What is a Honeypot

A honeypot is a security mechanism designed to detect, deflect, or counteract unauthorized use of information systems. It serves several purposes, including detection of potential threats, deflection of malicious traffic from critical systems, and analysis of attack methods. There are two types of honeypots: low-interaction honeypots, which simulate some services and applications but do not provide a fully functional environment, and high-interaction honeypots, which are full systems providing attackers with a realistic environment for more detailed insights into their behavior. Honeypots can be deployed as network honeypots, monitoring and logging traffic within different segments of a network, or as application honeypots, focusing on specific applications to attract attackers exploiting application-level vulnerabilities. They are used by security researchers to study new attack methods and by organizations to enhance their security posture. However, honeypots come with risks, such as exposure if not properly secured and significant resource consumption, especially for high-interaction setups. Overall, honeypots are a valuable tool in cybersecurity for understanding and mitigating threats by simulating vulnerable systems and attracting malicious activities.

Tools Being Used

I will be using Vultr and T-Pot. Vultr is a VPS service, but you don’t have to use Vultr; if you think there is a better or cheaper option, use that. T-Pot is a GitHub repository that bundles a collection of honeypots, such as Cowrie (Telnet and SSH), DDoSPot (DDoS attacks), and SentryPeer (VoIP).

Setting Up the VPS

First, go to Vultr and sign up. Then deploy a VPS. Use a Shared CPU to keep costs down. For location, pick one near you for fast access; you will be attacked regardless of where the server is located. For the OS, use Ubuntu 24.04 LTS. For the plan, pick “Regular Cloud Compute” with 160GB SSD, 4 vCPUs, 8GB of RAM, and 4TB of bandwidth. This is about $40 a month (Tip: if you want to keep costs down, don’t run it 24/7). You don’t need auto backups or IPv6. If you have an SSH key, you can upload it for easy access. Then give your VPS a hostname.

Next, go to Network -> Firewall, create a new firewall group, and name it. Then add four rules. The first two rules allow TCP and UDP (you need to create two separate rules) on ports 1-64293. The third and fourth rules allow TCP and UDP on ports 1-65535 with your own IP as the source (these are for management).

Now your VPS should have finished starting up. SSH into the server: clicking on the server in the Vultr panel shows its IP and root password. Before doing anything else, update the machine with:

sudo apt update && sudo apt upgrade -y

Then add your users:

sudo useradd -m username
sudo passwd username
sudo usermod -aG sudo username

Next, log out of the VPS and copy your SSH key to the new user; on Linux:

ssh-copy-id username@vps-ip

Then SSH back into the machine and run:

env bash -c "$(curl -sL https://github.com/telekom-security/tpotce/raw/master/install.sh)"

This sets everything up for us. It is VERY IMPORTANT to choose this option: (S)ensor - T-Pot Sensor installation. Then reboot the server.

Web Portal

Once the system has rebooted, go to the web portal on port 64297 and log in. You are done! Expect to wait about 24 hours before you see a large number of attacks.
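Once Cowrie (the SSH and Telnet honeypot T-Pot runs) starts recording sessions, the detail lives in its JSON log rather than in the dashboard. The following added example, which is not part of T-Pot or of this post, summarises those events into what a defender looks at first: sessions per source IP, the credential pairs tried, the commands run after a login, and how many logins succeeded. The log lines are constructed samples, and the event and field names are assumed to follow Cowrie's JSON log format.

```python
import json
from collections import Counter

# Constructed sample of Cowrie's JSON log (one event per line). Assumption:
# the eventid/src_ip/session/username/password/input field names are Cowrie's.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.10", "session": "a1", "timestamp": "2024-05-01T10:00:00Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "session": "a1", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "session": "a1", "username": "root", "password": "admin"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "session": "b2", "timestamp": "2024-05-01T10:05:00Z"}
{"eventid": "cowrie.login.success", "src_ip": "198.51.100.7", "session": "b2", "username": "admin", "password": "admin"}
{"eventid": "cowrie.command.input", "src_ip": "198.51.100.7", "session": "b2", "input": "uname -a"}
{"eventid": "cowrie.command.input", "src_ip": "198.51.100.7", "session": "b2", "input": "cat /proc/cpuinfo"}
not json: a truncated line from a log that is still being written
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.10", "session": "c3", "timestamp": "2024-05-01T10:10:00Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "session": "c3", "username": "root", "password": "123456"}
"""

def summarize(lines):
    """Count sessions per source IP, credential pairs tried, commands run and successful logins."""
    sources, creds, commands = Counter(), Counter(), Counter()
    successes = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial or corrupt lines instead of aborting the whole run
        eid = event.get("eventid", "")
        if eid == "cowrie.session.connect":
            sources[event.get("src_ip", "unknown")] += 1
        elif eid in ("cowrie.login.failed", "cowrie.login.success"):
            creds[(event.get("username", ""), event.get("password", ""))] += 1
            if eid == "cowrie.login.success":
                successes += 1
        elif eid == "cowrie.command.input":
            commands[event.get("input", "")] += 1
    return {"sources": sources, "creds": creds, "commands": commands, "successes": successes}

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    print("Sessions by source:", summary["sources"].most_common(5))
    print("Credentials tried:", summary["creds"].most_common(5))
    print("Commands run:", summary["commands"].most_common(5))
    print("Successful logins:", summary["successes"])
```

To run it against a real log, pass the opened file object in place of `SAMPLE_LOG.splitlines()`; the location of the Cowrie log on a T-Pot host is not given in this post, so check your installation's data directory.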

I set up a box about a week ago, and this is what happened…

[Screenshots of the T-Pot dashboard: tpot-1, tpot-2, tpot-3]