It took just 12 seconds - Catching hackers with a honey pot!

00:00

12 seconds. That’s how long it took  for the computer I directly exposed  

00:03

to the Internet to get attacked. Within  an hour, the system experienced nearly 17  

00:08

thousand attacks, and within a 24-hour  period, the system logged nearly 263  

00:14

thousand different attacks. All of those attacks  were across a variety of different ports,  

00:17

protocols, and services, and I captured  all of that information with a honeypot,  

00:21

and in this video, I’m going to show  you how to set up your own using T-Pot.

00:26

Welcome, homelabbers and self-hosters, Rich  here. We all know the internet is a dangerous  

00:31

place. Any computer directly exposed to the  Internet without a firewall is at extreme  

00:34

risk to compromise. But few users understand  how dangerous it really is. The idea for this  

00:40

video was actually born from another video I was  working on regarding firewall security, and when  

00:43

I came across the T-pot honeypot project, I just  had to show you. But what is a honey pot anyway?

00:48

In simple terms, a honey pot is a system  used to trap or deceive hackers and  

00:54

malicious actors. It works like a digital  trap that appears as a tempting target,  

00:58

such as a vulnerable computer or network  but is actually designed to monitor and  

01:02

gather information about the  activities of the attackers.

01:04

Honey pots are a key component of cybersecurity  research and provide valuable information about  

01:09

what techniques the bad guys around the world are  using to hack into real systems. That information  

01:14

learned helps companies and businesses create  processes, software, and tools to mitigate those  

01:18

attacks and keep everyone safe. And the super  cool part is you can set up your own honey pot  

01:23

at home in your homelab as well! Let’s talk  about T-pot CE and why I decided to use it.

01:27

While I was searching for a honey pot to  host and begin collecting data, I quickly  

01:31

discovered that there are a ton of different  open-source honey pot projects out there,  

01:35

which makes sense. There are honeypots for  practically every conceivable network service,  

01:40

protocol, and system that are in use today.

01:51

friendly user interface and analytics.  And that’s what I discovered T-pot CE.

01:56

T-Pot CE is the answer to all of my needs.  From the website, T-pot CE is described as  

02:02

“The all in one, optionally distributed,  multiarch honeypot plattform, supporting  

02:06

20+ honeypots and countless visualization  options using the Elastic Stack, animated  

02:11

live attack maps and lots of security tools  to further improve the deception experience.”

02:15

T-pot CE provides all of the things you  would want in a single appliance-like system,  

02:19

and the visualizations it  creates are impressive. Like,  

02:22

show your boss at work levels  of impressive. Check these out:

02:25

This is the live map visualization  feature that shows you, in real-time,  

02:29

all of the attacks against the 20-plus  different honeypots hosted in it. Each  

02:33

dot that appears on the worldmap is an attacker  reaching out to attack my honeypot. Down below,  

02:38

we have a live-updating color-coded table of the  protocols and services, the source IP addresses  

02:44

and countries the attacks are coming from, and  the honeypots being attacked. I could stare  

02:48

at this thing for hours, watching the little  attack lines zip back and forth. It’s stunning.

02:53

I am a huge data visualization nerd,  

02:56

and T-pot has some incredibly well-crafted  kibana dashboards built-in to visualize  

03:00

all of the different data coming into  the different honeypots. check this out!

03:03

T-Pot has 27 different prebuilt Kibana  dashboards that provide an incredible  

03:08

amount of information from the different  honeypots running on the system. There  

03:12

are literally too many dashboards to walk  through, so I’m going to show you a few of  

03:15

my favorites to give you an idea of what  information is collected and displayed.

03:19

Let’s swing over to the Cowrie dashboard. Cowrie  is a honeypot specific to trapping SSH and Telnet  

03:25

attempts. The Cowrie dashboard shows you  baseline stuff like where an attacker came from,  

03:30

what their IP address was, a visual  map of their geolocation in the world,  

03:34

and then really digs in on fascinating details  like what the remote side reported its client  

03:38

was and unique detection fingerprints like  HAASH. Further down, we get two awesome word  

03:43

cloud of the most commonly attempted user  names and passwords. Looks like 123456 and  

03:48

password are still big targets, and then  the thing that really blows me away a list  

03:52

of the commands executed when the attacker  logged in. This is just a top-10 list, but if  

03:57

you want to dig in deep, it’s all stored in the  elastic instance in T-pot if you’re interested.

