Lately, I have been working on one of the more fun hobby projects I have taken on. Since I spend a lot of my day thinking about and managing information security processes and tools, I thought going through the exercise of setting up my own honeypot on the Internet would be a great learning experience. Of course, I didn't want just one honeypot; I wanted a distributed set of honeypots around the world so that I could get solid threat coverage. Luckily, there is a perfect tool for this: T-Pot.
T-Pot is a complete suite of honeypot tools created by Deutsche Telekom Security and distributed to the community via their GitHub repository for the "tpotce" project. The project bundles the various honeypots, log analysis tools, visualization tools, and management tools into a set of easy-to-deploy Docker containers that can be installed with one command. You can run the honeypot either as a standalone monolithic install or deploy the honeypot sensors separately from the reporting and analysis components. For my deployment, I chose the latter so that I could spread out my honeypot coverage and have one central reporting facility.
For my setup, I wanted broad geographical coverage, but I didn't want to break the bank by deploying dozens of sensors all over the place. To accomplish this, I figured one sensor in Asia, one in the US, and one in the EU would be sufficient. Therefore, I picked cloud data centers in St. Louis, Dusseldorf, and Singapore.
VPS Technical Details
Hive Sensors (the honeypots)
- 4 vCPUs
- 8 GB of RAM
- 200 GB SSD
- 32 TB bandwidth/month
Hive Central Reporting
- 8 vCPUs
- 400 GB SSD
- 32 TB bandwidth/month
The Setup Process
The first step is to provision the VPS for the Hive central reporting. To do this, I followed T-Pot's comprehensive setup guide located in their GitHub repository. One important note is that I didn't find their ISO installer to be particularly useful with my VPS provider, so instead I first performed a minimal install of Debian 11 and then followed the instructions for the "Post Install User Method".
The installer can take quite a while to finish so be patient. Note that you need to be logged in as the root user for this installation to succeed. There are some interactive prompts that you will need to answer as well, so don't walk away from the keyboard. When prompted for the installation type, be sure to select the "Hive" option.
Once the installation is complete, the system will automatically reboot.
I recommend enabling 2FA for your Cockpit login using the instructions found here. You don't want anyone logging into your system and causing trouble with the OS.
The setup for your hive sensors is going to be largely the same as what you did for the hive itself. You will start with a minimal Debian 11 installation and then run the scripts referenced in the Post Install User Method above. Instead of selecting the hive installation option when prompted, you will select the hive sensor option instead.
Once the installation completes and the system reboots, you need to run the deploy script referenced in the "Distributed Installation" instructions. You will need the IP address of your hive server along with the password for the tsec user to complete the deployment. Also, note that you will need to be logged in as root to run the deployment script.
Making Sure It All Works
Once you have deployed the hive and the sensors, you can run the dps.sh command as root on each of the VPS installs to make sure the docker containers are all functional.
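To tie the steps above together, here is the hive/sensor procedure and the container check written as a small shell helper. This is an added example, not code from the post or from the T-Pot project: the install and deploy commands are the ones from the T-Pot 22.04 README that the post follows (Debian 11, "Post Install User Method", /opt/tpot/bin/deploy.sh), and paths and flags changed in later T-Pot releases, so confirm them against the README for the version you install. The container names and the docker ps output used to exercise verify_containers are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the post's or T-Pot's own code. Wraps the post's procedure:
#   install  -> run the interactive T-Pot installer (answer HIVE on the reporting
#               host, HIVE_SENSOR on each honeypot host)
#   deploy   -> on a rebooted sensor, point it at the hive (prompts for the hive
#               IP and the tsec user's password)
#   verify   -> non-interactive version of what dps.sh shows: fail if an expected
#               container is missing or not "Up"
# Commands follow the T-Pot 22.04 README the post uses; later releases differ.
set -u

TPOT_REPO="https://github.com/telekom-security/tpotce"

# Both the installer and deploy.sh must be run as root (the post's caveat).
require_root() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
}

# Minimal Debian 11 ships without git; clone the repo and start the installer.
# The installer is interactive and reboots the host when it finishes.
install_tpot() {
    require_root || return 1
    apt-get update && apt-get install -y git
    git clone "$TPOT_REPO" /root/tpotce
    (cd /root/tpotce/iso/installer/ && ./install.sh --type=user)
}

# Run on a sensor after its post-install reboot to attach it to the hive.
deploy_sensor() {
    require_root || return 1
    /opt/tpot/bin/deploy.sh
}

# verify_containers "<space-separated names>" "<docker ps listing>"
# The listing is the output of: docker ps --format '{{.Names}} {{.Status}}'
# (one "name status..." line per running container). A container that has
# exited is absent from plain `docker ps`, so it is reported as MISSING;
# a restart-looping one shows up as "Restarting ..." and is reported NOT UP.
# Returns 0 only when every expected container reports "Up".
verify_containers() {
    expected="$1"; ps_output="$2"; rc=0
    for name in $expected; do
        status=$(printf '%s\n' "$ps_output" |
            awk -v n="$name" '$1 == n { $1 = ""; print substr($0, 2); exit }')
        case "$status" in
            Up*) ;;
            "")  echo "MISSING: $name" >&2; rc=1 ;;
            *)   echo "NOT UP: $name ($status)" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Usage on a host:
#   sh tpot-helper.sh install
#   sh tpot-helper.sh deploy
#   sh tpot-helper.sh verify "cowrie dionaea nginx"   # names are examples
case "${1:-}" in
    install) install_tpot ;;
    deploy)  deploy_sensor ;;
    verify)  verify_containers "${2:-}" "$(docker ps --format '{{.Names}} {{.Status}}')" ;;
esac
```

The verify step is the piece worth keeping around after day one: run it from cron on each host with the container list you saw in dps.sh right after install, and you will learn about a sensor that silently stopped reporting instead of noticing a gap in the hive's dashboards weeks later.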
Watching the Hive
Now it is time to watch the fun begin. The hive is going to start receiving data from all the sensors, and you will start seeing the attacks. It will take only a few minutes before the known attackers and mass scanners hit the IP(s) your sensors are set up on. The two best ways to look at this are the attack map and the Kibana "T-Pot" dashboard. You can access the landing page at https://<your.ip>:64297 to get to both of these tools.