If you would like to get a quick and dirty honeypot set up in Azure, you’ve come to the right place! I’ll provide a brief background on honeypots and then walk you through steps to set up your own working honeypot in Azure using the open source software T-Pot.
What is a honeypot?
In the world of cybersecurity, a honeypot is an intentionally vulnerable machine designed to look attractive to attackers and to collect information on any attempted exploits.
Now, the real question is whether you should use a honeypot, and if so, how. Well, there’s no simple answer to that question. Instead of getting into the weeds, let me offer a few examples of how a honeypot could be useful:
1) Research: honeypots are great for research projects or any company that does malware reverse engineering.
2) Understanding the threat landscape: wouldn’t it be great to know what attacks threat actors are using against your organization? Honeypots can help with that.
3) As an alarm: IDS/IPS systems are built to detect attackers that have made their way into your network, but with so many attackers living off the land nowadays, their job is increasingly difficult. Leave a juicy honeypot lying around your internal network to catch what the IDS/IPS missed.
Deploying T-Pot in Azure
I chose T-Pot. It’s open source, very easy to deploy, and bundles a number of honeypots into one install. For details check out its GitHub page https://github.com/dtag-dev-sec/tpotce .
To get started, you’ll need an Azure account. If you don’t have one, sign up for a free account here https://azure.microsoft.com/en-us/free/ . You’ll need a credit card, but Microsoft won’t charge you unless you activate the “pay as you go” subscription.
Create an Azure Virtual Machine:
Under Azure services, choose Virtual Machines and then click Add. Make sure you select the Image: “Debian 10 “Buster” with backports kernel”.
Under Administrator account, add an SSH key. If you’re unsure how to do this, check out this Microsoft Doc on how to create an SSH key https://docs.microsoft.com/en-us/azure/virtual-machines/linux/mac-create-ssh-keys . Make sure you add the public SSH key, and store your private SSH key in a safe place.
After adding the SSH key, click Next. Under Data disks, click “Create and attach a new disk” and add a 128 GB Premium or Standard SSD. T-Pot recommends having at least 128 GB for storage. Click “Next: Networking” when finished.
In the Networking page, ensure your new virtual machine (VM) gets a public IP and has SSH enabled. Everything else can be left as a default. When you’re ready, click “Create” and take a coffee break or play with your cat. It should take 10-15 minutes to build the virtual machine.
SSH Into your Azure VM:
You’ll need the public IP (or fully qualified domain name) of your Azure VM and the private SSH key you created earlier. In a bash shell (most Linux distros use bash), this will look like:
ssh -i private-ssh-key username@<PUBLIC IP ADDRESS>
In Windows, I recommend using PuTTY.
Install T-Pot:
Fortunately this is a very easy process.
1) Update the new Debian install
sudo apt update && sudo apt upgrade -y
2) Install git
sudo apt install git
3) Clone the T-Pot repository
sudo git clone https://github.com/dtag-dev-sec/tpotce
4) Run the installer
sudo tpotce/iso/installer/install.sh --type=user
When asked to review your running services, type “y” and hit Enter to continue.
Choose either the STANDARD or NEXTGEN T-Pot Edition. The “STANDARD” install is the most stable, while “NEXTGEN” will install the newest T-Pot version in development (currently T-Pot v. 20). I chose NEXTGEN for my honeypot.
When the installer is finished, your Azure VM will reboot and your SSH session will terminate. You won’t be able to SSH back in until we reconfigure the networking in Azure.
Configure Azure VM Networking:
The honeypot is up and running, but Azure is blocking its ports. Jump back over to the Azure portal so we can open them up and give your machine access to the T-Pot Web UI.
Sign into Azure, select your virtual machine and under Settings choose “Networking”.
You’ll see that port 22 is open for SSH but all other ports are blocked. Delete the SSH rule, and add the following three inbound rules using the “Add inbound port rule” button:
1) Name: t-pot_ssh, Allow port 64295, Protocol: TCP , Source:<Your IP> , Destination: Any
2) Name: t-pot_web-portal, Allow port 64297, Protocol: TCP, Source: <Your IP>, Destination: Any
3) Name: t-pot_allow-all-else, Allow ports 0-64293,64298-65535, Protocol: TCP, Source: Any, Destination: Any
<Your IP> is the public IP of the computer you’ll use to access the web UI; the rule restricts the management ports (SSH on 64295 and the web portal on 64297) to that address alone. You can leave Source as Any instead, but that is much less secure. If you’re unsure of your IP, type “what’s my ip” into a Google Search.
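The same three inbound rules, created with the Azure CLI instead of the portal, as an added example that is not part of the original post. It assumes the VM’s network security group name, its resource group, that the portal’s default port-22 rule is named “SSH”, and that the rule priorities 100/110/120 are free in that NSG (none of these come from the post).

```shell
#!/bin/sh
# Added example, not part of the original post: create the same three inbound
# NSG rules with the Azure CLI instead of the portal.
# Assumptions (not from the post): the VM's network security group is $3 in
# resource group $2, the portal's default port-22 rule is named "SSH", and the
# priorities 100/110/120 are arbitrary but must be unique within the NSG.
# Set DRY_RUN=1 to print the az commands instead of running them.

run() {
  if [ -n "$DRY_RUN" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Usage: create_tpot_rules <your-ip> <resource-group> <nsg-name>
create_tpot_rules() {
  admin_ip=$1; rg=$2; nsg=$3

  # The stock port-22 rule is no longer needed: T-Pot moves SSH to 64295.
  run az network nsg rule delete --resource-group "$rg" --nsg-name "$nsg" --name SSH

  # t-pot_ssh: management SSH, reachable only from the admin IP.
  run az network nsg rule create --resource-group "$rg" --nsg-name "$nsg" \
    --name t-pot_ssh --priority 100 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes "$admin_ip" \
    --destination-port-ranges 64295

  # t-pot_web-portal: Kibana / web UI, same single-IP restriction.
  run az network nsg rule create --resource-group "$rg" --nsg-name "$nsg" \
    --name t-pot_web-portal --priority 110 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes "$admin_ip" \
    --destination-port-ranges 64297

  # t-pot_allow-all-else: every other TCP port open to the Internet, which is
  # the whole point of the honeypot; the two management ports stay excluded.
  run az network nsg rule create --resource-group "$rg" --nsg-name "$nsg" \
    --name t-pot_allow-all-else --priority 120 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes '*' \
    --destination-port-ranges 0-64293 64298-65535
}

# Example invocation with a constructed (documentation-range) admin IP:
# create_tpot_rules 203.0.113.10 tpot-rg tpot-nsg
```

Once the rules are in place, SSH uses the new port (ssh -i private-ssh-key -p 64295 username@<PUBLIC IP ADDRESS>), and port 22 is no longer reachable.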
That’s it! Your honeypot is now live in Azure.
Connect to your T-Pot:
In your favorite web browser, navigate to:
https://<PUBLIC IP ADDRESS>:64297
(make sure you use “https”.) If it works, you should see a certificate error message warning of “Potential Security Risk”. Accept the risk. To do this in Firefox, click Advanced and “Accept the Risk and Continue”.
You’ll be prompted for a password. Enter the Web username and password you created earlier, and you should see the main Web UI.
Click “Kibana” and the Dashboard “>T-Pot”. You should see attacks roll in. My honeypot was logging around 5,000 attacks per hour.
I hope you enjoyed this post! Feel free to comment with questions or suggestions.
For a great blog post on building a T-Pot VM in AWS check out https://medium.com/@sudojune/deploying-a-honeypot-on-aws-5bb414753f32 . (Just make sure to use a Debian VM because T-Pot no longer supports Ubuntu).