
Hands-On Training for Cyber Defense using Honeypots - T-Pot Cloud Setup

Updated: Jul 2, 2023


31 Mar 2021


Shubham Khichi


Learn how to deploy T-Pot on practically any cloud environment and monitor the attacks IRL!


By Shubham Khichi


Bonus Content: Flow chart of popular honeypots you can deploy on your systems.


https://whimsical.com/cyber-deception-shubham-khichi-GoYYetQ94zviguWZ9Apgi5@2Ux7TurymMh28DAoCtgH


Things you need!

  1. Download T-Pot from https://github.com/telekom-security/tpotce#installation

  2. A cloud instance (GCP, AWS, Azure, DO Droplets): anything that represents a cloud enterprise environment.

  3. Patience to learn


The Learning Objective?


The idea is to simulate an attack surface and open to the internet only those ports (honeypots) that your environment actually uses. Based on the number of attacks hitting a specific honeypot, we can harden our systems and services to make them harder for hackers to penetrate. Think of it as the check engine light on your car: if it lights up, you still have some time to drive, but you should get it investigated soon by a professional.


Setting up GCP VM:

  1. Compute Engine -> VM instance Template -> Select the Debian Buster 10 VM

  2. VPC Network -> Firewall rules -> Create a Firewall Rule

  3. Create a name

  4. Under Targets select "All Instances in the network"

  5. Under Source IP select - 0.0.0.0/0

  6. Protocols and ports - Allow all

Setting up T-Pot:

  1. Launch SSH in GCP platform

  2. sudo apt-get update && sudo apt-get upgrade

  3. sudo apt-get install git -y

  4. git clone https://github.com/dtag-dev-sec/tpotce.git

  5. Go into the tpotce folder and run the command sudo ./install.sh --type=user

  6. Select STANDARD (or whichever option suits your business needs, but STANDARD should work for all)


Set the Username and Password when prompted and the VM is set!

Access via:

  1. Web portal - https://<external GCP IP address>:64297

  2. Management portal - https://<external GCP IP address>:64294
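
An added check, not part of the original post or the T-Pot project: because the firewall rule above allows all ports from 0.0.0.0/0, the two portals listed here are reachable from any address. The script below audits firewall rules in the JSON shape that `gcloud compute firewall-rules list --format=json` returns and reports which rules leave ports 64297 and 64294 open to any source; the sample rules, their names and the 203.0.113.10 admin address are constructed for illustration.

```python
import json

# Management ports taken from the "Access via" list on this page.
MGMT_PORTS = {64297: "web portal", 64294: "management portal"}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = json.loads("""
[
  {"name": "tpot-allow-all", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
  {"name": "tpot-honeypots", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["1-64000"]}, {"IPProtocol": "udp", "ports": ["1-64000"]}]},
  {"name": "tpot-admin", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["203.0.113.10/32"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["64294", "64297"]}]}
]
""")


def covers(spec, port):
    """True if a GCP port spec ("443" or "1-64000") includes port."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def exposed_mgmt_ports(rule):
    """Return the management ports this rule opens to any source address."""
    open_to_all = ANY_SOURCE & set(rule.get("sourceRanges", []))
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled") or not open_to_all:
        return []
    hits = set()
    for allow in rule.get("allowed", []):
        if allow["IPProtocol"] not in ("tcp", "all"):
            continue
        specs = allow.get("ports")  # absent means every port of that protocol
        hits |= {p for p in MGMT_PORTS if specs is None or any(covers(s, p) for s in specs)}
    return sorted(hits)


def audit(rules):
    """Map rule name -> exposed management ports, for rules that expose any."""
    return {r["name"]: ports for r in rules if (ports := exposed_mgmt_ports(r))}


if __name__ == "__main__":
    for name, ports in audit(SAMPLE_RULES).items():
        print(f"{name}: open to the internet -> " + ", ".join(f"{p} ({MGMT_PORTS[p]})" for p in ports))
```

The audit looks at each allow rule on its own and does not model rule priority or deny rules, so treat a hit as a prompt to review the rule set rather than a final verdict.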

 
 
 
