🍯Honeypot Threat Intel

rxerium/honeypot

🍯 Honeypot Research Project

What is a Honeypot

A honeypot is a computer system or network that is intentionally left vulnerable to hackers in order to detect, analyse, and respond to potential security threats. The goal of a honeypot is to gather information about the tactics, techniques, and procedures used by bad actors, which can help improve overall network security.

Benefits

  • Improved threat intelligence: Honeypots provide valuable insights into attacker tactics, techniques, and procedures (TTPs), helping security teams improve their defenses.

  • Early detection and response: Honeypots can detect attacks early on, allowing for swift response and mitigation of threats.

  • Reduced attack surface: By identifying vulnerabilities and misconfigurations in honeypots, organizations can reduce the attack surface and prevent attacks from spreading.

Purpose

Setting up a honeypot has been a great way for me to develop knowledge in various areas, including threat intelligence, vulnerability detection and networking. By analysing the data collected from my honeypot, I'll be able to gain insights into attacker tactics and techniques, from which I'll be able to create PoCs; this is really beneficial when new 0days become known.

Not only would it be useful for threat intelligence, it would also allow me to improve my organisation's security posture, prevent future attacks, and enhance overall system performance.

Setup

I'm running tpot on a Debian 12 cloud server (16GB RAM / 6 vCPU cores) that is fully segregated from my core infrastructure. Installation was fairly simple: it was a matter of running a single script, which can be found here, then rebooting the system.

Once the system is back online, the admin panel is accessible on port 64297 and SSH connections on port 64295. Do note that after the reboot it may take a while for all the Docker containers to start; once they have, the output of sudo docker ps should look like the screenshot below.

Shodan:

[screenshot: Shodan view of the honeypot]

Live Attack Map

[screenshot: live attack map]

Kibana

[screenshot: Kibana dashboard]

Logs

The logs can be fetched from the tpotce/data folder.

Malicious IPs Aggregator

Within this repo I have created a GH Action which aggregates the top 500 malicious IPs gathered from Elastic and writes them to a file. From that file I will look to create a new workflow to submit these IPs and mark them as bad-reputation on common threat intel sites such as Talos CTI.

A link to all malicious IPs detected can be found here.
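As an added example (not the repo's own GH Action), the aggregation step in Python: build the Elasticsearch terms-aggregation query, then turn the response into a clean one-IP-per-line feed. It assumes tpot's Logstash pipeline stores the attacker address in a src_ip field (an assumption, not stated on this page), and the sample response below is constructed from RFC 5737 documentation addresses.

```python
"""Top-N attacker IP feed from a T-Pot Elasticsearch terms aggregation.
Assumed (not from the repo): the attacker address lives in the "src_ip" field."""
import ipaddress
import json

# Addresses that can never be a remote attacker; never ship these to a reputation feed.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10")]

def build_query(size=500, hours=24):
    """Request body: no hits, one terms aggregation on src_ip over the last `hours`."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": f"now-{hours}h"}}},
        "aggs": {"top_ips": {"terms": {"field": "src_ip", "size": size}}},
    }

def extract_ips(response, limit=500):
    """Return [(ip, doc_count), ...] sorted by hit count, dropping malformed keys
    and non-routable addresses so the feed cannot poison a deny list."""
    buckets = response.get("aggregations", {}).get("top_ips", {}).get("buckets", [])
    results = []
    for b in buckets:
        try:
            ip = ipaddress.ip_address(str(b["key"]))
        except ValueError:
            continue  # malformed bucket key: drop it rather than guess
        if any(ip in net for net in NON_ROUTABLE):
            continue
        results.append((str(ip), int(b["doc_count"])))
    results.sort(key=lambda t: (-t[1], t[0]))  # most hits first, then by address
    return results[:limit]

def render_feed(ips):
    """One address per line, the format most bulk reputation submissions accept."""
    return "".join(f"{ip}\n" for ip, _ in ips)

# Constructed sample response (RFC 5737 documentation addresses) in the shape
# Elasticsearch returns for a terms aggregation.
SAMPLE_RESPONSE = json.loads("""{"aggregations": {"top_ips": {"buckets": [
  {"key": "203.0.113.7",  "doc_count": 1423},
  {"key": "198.51.100.9", "doc_count": 877},
  {"key": "10.0.0.5",     "doc_count": 600},
  {"key": "not-an-ip",    "doc_count": 12},
  {"key": "192.0.2.44",   "doc_count": 877}]}}}""")

if __name__ == "__main__":
    print(render_feed(extract_ips(SAMPLE_RESPONSE)), end="")  # the feed file's contents
```

In the real workflow the body from build_query() is POSTed to the tpot Elasticsearch instance and the response handed to extract_ips(); the private-range filter matters because internal scanners and the honeypot's own containers otherwise end up in the feed.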

Honeypot Detection

If for whatever reason you'd like to detect tpot honeypots, I've created a detection method here. In order to run this script, there are some prerequisites:

  1. Download Nuclei from here
  2. Copy the template to your local system
  3. Run the following command: nuclei -u https://host.com -t honeypot-detection.yaml