How to Set Up and Use T-Pot on Azure Cloud

If you're serious about cybersecurity, you’ve probably heard of honeypots—those sneaky traps designed to lure in attackers and study their behavior. One of the most powerful honeypot solutions available today is T-Pot, a multi-honeypot platform that gives you a full-fledged cybersecurity research environment out of the box. I recently set up T-Pot on Azure, and I’ll walk you through the entire process, from deployment to usage. By the end of this, you'll have a working honeypot setup in the cloud, ready to monitor and analyze malicious activity.


Let's dive in:

Why T-Pot?

T-Pot, developed by Deutsche Telekom Security, is an all-in-one honeypot platform that integrates multiple honeypot technologies into a single deployment. The best part? It comes with a built-in web-based dashboard powered by Kibana, making log analysis and threat hunting much easier. Some key benefits include:

- Multiple honeypots (Cowrie, Dionaea, Snare, and more) running simultaneously.
- Pre-configured ELK stack (Elasticsearch, Logstash, Kibana) for visualization.
- Dockerized setup for easy management.
- User-friendly web UI to monitor attacks in real-time.

Now, let's dive into setting it up on Azure.

Prerequisites:
Before we get started, make sure you’ve got these basics covered:

An Azure Account: If you don’t have one, you can sign up for a free Azure account. They give you some free credits to play around with, which is perfect for this setup.

Basic Azure Knowledge: You don’t need to be an expert, but knowing how to create a virtual machine (VM) and configure networking will help.

An SSH Client: You’ll need this to connect to your VM. If you’re on Windows, PuTTY works great. On macOS or Linux, you can use the built-in terminal.

Step 1: Spin Up a Virtual Machine on Azure

Log in to Azure Portal - Head over to Azure Portal and sign in.

Create a new Virtual Machine:

- Click Create a resource > Compute > Ubuntu Server (Choose Ubuntu 20.04 LTS for compatibility).

- Select an appropriate VM size (T-Pot requires at least 4 vCPUs and 8 GB RAM).

- Set up a username and SSH key for access.

Configure networking:

- Allow SSH (port 22), HTTP (port 80), and HTTPS (port 443).

- Add custom inbound rules for ports 64297, 64298, 64299 (T-Pot UI ports).

Review & Create - Click Create, and wait for Azure to provision your VM.


Step 2: Connect to Your VM

Once your VM is ready, it’s time to connect to it via SSH.

Grab the Public IP:

Go to your VM’s overview page in Azure and note the public IP address.

SSH into the VM:

Open your terminal or SSH client and connect using the public IP:

```bash
ssh username@public-ip
```

If you’re using PuTTY, just enter the IP and click “Open.”

Step 3: Install T-Pot

Now for the fun part—installing T-Pot!
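Update Your System:

Before installing anything, it’s always a good idea to update your system. Then install Git, clone the T-Pot repository, and run the installer:

```bash
# Refresh the package lists and upgrade installed packages
sudo apt-get update && sudo apt-get upgrade -y
# Install git and clone the T-Pot repository
sudo apt install git -y
git clone https://github.com/telekom-security/tpotce
# Change into the installer directory and start the installation
cd tpotce/iso/installer
sudo ./install.sh
```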

Follow the Prompts:

The script will ask you a few questions, like which type of installation you want (I recommend the “Standard” option for beginners). Set a password for the T-Pot web interface. It’ll also configure networking and set up the honeypots.

Step 4: Accessing the T-Pot Dashboard

Once installed, restart your VM and navigate to the T-Pot UI:

Open your browser and go to: https://<your-vm-ip>:64297

Log in using the credentials you set during installation.

You should now see the Kibana dashboard with live attack data!


Step 5: Monitoring and Analyzing Attacks

With T-Pot running, here’s what you can do:

View real-time attack data: The Kibana dashboard visualizes attacks on different honeypots.

Investigate logs: Check logs for attack patterns and IP addresses.

Test incident response: Simulate attacks and monitor T-Pot's behavior.

Block malicious traffic: Identify and blacklist malicious IPs.
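
To make the "investigate logs" and "blacklist malicious IPs" items concrete, here is an added example (not part of the original guide or of T-Pot itself) that counts login attempts per source IP from Cowrie's JSON-lines log and derives a blocklist. The sample lines are constructed, and the function names, the threshold and the allowlist are assumptions chosen for illustration.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample in Cowrie's JSON-lines log format (RFC 5737 documentation IPs).
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.7", "session": "a1"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.7", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.7", "username": "admin", "password": "admin"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.7", "username": "root", "password": "toor"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.23", "username": "pi", "password": "raspberry"}
{"eventid": "cowrie.login.success", "src_ip": "198.51.100.23", "username": "root", "password": "root"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "username": "test", "password": "test"}
{"eventid": "cowrie.login.failed", "src_ip": "not-an-ip", "username": "x", "password": "x"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113
"""

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def login_attempts(lines):
    """Count login attempts per source IP, skipping lines that do not parse."""
    attempts = Counter()
    for line in lines:
        try:
            event = json.loads(line)
            if event["eventid"] not in LOGIN_EVENTS:
                continue
            # Validate the address before it can reach a firewall rule.
            ip = ipaddress.ip_address(event["src_ip"])
        except (ValueError, KeyError, TypeError):
            continue  # truncated line, missing field, or malformed address
        attempts[str(ip)] += 1
    return attempts


def blocklist(attempts, min_attempts=3, allowlist=()):
    """IPs at or above the threshold, never including allowlisted addresses."""
    return sorted(ip for ip, n in attempts.items()
                  if n >= min_attempts and ip not in allowlist)


if __name__ == "__main__":
    counts = login_attempts(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip:15} {n} login attempts")
    # 192.0.2.10 stands in for your own admin address (assumption).
    print("blocklist:", blocklist(counts, allowlist={"192.0.2.10"}))
```

Keep your own management address in the allowlist so that testing the honeypot yourself never ends with your IP in a deny rule.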

Conclusion: 

And that’s it! You’ve successfully set up T-Pot on Azure. Now you can sit back, relax, and watch as attackers stumble into your honeypot. It’s like setting up a security camera for the internet—fascinating and incredibly useful.

If you run into any issues or have questions, feel free to drop me a message. And if you found this guide helpful, share it with your fellow cybersecurity enthusiasts. Happy hunting!

© Copyright Ezekiel MyCyberanalyst - All Rights Reserved