T-Pot - The All In One Multi Honeypot Platform

T-Pot is the all in one, optionally distributed, multiarch (amd64, arm64) honeypot plattform, supporting 20+ honeypots and countless visualization options using the Elastic Stack, animated live attack maps and lots of security tools to further improve the deception experience.

TL;DR

1. Meet the system requirements. The T-Pot installation needs at least 8-16 GB RAM, 128 GB free disk space as well as a working (outgoing non-filtered) internet connection.
2. Download or use a running, supported distribution.
3. Install the ISO with as minimal packages / services as possible (ssh required)
4. Install curl: $ sudo [apt, dnf, zypper] install curl if not installed already
5. Run installer as non-root from $HOME:

env bash -c "$(curl -sL https://github.com/telekom-security/tpotce/raw/master/install.sh)"

• Follow instructions, read messages, check for possible port conflicts and reboot

• T-Pot - The All In One Multi Honeypot Platform
• TL;DR
• Disclaimer
• Technical Concept
  • Technical Architecture
  • Services
  • User Types
• System Requirements
  • Running in a VM
  • Running on Hardware
  • Running in a Cloud
  • Required Ports
• System Placement
• Installation
  • Choose your distro
  • Raspberry Pi 4 (8GB) Support
  • Get and install T-Pot
  • macOS & Windows
  • Installation Types
    • Standard / HIVE
    • Distributed
  • Uninstall T-Pot
• First Start
  • Standalone First Start
  • Distributed Deployment
    • Planning and Certificates
    • Deploying Sensors
  • Community Data Submission
  • Opt-In HPFEEDS Data Submission
• Remote Access and Tools
  • SSH
  • T-Pot Landing Page
  • Kibana Dashboard
  • Attack Map
  • Cyberchef
  • Elasticvue
  • Spiderfoot
• Configuration
  • T-Pot Config File
  • Customize T-Pot Honeypots and Services
• Maintenance
  • General Updates
  • Update Script
  • Daily Reboot
  • Known Issues
    • Docker Images Fail to Download
    • T-Pot Networking Fails
  • Start T-Pot
  • Stop T-Pot
  • T-Pot Data Folder
  • Log Persistence
  • Factory Reset
  • Show Containers
  • Blackhole
  • Add Users to Nginx (T-Pot WebUI)
  • Import and Export Kibana Objects
    • Export
    • Import
• Troubleshooting
  • Logs
  • RAM and Storage
• Contact
  • Issues
  • Discussions
• Licenses
• Credits
  • The developers and development communities of
• Testimonials

Disclaimer

• You install and run T-Pot within your responsibility. Choose your deployment wisely as a system compromise can never be ruled out.
• For fast help research the Issues and Discussions.
• The software is designed and offered with best effort in mind. As a community and open source project it uses lots of other open source software and may contain bugs and issues. Report responsibly.
• Honeypots - by design - should not host any sensitive data. Make sure you don't add any.
• By default, your data is submitted to Sicherheitstacho. You can disable this in the config (~/tpotce/docker-compose.yml) by removing the ewsposter section. But in this case sharing really is caring!
  
  

Technical Concept

T-Pot's main components have been moved into the tpotinit Docker image allowing T-Pot to now support multiple Linux distributions, even macOS and Windows (although both limited to the feature set of Docker Desktop). T-Pot uses docker and docker compose to reach its goal of running as many honeypots and tools as possible simultaneously and thus utilizing the host's hardware to its maximum.

T-Pot offers docker images for the following honeypots ...

• adbhoney,
• ciscoasa,
• citrixhoneypot,
• conpot,
• cowrie,
• ddospot,
• dicompot,
• dionaea,
• elasticpot,
• endlessh,
• glutton,
• hellpot,
• heralding,
• honeypots,
• honeytrap,
• ipphoney,
• log4pot,
• mailoney,
• medpot,
• redishoneypot,
• sentrypeer,
• snare,
• tanner,
• wordpot

... alongside the following tools ...

