Setting Up T-Pot Honeypot on Microsoft Azure: A Comprehensive Threat Monitoring Guide

Cyb3rSec

Hey everyone, after a long time and a lot of laziness I got an opportunity to create a little interesting project: setting up a honeypot on Microsoft Azure.

Microsoft Azure is a very impressive and easy-to-use cloud platform. I had $100 of credits on Azure, so I thought, why am I wasting them? That's why I decided to put them to better use.

So what is T-Pot?

T-Pot is an open-source, multi-honeypot platform developed by the Deutsche Telekom Security Team. It integrates various honeypot frameworks like Cowrie, Dionaea, and Honeytrap into a single, user-friendly system. T-Pot is designed to attract and analyze diverse cyberattacks, offering a centralized interface for monitoring and managing honeypot activity, as well as data visualization and interactive attack maps.

Let's start, shall we?

  1. Prerequisites:

    • Azure cloud account (you need a credit card to verify your account). BTW, for practice you can still set this up on your home network as well, but then you have to perform the attacks yourself :)

    • Internet, of course.

    • Just a desire to learn and troubleshoot.

Deploy Azure VM

So create an account on Azure and deploy an Azure VM like this:

For the specs, we just need at least 8 GB of RAM.

There is a lot of content available about how to create an Azure VM, or ask ChatGPT or any other AI. By doing it yourself you will learn so much.

SSH into Azure VM

Okay, after successful creation of your VM, we should copy its public IP:

and connect with SSH.

ssh username@public-ip 

-> answer yes to the host key fingerprint prompt
-> enter your password, if you chose password-based authentication
-> enter the passphrase you chose at the time of VM creation (good security practice, BTW)

After that we will do our standard procedure of updating the repositories and upgrading the packages.

sudo apt update && sudo apt upgrade

Install git

sudo apt install git

Clone T-Pot repo:

Now we will clone the T-Pot repo from GitHub.

sudo git clone https://github.com/dtag-dev-sec/tpotce

Now we will run the installer and start the installation process of our honeypot.

  • This will ask which playbook you want to install; choose 1. Hive.

User creation:

Now it will ask you to create a new user: you must choose a very strong password for it.

Then wait for the installation from here on.

It will install all the applications and programs via Docker.

Port migration

After successful installation we can see that our main SSH port has been changed to 64295.
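Before rebooting, it is worth confirming from inside the same SSH session that sshd really moved, otherwise you can lock yourself out once the Azure rules change. The script below is an added example, not part of the post or of T-Pot: it parses `ss -Hltn` output (a constructed sample by default, the live output of the VM with `--live`) and checks that 64295 and 64297 are listening. Port 22 still shows up afterwards because the Cowrie honeypot container takes it over; that is expected.

```shell
#!/usr/bin/env bash
# Added example (not from the post): check on the VM, before the reboot and before the
# Azure rules are touched, that sshd really moved to 64295 and the web UI is on 64297.
set -eu

SSH_PORT=64295   # new sshd port set by the T-Pot installer
WEB_PORT=64297   # Kibana / Elasticsearch / SpiderFoot behind nginx

# listening_ports SS_OUTPUT: print the local TCP ports from `ss -Hltn` output, one per line,
# sorted numerically without duplicates (IPv4 and IPv6 listeners collapse into one entry)
listening_ports() {
  printf '%s\n' "$1" | awk '{ n = split($4, a, ":"); print a[n] }' | sort -un
}

# check_tpot_ports SS_OUTPUT: succeed only if both T-Pot management ports are listening
check_tpot_ports() {
  local ports missing=0 p
  ports=$(listening_ports "$1")
  for p in "$SSH_PORT" "$WEB_PORT"; do
    if ! printf '%s\n' "$ports" | grep -qx "$p"; then
      echo "port $p is not listening yet" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Constructed sample of what `ss -Hltn` looks like once the installer has finished
# (not real output from the post's VM); port 22 is the Cowrie honeypot, not the real sshd
SAMPLE_SS='LISTEN 0 128 0.0.0.0:64295 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:64297 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:64295 [::]:*'

main() {
  local out
  if [ "${1:-}" = "--live" ]; then
    out=$(ss -Hltn)        # real listeners on this machine
  else
    out=$SAMPLE_SS         # constructed sample, for a dry run anywhere
  fi
  if check_tpot_ports "$out"; then
    echo "ok: sshd on $SSH_PORT and web UI on $WEB_PORT, safe to reboot"
  else
    echo "not ready: keep this SSH session open and check the installer output" >&2
    return 1
  fi
}

main "$@"
```

Run it on the VM as `bash check_ports.sh --live` (assumed filename) before you reboot; after the reboot, reconnect with `ssh -p 64295 username@public-ip`, since the old port 22 is now answered by the honeypot.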

REBOOT YOUR VM:

MOST IMPORTANT CONFIGS:

Okay, everything was easy up to this point and very straightforward. But from now on we have to do some network configuration in the Microsoft Azure portal, because our SSH port was changed by the T-Pot installation.

Step 1:

On the Azure Portal, navigate to your VM and then select the “Networking” tab.

  • Note that SSH port 22 is still open.

    But all other ports are closed.

  • The installation reconfigured the SSH service of the VM to use a different port, hence we now need to adjust the inbound port rules to reflect this. You will have to remove the SSH rule and add the following inbound rules using the “Add inbound port rule” button:

    After that we also add 2 more rules, like this:

    - Look carefully at 1. honeypot-ssh-in: allow SSH connections from My IP to any destination on port 64295. T-Pot's SSH is running on this port, as we saw at the time of installation.

    - Next, 2. Honeypot-web: running on 64297, only allowed from My IP. Here we will access Elasticsearch, Kibana and SpiderFoot.

    - Last, 3. honeypot-Everything: allow every connection from any source to any destination on ports 0-63293 and 64298-65535.

    See, the first two rules are for us, which we will use to analyse the logs and other info via the various platforms; the last rule is for the attackers who will attack our honeypot.
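If you prefer the CLI over the portal, the following script is an added example (not from the post and not a T-Pot script) that creates the same three inbound rules with `az network nsg rule create`, after a local sanity check that the open-to-everyone ranges leave out the two management ports and that the management rules are pinned to a single source IP. The resource group, NSG name and MY_IP values are assumed placeholders, and I chose protocol Any (`*`) for the honeypot rule so UDP honeypots are reachable too; by default the script only prints the commands, `DRY_RUN=0` executes them.

```shell
#!/usr/bin/env bash
# Added example, not from the post: create the three inbound NSG rules from the post with
# the Azure CLI, after checking locally that the catch-all "honeypot" ranges do not swallow
# the management ports and that the management rules are limited to one source IP.
set -euo pipefail

RG="${RG:-tpot-rg}"                   # assumed resource group name
NSG="${NSG:-tpot-vm-nsg}"             # assumed NSG attached to the VM's NIC
MY_IP="${MY_IP:-203.0.113.10}"        # constructed placeholder; put your own public IP here
DRY_RUN="${DRY_RUN:-1}"               # 1 = only print the az commands, 0 = run them

SSH_PORT=64295                        # T-Pot moved sshd here
WEB_PORT=64297                        # Kibana / Elasticsearch / SpiderFoot UI
HONEYPOT_RANGES="0-63293 64298-65535" # the ranges the post opens to everyone

# port_in_ranges PORT "A-B C-D ...": succeed if PORT lies inside any of the ranges
port_in_ranges() {
  local port=$1 r lo hi
  for r in $2; do
    lo=${r%-*}; hi=${r#*-}
    if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
      return 0
    fi
  done
  return 1
}

# check_rules: refuse to continue if the rules would expose sshd or the web UI to the internet
check_rules() {
  local p
  for p in "$SSH_PORT" "$WEB_PORT"; do
    if port_in_ranges "$p" "$HONEYPOT_RANGES"; then
      echo "refusing: management port $p is inside the open-to-everyone range" >&2
      return 1
    fi
  done
  case "$MY_IP" in
    ""|"*"|"0.0.0.0/0"|"Internet")
      echo "refusing: management rules must be limited to your own IP, not '$MY_IP'" >&2
      return 1 ;;
  esac
  return 0
}

# run CMD ARGS...: print the command in dry-run mode, otherwise execute it
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s ' "$@"; echo
  else
    "$@"
  fi
}

# add_rule NAME PRIORITY PROTOCOL SOURCE "PORT-RANGES": one inbound Allow rule on the NSG.
# PORT-RANGES is intentionally unquoted below: az takes a space-separated list of ranges.
add_rule() {
  # shellcheck disable=SC2086
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name "$1" --priority "$2" --direction Inbound --access Allow \
    --protocol "$3" --source-address-prefixes "$4" --destination-port-ranges $5
}

main() {
  check_rules
  add_rule honeypot-ssh-in     100 Tcp "$MY_IP" "$SSH_PORT"
  add_rule honeypot-web        110 Tcp "$MY_IP" "$WEB_PORT"
  add_rule honeypot-everything 120 '*' '*'     "$HONEYPOT_RANGES"
}

main
```

The priorities 100/110/120 only need to be unique and lower than the default deny rules; if you later move to a new network, rerun the first two rules with the new `MY_IP` rather than widening them, because those two ports are the ones that let you administer the box.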

Login:

Now open your favourite browser and visit: https://your-vm-public-ip:64297

Enter the username and password you created at the time of T-Pot installation and experience this great, awesome thing, man.

We have various platforms to analyse real-time attacks and data.

See real-time attacks on our honeypot:

This is amazing, right?

  • After some time Elasticsearch also starts showing data. How cool is this:

    → see all these IOCs:

  • CVEs they are trying to exploit :)

    Okay, so I set this up and forgot about it for one day. You could do the same and tell me how many attacks, IOCs and CVEs you got, man. I'd love to hear about it. And just remember: troubleshooting is the key. :)

At last, I collected this much after one day:

Goodbye all, meet me in the next blog. Until then, keep hunting, keep yourself healthy and curious :)

#honeypot #T-POT #threat-intel #cybersecurity #Fun
