As cybersecurity threats become more advanced and persistent, defenders need ways to observe attackers in the wild—safely and legally. That’s where honeypots come in.
Recently, I set up a T-Pot honeypot to get hands-on experience capturing, analyzing, and learning from real-world malicious activity. In this blog post, I’ll walk you through the setup, some of the tools involved, and what insights you can gain from watching threat actors do their thing.
🚀 What is T-Pot?
T-Pot is an open-source, all-in-one honeypot platform maintained by Deutsche Telekom’s security team. It bundles multiple honeypot daemons, like:
- Cowrie (SSH/Telnet honeypot),
- Dionaea (malware collection),
- Conpot (ICS/SCADA emulation),
- ElasticPot, Heralding, and more…
All neatly integrated with the ELK stack (Elasticsearch, Logstash, Kibana) for data aggregation and visualization.
🧰 Prerequisites
Before we dive in, here’s what you’ll need:
- A dedicated VM or cloud VPS (min. 8GB RAM, 128GB disk)
- Fresh install of Ubuntu Server 20.04 LTS
- A basic understanding of Linux and networking
- Secure remote access (use key-based SSH login)
⚠️ Warning: Never install a honeypot on a production system or network. Use an isolated environment. Honeypots are meant to be attacked.
🔧 Installation Steps
- Download & Prep:

```bash
wget https://github.com/telekom-security/tpotce/releases/latest/download/install.sh
chmod +x install.sh
sudo ./install.sh
```

- Choose Installation Type: During setup, you’ll be prompted to select an installation mode:
  - Standard: All services (recommended for the full experience)
  - Honeypot-only: No dashboards
  - Collector-only: Just data aggregation
- Sit Back and Wait: The installation will take 30–60 minutes depending on your system. It configures Docker containers, networking, and all included services.
- Access the Dashboard: Once done, access your web dashboard at:

https://<your-ip>:64297

Log in with the credentials set during installation.
📊 Log Analysis with Kibana
T-Pot ships with Kibana dashboards that give you a visual representation of:
- Source IPs, geolocation, and attack frequency
- Commonly targeted ports and protocols
- Malware samples (captured by Dionaea)
- SSH/Telnet session logs (Cowrie)
This is where the fun begins.
Within minutes of going live, I observed port scans, SSH brute force attempts, and even some malware drop attempts from random IPs across the globe. It’s eye-opening to see how noisy the internet really is.
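Kibana draws those dashboards from the same records that sit in Cowrie's JSON log, and it helps to know what the raw events look like. The following Python is an added example, not code from T-Pot, Cowrie, or this post: it parses a constructed batch of Cowrie-style events, skips the malformed line a restart can leave behind, counts sessions, failed and successful logins and tried credentials per source, and flags any source at or above a failed-login threshold. The event and field names (cowrie.session.connect, cowrie.login.failed, cowrie.login.success, cowrie.command.input, src_ip, username, password, input) are Cowrie's; the IPs, credentials and timestamps are made up, and the threshold of 3 is an arbitrary choice for the demo.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of Cowrie JSON log lines (one event per line, as in cowrie.json).
# The event and field names are Cowrie's; the IPs, credentials and timestamps are made up.
SAMPLE_COWRIE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_port":51122,"dst_port":22,"session":"a1","timestamp":"2024-05-01T10:00:01.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","username":"root","password":"123456","session":"a1","timestamp":"2024-05-01T10:00:02.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","username":"root","password":"admin","session":"a1","timestamp":"2024-05-01T10:00:03.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","username":"admin","password":"admin","session":"a1","timestamp":"2024-05-01T10:00:04.000000Z"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.7","username":"root","password":"password","session":"a1","timestamp":"2024-05-01T10:00:05.000000Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","input":"uname -a","session":"a1","timestamp":"2024-05-01T10:00:06.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.9","src_port":40001,"dst_port":22,"session":"b2","timestamp":"2024-05-01T10:01:00.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","username":"root","password":"123456","session":"b2","timestamp":"2024-05-01T10:01:01.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","username":"pi","password":"raspberry","session":"b2","timestamp":"2024-05-01T10:01:02.000000Z"}
{"eventid":"cowrie.session.closed","src_ip":"198.51.100.9","duration":2.1,"session":"b2","timestamp":"2024-05-01T10:01:03.000000Z"}
this line is not JSON and is skipped by the parser
"""


def parse_cowrie(text):
    """Parse Cowrie JSON lines into dicts, dropping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line must not abort the whole run
        if isinstance(ev, dict):
            events.append(ev)
    return events


def summarize(events, brute_force_threshold=3):
    """Per-source summary of the things the Kibana dashboards plot for Cowrie."""
    sessions = Counter()            # connections per source IP
    failed = Counter()              # failed logins per source IP
    success = Counter()             # successful logins per source IP
    creds = Counter()               # (username, password) pairs tried
    commands = defaultdict(list)    # commands typed after a successful login
    for ev in events:
        ip = ev.get("src_ip", "unknown")
        eid = ev.get("eventid")
        if eid == "cowrie.session.connect":
            sessions[ip] += 1
        elif eid == "cowrie.login.failed":
            failed[ip] += 1
            creds[(ev.get("username"), ev.get("password"))] += 1
        elif eid == "cowrie.login.success":
            success[ip] += 1
            creds[(ev.get("username"), ev.get("password"))] += 1
        elif eid == "cowrie.command.input":
            commands[ip].append(ev.get("input"))
    # Any source at or above the failed-login threshold is flagged as brute forcing.
    brute_forcers = sorted(ip for ip, n in failed.items() if n >= brute_force_threshold)
    return {
        "sessions": dict(sessions),
        "failed_logins": dict(failed),
        "successful_logins": dict(success),
        "top_credentials": creds.most_common(3),
        "commands": dict(commands),
        "brute_forcers": brute_forcers,
    }


if __name__ == "__main__":
    summary = summarize(parse_cowrie(SAMPLE_COWRIE_LOG))
    # Credential tuples become JSON lists; fine for a quick look at the output.
    print(json.dumps(summary, indent=2))
```

On a live T-Pot the input would be the Cowrie log read from the container's data volume; the embedded sample stands in for it here so the block runs offline. The same per-source counts are what you would later cite in an abuse report.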
🛡️ Next Steps: Reporting Abuse
If you want to go the extra mile:
- Use `whois <ip>` to look up attacker information.
- Contact the abuse email listed for the IP’s ASN.
- Share logs (scrubbed of any sensitive info) to help them take action.
This contributes back to the security ecosystem.
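The three steps above can be scripted so the report you send is consistent and never leaks your own sensor's identity. The following Python is an added example, not part of T-Pot or this post: it extracts the abuse mailbox and origin AS from whois output (the abuse-mailbox: and OrgAbuseEmail: fields are the ones RIPE and ARIN records actually carry), replaces the honeypot's own IP and hostname in the evidence lines, and assembles the report. The whois excerpts, the log lines, the honeypot address 192.0.2.10 and the hostname hp-berlin-01 are all constructed; running whois itself is left to you, since the block takes its text as input.

```python
import re

# Constructed whois excerpts in the style of RIPE and ARIN answers; the networks,
# organisations, AS numbers and mailboxes are made up.
WHOIS_RIPE_STYLE = """\
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
descr:          Example ISP
country:        DE
admin-c:        EX123-RIPE
abuse-mailbox:  abuse@example.net
origin:         AS64496
"""

WHOIS_ARIN_STYLE = """\
NetRange:       198.51.100.0 - 198.51.100.255
OrgName:        Example Hosting
OrgAbuseHandle: ABUSE1-ARIN
OrgAbuseEmail:  abuse@example-hosting.example
OriginAS:       AS64497
"""

# Constructed honeypot log lines that mention the sensor's own address and hostname.
HONEYPOT_IP = "192.0.2.10"
HONEYPOT_HOSTNAME = "hp-berlin-01"
SAMPLE_LOG_LINES = [
    "2024-05-01T10:00:02Z cowrie: login attempt [root/123456] from 203.0.113.7 to 192.0.2.10",
    "2024-05-01T10:00:05Z cowrie: login success [root/password] from 203.0.113.7 on HP-Berlin-01",
    "2024-05-01T10:00:06Z cowrie: CMD: uname -a (session a1, host hp-berlin-01)",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def abuse_contact(whois_text):
    """Pull the abuse mailbox and origin AS out of whois output (None where absent)."""
    email = None
    asn = None
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip().lower()
        value = value.strip()
        # RIPE uses "abuse-mailbox:", ARIN "OrgAbuseEmail:"; both keys contain "abuse".
        # A handle such as "OrgAbuseHandle: ABUSE1-ARIN" has no address and is skipped.
        if email is None and "abuse" in key:
            match = EMAIL_RE.search(value)
            if match:
                email = match.group(0)
        if asn is None and key in ("origin", "originas"):
            asn = value
    return {"abuse_email": email, "asn": asn}


def scrub(lines, honeypot_ip, honeypot_hostname):
    """Replace the honeypot's own IP and hostname before the log leaves your hands."""
    host_re = re.compile(re.escape(honeypot_hostname), re.IGNORECASE)
    scrubbed = []
    for line in lines:
        line = line.replace(honeypot_ip, "<honeypot-ip>")
        line = host_re.sub("<honeypot-host>", line)
        scrubbed.append(line)
    return scrubbed


def build_report(attacker_ip, whois_text, log_lines, honeypot_ip, honeypot_hostname):
    """Assemble what an abuse desk needs: the source, its AS, and scrubbed evidence."""
    contact = abuse_contact(whois_text)
    header = [
        f"Abuse report for {attacker_ip} ({contact['asn'] or 'origin AS unknown'})",
        "Activity observed on a research honeypot; timestamps are UTC.",
        "",
    ]
    return {
        "to": contact["abuse_email"],
        "body": "\n".join(header + scrub(log_lines, honeypot_ip, honeypot_hostname)),
    }


if __name__ == "__main__":
    report = build_report("203.0.113.7", WHOIS_RIPE_STYLE, SAMPLE_LOG_LINES,
                          HONEYPOT_IP, HONEYPOT_HOSTNAME)
    print("To:", report["to"])
    print(report["body"])
```

If abuse_contact returns no mailbox, fall back to the registry's web lookup for that AS rather than guessing an address; the scrub step stays the same either way.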
🧠 Lessons Learned
- Attackers don’t sleep: Some IPs hit my honeypot within seconds of deployment.
- Pattern recognition is powerful: With ELK, it’s easy to spot trends over time.
- This is a learning goldmine: Real logs = real insights.
Setting up a honeypot like T-Pot is one of the best ways to level up your blue team skills, understand attacker behavior, and gain a deeper appreciation for logging and detection.
💬 Final Thoughts
Whether you’re a SOC analyst, student, or curious tinkerer, deploying a honeypot gives you a front-row seat to the wild world of cyber threats. Just remember: play safe, isolate the environment, and use what you learn to improve your defenses.