tpotce: The All In One Honeypot Platform
T-Pot – The All In One Honeypot Platform
T-Pot is based on the Debian (Stable) network installer. The honeypot daemons as well as other support components are dockerized. This allows T-Pot to run multiple honeypot daemons and tools on the same network interface while maintaining a small footprint and constraining each honeypot within its own environment.
In T-Pot we combine the dockerized honeypots …
- adbhoney,
- ciscoasa,
- citrixhoneypot,
- conpot,
- cowrie,
- dicompot,
- dionaea,
- elasticpot,
- glutton,
- heralding,
- honeypy,
- honeysap,
- honeytrap,
- ipphoney,
- mailoney,
- medpot,
- rdpy,
- snare,
- tanner
… with the following tools …
- Cockpit for a lightweight WebUI for docker, OS, real-time performance monitoring, and web terminal.
- CyberChef, a web app for encryption, encoding, compression, and data analysis.
- ELK stack to beautifully visualize all the events captured by T-Pot.
- Elasticsearch Head, a web front end for browsing and interacting with an Elasticsearch cluster.
- Fatt, a pyshark-based script for extracting network metadata and fingerprints from pcap files and live network traffic.
- Spiderfoot, an open-source intelligence automation tool.
- Suricata, a Network Security Monitoring engine.
… to give you the best out-of-the-box experience possible and an easy-to-use multi-honeypot appliance.
While data within docker containers is volatile, T-Pot ensures a default 30-day persistence of all relevant honeypot and tool data in the well-known /data folder and sub-folders. The persistence configuration may be adjusted in /opt/tpot/etc/logrotate/logrotate.conf. Once a docker container crashes, all other data produced within its environment is erased and a fresh instance is started from the corresponding docker image.
Basically, what happens when the system is booted up is the following:
- start host system
- start all the necessary services (i.e. cockpit, docker, etc.)
- start all docker containers via docker-compose (honeypots, nms, elk, etc.)
The T-Pot project provides all the tools and documentation necessary to build your own honeypot system and contribute to our Sicherheitstacho.
The source code and configuration files are fully stored in the T-Pot GitHub repository. The docker images are preconfigured for the T-Pot environment. If you want to run the docker images separately, make sure you study the docker-compose configuration (/opt/tpot/etc/tpot.yml) and the T-Pot systemd script (/etc/systemd/system/tpot.service), as they provide a good starting point for implementing changes.
The individual docker configurations are located in the docker folder.
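Because every honeypot shares one network interface, a change to the docker-compose configuration can leave two services claiming the same host port. The following check is an added example, not code from the T-Pot project: it assumes the services mapping of a compose file has already been loaded into a dict, handles only the short port syntax, and uses constructed port mappings that are not T-Pot's real ones. The function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: service names come from the list above, the port
# mappings are invented for illustration and are NOT T-Pot's real ones.
SAMPLE_SERVICES = {
    "cowrie":    {"ports": ["22:22", "23:23"]},
    "dionaea":   {"ports": ["21:21", "445:445", "5060:5060/udp"]},
    "heralding": {"ports": ["21-23:21-23", "5060:5060"]},
    "honeytrap": {"network_mode": "host"},  # no "ports" key at all
}

def parse_port(spec):
    """Short-syntax '[ip:]published:target[/proto]' -> (ip, proto, range) or None."""
    spec, _, proto = str(spec).partition("/")
    parts = spec.rsplit(":", 2)
    if len(parts) == 1 or not parts[-2]:
        return None  # no fixed host port: Docker assigns an ephemeral one
    host_ip = parts[0] if len(parts) == 3 else "0.0.0.0"
    lo, _, hi = parts[-2].partition("-")
    return host_ip, proto or "tcp", range(int(lo), int(hi or lo) + 1)

def find_port_collisions(services):
    """Map (proto, host_port) -> sorted services that would bind the same socket."""
    claims = defaultdict(list)
    for name, svc in services.items():
        for spec in svc.get("ports", []):
            parsed = parse_port(spec)
            if parsed:
                host_ip, proto, ports = parsed
                for port in ports:
                    claims[(proto, port)].append((name, host_ip))
    collisions = {}
    for key, owners in claims.items():
        # Two bindings clash when the IPs match or either one is the wildcard.
        clash = {a for a, ip_a in owners for b, ip_b in owners
                 if a != b and (ip_a == ip_b or "0.0.0.0" in (ip_a, ip_b))}
        if clash:
            collisions[key] = sorted(clash)
    return collisions

if __name__ == "__main__":
    for (proto, port), names in sorted(find_port_collisions(SAMPLE_SERVICES).items()):
        print(f"{port}/{proto} claimed by: {', '.join(names)}")
```

A service that appears in the result would fail to start or silently lose its traffic to another honeypot, so the check is worth running before restarting the T-Pot service after an edit.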
Install & Use
Copyright (C) 2021 telekom-security