Open-source honeypot T-Pot 19.03.3: installation and use

Honeypot: essentially a form of deception aimed at attackers. Some hosts, network services or information are set up as bait to lure attackers into attacking them, so that the attacks can be captured and analyzed.

A honeypot is usually placed in an isolated environment. When an attacker breaks into the system, everything the attacker does on it is recorded for later analysis.

Official description: https://dtag-dev-sec.github.io/mediator/feature/2019/04/01/tpot-1903.html

Official GitHub:  https://github.com/dtag-dev-sec/tpotce

T-Pot 19.03 runs on Debian (Sid), is based on docker and docker-compose, and includes the following honeypot docker images:
adbhoney, ciscoasa, conpot, cowrie, dionaea, elasticpot, glastopf, glutton, heralding, honeypy, honeytrap, mailoney, medpot, rdpy, snare, tanner
According to the release notes, this version moved from Ubuntu to Debian to get closer to a rolling-release model.

19.03 also adds a data-sharing capability: you can create an account on the SISSDEN portal and submit the captured data.

T-Pot runs many honeypot daemons in parallel. Traffic captured on a network interface is routed to the most appropriate open-source honeypot, and the processed data is stored in the local ELK stack.

Part one: installation

· Installation requirements

6-8 GB RAM
128 GB disk space

· Installation modes

Standard, Sensor, Industrial, Collector and NextGen

For more information, see the official explanation: https://github.com/dtag-dev-sec/tpotce#postinstallauto

It provides three methods of installation:

· Bare-metal installation

1. Obtain the ISO in one of two ways:

  • Official ISO:
    • https://github.com/dtag-dev-sec/tpotce/releases/download/19.03/tpot.iso
  • Self-built ISO:
    • Requirements for building the ISO image:
      1. Debian 9.7 or later
      2. 4 GB of available RAM
      3. 32 GB disk space
      4. Internet connection
    • Build the ISO image:
      1. Get T-Pot from GitHub
        • git clone https://github.com/dtag-dev-sec/tpotce
        • cd tpotce
      2. Run the ISO build script. The script downloads and installs the required dependencies
        • ./makeiso.sh
        • # After a successful build, the directory contains the image tpot.iso and its checksum tpot.sha256

2. Run on hardware

Burn the image to a USB stick and install from it.

3. Run on a virtual machine

Mount the ISO and install from it.

4. Installation

  • Select the first option in the boot menu to install


  • Select the T-Pot installation mode; Standard is chosen here

  • Set the password for the default user tsec

  • Set the web user name

  • Set the web user password

  • After the system is installed, the installation script runs automatically

· Installation on an existing system

  • 1. Replace the apt sources

cp /etc/apt/sources.list /etc/apt/sources.list_bak_$(date +%F)
# T-Pot uses Debian Sid, so the sources added here are the Sid versions (the commented-out lines are the official foreign mirrors):
echo "deb http://mirrors.163.com/debian/ sid main non-free contrib
deb-src http://mirrors.163.com/debian/ sid main non-free contrib
deb https://mirrors.tuna.tsinghua.edu.cn/debian/ sid main non-free contrib
deb-src https://mirrors.tuna.tsinghua.edu.cn/debian/ sid main non-free contrib
deb http://mirrors.ustc.edu.cn/debian/ sid main non-free contrib
deb-src http://mirrors.ustc.edu.cn/debian/ sid main non-free contrib
#deb http://ftp.sg.debian.org/debian/ sid main contrib non-free
#deb-src http://ftp.sg.debian.org/debian/ sid main contrib non-free
deb http://ftp.hk.debian.org/debian/ sid main contrib non-free
deb-src http://ftp.hk.debian.org/debian/ sid main non-free contrib" > /etc/apt/sources.list
apt-get update
apt-get install curl git


  • 2. Install apt-fast

    apt-fast speeds up package downloads by fetching each file from several mirrors in parallel through aria2. This step can be skipped, since install.sh installs apt-fast automatically.

apt-get install -y aria2
git clone https://github.com/ilikenwf/apt-fast.git
cd apt-fast/
cp apt-fast /usr/bin/
cp apt-fast /usr/local/sbin/
chmod +x /usr/bin/apt-fast
chmod +x /usr/local/sbin/apt-fast
cp apt-fast.conf /etc
apt-fast update
sed -i "/^.*MIRRORS/d" /etc/apt-fast.conf
echo "MIRRORS=('http://mirrors.163.com/debian/,https://mirrors.tuna.tsinghua.edu.cn/debian/,http://mirrors.ustc.edu.cn/debian/')" >> /etc/apt-fast.conf
# Looking at the T-Pot install script afterwards, I found that it downloads apt-fast itself (so you do not have to install apt-fast yourself?)
# This block of commands is optional, but it is still recommended to run it before the long installation


  • 3. Configure the npm source

apt-fast install npm
npm config set registry http://registry.npm.taobao.org
# replaces the npm source with a domestic mirror


  • 4. Clone T-Pot

# Clone the repository explicitly into /opt/tpot: in this version install.sh reads its configuration files from this directory, and if the directory does not exist it clones from GitHub automatically

git clone https://github.com/dtag-dev-sec/tpotce /opt/tpot
  • 5. Modify the script

# The script replaces the package sources with the official ones, so the replacement commands must be deleted from the script. The delete commands below are for version 19.03:
cd /opt/tpot/iso/installer
sed -i '/^ *tee \/etc/d' install.sh
sed -i '/^ *deb /d' install.sh
sed -i "$(cat -n install.sh | grep "EOF$" | awk '{print $1}' | sed -n "1p")d" install.sh
# These three commands are not recommended on versions other than 19.03, because the contents of the install script may have changed.
sed -i "/^ *git clone https:\/\/github/d" install.sh  # delete the line in install.sh that clones the repository into /opt/tpot, since it was already cloned into that directory above
# By default docker images are pulled from foreign sites and a few of them always fail to pull; configuring a mirror accelerator makes it much faster
AA=$(cat -n install.sh | grep "myTPOTCOMPOSE" | grep "for name in " | awk '{print $1}')
sed -i "${AA}i curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io" install.sh
# the final sed command is cut off in the original post:
sed -i "
  • 6. Install

cd /opt/tpot/iso/installer/
./install.sh --type=user
# If install.sh exits right away, it may report that the version is not supported; in that case remove the version check
sed -i "s/if \[ \"\$myLSB\" \!= .*/if \[ 1 \!= 1 \];/" install.sh
# If cloning from GitHub is slow, you can try changing the hosts file
echo "13.229.188.59 github.com www.github.com
185.199.111.153 assets-cdn.github.com www.assets-cdn.github.com
151.101.228.249 global.ssl.fastly.net www.global.ssl.fastly.net" >> /etc/hosts


  • 7. Deployment video

https://player.youku.com/embed/XNDE5NDAyMDEwMA==

· Cloud deployment

There is an ansible example in the cloud folder. # This method has not been verified; readers should verify it themselves

Bare-metal installation is not recommended: until the system packages are in place apt-fast cannot be used, so without multi-threaded downloads it is particularly slow.

The bare-metal installation needs Debian installed first, and then the install script executed. Because the system packages are installed slowly, this method is not recommended;
tests took anywhere from 2 to 6 hours.

Installing directly on an existing Debian system is recommended. Installing from the ISO with slow sources typically takes a few hours.

Using multi-threaded downloads, installation on an existing system completes in about 20 minutes.

Part two: check the installation

  • Check the T-Pot service

systemctl status tpot

  • Check the containers

cd /opt/tpot/bin
./dps.sh
# If a container is not up, use the start command below
# If some images were not downloaded successfully, download the missing containers manually as shown below

Containers shown as "Up" are running normally

  • Download missing containers

cd /opt/tpot/etc/compose
for i in $(grep image ./standard.yml | cut -d '"' -f2 | sort -u)
do
    docker pull "$i"
done

  • Start the containers

cd /opt/tpot/etc/compose
docker-compose -f ./standard.yml up -d
# If another installation mode was chosen, use the corresponding yml file
# If some images were not downloaded successfully, download them manually
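As an added example (not code from the original post or from the T-Pot project), the following script generalizes the download loop above: it extracts the image names from a compose file whether or not the image: value is quoted, de-duplicates them, and pulls only the images docker does not already have locally. The compose fragment it writes is constructed for the demonstration; on a real host point pull_missing at /opt/tpot/etc/compose/standard.yml.

```shell
#!/bin/sh
# Added example, not from the original post or the T-Pot project.
# Generalizes the "for i in `cat standard.yml | grep image ...`" loop: works
# with quoted and unquoted image: values and pulls only missing images.

# Print every unique image reference in a compose file, one per line.
compose_images() {
    sed -n 's/^[[:space:]]*image:[[:space:]]*//p' "$1" \
        | tr -d '"'"'" \
        | sed 's/[[:space:]]*$//' \
        | sort -u
}

# Pull each image from the compose file that is not present locally.
# Returns non-zero if any pull fails, so a caller can simply re-run it.
pull_missing() {
    rc=0
    for img in $(compose_images "$1"); do
        if ! docker image inspect "$img" >/dev/null 2>&1; then
            echo "pulling $img"
            docker pull "$img" || rc=1
        fi
    done
    return $rc
}

# Constructed sample in the style of /opt/tpot/etc/compose/standard.yml,
# with a duplicate and an unquoted image, so extraction can be tried offline.
SAMPLE_YML=$(mktemp)
cat > "$SAMPLE_YML" <<'EOF'
services:
  cowrie:
    image: "dtagdevsec/cowrie:1903"
  dionaea:
    image: dtagdevsec/dionaea:1903
  ewsposter:
    image: "dtagdevsec/ewsposter:1903"
  cowrie_backup:
    image: "dtagdevsec/cowrie:1903"
EOF

# Real use on a T-Pot host: pull_missing /opt/tpot/etc/compose/standard.yml
```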

Part three: use

  • Start the T-Pot service

systemctl start tpot

  • Stop the T-Pot service

systemctl stop tpot
  • Opt out of submitting data

By default, the captured data is submitted to the community backend and shown on the Sicherheitstacho website; this can be turned off according to personal preference.

  • 1. Stop the T-Pot service

systemctl stop tpot

  • 2. Remove the ewsposter service

vi /opt/tpot/etc/tpot.yml

  • 3. Remove the following lines, save and exit

# Ewsposter service
  ewsposter:
    container_name: ewsposter
    restart: always
    networks:
     - ewsposter_local
    image: "dtagdevsec/ewsposter:1903"
    volumes:
     - /data:/data
     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip

  • 4. Start the T-Pot service

systemctl start tpot
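The manual vi edit in step 3 can be scripted. As an added example (not from the original post or the T-Pot project), the following removes the ewsposter service block from a compose file with awk and then checks which services remain; the tpot.yml fragment it writes is constructed for the demonstration, and on a real host you would run drop_ewsposter on /opt/tpot/etc/tpot.yml between the stop and start commands.

```shell
#!/bin/sh
# Added example (not from the original post or T-Pot): scripts step 3 above.
# Drop the "# Ewsposter service" comment and the "  ewsposter:" block. A
# service key sits at two-space indent under "services:", so the block ends
# at the next line that starts a two-space key or a top-level key.
drop_ewsposter() {
    awk '
        /^# Ewsposter service/ { next }
        /^  ewsposter:/        { skip = 1; next }
        skip && /^  [^ ]/      { skip = 0 }
        skip && /^[^ ]/        { skip = 0 }
        !skip                  { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Succeeds when the compose file ($1) still defines the service named $2.
has_service() {
    grep -q "^  $2:" "$1"
}

# Constructed tpot.yml fragment laid out like the real file.
SAMPLE_TPOT_YML=$(mktemp)
cat > "$SAMPLE_TPOT_YML" <<'EOF'
networks:
  ewsposter_local:

services:

# Cowrie service
  cowrie:
    container_name: cowrie
    image: "dtagdevsec/cowrie:1903"

# Ewsposter service
  ewsposter:
    container_name: ewsposter
    restart: always
    networks:
     - ewsposter_local
    image: "dtagdevsec/ewsposter:1903"
    volumes:
     - /data:/data
     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip

# Spiderfoot service
  spiderfoot:
    image: "dtagdevsec/spiderfoot:1903"
EOF
```

The unused ewsposter_local network definition is left in place on purpose: compose accepts unreferenced networks, and the post only asks for the service lines to go.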
  • Opt in to sharing data via HPFEEDS

T-Pot data can now be shared with third parties through HPFEEDS, which provides an additional option to submit attack data, for example to SISSDEN. If you want to share your T-Pot data, simply sign up for an account with a third-party broker and benefit the community. After registering, you receive the credentials needed to share with the community.

Create an account and apply for credentials: https://portal.sissden.eu/profile

Run the script:

cd /opt/tpot/bin
./hpfeeds_optin.sh

  • Using the system

  • 1. System monitoring web UI, log in with a system user: https://yourip:64294

  • 2. Management web UI: https://yourip:64297

  • 3. SSH login

ssh -l tsec -p 64295 yourip

· Collecting data from the public network

If the honeypot sits on an internal network, the ports that need to collect data can be forwarded with an intranet penetration (tunneling) tool; for reference see:

https://www.izhuhn.cn/index.php/2019/05/22/%e8%87%aa%e5%bb%bangrok%e5%86%85%e7%bd%91%e7%a9%bf%e9%80%8f%e6%9c%8d%e5%8a%a1/

Part four: update

Back up important files

Choose what to back up yourself

· Run the update command

cd /opt/tpot
./update.sh

Source: www.cnblogs.com/gucb/p/12612542.html