learn more about AWS and its opportunities in general. An additional advantage is a relatively secure setup that does not risk too much of our own infrastructure: we can simply pull the plug on the system if something bad happens, without losing anything of value.
During this project I enjoyed the fact that AWS simply allows us to create and destroy instances with just a couple of clicks. That is a big time saver. But you could set T-Pot up wherever you want, for example on DigitalOcean or inside the Google Cloud Platform.
What you need
- AWS account
- a working internet connection
- SSH client on Linux or macOS, or something like PuTTY on Windows
- some Linux command line skills
- basic networking knowledge
Creating the EC2 Instance
We need to choose an AWS region where our instance will be located. I decided on Europe (Frankfurt) because I live in Germany and am therefore interested in the current threats attacking Europe.
You will collect different data depending on the region you choose. You could also decide to launch different instances of T-Pot in different regions, after collecting some initial data.
Inside the AWS Management Console enter „EC2” into the search field and navigate to the EC2 service by clicking on the first hit.
Now click on the orange „Launch instance” button.
T-Pot's installer expects a specific Debian release, so we need to choose the correct Amazon Machine Image (AMI). For the release used here, type „debian 9 stretch” into the search box and select the item shown in this image. If you install a newer T-Pot, check its README for the Debian version it expects before picking the AMI; the installer checks the release and will not proceed on a different one.
You could go with the default t2.micro instance type in the next step, but the T-Pot web interface won't be much fun on it later. According to the T-Pot developers it needs at least 8 GB of RAM to run ELK smoothly and 128 GB of disk to collect enough data. So I decided to use a t2.large instance (2 vCPUs, 8 GB RAM), and this seems to work fine.
This setup will generate costs over time, so keep an eye on it in the AWS Cost Explorer!
We will go with the default settings in step 3.
As described above I use 128 GB of disk storage, but you could also go with less if you plan to keep a smaller amount of data.
The next step is crucial for the basic security of your system. By default port 22 (SSH) is open to inbound connections from any source. You don't want to invite attackers to brute-force SSH logins, so change the source field to „My IP”. Keep in mind that „My IP” is just your current public address: if it changes (a new lease from your ISP, or a VPN), you will have to update the rule before you can connect again.
We will change this later, but for now this setting is okay.
Now you are ready to click the blue „Review and launch” button.
You can create a new public and private key pair in step 7. This is necessary to log into your new machine.
So choose „Create a new key pair” in the dialog and save the file in a secure place.
Don't share this key file with anyone: it is the entry key to your AWS instance, and you don't want anyone doing malicious things with your account and your money.
After creating and launching your new EC2 instance, you are able to use the EC2 dashboard within the AWS management console to edit its configuration and state.
You need the public IP address to connect to the machine and can find this information from the instance details.
Use the dropdown menu on the left to start, stop, reboot or terminate (= destroy) an instance.
Now you are ready to connect to your new Linux machine!
Setting up T-Pot
Open your terminal and navigate to the folder that contains the private key file you downloaded during the instance configuration.
First we remove all permissions from the key file except read permission for our own user; ssh refuses to use a private key that other users can read.
chmod 400 aws-key.pem
Now we can use the key file to connect to our EC2 instance with ssh. The default username for this Debian image is admin. (Replace the placeholder with the public IP address of your instance.)
ssh -i aws-key.pem admin@<your EC2 instance public IP>
It's good practice to run a system update after installing Debian to benefit from the latest updates and security patches.
sudo apt update
sudo apt upgrade -y
We need to install the git version control system and will pull the latest T-Pot version afterwards.
sudo apt install git -y
git clone https://github.com/dtag-dev-sec/tpotce
It's time to change into the installer directory of the cloned repository and run the auto installer script.
cd tpotce/iso/installer/
sudo ./install.sh --type=user
It will take a while until the system has downloaded all necessary files and gone through all the steps of the setup. After all that magic the system will reboot automatically. This also takes some time, so be patient.
Connecting to T-Pot
During the setup the auto installer changed many things on the system to make it way more attractive for potential attackers. One thing that has changed is the way to log in: you can no longer use port 22 to connect via SSH, so you need to change the network security rule inside the AWS management console.
Navigate to the „Security” tab and click on the existing security group to edit it.
We will use port 64297 to connect via HTTPS and port 64295 to connect with SSH (add -p 64295 to your ssh command). So delete the existing rule for port 22 and add the following two rules, with your own IP address as the source by selecting „My IP”. Note that the honeypots only collect anything if attackers can reach them: after the install, port 22 and the other honeypot ports listed in the T-Pot README need inbound rules from anywhere (0.0.0.0/0), while 64295 and 64297 must stay limited to your own address, otherwise you hand the dashboard to the same people you are trying to observe.
From now on you are able to connect to the dashboard by visiting https://<your EC2 instance public IP>:64297 (your browser will warn about the self-signed certificate T-Pot generated during the installation; that is expected for this setup).
Log in with the username and password you have chosen during the setup routine.
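To check that the security group ended up the way this section describes, here is an added example (my own script, not code from the original post or from the T-Pot project). It audits the JSON that `aws ec2 describe-security-groups` returns and flags the two mistakes that matter for a honeypot host: the management ports 64295 and 64297 reachable from more than one address, and no rule letting the world reach the honeypot side. The three sample groups in the script are constructed, not captured from AWS; the 1-64000 range in the last one stands in for the honeypot port range, which you should take from the README of the T-Pot release you install.

```python
"""Audit an EC2 security group for a T-Pot host.

Added example for this post, not code from the post or from T-Pot.
Input is the structure returned by `aws ec2 describe-security-groups`
(IpPermissions / IpRanges / CidrIp). The sample groups are constructed.
"""
import ipaddress
import json
import sys

TPOT_SSH_PORT = 64295    # sshd after the install (from the post)
TPOT_WEB_PORT = 64297    # HTTPS dashboard (from the post)
MGMT_PORTS = (TPOT_SSH_PORT, TPOT_WEB_PORT)
HONEYPOT_SSH_PORT = 22   # freed by the installer for the SSH honeypot
WORLD = {"0.0.0.0/0", "::/0"}


def rule_cidrs(perm):
    """All source CIDRs (IPv4 and IPv6) of one IpPermissions entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def rule_covers_tcp(perm, port):
    """True if the entry admits TCP traffic to `port`."""
    proto = perm["IpProtocol"]
    if proto == "-1":                 # "All traffic" in the console
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_tpot_security_group(group):
    """Return a list of findings; an empty list means the group looks right."""
    findings = []
    honeypot_reachable = False
    for perm in group.get("IpPermissions", []):
        for cidr in rule_cidrs(perm):
            net = ipaddress.ip_network(cidr, strict=False)
            single_host = net.prefixlen == net.max_prefixlen
            # Management ports must only be reachable from one address.
            for port in MGMT_PORTS:
                if rule_covers_tcp(perm, port) and not single_host:
                    findings.append(
                        f"management port {port} reachable from {cidr}; "
                        "restrict it to your own address (a /32)")
            # The honeypots are useless unless the world can reach them.
            if cidr in WORLD and rule_covers_tcp(perm, HONEYPOT_SSH_PORT):
                honeypot_reachable = True
    if not honeypot_reachable:
        findings.append(
            "no rule lets the world reach port 22: the SSH honeypot "
            "(and the other honeypot ports) will never see an attacker")
    return findings


# Constructed sample: the group right after launching the instance in the
# console, port 22 restricted to "My IP" and nothing else.
LAUNCH_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}]},
    ],
}

# Constructed sample: the tempting shortcut after the install, "All traffic"
# from anywhere. The honeypots work, but so does the dashboard, for everyone.
WIDE_OPEN_GROUP = {
    "GroupId": "sg-0123456789abcdef1",
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed sample: management ports from one address only, honeypot
# range (1-64000 assumed here; take the real list from the T-Pot README)
# from anywhere.
TPOT_GROUP = {
    "GroupId": "sg-0123456789abcdef2",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 64295, "ToPort": 64295,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}]},
        {"IpProtocol": "tcp", "FromPort": 64297, "ToPort": 64297,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}]},
        {"IpProtocol": "tcp", "FromPort": 1, "ToPort": 64000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 1, "ToPort": 64000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


if __name__ == "__main__":
    # Usage: aws ec2 describe-security-groups --group-ids sg-... | python3 audit_sg.py
    data = json.load(sys.stdin)
    for sg in data["SecurityGroups"]:
        for line in audit_tpot_security_group(sg) or ["looks right"]:
            print(sg["GroupId"], line)
```

Run it against the real group after each change to the rules: `LAUNCH_GROUP` produces the "honeypot unreachable" finding, `WIDE_OPEN_GROUP` reports both management ports, and only `TPOT_GROUP` comes back clean. The check for a /32 (or /128) source is deliberately strict; a wider prefix means the dashboard is reachable from addresses you do not control.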
I will provide some interesting findings and ways to analyze the collected data in a future post. So stay tuned and have fun with your new tool.
Originally published at https://www.andreaswienes.de.