Honeypot: essentially a deception technique aimed at attackers. Hosts, network services or information are deployed as bait to lure attackers into attacking them, so that the attacks can be captured and analyzed.
A honeypot usually runs in an isolated environment; once an attacker has broken into the system, everything they do inside it is recorded for later analysis.
Official description: https://dtag-dev-sec.github.io/mediator/feature/2019/04/01/tpot-1903.html
Official GitHub: https://github.com/dtag-dev-sec/tpotce
T-Pot 19.03 runs on Debian (Sid), is based on docker and docker-compose, and bundles the following honeypot docker images:
adbhoney, ciscoasa, conpot, cowrie, dionaea, elasticpot, glastopf, glutton, heralding, honeypy, honeytrap, mailoney, medpot, rdpy, snare, tanner
According to the release notes, to get closer to a rolling-release model this version moved from Ubuntu to Debian.
19.03 also updates T-Pot's data-sharing capability; an account can be created through the SISSDEN portal.
T-Pot runs many honeypot daemons in parallel, captures traffic on one network interface and re-routes it to the most suitable open-source honeypot.
The captured data is processed and stored in the local ELK stack.
I. Installation
· Installation requirements
6-8 GB RAM
128 GB disk space
· Installation modes
Standard, Sensor, Industrial, Collector, NextGen
For more information see the official explanation: https://github.com/dtag-dev-sec/tpotce#postinstallauto
Three installation methods are provided:
· Bare-metal installation
1. Obtain the ISO in one of two ways:
- Download the ISO:
- https://github.com/dtag-dev-sec/tpotce/releases/download/19.03/tpot.iso
- Build the ISO yourself:
- Requirements for creating the ISO image:
- Debian 9.7 or later
- 4 GB available RAM
- 32 GB disk space
- Internet connection
- Create the ISO image:
- Get T-Pot from github:
- git clone https://github.com/dtag-dev-sec/tpotce
- cd tpotce
- Run the ISO build script; it downloads and installs the required dependencies:
- ./makeiso.sh
- # After a successful build the directory contains the image tpot.iso and its checksum tpot.sha256
2. Running on hardware
Burn the image to a USB stick and install from it.
3. Running in a virtual machine
Mount the ISO and install from it.
4. Installation
- Select the first option to install
- Select the T-Pot installation mode (Standard is chosen here)
- Set the password of the default user tsec
- Set the web user name
- Set the web user password
- Once the system is installed, the installation script runs automatically
Installation on an existing system
1. Replace the apt sources
cp /etc/apt/sources.list /etc/apt/sources.list_bak_$(date +%F)
# T-Pot uses the Sid version of Debian, so the sources added here are the Sid ones (the commented-out lines are the official foreign mirror sites):
echo "deb http://mirrors.163.com/debian/ sid main non-free contrib
deb-src http://mirrors.163.com/debian/ sid main non-free contrib
deb https://mirrors.tuna.tsinghua.edu.cn/debian/ sid main non-free contrib
deb-src https://mirrors.tuna.tsinghua.edu.cn/debian/ sid main non-free contrib
deb http://mirrors.ustc.edu.cn/debian/ sid main non-free contrib
deb-src http://mirrors.ustc.edu.cn/debian/ sid main non-free contrib
#deb http://ftp.sg.debian.org/debian/ sid main contrib non-free
#deb-src http://ftp.sg.debian.org/debian/ sid main contrib non-free
deb http://ftp.hk.debian.org/debian/ sid main contrib non-free
deb-src http://ftp.hk.debian.org/debian/ sid main non-free contrib" > /etc/apt/sources.list
apt-get update
apt-get install curl git
2. Install apt-fast
apt-fast speeds up package downloads by fetching a file from several mirrors at once through the multi-threaded downloader aria2. This step can be skipped, since install.sh installs apt-fast automatically.
apt-get install -y aria2
git clone https://github.com/ilikenwf/apt-fast.git
cd apt-fast/
cp apt-fast /usr/bin/
cp apt-fast /usr/local/sbin/
chmod +x /usr/bin/apt-fast
chmod +x /usr/local/sbin/apt-fast
cp apt-fast.conf /etc
apt-fast update
sed -i "/^.*MIRRORS/d" /etc/apt-fast.conf
echo "MIRRORS=('http://mirrors.163.com/debian/,https://mirrors.tuna.tsinghua.edu.cn/debian/,http://mirrors.ustc.edu.cn/debian/')" >> /etc/apt-fast.conf
# Looking at the T-Pot install script, it downloads apt-fast itself later on (so you could skip installing apt-fast yourself?)
# The commands in this box are optional, but running them first is recommended because the download that follows is long
3. Configure the npm source
apt-fast install npm
npm config set registry http://registry.npm.taobao.org  # replace the npm registry with a domestic mirror
4. Clone T-Pot
# Clone the repository into /opt/tpot: this version's install.sh reads its configuration files from that directory, and if it does not exist the script clones from github itself
git clone https://github.com/dtag-dev-sec/tpotce /opt/tpot
5. Modify the script
# The script replaces the apt sources with the official ones, so the replacement commands have to be deleted from the script. These are the delete commands for version 19.03:
cd /opt/tpot/iso/installer
sed -i '/^.*tee \/etc/d' install.sh
sed -i '/^.*deb /d' install.sh
sed -i "$(cat -n install.sh | grep "EOF$" | awk '{print $1}' | sed -n "1p")d" install.sh
# These three commands are not recommended on versions other than 19.03, because the content of the install script may have changed.
sed -i "/^.*git clone https:\/\/github/d" install.sh  # delete the clone command in install.sh: the repository has already been cloned into /opt/tpot above
# By default the docker images are pulled from foreign sites and a few images never finish pulling; configuring a mirror accelerator makes this much faster
AA=$(cat -n install.sh | grep "myTPOTCOMPOSE" | grep "for name in" | awk '{print $1}')
sed -i "${AA}i curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io" install.sh
6. Install
cd /opt/tpot/iso/installer/
./install.sh --type=user
# If install.sh exits with an error saying the version is not supported, remove the version check:
sed -i "s/if \[ \"\$myLSB\" != .*/if \[ 1 = 1 \];/" install.sh
# If cloning from github is slow, you can try changing the hosts file:
echo "13.229.188.59 github.com www.github.com
185.199.111.153 assets-cdn.github.com www.assets-cdn.github.com
151.101.228.249 global.ssl.fastly.net www.global.ssl.fastly.net" >> /etc/hosts
7. Deployment video
https://player.youku.com/embed/XNDE5NDAyMDEwMA==
Cloud deployment
There is an ansible example in the cloud folder. # This method has not been verified here; readers should verify it themselves.
A bare-metal installation is not recommended: the system packages have to be fetched before apt-fast is available, so without multi-threaded downloads the process is particularly slow.
A bare-metal installation first installs Debian and then runs the installer; because part of the packages are fetched during the system installation, this is slow and not recommended. Tests varied between roughly 2 and 6 hours.
Installing directly on an existing Debian system is recommended. Installing from the ISO with the slow default sources usually takes a few hours, while installing on an existing system with multi-threaded downloads completes in about 20 minutes.
II. Check the installation
Check the T-Pot service:
systemctl status tpot
Check the containers:
cd /opt/tpot/bin
./dps.sh
# If a container is not running, use the start command below
# If some images failed to download, download the missing containers manually as shown below
Containers shown as Up are normal.
· Download missing containers:
cd /opt/tpot/etc/compose
for i in `cat ./standard.yml | grep image | cut -d '"' -f2 | uniq`
do
  docker pull $i
done
· Start the containers:
cd /opt/tpot/etc/compose
docker-compose -f ./standard.yml up  # if another installation mode was chosen, use the corresponding yml file
# If some images failed to download, download them manually as above
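The container check above can also be done programmatically. This is an added example, not part of the original post or of T-Pot: given the compose file text and the output of docker ps -a with the format string named in the code (a constructed sample of both is embedded), it reports which expected honeypot containers are missing, which are the ones to pull by hand, and which exist but are not Up.

```python
import re

# Constructed sample in the layout of /opt/tpot/etc/compose/standard.yml
COMPOSE = """\
services:
  cowrie:
    container_name: cowrie
    image: "dtagdevsec/cowrie:1903"
  dionaea:
    container_name: dionaea
    image: "dtagdevsec/dionaea:1903"
  elasticpot:
    container_name: elasticpot
    image: "dtagdevsec/elasticpot:1903"
"""
# Constructed sample of: docker ps -a --format '{{.Names}}\t{{.Image}}\t{{.Status}}'
DOCKER_PS = (
    "cowrie\tdtagdevsec/cowrie:1903\tUp 2 hours\n"
    "dionaea\tdtagdevsec/dionaea:1903\tExited (1) 5 minutes ago\n"
)

def compose_images(yml_text):
    """Map container_name -> image, pairing each container_name with the next image: line."""
    images, current = {}, None
    for line in yml_text.splitlines():
        m = re.match(r"^\s*container_name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r'^\s*image:\s*"?([^"\s]+)"?', line)
        if m and current:
            images[current] = m.group(1)
            current = None
    return images

def check_containers(yml_text, docker_ps_output):
    """Return (missing, not_up): containers docker does not know at all, and ones not in 'Up' state."""
    expected = compose_images(yml_text)
    status = {}
    for row in docker_ps_output.splitlines():
        parts = row.split("\t")
        if len(parts) == 3:
            status[parts[0]] = parts[2]
    missing = sorted(n for n in expected if n not in status)
    not_up = sorted(n for n in expected if n in status and not status[n].startswith("Up"))
    return missing, not_up

if __name__ == "__main__":
    print(check_containers(COMPOSE, DOCKER_PS))  # (['elasticpot'], ['dionaea'])
```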
III. Usage
Start the T-Pot service:
systemctl start tpot
Stop the T-Pot service:
systemctl stop tpot
Opting out of data submission
By default the captured data is submitted to the backend community and displayed on the Sicherheitstacho website; this can be turned off according to personal preference.
1. Stop the T-Pot service
systemctl stop tpot
2. Delete the ewsposter service
vi /opt/tpot/etc/tpot.yml
3. Remove the following lines, then save and exit
# Ewsposter service
  ewsposter:
    container_name: ewsposter
    restart: always
    networks:
     - ewsposter_local
    image: "dtagdevsec/ewsposter:1903"
    volumes:
     - /data:/data
     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
4. Start the T-Pot service
systemctl start tpot
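Rather than hand-editing tpot.yml in step 3, the service block can be removed with a small script. This is an added example, not part of the original post or of T-Pot: it assumes the file's usual layout (services indented by two spaces with a "# Name service" comment line above each), works line by line so it needs no extra library, and only a constructed sample of the file is embedded.

```python
import re

def remove_service(yml_text, service):
    """Return yml_text with the named service block removed: from the "  <service>:" line up to
    the next non-blank line indented no deeper, plus the labelling comment right above it."""
    lines = yml_text.splitlines(keepends=True)
    out, i = [], 0
    while i < len(lines):
        line = lines[i]
        m = re.match(r"^( +)" + re.escape(service) + r":\s*$", line)
        if not m:
            out.append(line)
            i += 1
            continue
        indent = len(m.group(1))
        if out and out[-1].lstrip().startswith("#") and service in out[-1].lower():
            out.pop()  # drop the "# Ewsposter service" label line
        i += 1
        while i < len(lines):
            nxt = lines[i]
            if nxt.strip() and len(nxt) - len(nxt.lstrip(" ")) <= indent:
                break  # next service, comment or top-level key: the block has ended
            i += 1
    return "".join(out)

# Constructed sample in the layout of tpot.yml (only the lines relevant here)
SAMPLE = """\
services:

# Cowrie service
  cowrie:
    container_name: cowrie
    image: "dtagdevsec/cowrie:1903"

# Ewsposter service
  ewsposter:
    container_name: ewsposter
    networks:
     - ewsposter_local
    image: "dtagdevsec/ewsposter:1903"
    volumes:
     - /data:/data

# Heralding service
  heralding:
    container_name: heralding
"""
if __name__ == "__main__":
    print(remove_service(SAMPLE, "ewsposter"))
```

To apply it to the real file, read /opt/tpot/etc/tpot.yml, pass its text and "ewsposter" to remove_service, and write the result back while the tpot service is stopped.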
Opt in to HPFEEDS data sharing
T-Pot data can now be shared with third parties through HPFEEDS, which provides an additional option for submitting attack data, for example to SISSDEN. If you want to share your T-Pot data, simply sign up for an account with a third-party broker and give something back to the community. After registering you receive the credentials for sharing events with the community.
Create an account and apply for credentials: https://portal.sissden.eu/profile
Run the script:
./hpfeeds_optin.sh
Using the system
1. System monitoring web interface, log in with the system user:
https://yourip:64294
2. Management web interface:
https://yourip:64297
3. SSH login:
ssh -l tsec -p 64295 yourip
· Collecting data from the public network
A host on an internal network can collect data by forwarding the required ports with an intranet penetration (port forwarding) tool; for this you can refer to
IV. Update
Back up important files (choose what to back up yourself)
· Run the update command:
cd /opt/tpot
./update.sh