• Autoheal a tool to automatically restart containers with failed healthchecks.
• Cyberchef a web app for encryption, encoding, compression and data analysis.
• Elastic Stack to beautifully visualize all the events captured by T-Pot.
• Elasticvue a web front end for browsing and interacting with an Elasticsearch cluster.
• Fatt a pyshark based script for extracting network metadata and fingerprints from pcap files and live network traffic.
• T-Pot-Attack-Map a beautifully animated attack map for T-Pot.
• P0f is a tool for purely passive traffic fingerprinting.
• Spiderfoot an open source intelligence automation tool.
• Suricata a Network Security Monitoring engine.

... to give you the best out-of-the-box experience possible and an easy-to-use multi-honeypot system.

Technical Architecture

The source code and configuration files are fully stored in the T-Pot GitHub repository. The docker images are built and preconfigured for the T-Pot environment.

The individual Dockerfiles and configurations are located in the docker folder.

Services

T-Pot offers a number of services which are basically divided into five groups:

1. System services provided by the OS
   • SSH for secure remote access.
2. Elastic Stack
   • Elasticsearch for storing events.
   • Logstash for ingesting, receiving and sending events to Elasticsearch.
   • Kibana for displaying events on beautifully rendered dashboards.
3. Tools
   • NGINX provides secure remote access (reverse proxy) to Kibana, CyberChef, Elasticvue, GeoIP AttackMap, Spiderfoot and allows for T-Pot sensors to securely transmit event data to the T-Pot hive.
   • CyberChef a web app for encryption, encoding, compression and data analysis.
   • Elasticvue a web front end for browsing and interacting with an Elasticsearch cluster.
   • T-Pot Attack Map a beautifully animated attack map for T-Pot.
   • Spiderfoot an open source intelligence automation tool.
4. Honeypots
   • A selection of the 23 available honeypots based on the selected docker-compose.yml.
5. Network Security Monitoring (NSM)
   • Fatt a pyshark based script for extracting network metadata and fingerprints from pcap files and live network traffic.
   • P0f is a tool for purely passive traffic fingerprinting.
   • Suricata a Network Security Monitoring engine.
     
     

User Types

During the installation and during the usage of T-Pot there are two different types of accounts you will be working with. Make sure you know the differences of the different account types, since it is by far the most common reason for authentication errors.

System Requirements

Depending on the supported Linux distro images, hive / sensor, installing on real hardware, in a virtual machine or other environments there are different kind of requirements to be met regarding OS, RAM, storage and network for a successful installation of T-Pot (you can always adjust ~/tpotce/docker-compose.yml and ~/tpotce/.envto your needs to overcome these requirements).

T-Pot does require ...

• an IPv4 address via DHCP or statically assigned
• a working, non-proxied, internet connection ... for a successful installation and operation.
  
  If you need proxy support or otherwise non-standard features, you should check the docs of the supported Linux distro images and / or the Docker documentation.
  
  

Running in a VM

All of the supported Linux distro images will run in a VM which means T-Pot will just run fine. The following were tested / reported to work:

• UTM (Intel & Apple Silicon)
• VirtualBox
• VMWare Fusion and VMWare Workstation
• KVM is reported to work as well.

Some configuration / setup hints:

• While Intel versions run stable, Apple Silicon (arm64) support has known issues which in UTM may require switching Display to Console Only during initial installation of the OS and afterwards back to Full Graphics.
• During configuration you may need to enable promiscuous mode for the network interface in order for fatt, suricata and p0f to work properly.
• If you want to use a wifi card as a primary NIC for T-Pot, please be aware that not all network interface drivers support all wireless cards. In VirtualBox e.g. you have to choose the "MT SERVER" model of the NIC.
  
  

Running on Hardware

T-Pot is only limited by the hardware support of the supported Linux distro images. It is recommended to check the HCL (hardware compatibility list) and test the supported distros with T-Pot before investing in dedicated hardware.

Running in a Cloud

T-Pot is tested on and known to run on ...

• Telekom OTC using the post install method ... others may work, but remain untested.

Some users report working installations on other clouds and hosters, i.e. Azure and GCP. Hardware requirements may be different. If you are unsure you should research issues and discussions and run some functional tests. With T-Pot 24.04.0 and forward we made sure to remove settings that were known to interfere with cloud based installations.

Required Ports

Besides the ports generally needed by the OS, i.e. obtaining a DHCP lease, DNS, etc. T-Pot will require the following ports for incoming / outgoing connections. Review the T-Pot Architecture for a visual representation. Also some ports will show up as duplicates, which is fine since used in different editions.