04:02

Suricata is an open-source based  intrusion detection system and  

04:05

intrusion prevention system.  While not a honeypot itself,  

04:08

T-pot pipes the data consumed from different  honeypots into Suricata for threat detection.

04:13

The Suricata dashboard is just incredible.  Like the Cowrie dashboard and others,  

04:17

at the top you get the basic information  about where attackers came from,  

04:20

event quantities and histograms, but then you get  into really meaty details like alert categories,  

04:26

destination ports, and country histograms.  Hey Ukraine! We’re on your side! Knock it off!

04:31

And further down we get more details about  alert signatures that were triggered,  

04:35

all of which have clickable links  to Suricata’s forums for you to  

04:37

research if you’re interested, and  below known CVEs used in attacks.

04:42

Every dashboard is built to show you things  at a high level, but the system collects a  

04:46

ton of information. As an example, let’s  drill down into some of this data. Let’s  

04:50

dig into an alert category and let’s choose  “Attempted Administrative privilege gain.”  

04:54

On the right side of that category, we’ll  click the 3 dot ellipses and select ‘Filter  

04:57

for value,’ and instantly, we can see all of  the attacks of this alert type. At the bottom,  

05:02

we can see the Suricata alert signatures  seen. See those Mirai entries? Mirai is  

05:07

malware that infects smart devices like IP  cameras, home routers, and other IoT devices  

05:11

and turns them into zombie devices that  participate in a massive botnet. Amazing.

05:16

Before we walk you through setting  up your own T-Pot CE instance,  

05:19

let’s talk about the project and  give credit where credit is due.

05:22

The T-pot project is an open-source  project maintained by Telekom Security,  

05:26

a division of Deutsche Telekom, one of the world's  leading integrated telecommunications companies,  

05:31

with some 245 million mobile customers, 25  million fixed-network lines, and 21 million  

05:37

broadband lines in service. As you can expect,  this is a company that takes security seriously.

05:42

They’ve been working on this  honeypot project since 2015,  

05:45

and the maturity of it shows. T-Pot CE can be  deployed as an appliance on a virtual machine,  

05:50

stand-alone hardware, or in the cloud and  is currently built on top of Debian 11.  

05:55

The team is also working on an official  docker-only deployable stack that would  

05:58

allow you to bring your own OS of choice. It’s  in testing now and not generally available,  

06:03

but they do walk you through testing it if you  absolutely must run T-Pot on another OS instead.

06:08

Minimum requirements are reasonable and  depend on your deployment needs. For the  

06:12

fully deployed project, you’ll need 8-16GB  of RAM, at least 128GB of storage space,  

06:17

and of course, unfiltered,  direct access to the Internet.

06:20

The project website goes into deep detail on  all of the honeypots, including their function  

06:25

and purpose, and also goes into detail about  other security tools and features included.

06:30

The project is actively being  updated and maintained. In fact,  

06:33

I ran into an issue and posted about it  on their GitHub page, and within a day,  

06:37

they had resolved the issue and pushed an  update. And since everything is docker based,  

06:41

all I needed to do was run one of their update  scripts, and the fix was live on my system.

06:45

So what’s the catch? Something this nice feels  like it should cost money. And surprisingly,  

06:50

there is no catch. This entire  project is all about learning,  

06:53

protecting, and understanding the  threats on the Internet. By default,  

06:56

the project ship logs to Telekom Security  to add to their global honeypot network,  

07:00

which I think is fair for all of the work and  effort poured into this. But, if you’re not  

07:04

down to share, they provide instructions  on how to disable that sharing as well.

07:07

By this point, I’m sure I’ve sold you on T-pot  CE, so let’s walk through getting it installed.

07:11

Your first stop is to swing over to the  T-pot CE GitHub page and download the ISO  

07:16

file for your architecture. We’re going  to be running T-pot CE on x86 hardware,  

07:20

so we’ll download the tpot_amd64.iso.  The entire iso is only 46 megabytes.

