Project - Honey Pot
Now that I have my OVH test environment, I decided to download and install a Honey Pot. I did this because I was curious how quickly an IP is crawled and attacked, and how many attacks it receives. Even before starting in my security role, I obviously knew services were attacked, but I had no idea of the scale, nor did I know how quickly scanners/attackers begin!
I am using https://github.com/telekom-security/tpotce as my Honey Pot, aka T-Pot. I purchased some additional IPs from OVH and then set up a ‘dirty’ network to ensure it was entirely segregated from my normal demo/testing environment.
Setting up T-Pot was pretty easy, although setting up the NAT rules did take a while as there are a lot of ports which need to be open! To speed up the process, the quickest way I found was to use Port Aliases, which let me create a group of ports that could then be used within NAT.
I then moved on to the NAT/Port Forwards. See below for some of the port forwards; you can see the port alias as the blue hyperlinked text.
Once that was done, I created the firewall rules. As this is a test environment, I decided to allow anything on ports 1 - 64289 (excluding management ports) and then used NAT to only forward the ports which are needed. I found this was the fastest approach.
That’s the networking side done. T-Pot itself was set up using the ISO from the GitHub page. It really did not take long and only required input from me for small things such as usernames and passwords.
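The same three-step idea (a port alias, a wide allow rule with management ports carved out, and NAT that only forwards the alias) written out as code, so the exclusions can actually be checked rather than eyeballed in a GUI. This is an added example, not the author's firewall configuration and not part of T-Pot; it renders nftables text for a hypothetical Linux gateway instead of the GUI firewall used in the post. The port list is a constructed sample, and every address, interface name and the management port numbers are assumptions (64295/64297 are T-Pot's default SSH and web UI ports in recent releases; verify against your own install).

```python
"""Build a honeypot port alias and the matching NAT/filter rules for a segregated honeypot.

Added example, not T-Pot code or the author's firewall config. All addresses,
interface names and port numbers below are assumed for illustration.
"""

# Constructed alias: a sample of TCP ports T-Pot honeypots commonly listen on.
# Not the full list; take the real set from your T-Pot release's docker-compose.
HONEYPOT_TCP_PORTS = {21, 22, 23, 25, 80, 110, 143, 443, 445, 1433, 3306, 3389, 5900, 8080}

# Management ports that must never be reachable from the dirty side.
# Assumed: T-Pot's default SSH (64295) and web UI (64297); verify on your install.
MANAGEMENT_PORTS = {64295, 64297}

LAB_NET = "10.10.0.0/16"    # assumed: the normal demo/testing network
HONEYPOT_IP = "10.66.0.10"  # assumed: T-Pot VM on the dirty network
WAN_IF = "eth0"             # assumed: interface holding the purchased OVH IPs


def exclude_ports(low: int, high: int, excluded: set[int]) -> list[tuple[int, int]]:
    """Split the inclusive range low..high into sub-ranges that skip `excluded`.

    This is the "ports 1-64289 excluding management ports" rule from the post,
    expressed so the carve-out is explicit instead of relying on rule ordering.
    """
    if low > high:
        raise ValueError("empty range")
    ranges: list[tuple[int, int]] = []
    start = low
    for port in sorted(p for p in excluded if low <= p <= high):
        if port > start:
            ranges.append((start, port - 1))
        start = port + 1
    if start <= high:
        ranges.append((start, high))
    return ranges


def forwarded_ports(alias: set[int], management: set[int]) -> list[int]:
    """Return the alias sorted, refusing any alias that would DNAT a management port."""
    overlap = alias & management
    if overlap:
        raise ValueError(f"alias would forward management ports: {sorted(overlap)}")
    bad = sorted(p for p in alias if not 1 <= p <= 65535)
    if bad:
        raise ValueError(f"invalid port numbers: {bad}")
    return sorted(alias)


def alias_is_safe(alias: set[int], management: set[int]) -> bool:
    """True if the alias can be forwarded without exposing a management port."""
    try:
        forwarded_ports(alias, management)
    except ValueError:
        return False
    return True


def render_nft_rules(alias: set[int], management: set[int], low: int = 1, high: int = 64289) -> str:
    """Render the alias as an nftables set plus the DNAT and forward rules that use it."""
    ports = forwarded_ports(alias, management)
    ranges = exclude_ports(low, high, management)
    elements = ", ".join(str(p) for p in ports)
    accept_set = ", ".join(f"{a}-{b}" if a != b else str(a) for a, b in ranges)
    return f"""table inet honeypot {{
    set honeypot_ports {{
        type inet_service
        elements = {{ {elements} }}
    }}
    chain prerouting {{
        type nat hook prerouting priority dstnat;
        # The port alias in use: only these ports are forwarded to the honeypot.
        iifname "{WAN_IF}" tcp dport @honeypot_ports dnat ip to {HONEYPOT_IP}
    }}
    chain forward {{
        type filter hook forward priority filter; policy drop;
        # The dirty network must never reach the lab network.
        ip saddr {HONEYPOT_IP} ip daddr {LAB_NET} drop
        # Wide allow towards the honeypot, with management ports carved out.
        iifname "{WAN_IF}" ip daddr {HONEYPOT_IP} tcp dport {{ {accept_set} }} accept
        ct state established,related accept
    }}
}}
"""


if __name__ == "__main__":
    print(render_nft_rules(HONEYPOT_TCP_PORTS, MANAGEMENT_PORTS))
```

The forward chain drops honeypot-to-lab traffic before the generic established/related accept, so a compromised honeypot container cannot ride an existing state entry into the clean side. UDP honeypots need a second set and rule of the same shape; they are left out here to keep the example short.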
I assigned it 2 vCPUs, 8GB RAM and 200GB of disk (I had to change all of this as soon as the attacks started ramping up!).
Once it was installed, I was greeted by a pretty cool ‘Welcome Screen’, which looks like this:
The first thing I did was check out the attack map.
The attack map is designed to show you all of the current attacks, including the source IP, service, location and honeypot, as seen below:
It is pretty cool seeing all of the attacks as they’re happening!
Next I browsed to Kibana, a data visualisation tool which has a bunch of useful dashboards and uses Elasticvue as the GUI. Below are a handful of the available dashboards.
Although all of the dashboards are useful, T-Pot and T-Pot Live Attack Map are my most used, as they contain the information I believe to be most valuable. They both give a good overview rather than a deep dive into each individual honeypot.
The T-Pot dashboard looks like the following:
The above T-Pot view is my favourite; however, I use the Live Attack Map as a quick view to see how many attacks are happening.
It has now been set up for almost 2 weeks. Within that time, it has been attacked 4,397,067 times!!!
It collects around 6GB of logs each day, and I’ve had to increase the resources on it as it was being obliterated.