Tpotce

🍯 T-Pot - The All In One Multi Honeypot Platform 🐝

README

T-Pot - The All In One Multi Honeypot Platform


T-Pot is the all in one, optionally distributed, multiarch (amd64, arm64) honeypot platform, supporting 20+ honeypots and countless visualization options using the Elastic Stack, animated live attack maps and lots of security tools to further improve the deception experience.

TL;DR

  1. Meet the system requirements. The T-Pot installation needs at least 8-16 GB RAM, 128 GB free disk space as well as a working (outgoing, non-filtered) internet connection.
  2. Download or use a running, supported distribution.
  3. Install the ISO with as few packages / services as possible (ssh required).
  4. Install curl, if not installed already: $ sudo [apt, dnf, zypper] install curl
  5. Run the installer as a non-root user from $HOME:
     env bash -c "$(curl -sL https://github.com/telekom-security/tpotce/raw/master/install.sh)"
  6. Follow the instructions, read the messages, check for possible port conflicts and reboot.
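A preflight helper for the TL;DR steps above, added here as an example; it is not part of T-Pot or its install.sh. It checks the README's minimums (8 GB RAM as the lower bound, 128 GB free disk, outbound HTTPS, non-root user) and saves the installer to a file so it can be read before it is executed, instead of piping it straight into bash. Assumptions: a Linux host with /proc/meminfo, GNU df, awk and curl; the file name tpot-preflight.sh and the `run` argument are this example's own conventions.

```shell
#!/bin/sh
# Example preflight for the T-Pot TL;DR steps. Not part of T-Pot/install.sh.
# Assumes Linux (/proc/meminfo), GNU coreutils df, awk and curl.
set -eu

MIN_RAM_MB=8192       # README: at least 8-16 GB RAM (lower bound used here)
MIN_DISK_GB=128       # README: 128 GB free disk space
INSTALLER_URL="https://github.com/telekom-security/tpotce/raw/master/install.sh"

# meets_requirements RAM_MB DISK_GB
# Pure check so it can be exercised with constructed values; prints one line
# per shortfall and returns non-zero if any requirement is missed.
meets_requirements() {
    ram_mb="$1"; disk_gb="$2"; rc=0
    if [ "$ram_mb" -lt "$MIN_RAM_MB" ]; then
        echo "RAM: ${ram_mb} MB is below the ${MIN_RAM_MB} MB minimum"; rc=1
    fi
    if [ "$disk_gb" -lt "$MIN_DISK_GB" ]; then
        echo "Disk: ${disk_gb} GB free is below the ${MIN_DISK_GB} GB minimum"; rc=1
    fi
    return "$rc"
}

# Host probes (Linux + GNU coreutils assumed).
host_ram_mb()  { awk '/^MemTotal:/ { printf "%d", $2 / 1024 }' /proc/meminfo; }
host_disk_gb() { df -BG --output=avail "$HOME" | tail -n 1 | tr -dc '0-9'; }

# Docker must pull images and the installer must be reachable, so test
# outbound HTTPS to the installer URL rather than just ICMP.
has_outbound() { curl -fsSL --max-time 10 -o /dev/null "$INSTALLER_URL"; }

# Save the installer to a file (mode 0700) instead of piping it into bash,
# so it can be reviewed before it is executed. Prints the path on success.
fetch_installer() {
    out="${1:-$HOME/tpot-install.sh}"
    curl -fsSL --max-time 60 "$INSTALLER_URL" -o "$out"
    chmod 0700 "$out"
    echo "$out"
}

preflight() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "Run as a non-root user (README step 5)"; return 1
    fi
    meets_requirements "$(host_ram_mb)" "$(host_disk_gb)"
    has_outbound || { echo "No outbound HTTPS; T-Pot needs an unfiltered connection"; return 1; }
    script="$(fetch_installer)"
    echo "Installer saved to $script; review it, then run it from \$HOME as this user."
}

# Live checks only run on request:  sh tpot-preflight.sh run
if [ "${1:-}" = "run" ]; then
    preflight
fi
```

Run it as the user who will own the installation (`sh tpot-preflight.sh run`); it exits non-zero and prints the reason for any unmet requirement, which is the point at which to fix RAM, disk or egress filtering before the installer starts pulling images.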

Disclaimer

  • You install and run T-Pot on your own responsibility. Choose your deployment wisely, as a system compromise can never be ruled out.
  • For fast help, search the Issues and Discussions first.
  • The software is designed and offered with best effort in mind. As a community and open source project it uses lots of other open source software and may contain bugs and issues. Report responsibly.
  • Honeypots - by design - should not host any sensitive data. Make sure you don't add any.
  • By default, your data is submitted to Sicherheitstacho. You can disable this in the config (~/tpotce/docker-compose.yml) by removing the ewsposter section. But in this case sharing really is caring!

Technical Concept

T-Pot's main components have been moved into the tpotinit Docker image, allowing T-Pot to now support multiple Linux distributions, even macOS and Windows (although both limited to the feature set of Docker Desktop). T-Pot uses docker and docker compose to reach its goal of running as many honeypots and tools as possible simultaneously and thus utilizing the host's hardware to its maximum.

Honeypots and Tools

Alongside its honeypots, T-Pot ships the following tools:

  • Autoheal a tool to automatically restart containers with failed healthchecks.
  • Cyberchef a web app for encryption, encoding, compression and data analysis.
  • Elastic Stack to beautifully visualize all the events captured by T-Pot.
  • Elasticvue a web front end for browsing and interacting with an Elasticsearch cluster.
  • Fatt a pyshark based script for extracting network metadata and fingerprints from pcap files and live network traffic.
  • T-Pot-Attack-Map a beautifully animated attack map for T-Pot.
  • P0f is a tool for purely passive traffic fingerprinting.
  • Spiderfoot an open source intelligence automation tool.
  • Suricata a Network Security Monitoring engine.

... to give you the best out-of-the-box experience possible and an easy-to-use multi-honeypot system.

Technical Architecture

Architecture

The source code and configuration files are fully stored in the T-Pot GitHub repository. The docker images are built and preconfigured for the T-Pot environment.

The individual Dockerfiles and configurations are located in the docker folder.

Services

T-Pot offers a number of services, divided into five groups:

  1. System services provided by the OS
    • SSH for secure remote access.
  2. Elastic Stack
    • Elasticsearch for storing events.
    • Logstash for ingesting, receiving and sending events to Elasticsearch.
    • Kibana for displaying events on beautifully rendered dashboards.
  3. Tools
    • NGINX provides secure remote access (reverse proxy) to Kibana, CyberChef, Elasticvue, the GeoIP Attack Map and Spiderfoot, and lets T-Pot sensors transmit event data securely to the T-Pot hive.
    • CyberChef a web app for encryption, encoding, compression and data analysis.
    • Elasticvue a web front end for browsing and interacting with an Elasticsearch cluster.
    • T-Pot Attack Map a beautifully animated attack map for T-Pot.
    • Spiderfoot an open source intelligence automation tool.
  4. Honeypots
    • A selection of the 23 available honeypots based on the selected docker-compose.yml.
  5. Network Security Monitoring (NSM)
    • Fatt a pyshark based script for extracting networ