07:25

T-pot CE can be deployed on physical  hardware or a virtual machine. What  

07:30

you choose is going to depend on your  home lab, your network configuration,  

07:33

and your level of comfortable risk. And that  last part is important. If you’re running in  

07:37

a virtualized environment, it’s up to make sure  that your virtual switches and your management  

07:40

interfaces are configured in a way that you’re  not risking exposure of your hypervisor to the  

07:45

Internet. And it’s for this reason, we’re  going to be showing you how to set up T-pot  

07:47

CE on a single physical PC over walking you  through creating this as a virtual machine.

07:51

Now that we’ve got our ISO, we need to write it to  a USB stick so we can install it on our hardware.  

07:55

We use Rufus for all our ISO to USB needs, you can  grab a copy of Rufus from the link below. Anyway,  

08:01

Rufus is up and running, we’ve inserted  our USB stick in our PC, and we’ll click  

08:06

‘Select’ to select our freshly downloaded ISO,  select it from our file system, and click Open.  

08:12

Now we’ll click ‘start’ below, say  OK to the ‘write in ISO mode’ prompt,  

08:16

say OK to the warning on data wiping, and away  it goes. The boot stick process shouldn’t take  

08:22

too long to complete but will depend on your  hardware. All done, let’s get T-pot CE installed!

08:28

We’ll be installing T-pot CE onto this little  Lenovo right here. It’s running a modest  

08:32

8th-generation Intel Core i7-8700 CPU running at  3.2 GHz. The box also has 64GB of RAM in it - this  

08:40

is overkill, 16GB is the max you’d need for  T-pot, and the box also has a 500GB NVMe disk.

08:46

As I mentioned earlier, this system needs to  be connected directly to the Internet with no  

08:50

firewalling or filtering in front of it. You can  build your T-pot instance behind your firewall  

08:54

and then move it directly to the Internet  if you’d like. We’ll be installing T-Pot CE  

08:57

while the host is directly connected to the  Internet via a 1-gig Ethernet connection.

09:01

Once booted off the USB stick, we’re  greeted by the grub boot loader,  

09:04

and we’ll select T-pot 22.04.0 and hit enter.

09:09

The first screen is the location selection screen,  

09:12

we’re in the US so, we’ll  choose the United States.

09:15

The next screen is all about keyboard layout,  find your keyboard layout and press enter.

09:20

T-pot CE uses the Debian 11 netinstall image,  which is light on drivers, so if you’re greeted  

09:25

with a message like this asking if you want to  load in drivers for the NICs it doesn’t have  

09:29

support for, you can do so. Our little test box  has multiple NICs in it, and we’re missing drivers  

09:34

for the 10Gig card. Thankfully we’re not using  that card, so we’ll select No and press enter.

09:39

The next few screens are the Debian installer  

09:41

attempting to activate NICs  and obtain an IP address.

09:44

Alright, now we need to select the closet  mirror to download more of the Debian 11  

09:47

OS for T-pot. We want to see the  list of mirrors for the US cause  

09:51

that’s where we are, so we’ll leave  it on United States and press enter.

09:55

Now we’re presented with a list of  Debian mirrors to grab the OS. The  

09:59

default is deb.debian.org, if you  know of a closer mirror to you,  

10:02

navigate and select it, but we’ll stick  with the default here and hit enter.

10:06

We don’t have an HTTP proxy, and I  doubt you do as well, so just hit enter.

10:11

And away it goes. The system will download  a few necessary files off the Internet,  

10:15

automatically partition and format your  hard drive, and reboot when complete.

10:19

After the reboot, the system will continue with  the second half of the install process. This  

10:24

will take a while to complete as well,  so be patient and allow it to finish.

10:27

Alright, this screen is where we get to  choose which edition of T-pot CE we want  

10:31

to install. There are quite a few different  options, Standard being the full deployment  

10:35

with all the bells and whistles, which  is the one we’ll be installing because  

10:38

we want to everything! If you’re interested  in the other editions, I encourage you to  

10:42

read more about them and their focus on T-pot’s  GitHub site. Let’s hit enter to kick this off!

10:47

Now we need to set the password for the  tsec account. Tsec is your one and only  

10:52

user on the OS. When you interact with  your T-pot in an administrative capacity,  

10:56

you’ll be using the tsec user.  Enter a password and hit enter.

