It took just 12 seconds - Catching hackers with a honey pot!
Summary
TL;DR: This video demonstrates the rapid vulnerability of an exposed computer to the internet, illustrating how a system can be attacked within seconds. The presenter introduces T-Pot CE, an all-in-one honeypot platform that traps hackers to gather data on their methods. With over 20 honeypots and powerful visualization tools, T-Pot CE helps in understanding and mitigating cyber threats. The video guides viewers through setting up their own honeypot, emphasizing the importance of home network security with a modern firewall.
Takeaways
- The script describes a demonstration where a computer exposed to the internet was attacked within 12 seconds, highlighting the vulnerability of unprotected systems.
- Within an hour, the system faced nearly 17,000 attacks, and in a day, it recorded 263,000 different attacks, emphasizing the constant threat of cyber attacks on exposed systems.
- The attacks were diverse, targeting various ports, protocols, and services, indicating the wide range of techniques used by malicious actors.
- The script introduces a honeypot, a system designed to trap hackers and gather information about their methods, playing a crucial role in cybersecurity research.
- The T-Pot CE project is highlighted as a comprehensive, open-source honeypot platform supporting over 20 honeypots and offering extensive visualization options.
- T-Pot CE includes impressive live attack maps and Kibana dashboards that provide real-time insights into the attacks and the techniques used by attackers.
- T-Pot CE is maintained by Telekom Security, a division of Deutsche Telekom, showcasing the project's maturity and the company's commitment to cybersecurity.
- T-Pot CE can be deployed on various platforms including virtual machines, standalone hardware, or in the cloud, with minimum system requirements that are practical for most users.
- The project is actively updated and maintained, with quick responses to issues reported on the GitHub page, demonstrating the support and development behind T-Pot CE.
- T-Pot CE provides a wealth of data visualization tools, such as the Cowrie dashboard for SSH and Telnet attempts, and the Suricata dashboard for intrusion detection and prevention.
- The script concludes with a reminder of the importance of securing home networks with modern firewalls and regular updates, advocating for proactive cybersecurity measures.
Q & A
How long did it take for the computer exposed to the Internet to get attacked?
- It took 12 seconds for the computer to get attacked after being exposed to the Internet.
What is the purpose of a honeypot in cybersecurity?
- A honeypot is a system used to trap or deceive hackers and malicious actors. It acts as a digital trap that appears as a tempting target, such as a vulnerable computer or network, but is designed to monitor and gather information about the activities of the attackers.
What does T-Pot CE stand for and what does it include?
- T-Pot CE stands for T-Pot Community Edition. It is an all-in-one, optionally distributed, multiarch honeypot platform that supports over 20 honeypots and countless visualization options using the Elastic Stack, animated live attack maps, and various security tools.
How does T-Pot CE help in understanding cybersecurity threats?
- T-Pot CE collects data on attacks from various honeypots, which provides valuable information about the techniques used by attackers worldwide. This information helps companies and businesses create processes, software, and tools to mitigate attacks and improve security.
What are the minimum requirements for deploying T-Pot CE?
- The minimum requirements for deploying T-Pot CE include 8-16GB of RAM, at least 128GB of storage space, and unfiltered, direct access to the Internet.
How can one visualize the data collected by T-Pot CE?
- T-Pot CE includes 27 prebuilt Kibana dashboards that provide a wealth of information from the different honeypots running on the system, offering visualizations such as live map visualizations and color-coded tables of attack data.
What is the significance of the live map visualization feature in T-Pot CE?
- The live map visualization feature in T-Pot CE shows real-time attacks against the honeypots hosted in it. Each dot on the world map represents an attacker reaching out to the honeypot, providing a visual representation of the global scope of cyber threats.
What is the role of Suricata in T-Pot CE?
- Suricata is an open-source intrusion detection and prevention system. While not a honeypot itself, T-Pot CE pipes data from different honeypots into Suricata for threat detection, enhancing the system's security capabilities.
Who maintains the T-Pot project and what is its background?
- The T-Pot project is maintained by Telekom Security, a division of Deutsche Telekom, one of the world's leading integrated telecommunications companies. They have been working on the honeypot project since 2015, and it is built on top of Debian 11.
How can one contribute to the T-Pot project and what are the privacy considerations?
- By default, the T-Pot project sends logs to Telekom Security to add to their global honeypot network. However, if a user is not comfortable sharing their data, the project provides instructions on how to disable that sharing.
Outlines
Rapid Cyber Attacks on Exposed Systems
This paragraph details the vulnerability of a computer system exposed to the internet without a firewall. Within 12 seconds of exposure, the system was attacked, and within 24 hours, it experienced nearly 263,000 different attacks across various ports, protocols, and services. The author introduces the concept of a honeypot, a system designed to trap and deceive hackers, and emphasizes its importance in cybersecurity research. The video aims to demonstrate setting up a honeypot using T-Pot, an all-in-one honeypot platform with over 20 honeypots and extensive visualization options.
T-Pot CE: A Comprehensive Honeypot Solution
The author discusses the T-Pot CE project, an open-source honeypot platform developed by Telekom Security. T-Pot CE is described as a multiarch, multi-honeypot platform with over 20 honeypots and numerous visualization tools, including live attack maps and Kibana dashboards. The platform is built on Debian 11 and requires a system with at least 8-16GB of RAM and 128GB of storage, along with direct internet access. The project is actively maintained, with updates and support provided by the developers. The author also highlights the project's educational goals and the option to disable data sharing with Telekom Security.
Setting Up T-Pot CE for Cybersecurity Monitoring
The paragraph outlines the process of setting up T-Pot CE, from downloading the ISO file to installing it on physical hardware. The author provides a step-by-step guide, including creating a bootable USB stick using Rufus, selecting the correct geographical location and keyboard layout during installation, and choosing the full deployment edition of T-Pot CE. The installation process involves setting up a user account, downloading necessary packages, and configuring Docker containers. After installation, the system reboots and provides access to various tools such as the attack map, Kibana dashboards, and administrative interfaces.
Enhancing Home Network Security with T-Pot CE
In the final paragraph, the author discusses the importance of home network security and the role of T-Pot CE in monitoring and understanding cyber threats. The video concludes with a demonstration of the T-Pot CE web interface, highlighting tools like Cockpit for system management, CyberChef for data analysis, Elasticvue for data retrieval, and Spiderfoot for footprinting and discovery. The author also emphasizes the need for regular updates to home firewalls and invites viewers to join their Discord community for further support.
Keywords
Honeypot
Cybersecurity Research
T-Pot CE
Elastic Stack
Suricata
CVE
IoT Devices
Debian
Docker
pfSense
Kibana Dashboards
Highlights
A computer exposed to the Internet without a firewall is extremely vulnerable, experiencing nearly 17,000 attacks within an hour.
In a 24-hour period, the system logged nearly 263,000 different attacks from a variety of ports, protocols, and services.
Honeypots are used to trap and deceive hackers, gathering valuable information about their techniques for cybersecurity research.
T-Pot CE is an all-in-one, optionally distributed, multiarch honeypot platform supporting over 20 honeypots and visualization options.
T-Pot CE provides impressive live attack maps and detailed Kibana dashboards for data visualization.
Cowrie dashboard offers insights into SSH and Telnet attempts, including attempted usernames, passwords, and executed commands.
Suricata, integrated with T-Pot, is an intrusion detection system that helps identify threats and CVEs used in attacks.
T-Pot CE can be deployed on various platforms including virtual machines, stand-alone hardware, or in the cloud.
The project is maintained by Telekom Security, emphasizing its maturity and commitment to cybersecurity.
T-Pot CE is built on Debian 11 and requires 8-16GB of RAM and at least 128GB of storage space for full deployment.
The project is actively updated and maintained, with quick resolution to issues reported on GitHub.
T-Pot CE logs can be shared with Telekom Security by default, but users have the option to disable this feature.
Installation of T-Pot CE is straightforward, with detailed instructions provided for both physical and virtual deployments.
T-Pot CE comes with a variety of security tools, including CyberChef for data analysis and Elasticvue for raw data exploration.
Spiderfoot, included with T-Pot, is a powerful tool for conducting deep searches into IP addresses, websites, and domains.
The video emphasizes the importance of home network security, recommending the use of modern firewalls like pfSense.
Transcripts
12 seconds. That's how long it took for the computer I directly exposed to the Internet to get attacked. Within an hour, the system experienced nearly 17 thousand attacks, and within a 24-hour period, the system logged nearly 263 thousand different attacks. All of those attacks were across a variety of different ports, protocols, and services, and I captured all of that information with a honeypot, and in this video, I'm going to show you how to set up your own using T-Pot.
Welcome, homelabbers and self-hosters, Rich here. We all know the internet is a dangerous place. Any computer directly exposed to the Internet without a firewall is at extreme risk of compromise. But few users understand how dangerous it really is. The idea for this video was actually born from another video I was working on regarding firewall security, and when I came across the T-Pot honeypot project, I just had to show you. But what is a honeypot anyway?
In simple terms, a honeypot is a system used to trap or deceive hackers and malicious actors. It works like a digital trap that appears as a tempting target, such as a vulnerable computer or network, but is actually designed to monitor and gather information about the activities of the attackers.
Honeypots are a key component of cybersecurity research and provide valuable information about what techniques the bad guys around the world are using to hack into real systems. That information learned helps companies and businesses create processes, software, and tools to mitigate those attacks and keep everyone safe. And the super cool part is you can set up your own honeypot at home in your homelab as well! Let's talk about T-Pot CE and why I decided to use it.
While I was searching for a honeypot to host and begin collecting data, I quickly discovered that there are a ton of different open-source honeypot projects out there, which makes sense. There are honeypots for practically every conceivable network service, protocol, and system that are in use today.
friendly user interface and analytics. And that's when I discovered T-Pot CE.
T-Pot CE is the answer to all of my needs. From the website, T-Pot CE is described as "The all in one, optionally distributed, multiarch honeypot platform, supporting 20+ honeypots and countless visualization options using the Elastic Stack, animated live attack maps and lots of security tools to further improve the deception experience."
T-Pot CE provides all of the things you would want in a single appliance-like system, and the visualizations it creates are impressive. Like, show-your-boss-at-work levels of impressive. Check these out:
This is the live map visualization feature that shows you, in real time, all of the attacks against the 20-plus different honeypots hosted in it. Each dot that appears on the world map is an attacker reaching out to attack my honeypot. Down below, we have a live-updating, color-coded table of the protocols and services, the source IP addresses and countries the attacks are coming from, and the honeypots being attacked. I could stare at this thing for hours, watching the little attack lines zip back and forth. It's stunning.
I am a huge data visualization nerd, and T-Pot has some incredibly well-crafted Kibana dashboards built in to visualize all of the different data coming into the different honeypots. Check this out!
T-Pot has 27 different prebuilt Kibana dashboards that provide an incredible amount of information from the different honeypots running on the system. There are literally too many dashboards to walk through, so I'm going to show you a few of my favorites to give you an idea of what information is collected and displayed.
Let's swing over to the Cowrie dashboard. Cowrie is a honeypot specific to trapping SSH and Telnet attempts. The Cowrie dashboard shows you baseline stuff like where an attacker came from, what their IP address was, a visual map of their geolocation in the world, and then really digs in on fascinating details like what the remote side reported its client was and unique detection fingerprints like HASSH. Further down, we get two awesome word clouds of the most commonly attempted usernames and passwords. Looks like 123456 and password are still big targets, and then the thing that really blows me away: a list of the commands executed when the attacker logged in. This is just a top-10 list, but if you want to dig in deep, it's all stored in the Elastic instance in T-Pot if you're interested.
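The Cowrie dashboard described above is built from Cowrie's JSON log, one event per line. The following script is an added example, not code from the video or from the T-Pot or Cowrie projects: it reads a constructed sample of such lines and produces the same headline numbers the dashboard shows (top usernames and passwords, commands typed after login, reported client banners, HASSH fingerprints). It assumes Cowrie's event names and field names as I know them (`cowrie.login.failed`/`cowrie.login.success` with `username` and `password`, `cowrie.command.input` with `input`, `cowrie.client.version` with `version`, `cowrie.client.kex` with `hassh`); the IP addresses come from documentation ranges and the HASSH value is a placeholder.

```python
"""Summarize Cowrie JSON logs the way the T-Pot Cowrie dashboard does.

Added example, not code from the video or from the T-Pot/Cowrie projects.
Assumes Cowrie's JSON log format: one object per line with an "eventid"
field, "username"/"password" on login events, "input" on command events,
"version" on client.version and "hassh" on client.kex events.
"""
import json
from collections import Counter

# Constructed sample lines (not real captured traffic). Addresses are from
# documentation ranges; the HASSH value is a placeholder, not a real hash.
SAMPLE_COWRIE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.23", "session": "s1"}
{"eventid": "cowrie.client.version", "src_ip": "198.51.100.23", "session": "s1", "version": "SSH-2.0-constructed_client_1.0"}
{"eventid": "cowrie.client.kex", "src_ip": "198.51.100.23", "session": "s1", "hassh": "constructed-hassh-placeholder"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.23", "session": "s1", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.success", "src_ip": "198.51.100.23", "session": "s1", "username": "root", "password": "password"}
{"eventid": "cowrie.command.input", "src_ip": "198.51.100.23", "session": "s1", "input": "uname -a"}
{"eventid": "cowrie.command.input", "src_ip": "198.51.100.23", "session": "s1", "input": "cat /proc/cpuinfo"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.9", "session": "s2", "username": "admin", "password": "123456"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.9", "session": "s2", "username": "root", "password": "admin"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.9", "session": "s2", "input": "uname -a"}
this line is deliberately not JSON, to show malformed input being skipped
"""

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def summarize_cowrie(log_text, top_n=10):
    """Aggregate one Cowrie log into the dashboard's headline numbers.

    Returns a dict with login counts, unique attacker IPs, and top-N lists of
    usernames, passwords, executed commands, client banners and HASSH values.
    Malformed lines are counted rather than aborting the run.
    """
    usernames, passwords, commands = Counter(), Counter(), Counter()
    clients, hasshes = Counter(), Counter()
    sources = set()
    attempts = successes = malformed = 0

    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if not isinstance(event, dict):
            malformed += 1
            continue
        if "src_ip" in event:
            sources.add(event["src_ip"])
        eventid = event.get("eventid", "")
        if eventid in LOGIN_EVENTS:
            attempts += 1
            if eventid == "cowrie.login.success":
                successes += 1
            usernames[event.get("username", "")] += 1
            passwords[event.get("password", "")] += 1
        elif eventid == "cowrie.command.input":
            commands[event.get("input", "")] += 1
        elif eventid == "cowrie.client.version":
            clients[event.get("version", "")] += 1
        elif eventid == "cowrie.client.kex":
            hasshes[event.get("hassh", "")] += 1

    return {
        "login_attempts": attempts,
        "login_successes": successes,
        "unique_sources": len(sources),
        "malformed_lines": malformed,
        "top_usernames": usernames.most_common(top_n),
        "top_passwords": passwords.most_common(top_n),
        "top_commands": commands.most_common(top_n),
        "top_clients": clients.most_common(top_n),
        "top_hassh": hasshes.most_common(top_n),
    }


if __name__ == "__main__":
    for key, value in summarize_cowrie(SAMPLE_COWRIE_LOG).items():
        print(f"{key}: {value}")
```

On a real T-Pot box the same function can be pointed at the Cowrie log directory (the file name and path are whatever your installation uses) by reading the files and passing their contents as `log_text`; the HASSH and client-banner counters are the quickest way to spot one scanning tool hiding behind many source addresses.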
Suricata is an open-source intrusion detection system and intrusion prevention system. While not a honeypot itself, T-Pot pipes the data consumed from different honeypots into Suricata for threat detection.
The Suricata dashboard is just incredible. Like the Cowrie dashboard and others, at the top you get the basic information about where attackers came from, event quantities and histograms, but then you get into really meaty details like alert categories, destination ports, and country histograms. Hey Ukraine! We're on your side! Knock it off!
And further down we get more details about alert signatures that were triggered, all of which have clickable links to Suricata's forums for you to research if you're interested, and below, known CVEs used in attacks.
Every dashboard is built to show you things at a high level, but the system collects a ton of information. As an example, let's drill down into some of this data. Let's dig into an alert category and let's choose "Attempted Administrative privilege gain." On the right side of that category, we'll click the three-dot ellipsis and select "Filter for value," and instantly, we can see all of the attacks of this alert type. At the bottom, we can see the Suricata alert signatures seen. See those Mirai entries? Mirai is malware that infects smart devices like IP cameras, home routers, and other IoT devices and turns them into zombie devices that participate in a massive botnet. Amazing.
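The "Filter for value" drill-down above is a filter on the `alert.category` field of Suricata's EVE JSON output, followed by a breakdown of the matching signatures, sources and destination ports. The script below is an added example, not code from the video or from the T-Pot or Suricata projects: it performs that same drill-down over a constructed sample of `eve.json` lines. It assumes EVE's layout as I know it (`event_type` of `alert`, with `category`, `signature` and `signature_id` inside an `alert` object); the signature names and SIDs in the sample are placeholders, not real rules. The category comparison is case-insensitive, so the dashboard's spelling of the category matches the rule's.

```python
"""Drill into Suricata EVE alerts by category, like the T-Pot dashboard filter.

Added example, not code from the video or from the T-Pot/Suricata projects.
Assumes Suricata's EVE JSON format: one object per line, alerts having
"event_type": "alert" and an "alert" object with "category", "signature"
and "signature_id". Signature names and SIDs below are placeholders.
"""
import json
from collections import Counter

# Constructed sample eve.json lines (not real alerts). The last two lines are
# deliberately defective: an alert record with no "alert" object, and a line
# that is not JSON at all.
SAMPLE_EVE_LOG = """\
{"event_type": "flow", "src_ip": "198.51.100.23", "dest_port": 23, "proto": "TCP"}
{"event_type": "alert", "src_ip": "198.51.100.23", "dest_port": 23, "proto": "TCP", "alert": {"signature_id": 9000001, "signature": "CONSTRUCTED example Telnet admin-gain signature", "category": "Attempted Administrative Privilege Gain", "severity": 1}}
{"event_type": "alert", "src_ip": "198.51.100.23", "dest_port": 23, "proto": "TCP", "alert": {"signature_id": 9000001, "signature": "CONSTRUCTED example Telnet admin-gain signature", "category": "Attempted Administrative Privilege Gain", "severity": 1}}
{"event_type": "alert", "src_ip": "203.0.113.9", "dest_port": 22, "proto": "TCP", "alert": {"signature_id": 9000002, "signature": "CONSTRUCTED example SSH admin-gain signature", "category": "Attempted Administrative Privilege Gain", "severity": 1}}
{"event_type": "alert", "src_ip": "203.0.113.9", "dest_port": 80, "proto": "TCP", "alert": {"signature_id": 9000003, "signature": "CONSTRUCTED example web scanner signature", "category": "Misc Attack", "severity": 2}}
{"event_type": "dns", "src_ip": "203.0.113.9", "dest_port": 53, "proto": "UDP"}
{"event_type": "alert", "src_ip": "203.0.113.9", "dest_port": 80, "proto": "TCP"}
{broken json line}
"""


def filter_alerts(eve_text, category):
    """Return the dashboard-style breakdown of alerts in one category.

    Matching is case-insensitive, so "Attempted Administrative privilege gain"
    (as typed in the video) matches the category as Suricata emits it.
    Non-alert events (flow, dns, ...) are skipped and counted; lines that are
    not JSON, or alert records without an "alert" object, count as malformed.
    """
    wanted = category.strip().lower()
    signatures, sources, dest_ports = Counter(), Counter(), Counter()
    matched = skipped = malformed = 0

    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if not isinstance(event, dict) or event.get("event_type") != "alert":
            skipped += 1
            continue
        alert = event.get("alert")
        if not isinstance(alert, dict):
            malformed += 1
            continue
        if alert.get("category", "").strip().lower() != wanted:
            continue
        matched += 1
        # Key on (sid, name) so renamed rules with the same SID stay distinct.
        signatures[(alert.get("signature_id"), alert.get("signature"))] += 1
        sources[event.get("src_ip", "?")] += 1
        dest_ports[event.get("dest_port", 0)] += 1

    return {
        "category": category,
        "matched": matched,
        "skipped_non_alerts": skipped,
        "malformed": malformed,
        "top_signatures": signatures.most_common(),
        "sources": sources,
        "dest_ports": dest_ports,
    }


if __name__ == "__main__":
    result = filter_alerts(SAMPLE_EVE_LOG, "Attempted Administrative privilege gain")
    print(f"{result['matched']} alert(s) in category {result['category']!r}")
    for (sid, name), count in result["top_signatures"]:
        print(f"  {count:>3}  sid={sid}  {name}")
    print("destination ports:", dict(result["dest_ports"]))
    print("sources:", dict(result["sources"]))
```

The returned counters are the three tables the dashboard renders after the filter is applied; the `malformed` count is worth watching on a long-running box, since a rising number usually means a log file was truncated or rotated mid-write rather than an attacker doing anything clever.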
Before we walk you through setting up your own T-Pot CE instance, let's talk about the project and give credit where credit is due.
The T-Pot project is an open-source project maintained by Telekom Security, a division of Deutsche Telekom, one of the world's leading integrated telecommunications companies, with some 245 million mobile customers, 25 million fixed-network lines, and 21 million broadband lines in service. As you can expect, this is a company that takes security seriously.
They've been working on this honeypot project since 2015, and the maturity of it shows. T-Pot CE can be deployed as an appliance on a virtual machine, stand-alone hardware, or in the cloud and is currently built on top of Debian 11. The team is also working on an official Docker-only deployable stack that would allow you to bring your own OS of choice. It's in testing now and not generally available, but they do walk you through testing it if you absolutely must run T-Pot on another OS instead.
Minimum requirements are reasonable and depend on your deployment needs. For the fully deployed project, you'll need 8-16GB of RAM, at least 128GB of storage space, and of course, unfiltered, direct access to the Internet.
The project website goes into deep detail on all of the honeypots, including their function and purpose, and also goes into detail about other security tools and features included.
The project is actively being updated and maintained. In fact, I ran into an issue and posted about it on their GitHub page, and within a day, they had resolved the issue and pushed an update. And since everything is Docker based, all I needed to do was run one of their update scripts, and the fix was live on my system.
So what's the catch? Something this nice feels like it should cost money. And surprisingly, there is no catch. This entire project is all about learning, protecting, and understanding the threats on the Internet. By default, the project ships logs to Telekom Security to add to their global honeypot network, which I think is fair for all of the work and effort poured into this. But, if you're not down to share, they provide instructions on how to disable that sharing as well.
By this point, I'm sure I've sold you on T-Pot CE, so let's walk through getting it installed.
Your first stop is to swing over to the T-Pot CE GitHub page and download the ISO file for your architecture. We're going to be running T-Pot CE on x86 hardware, so we'll download the tpot_amd64.iso. The entire ISO is only 46 megabytes.
T-Pot CE can be deployed on physical hardware or a virtual machine. What you choose is going to depend on your home lab, your network configuration, and your level of comfortable risk. And that last part is important. If you're running in a virtualized environment, it's up to you to make sure that your virtual switches and your management interfaces are configured in a way that you're not risking exposure of your hypervisor to the Internet. And it's for this reason we're going to be showing you how to set up T-Pot CE on a single physical PC rather than walking you through creating this as a virtual machine.
Now that we've got our ISO, we need to write it to a USB stick so we can install it on our hardware. We use Rufus for all our ISO-to-USB needs; you can grab a copy of Rufus from the link below. Anyway, Rufus is up and running, we've inserted our USB stick in our PC, and we'll click "Select" to select our freshly downloaded ISO, select it from our file system, and click Open. Now we'll click "Start" below, say OK to the "write in ISO mode" prompt, say OK to the warning on data wiping, and away it goes. The boot stick process shouldn't take too long to complete but will depend on your hardware. All done, let's get T-Pot CE installed!
We'll be installing T-Pot CE onto this little Lenovo right here. It's running a modest 8th-generation Intel Core i7-8700 CPU running at 3.2 GHz. The box also has 64GB of RAM in it; this is overkill, 16GB is the max you'd need for T-Pot, and the box also has a 500GB NVMe disk.
As I mentioned earlier, this system needs to be connected directly to the Internet with no firewalling or filtering in front of it. You can build your T-Pot instance behind your firewall and then move it directly to the Internet if you'd like. We'll be installing T-Pot CE while the host is directly connected to the Internet via a 1-gig Ethernet connection.
Once booted off the USB stick, we're greeted by the GRUB boot loader, and we'll select T-Pot 22.04.0 and hit enter.
The first screen is the location selection screen; we're in the US, so we'll choose the United States.
The next screen is all about keyboard layout; find your keyboard layout and press enter.
T-Pot CE uses the Debian 11 netinstall image, which is light on drivers, so if you're greeted with a message like this asking if you want to load in drivers for the NICs it doesn't have support for, you can do so. Our little test box has multiple NICs in it, and we're missing drivers for the 10Gig card. Thankfully we're not using that card, so we'll select No and press enter.
The next few screens are the Debian installer attempting to activate NICs and obtain an IP address.
Alright, now we need to select the closest mirror to download more of the Debian 11 OS for T-Pot. We want to see the list of mirrors for the US because that's where we are, so we'll leave it on United States and press enter.
Now we're presented with a list of Debian mirrors to grab the OS. The default is deb.debian.org; if you know of a closer mirror to you, navigate and select it, but we'll stick with the default here and hit enter.
We don't have an HTTP proxy, and I doubt you do either, so just hit enter.
And away it goes. The system will download a few necessary files off the Internet, automatically partition and format your hard drive, and reboot when complete.
After the reboot, the system will continue with the second half of the install process. This will take a while to complete as well, so be patient and allow it to finish.
Alright, this screen is where we get to choose which edition of T-Pot CE we want to install. There are quite a few different options, Standard being the full deployment with all the bells and whistles, which is the one we'll be installing because we want everything! If you're interested in the other editions, I encourage you to read more about them and their focus on T-Pot's GitHub site. Let's hit enter to kick this off!
Now we need to set the password for the tsec account. tsec is your one and only user on the OS. When you interact with your T-Pot in an administrative capacity, you'll be using the tsec user. Enter a password and hit enter.
And do it again to confirm.
Next, we need to create a user for the web interface. This user is only for accessing the T-Pot website's maps, Kibana dashboards, and other security tools. You can create anything you'd like for a user; we'll be using the user name "tpotce", so we'll enter that and press enter.
Then we'll confirm that, yes, we want tpotce as our username.
Now we'll create a password just for our newly minted web user.
And do it again to confirm and hit enter.
Alright, now T-Pot is installing on the host. During this process, the installer will download and install Docker, pull in all necessary supporting packages on the OS, and execute the creation of the Docker containers, network configurations, and so on for the system. Again, this can take a while, depending on your hardware, your connection speed to the Internet, and so on. It took about 8 full minutes to complete the installation, and the system will reboot after it's completed.
After reboot, we're presented with the console screen giving us the links to access our T-Pot CE installation and begin seeing all the attacks and attempts happening to your system right now. Let's head over to the web interface and have a quick look around.
Once you head over to the web site for your new T-Pot CE instance and log in with the user you created for the web site, you'll be greeted by the T-Pot landing page. From here you can start digging into the data coming in. I've already shown you the Attack Map and some of the Kibana dashboards.
Cockpit is the administrative interface you can use to manage your system; you'll need the tsec user and the password you set for that account to log in there.
CyberChef is a useful tool for analysing, converting, and decoding data of different types easily. There are around 200 different operations in CyberChef you can use, from converting date and time, to decompressing gzipped data or parsing an X.509 certificate. It's a useful tool for some of the information you'll be collecting in your honeypots.
Elasticvue is a user interface to dig into the raw data collected from your honeypots. If you want to search for a specific bit of data, you'd use Elasticvue to get at the data stored in Logstash in T-Pot.
And lastly, Spiderfoot is a footprinting and discovery tool that allows you to run deep searches into IP addresses, websites, and domains. Its footprinting tools allow you to learn everything you can that's publicly available about your search query. Another fantastic security tool.
That's really all there is to the entire thing. Now you can just sit back and watch the attacks come in.
This is a good time to talk about the security of your home network. Regardless of whether you're a homelabber, self-hoster, or you just have a simple ASUS router running at home, it's important that you have something in between your home network and the Internet. We're big fans of pfSense as a firewall for protection against all the bad guys on the 'net, and we've made quite a few videos around building and setting up your own pfSense firewall. No matter what you choose, make sure you're using a modern firewall and make sure it's updated regularly with firmware updates or patches. Unfortunately, there is no such thing as a one-and-done solution for protecting your home network, so make sure you check for updates for your firewall often and get them installed as soon as you can.
And as always, consider joining our Discord community if you have questions about network design, firewall configurations, or anything homelab and self-hosting related. We're always happy to help.
And that, friends, will do it for this video! If you liked it, throw us a thumbs up and a sub, and if you have a beef with anything we said, please leave it in a comment below! Special thanks to our YouTube subscribers for supporting what we do here on the channel; you guys are awesome. If you'd like to support us, check out our YouTube membership, or buy some swag; all of it helps us keep making videos. And now that you've finished watching this video, how about checking out this playlist here of other great homelab and self-hosting videos we've done in the past. If you're looking to get into virtualization, homelab, or self-hosting, we can help!