It took just 12 seconds - Catching hackers with a honey pot!
Summary
TL;DR: This video demonstrates the rapid vulnerability of an exposed computer to the internet, illustrating how a system can be attacked within seconds. The presenter introduces T-Pot CE, an all-in-one honeypot platform that traps hackers to gather data on their methods. With over 20 honeypots and powerful visualization tools, T-Pot CE helps in understanding and mitigating cyber threats. The video guides viewers through setting up their own honeypot, emphasizing the importance of home network security with a modern firewall.
Takeaways
- 🕒 The script describes a demonstration where a computer exposed to the internet was attacked within 12 seconds, highlighting the vulnerability of unprotected systems.
- 🔥 Within an hour, the system faced nearly 17,000 attacks, and in a day, it recorded 263,000 different attacks, emphasizing the constant threat of cyber attacks on exposed systems.
- 🔍 The attacks were diverse, targeting various ports, protocols, and services, indicating the wide range of techniques used by malicious actors.
- 🪤 The script introduces a honeypot, a system designed to trap hackers and gather information about their methods, playing a crucial role in cybersecurity research.
- 🌟 The T-Pot CE project is highlighted as a comprehensive, open-source honeypot platform supporting over 20 honeypots and offering extensive visualization options.
- 📈 T-Pot CE includes impressive live attack maps and Kibana dashboards that provide real-time insights into the attacks and the techniques used by attackers.
- 🛠️ T-Pot CE is maintained by Telekom Security, a division of Deutsche Telekom, showcasing the project's maturity and the company's commitment to cybersecurity.
- 💻 T-Pot CE can be deployed on various platforms including virtual machines, standalone hardware, or in the cloud, with minimum system requirements that are practical for most users.
- 🔄 The project is actively updated and maintained, with quick responses to issues reported on the GitHub page, demonstrating the support and development behind T-Pot CE.
- 📊 T-Pot CE provides a wealth of data visualization tools, such as the Cowrie dashboard for SSH and Telnet attempts, and the Suricata dashboard for intrusion detection and prevention.
- 🏠 The script concludes with a reminder of the importance of securing home networks with modern firewalls and regular updates, advocating for proactive cybersecurity measures.
Q & A
How long did it take for the computer exposed to the Internet to get attacked?
-It took 12 seconds for the computer to get attacked after being exposed to the Internet.
What is the purpose of a honeypot in cybersecurity?
-A honeypot is a system used to trap or deceive hackers and malicious actors. It acts as a digital trap that appears as a tempting target, such as a vulnerable computer or network, but is designed to monitor and gather information about the activities of the attackers.
What does T-Pot CE stand for and what does it include?
-T-Pot CE stands for T-Pot Community Edition. It is an all-in-one, optionally distributed, multiarch honeypot platform that supports over 20 honeypots and countless visualization options using the Elastic Stack, animated live attack maps, and various security tools.
How does T-Pot CE help in understanding cybersecurity threats?
-T-Pot CE collects data on attacks from various honeypots, which provides valuable information about the techniques used by attackers worldwide. This information helps companies and businesses create processes, software, and tools to mitigate attacks and improve security.
What are the minimum requirements for deploying T-Pot CE?
-The minimum requirements for deploying T-Pot CE include 8-16GB of RAM, at least 128GB of storage space, and unfiltered, direct access to the Internet.
How can one visualize the data collected by T-Pot CE?
-T-Pot CE includes 27 prebuilt Kibana dashboards that provide a wealth of information from the different honeypots running on the system, offering visualizations such as live map visualizations and color-coded tables of attack data.
What is the significance of the live map visualization feature in T-Pot CE?
-The live map visualization feature in T-Pot CE shows real-time attacks against the honeypots hosted in it. Each dot on the world map represents an attacker reaching out to the honeypot, providing a visual representation of the global scope of cyber threats.
What is the role of Suricata in T-Pot CE?
-Suricata is an open-source intrusion detection and prevention system. While not a honeypot itself, T-Pot CE pipes data from different honeypots into Suricata for threat detection, enhancing the system's security capabilities.
Who maintains the T-Pot project and what is its background?
-The T-Pot project is maintained by Telekom Security, a division of Deutsche Telekom, one of the world's leading integrated telecommunications companies. They have been working on the honeypot project since 2015, and it is built on top of Debian 11.
How can one contribute to the T-Pot project and what are the privacy considerations?
-By default, the T-Pot project sends logs to Telekom Security to add to their global honeypot network. However, if a user is not comfortable sharing their data, the project provides instructions on how to disable that sharing.
Outlines
🔒 Rapid Cyber Attacks on Exposed Systems
This paragraph details the vulnerability of a computer system exposed to the internet without a firewall. Within 12 seconds of exposure, the system was attacked, and within 24 hours, it experienced nearly 263,000 different attacks across various ports, protocols, and services. The author introduces the concept of a honeypot, a system designed to trap and deceive hackers, and emphasizes its importance in cybersecurity research. The video aims to demonstrate setting up a honeypot using T-Pot, an all-in-one honeypot platform with over 20 honeypots and extensive visualization options.
📈 T-Pot CE: A Comprehensive Honeypot Solution
The author discusses the T-Pot CE project, an open-source honeypot platform developed by Telekom Security. T-Pot CE is described as a multiarch, multi-honeypot platform with over 20 honeypots and numerous visualization tools, including live attack maps and Kibana dashboards. The platform is built on Debian 11 and requires a system with at least 8-16GB of RAM and 128GB of storage, along with direct internet access. The project is actively maintained, with updates and support provided by the developers. The author also highlights the project's educational goals and the option to disable data sharing with Telekom Security.
🛠 Setting Up T-Pot CE for Cybersecurity Monitoring
The paragraph outlines the process of setting up T-Pot CE, from downloading the ISO file to installing it on physical hardware. The author provides a step-by-step guide, including creating a bootable USB stick using Rufus, selecting the correct geographical location and keyboard layout during installation, and choosing the full deployment edition of T-Pot CE. The installation process involves setting up a user account, downloading necessary packages, and configuring Docker containers. After installation, the system reboots and provides access to various tools such as the attack map, Kibana dashboards, and administrative interfaces.
🏠 Enhancing Home Network Security with T-Pot CE
In the final paragraph, the author discusses the importance of home network security and the role of T-Pot CE in monitoring and understanding cyber threats. The video concludes with a demonstration of the T-Pot CE web interface, highlighting tools like Cockpit for system management, CyberChef for data analysis, Elasticvue for data retrieval, and Spiderfoot for footprinting and discovery. The author also emphasizes the need for regular updates to home firewalls and invites viewers to join their Discord community for further support.
Keywords
💡Honeypot
💡Cybersecurity Research
💡T-Pot CE
💡Elastic Stack
💡Suricata
💡CVE
💡IoT Devices
💡Debian
💡Docker
💡pfSense
💡Kibana Dashboards
Highlights
A computer exposed to the Internet without a firewall is extremely vulnerable, experiencing nearly 17,000 attacks within an hour.
In a 24-hour period, the system logged nearly 263,000 different attacks from a variety of ports, protocols, and services.
Honeypots are used to trap and deceive hackers, gathering valuable information about their techniques for cybersecurity research.
T-Pot CE is an all-in-one, optionally distributed, multiarch honeypot platform supporting over 20 honeypots and visualization options.
T-Pot CE provides impressive live attack maps and detailed Kibana dashboards for data visualization.
Cowrie dashboard offers insights into SSH and Telnet attempts, including attempted usernames, passwords, and executed commands.
Suricata, integrated with T-Pot, is an intrusion detection system that helps identify threats and CVEs used in attacks.
T-Pot CE can be deployed on various platforms including virtual machines, stand-alone hardware, or in the cloud.
The project is maintained by Telekom Security, emphasizing its maturity and commitment to cybersecurity.
T-Pot CE is built on Debian 11 and requires 8-16GB of RAM and at least 128GB of storage space for full deployment.
The project is actively updated and maintained, with quick resolution to issues reported on GitHub.
T-Pot CE logs can be shared with Telekom Security by default, but users have the option to disable this feature.
Installation of T-Pot CE is straightforward, with detailed instructions provided for both physical and virtual deployments.
T-Pot CE comes with a variety of security tools, including CyberChef for data analysis and Elasticvue for raw data exploration.
Spiderfoot, included with T-Pot, is a powerful tool for conducting deep searches into IP addresses, websites, and domains.
The video emphasizes the importance of home network security, recommending the use of modern firewalls like pfSense.
Transcripts
12 seconds. That’s how long it took for the computer I directly exposed
to the Internet to get attacked. Within an hour, the system experienced nearly 17
thousand attacks, and within a 24-hour period, the system logged nearly 263
thousand different attacks. All of those attacks were across a variety of different ports,
protocols, and services, and I captured all of that information with a honeypot,
and in this video, I’m going to show you how to set up your own using T-Pot.
Welcome, homelabbers and self-hosters, Rich here. We all know the internet is a dangerous
place. Any computer directly exposed to the Internet without a firewall is at extreme
risk to compromise. But few users understand how dangerous it really is. The idea for this
video was actually born from another video I was working on regarding firewall security, and when
I came across the T-pot honeypot project, I just had to show you. But what is a honey pot anyway?
In simple terms, a honey pot is a system used to trap or deceive hackers and
malicious actors. It works like a digital trap that appears as a tempting target,
such as a vulnerable computer or network but is actually designed to monitor and
gather information about the activities of the attackers.
Honey pots are a key component of cybersecurity research and provide valuable information about
what techniques the bad guys around the world are using to hack into real systems. That information
learned helps companies and businesses create processes, software, and tools to mitigate those
attacks and keep everyone safe. And the super cool part is you can set up your own honey pot
at home in your homelab as well! Let’s talk about T-pot CE and why I decided to use it.
While I was searching for a honey pot to host and begin collecting data, I quickly
discovered that there are a ton of different open-source honey pot projects out there,
which makes sense. There are honeypots for practically every conceivable network service,
protocol, and system that are in use today.
friendly user interface and analytics. And that’s when I discovered T-pot CE.
T-Pot CE is the answer to all of my needs. From the website, T-pot CE is described as
“The all in one, optionally distributed, multiarch honeypot platform, supporting
20+ honeypots and countless visualization options using the Elastic Stack, animated
live attack maps and lots of security tools to further improve the deception experience.”
T-pot CE provides all of the things you would want in a single appliance-like system,
and the visualizations it creates are impressive. Like,
show your boss at work levels of impressive. Check these out:
This is the live map visualization feature that shows you, in real-time,
all of the attacks against the 20-plus different honeypots hosted in it. Each
dot that appears on the worldmap is an attacker reaching out to attack my honeypot. Down below,
we have a live-updating color-coded table of the protocols and services, the source IP addresses
and countries the attacks are coming from, and the honeypots being attacked. I could stare
at this thing for hours, watching the little attack lines zip back and forth. It’s stunning.
I am a huge data visualization nerd,
and T-pot has some incredibly well-crafted Kibana dashboards built in to visualize
all of the different data coming into the different honeypots. Check this out!
T-Pot has 27 different prebuilt Kibana dashboards that provide an incredible
amount of information from the different honeypots running on the system. There
are literally too many dashboards to walk through, so I’m going to show you a few of
my favorites to give you an idea of what information is collected and displayed.
Let’s swing over to the Cowrie dashboard. Cowrie is a honeypot specific to trapping SSH and Telnet
attempts. The Cowrie dashboard shows you baseline stuff like where an attacker came from,
what their IP address was, a visual map of their geolocation in the world,
and then really digs in on fascinating details like what the remote side reported its client
was and unique detection fingerprints like HASSH. Further down, we get two awesome word
clouds of the most commonly attempted user names and passwords. Looks like 123456 and
password are still big targets, and then the thing that really blows me away: a list
of the commands executed when the attacker logged in. This is just a top-10 list, but if
you want to dig in deep, it’s all stored in the elastic instance in T-pot if you’re interested.
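The Cowrie dashboard described above is built from Cowrie's per-event JSON log. As an added example (not code from the video or from the T-Pot project), the script below reads constructed lines in that shape and produces the same three views the presenter calls out: most-attempted usernames, most-attempted passwords, and the commands typed after a successful login, grouped per session. The field names (`eventid`, `username`, `password`, `input`, `session`, `src_ip`) follow Cowrie's JSON log format as I know it; the sample events and addresses are made up.

```python
import json
from collections import Counter, defaultdict

# Constructed sample lines in the shape of Cowrie's JSON log (one event per
# line). These are made-up events for illustration, not data from the video.
SAMPLE_COWRIE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"a1","timestamp":"2023-01-01T00:00:00Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.7","session":"a1"}
{"eventid":"cowrie.login.failed","username":"admin","password":"password","src_ip":"198.51.100.7","session":"a1"}
{"eventid":"cowrie.login.success","username":"root","password":"password","src_ip":"198.51.100.7","session":"a1"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"198.51.100.7","session":"a1"}
{"eventid":"cowrie.command.input","input":"cat /proc/cpuinfo","src_ip":"198.51.100.7","session":"a1"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.9","session":"b2","timestamp":"2023-01-01T00:05:00Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.9","session":"b2"}
{"eventid":"cowrie.login.failed","username":"pi","password":"raspberry","src_ip":"203.0.113.9","session":"b2"}
{"eventid":"cowrie.login.success","username":"root","password":"123456","src_ip":"203.0.113.9","session":"b2"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"203.0.113.9","session":"b2"}
this line is not JSON and must be skipped
{"eventid":"cowrie.session.closed","src_ip":"203.0.113.9","session":"b2"}
"""


def parse_events(text):
    """Parse one JSON object per line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def summarize(events, top_n=10):
    """Build the credential and command views the Cowrie dashboard shows."""
    usernames, passwords, commands = Counter(), Counter(), Counter()
    commands_by_session = defaultdict(list)
    sessions = set()
    successful_logins = 0
    for ev in events:
        eid = ev.get("eventid", "")
        if "session" in ev:
            sessions.add(ev["session"])
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            usernames[ev.get("username", "")] += 1
            passwords[ev.get("password", "")] += 1
            if eid == "cowrie.login.success":
                successful_logins += 1
        elif eid == "cowrie.command.input":
            cmd = ev.get("input", "")
            commands[cmd] += 1
            commands_by_session[ev.get("session", "?")].append(cmd)
    return {
        "usernames": usernames.most_common(top_n),
        "passwords": passwords.most_common(top_n),
        "commands": commands.most_common(top_n),
        "commands_by_session": dict(commands_by_session),
        "successful_logins": successful_logins,
        "sessions": len(sessions),
    }


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_COWRIE_LOG))
    print("sessions:", summary["sessions"], "successful logins:", summary["successful_logins"])
    print("top usernames:", summary["usernames"])
    print("top passwords:", summary["passwords"])
    print("top commands:", summary["commands"])
    for session, cmds in summary["commands_by_session"].items():
        print(f"session {session}: {cmds}")
```

Pointing `parse_events` at a real Cowrie log file reproduces the dashboard's word clouds as plain counts, and the per-session command list is the part worth reading closely, since it shows what an attacker does once a weak credential works.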
Suricata is an open-source intrusion detection system and
intrusion prevention system. While not a honeypot itself,
T-pot pipes the data consumed from different honeypots into Suricata for threat detection.
The Suricata dashboard is just incredible. Like the Cowrie dashboard and others,
at the top you get the basic information about where attackers came from,
event quantities and histograms, but then you get into really meaty details like alert categories,
destination ports, and country histograms. Hey Ukraine! We’re on your side! Knock it off!
And further down we get more details about alert signatures that were triggered,
all of which have clickable links to Suricata’s forums for you to
research if you’re interested, and below known CVEs used in attacks.
Every dashboard is built to show you things at a high level, but the system collects a
ton of information. As an example, let’s drill down into some of this data. Let’s
dig into an alert category and let’s choose “Attempted Administrative privilege gain.”
On the right side of that category, we’ll click the three-dot ellipsis and select ‘Filter
for value,’ and instantly, we can see all of the attacks of this alert type. At the bottom,
we can see the Suricata alert signatures seen. See those Mirai entries? Mirai is
malware that infects smart devices like IP cameras, home routers, and other IoT devices
and turns them into zombie devices that participate in a massive botnet. Amazing.
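The drill-down just described (filter on one alert category, then read the signatures and CVEs underneath it) can be done outside Kibana against Suricata's EVE JSON output. This is an added example, not code from the video or from T-Pot or Suricata; the event shape (`event_type`, `src_ip`, `dest_port`, and the nested `alert` object with `signature` and `category`) follows Suricata's EVE format as I know it. The signature names and the `CVE-0000-0001` identifier in the sample are placeholders I made up, and the CVE extraction simply pattern-matches CVE ids that appear in signature text.

```python
import json
import re
from collections import Counter

# Matches CVE identifiers embedded in rule signature names.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed events in the shape of Suricata's EVE JSON log. Signature texts
# and the CVE id are placeholders, not real rule names or data from the video.
SAMPLE_EVE_LOG = """\
{"timestamp":"2023-01-01T00:00:01Z","event_type":"flow","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","proto":"TCP"}
{"timestamp":"2023-01-01T00:00:02Z","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","dest_port":23,"proto":"TCP","alert":{"signature":"PLACEHOLDER Telnet default credential attempt","category":"Attempted Administrative Privilege Gain","signature_id":9000001,"severity":1}}
{"timestamp":"2023-01-01T00:00:03Z","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.5","dest_port":23,"proto":"TCP","alert":{"signature":"PLACEHOLDER Telnet default credential attempt","category":"Attempted Administrative Privilege Gain","signature_id":9000001,"severity":1}}
{"timestamp":"2023-01-01T00:00:04Z","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.5","dest_port":80,"proto":"TCP","alert":{"signature":"PLACEHOLDER router command injection (CVE-0000-0001)","category":"Attempted Administrative Privilege Gain","signature_id":9000002,"severity":1}}
{"timestamp":"2023-01-01T00:00:05Z","event_type":"alert","src_ip":"192.0.2.44","dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"signature":"PLACEHOLDER SSH scan","category":"Misc activity","signature_id":9000003,"severity":3}}
"""


def load_alerts(text):
    """Return only the alert events; flow, dns and other event types are dropped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") == "alert" and isinstance(ev.get("alert"), dict):
            alerts.append(ev)
    return alerts


def filter_by_category(alerts, category):
    """Equivalent of Kibana's 'Filter for value' on alert.category."""
    return [a for a in alerts if a["alert"].get("category") == category]


def signature_counts(alerts):
    return Counter(a["alert"].get("signature", "") for a in alerts)


def cves_in(alerts):
    """Collect CVE ids mentioned in the matched signature names."""
    found = set()
    for a in alerts:
        found.update(CVE_RE.findall(a["alert"].get("signature", "")))
    return sorted(found)


def drill_down(text, category):
    """One category's alerts summarized the way the dashboard drill-down shows them."""
    matched = filter_by_category(load_alerts(text), category)
    return {
        "matched": len(matched),
        "signatures": signature_counts(matched).most_common(),
        "sources": Counter(a.get("src_ip", "") for a in matched).most_common(),
        "dest_ports": Counter(a.get("dest_port") for a in matched).most_common(),
        "cves": cves_in(matched),
    }


if __name__ == "__main__":
    result = drill_down(SAMPLE_EVE_LOG, "Attempted Administrative Privilege Gain")
    print("matched alerts:", result["matched"])
    print("signatures:", result["signatures"])
    print("sources:", result["sources"])
    print("destination ports:", result["dest_ports"])
    print("CVEs referenced:", result["cves"])
```

Run against a real `eve.json`, the same function answers the question the presenter is asking in Kibana: which signatures make up a category, which sources trigger them most, and which CVEs the matching rules reference.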
Before we walk you through setting up your own T-Pot CE instance,
let’s talk about the project and give credit where credit is due.
The T-pot project is an open-source project maintained by Telekom Security,
a division of Deutsche Telekom, one of the world's leading integrated telecommunications companies,
with some 245 million mobile customers, 25 million fixed-network lines, and 21 million
broadband lines in service. As you can expect, this is a company that takes security seriously.
They’ve been working on this honeypot project since 2015,
and the maturity of it shows. T-Pot CE can be deployed as an appliance on a virtual machine,
stand-alone hardware, or in the cloud and is currently built on top of Debian 11.
The team is also working on an official docker-only deployable stack that would
allow you to bring your own OS of choice. It’s in testing now and not generally available,
but they do walk you through testing it if you absolutely must run T-Pot on another OS instead.
Minimum requirements are reasonable and depend on your deployment needs. For the
fully deployed project, you’ll need 8-16GB of RAM, at least 128GB of storage space,
and of course, unfiltered, direct access to the Internet.
The project website goes into deep detail on all of the honeypots, including their function
and purpose, and also goes into detail about other security tools and features included.
The project is actively being updated and maintained. In fact,
I ran into an issue and posted about it on their GitHub page, and within a day,
they had resolved the issue and pushed an update. And since everything is docker based,
all I needed to do was run one of their update scripts, and the fix was live on my system.
So what’s the catch? Something this nice feels like it should cost money. And surprisingly,
there is no catch. This entire project is all about learning,
protecting, and understanding the threats on the Internet. By default,
the project ships logs to Telekom Security to add to their global honeypot network,
which I think is fair for all of the work and effort poured into this. But, if you’re not
down to share, they provide instructions on how to disable that sharing as well.
By this point, I’m sure I’ve sold you on T-pot CE, so let’s walk through getting it installed.
Your first stop is to swing over to the T-pot CE GitHub page and download the ISO
file for your architecture. We’re going to be running T-pot CE on x86 hardware,
so we’ll download the tpot_amd64.iso. The entire ISO is only 46 megabytes.
T-pot CE can be deployed on physical hardware or a virtual machine. What
you choose is going to depend on your home lab, your network configuration,
and your level of comfortable risk. And that last part is important. If you’re running in
a virtualized environment, it’s up to you to make sure that your virtual switches and your management
interfaces are configured in a way that you’re not risking exposure of your hypervisor to the
Internet. And it’s for this reason that we’re going to be showing you how to set up T-pot
CE on a single physical PC rather than walking you through creating this as a virtual machine.
Now that we’ve got our ISO, we need to write it to a USB stick so we can install it on our hardware.
We use Rufus for all our ISO-to-USB needs; you can grab a copy of Rufus from the link below. Anyway,
Rufus is up and running, we’ve inserted our USB stick in our PC, and we’ll click
‘Select’ to select our freshly downloaded ISO, select it from our file system, and click Open.
Now we’ll click ‘Start’ below, say OK to the ‘write in ISO mode’ prompt,
say OK to the warning on data wiping, and away it goes. The boot stick process shouldn’t take
too long to complete but will depend on your hardware. All done, let’s get T-pot CE installed!
We’ll be installing T-pot CE onto this little Lenovo right here. It’s running a modest
8th-generation Intel Core i7-8700 CPU running at 3.2 GHz. The box also has 64GB of RAM in it - this
is overkill, 16GB is the max you’d need for T-pot, and the box also has a 500GB NVMe disk.
As I mentioned earlier, this system needs to be connected directly to the Internet with no
firewalling or filtering in front of it. You can build your T-pot instance behind your firewall
and then move it directly to the Internet if you’d like. We’ll be installing T-Pot CE
while the host is directly connected to the Internet via a 1-gig Ethernet connection.
Once booted off the USB stick, we’re greeted by the grub boot loader,
and we’ll select T-pot 22.04.0 and hit enter.
The first screen is the location selection screen,
we’re in the US so, we’ll choose the United States.
The next screen is all about keyboard layout, find your keyboard layout and press enter.
T-pot CE uses the Debian 11 netinstall image, which is light on drivers, so if you’re greeted
with a message like this asking if you want to load in drivers for the NICs it doesn’t have
support for, you can do so. Our little test box has multiple NICs in it, and we’re missing drivers
for the 10Gig card. Thankfully we’re not using that card, so we’ll select No and press enter.
The next few screens are the Debian installer
attempting to activate NICs and obtain an IP address.
Alright, now we need to select the closest mirror to download more of the Debian 11
OS for T-pot. We want to see the list of mirrors for the US cause
that’s where we are, so we’ll leave it on United States and press enter.
Now we’re presented with a list of Debian mirrors to grab the OS. The
default is deb.debian.org, if you know of a closer mirror to you,
navigate and select it, but we’ll stick with the default here and hit enter.
We don’t have an HTTP proxy, and I doubt you do either, so just hit enter.
And away it goes. The system will download a few necessary files off the Internet,
automatically partition and format your hard drive, and reboot when complete.
After the reboot, the system will continue with the second half of the install process. This
will take a while to complete as well, so be patient and allow it to finish.
Alright, this screen is where we get to choose which edition of T-pot CE we want
to install. There are quite a few different options, Standard being the full deployment
with all the bells and whistles, which is the one we’ll be installing because
we want everything! If you’re interested in the other editions, I encourage you to
read more about them and their focus on T-pot’s GitHub site. Let’s hit enter to kick this off!
Now we need to set the password for the tsec account. Tsec is your one and only
user on the OS. When you interact with your T-pot in an administrative capacity,
you’ll be using the tsec user. Enter a password and hit enter.
And do it again to confirm.
Next, we need to create a user for the web interface. This user is only for accessing the
T-pot website’s maps, Kibana dashboards, and other security tools. You can create anything you’d
like for a user, we’ll be using the user name ‘tpotce’, so we’ll enter that and press enter.
Then we’ll confirm that, yes, we want tpotce as our username.
Now we’ll create a password just for our newly minted web user,
and do it again to confirm and hit enter.
Alright, now T-pot is installing on the host. During this process, the installer
will download and install docker, pull in all necessary supporting packages on the OS,
and execute the creation of the docker containers, network configurations,
and so on for the system. Again, this can take a while, depending on your hardware,
your connection speed to the Internet, and so on. It took about 8 full minutes
to complete the installation, and the system will reboot after it’s completed.
After reboot, we’re presented with the console screen giving us the links to access our T-pot
CE installation and begin seeing all the attacks and attempts happening to
your system right now. Let’s head over to the web interface and have a quick look around.
Once you head over to the web site for your new T-pot CE instance and
log in with the user you created for the web site,
you’ll be greeted by the T-pot landing page. From here you can start digging into
the data coming in. I’ve already shown you the Attack Map and some of the Kibana dashboards.
Cockpit is the Administrative interface you can use to manage your system,
you’ll need the tsec user and the password you set for that account to log into there.
CyberChef is a useful tool for analysing, converting, and decoding data of different
types easily. There are around 200 different operations in CyberChef you can use from
converting date and time, to decompressing gzipped data or parsing an x.509 certificate. It’s a
useful tool for some of the information you’ll be collecting in your honeypots.
Elasticvue is a user interface to dig into the raw data collected
from your honeypots. If you want to search for a specific bit of data,
you’d use elasticvue to get at the data stored in Logstash in T-pot.
And lastly, Spiderfoot is a footprinting and
discovery tool that allows you to run deep searches into IP addresses,
websites, and domains. Its footprinting tools allow you to learn everything
you can that’s publicly available about your search query. Another fantastic security tool.
That’s really all there is to the entire thing. Now you can
just sit back and watch the attacks come in.
This is a good time to talk about the security of your home network,
regardless of whether you’re a homelabber, self-hoster, or you just have a simple ASUS
router running at home, it’s important that you have something in between your home network
and the Internet. We’re big fans of pfSense as a firewall for protection against all the
bad guys on the ‘net, and we’ve made quite a few videos around building and setting
up your own pfSense firewall. No matter what you choose, make sure you’re using a modern firewall
and make sure it’s updated regularly with firmware updates or patches. Unfortunately,
there is no such thing as a one-and-done solution for protecting your home network, so make sure you
check for updates for your firewall often and get them installed as soon as you can.
And as always, consider joining our Discord community if you have questions
about network design, firewall configurations,
or anything homelab and self-hosting related. We’re always happy to help.
And that, friends, will do it for this video! If you liked it, throw us a thumbs up and a sub,
and if you have a beef with anything we said, please leave it in a comment below! Special thanks
to our YouTube subscribers for supporting what we do here on the channel, you guys are awesome. If
you’d like to support us, check out our YouTube membership, or buy some swag, all of it helps us
keep making videos. And now that you’ve finished watching this video, how about checking out this
playlist here of other great homelab and self-hosting videos we’ve done in the past.
If you’re looking to get into virtualization, homelab, or self-hosting we can help!