11:00

And do it again to confirm.

11:02

Next, we need to create a user for the web  interface. This user is only for accessing the  

11:07

T-pot website’s maps, Kibana dashboards, and other  security tools. You can create anything you’d  

11:12

like for a user, we’ll be using the user name  ‘tpotce’, so we’ll enter that and press enter.

11:18

Then we’ll confirm that, yes,  we want tpotce as our username.

11:22

Now we’ll create a password just  for our newly minted web user

11:25

And do it again to confirm and hit enter

11:29

Alright, now T-pot is installing on the  host. During this process, the installer  

11:33

will download and install docker, pull in  all necessary supporting packages on the OS,  

11:37

and execute the creation of the docker  containers, network configurations,  

11:40

and so on for the system. Again, this can  take a while, depending on your hardware,  

11:45

your connection speed to the Internet,  and so on. It took about 8 full minutes  

11:48

to complete the installation, and the  system will reboot after it’s completed.

11:52

After reboot, we’re presented with the console  screen giving us the links to access our T-pot  

11:57

CE installation and begin seeing all  the attacks and attempts happening to  

12:01

your system right now. Let’s head over to the  web interface and have a quick look around.

12:06

Once you head over to the web site  for your new T-pot CE instance and  

12:09

log in with the user you create for the web site,  

12:11

you’ll be greeted by the T-pot landing  page. From here you can start digging into  

12:15

the data coming in. I’ve already shown you the  Attack Map and some of the Kibana dashboards.

12:20

Cockpit is the Administrative interface  you can use to manage your system,  

12:23

you’ll need the tsec user and the password  you set for that account to log into there.

12:27

Cyberchef is a useful tool for analysing,  converting, and decoding data of different  

12:31

types easily. There are around 200 different  operations in CyberChef you can use from  

12:36

converting date and time, to decompressing gzipped  data or parsing an x.509 certificate. It’s a  

12:42

useful tool for some of the information  you’ll be collecting in your honeypots.

12:45

Elasticvue is a user interface to  dig into the raw data collected  

12:49

from your honeypots. If you want to  search for a specific bit of data,  

12:52

you’d use elasticvue to get at the  data stored in Logstash in T-pot.

12:56

And lastly, Spiderfoot is a footprinting and  

12:58

discovery tool that allows you to  run deep searches into IP addresses,  

13:02

websites, and domains. Its footprinting  tools allow you to learn everything  

13:06

you can that’s publicly available about your  search query. Another fantastic security tool.

13:12

That’s really all there is to  the entire thing. Now you can  

13:14

just sit back and watch the attacks come in.

13:17

This is a good time to talk about  the security of your home network,  

13:20

regardless of whether you’re a homelabber,  self-hoster, or you just have a simple ASUS  

13:24

router running at home, It’s important that you  have something in between your home network,  

13:27

and the Internet. We’re big fans of pfSense  as a firewall for protection against all the  

13:32

bad guys on the ‘net, and we’ve made quite  a few videos around building and setting  

13:35

up your own pfSense firewall. No matter what you  choose, make sure you’re using a modern firewall  

13:40

and make sure it’s updated regularly with  firmware updates or patches. Unfortunately,  

13:44

there is no such thing as a one-and-done solution  for protecting your home network, so make sure you  

13:48

check for updates for your firewall often  and get them installed as soon as you can.

13:51

And as always, consider joining our  Discord community if you have questions  

13:54

about network design, firewall configurations,  

13:57

or anything homelab and self-hosting  related. We’re always happy to help.

14:00

And that friends will do it for this video! If  you liked it throw us a thumbs up and a sub,  

14:05

and if you have a beef with anything we said,  please leave it in a comment below! Special thanks  

14:09

to our YouTube subscribers for supporting what we  do here on the channel, you guys are awesome. If  

14:13

you’d like to support us, check out our YouTube  membership, or buy some swag, all of it helps us  

14:18

keep making videos. And now that you’ve finished  watching this video, how about checking out this  

14:21

playlist here of other great homelab and  self-hosting videos we’ve done in the past,  

14:24

If you’re looking to get into virtualization,  homelab, or self-hosting we can help!