
How to Setup a Honeypot in 30-minutes

By Tyler Wall

Updated: Dec 8, 2024



30-Minute Azure Honeypot Project Cloud Security




This 30-minute Azure honeypot project builds a fake computer system that looks real but isn’t used for any important work. It’s designed to attract hackers who are up to no good. Here is how to set up a honeypot in 30 minutes.


Just like a bee is drawn to honey, hackers are drawn to these honeypots because they seem like easy targets. Once they try to break in, cybersecurity experts can watch what the hackers are doing.


Think of it as a decoy house in a neighborhood. Burglars might try to break in, thinking it’s an easy target, but instead, they get caught in the act!


Almost all of the activity you’ll see in the honeypot is automated bots, billions of them, scanning the internet nonstop looking for vulnerable hosts. It doesn’t take 5 seconds after your host is deployed on the internet before you start seeing voracious attacks from every direction.

That is what we’re doing here: we’re going to create a Debian VM on Azure, install T-Pot, and open up the gates to let anyone and anything contact it. Then I’m going to let you poke around and toy with all the features of T-Pot.




Creating a Virtual Machine


The first thing you’re going to do is go to the Azure Portal and sign up for an account if you don’t already have one. Once you do, $200 in free credits will be added to your account, which will more than cover the cost of this lab.


Once you have created an account, at the top search bar type in “Virtual Machine” and you will be brought to the screen in Figure 1–1. Click the button to create a new virtual machine.



Figure 1–1 Create a New VM


Then create a new resource group and name it “tpot-rg” as shown in Figure 1–2.


A resource is the individual service that you will be consuming, and a resource group is a group of these resources together.

This project will have a few resources, such as the Virtual Machine, Public IP address, and Network Security Group, inside this resource group. When you are finished with the lab, all you need to do is delete the resource group to delete the entire project.




Figure 1–2 Create New Resource Group



  • Name the virtual machine, “tpot-vm”

  • Set the region to "East US"

  • Set the security type to “standard”

  • Click “See all images” and select “Ubuntu Minimal 24.04 LTS - x64 Gen1”

  • Choose size “Standard_A2m_v2 — 2 vcpus, 16 GiB memory”



Figure 1–4 Select Region, VM name, Security Type, Image and Size



  • Select password authentication type

  • Choose username ‘azureuser’ and type a password

  • Click “Next: Disks”



Figure 1–5 Choose Password, Enter Username and Password, Click Next



  • Change the disk size to 128GiB

  • Click Next



Figure 1–6 Change Disk Size to 128GiB, Click Next



  • Check the box to delete public IP and NIC when VM is deleted

  • Click “Next: Management”



Figure 1–7 Check Box, Click Next



  • Click “Review + create” at the top

  • Click “Create” to create your new VM



Figure 1–8 Click Review and Create and then Create



  • Wait for your VM deployment to finish




Figure 1–9 Deployment Finished



Open Traffic Flow


Now we need to open up the gates and create a rule that allows all inbound communication to the honeypot. This lets adversaries attack the honeypot so you can collect the data.


  • At the top search bar, type in “tpot-vm-nsg” and select the network security group resource



Figure 2–1 Select the Network Security Group We Created


  • Select “Inbound security rules” on the left



Figure 2–2 Select Inbound Security Rules


  • Click “Add”



Figure 2–3 Click Add



  • Change Destination port ranges to “*”

  • Change Priority to “100”

  • Change Name to “DANGER_ALLOW_ALL”

  • Click “Add”


This rule on the Network Security Group applies to every resource behind that NSG and allows ALL inbound traffic on ALL ports. This is not recommended anywhere, at any time, except right now.



Figure 2–4 Change Destination Port Range, Priority, and Name then Click Add
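Before moving on, it helps to be able to prove where this allow-all rule exists and where it does not. The script below is an added example and is not part of the original post. It reads a tab-separated rule listing on stdin (the column order assumed is that of the `az network nsg rule list` query shown in its `live_audit` function, and the sample lines embedded in it are constructed, not real output) and prints every inbound Allow rule that admits any source on any destination port, which is exactly what DANGER_ALLOW_ALL is. Run it against tpot-vm-nsg to confirm the rule is there, and against any other NSG you own to confirm it is not.

```shell
#!/bin/sh
# Added example, not from the post: audit an NSG rule listing for inbound
# rules that accept any source on any destination port (what DANGER_ALLOW_ALL is).
set -e

# Reads one rule per line on stdin, tab-separated in this column order:
#   name  priority  direction  access  protocol  sourceAddressPrefix  destinationPortRange
# (the shape produced by the `az network nsg rule list` query in live_audit
# below) and prints the name and priority of every allow-all inbound rule.
audit_nsg_rules() {
  tab="$(printf '\t')"
  while IFS="$tab" read -r name prio dir access proto src dport; do
    [ "$dir" = "Inbound" ] || continue
    [ "$access" = "Allow" ] || continue
    # Any-source prefixes as Azure writes them.
    case "$src" in '*'|Internet|0.0.0.0/0) ;; *) continue ;; esac
    # Any-port ranges as Azure writes them.
    case "$dport" in '*'|0-65535) printf '%s (priority %s)\n' "$name" "$prio" ;; esac
  done
}

# Constructed sample listing (not real output): the post's rule, a normal
# SSH-only rule, and an outbound rule that must not be flagged.
SAMPLE_RULES="$(printf 'DANGER_ALLOW_ALL\t100\tInbound\tAllow\t*\t*\t*\nAllowSSH\t300\tInbound\tAllow\tTcp\tInternet\t22\nDenyAllOutbound\t4096\tOutbound\tDeny\t*\t*\t*')"

# Live mode (assumes `az login` has been done): audit a real NSG.
#   sh nsg-audit.sh live tpot-rg tpot-vm-nsg
live_audit() {
  az network nsg rule list --resource-group "$1" --nsg-name "$2" --output tsv \
    --query "[].[name,priority,direction,access,protocol,sourceAddressPrefix,destinationPortRange]" \
    | audit_nsg_rules
}

case "${1:-}" in
  live) live_audit "$2" "$3" ;;
  demo) printf '%s\n' "$SAMPLE_RULES" | audit_nsg_rules ;;
  *)    ;;   # no argument: only define the functions (lets the file be sourced)
esac
```

`sh nsg-audit.sh demo` prints only `DANGER_ALLOW_ALL (priority 100)` for the sample; `sh nsg-audit.sh live tpot-rg tpot-vm-nsg` checks the real honeypot NSG. An empty result on every NSG outside tpot-rg is the answer you want.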



Configuring the honeypot


Now we need to grab the public IP address of the VM, as it’s time to log in.


  • Type in “tpot-vm” in the search bar at the top and select the resource



Figure 3–1 Go to the tpot-vm resource


  • Copy the Public IP address to the clipboard




Figure 3–2 copy the Public IP address


Windows 10 and Windows 11 can now SSH from the command prompt, and Mac and Linux allow SSH from the terminal. Go ahead and SSH into the host:


ssh azureuser@<public ip address>


Figure 3–3 SSH into honeypot


  • Execute this command:

env bash -c "$(curl -sL https://github.com/telekom-security/tpotce/raw/master/install.sh)"

  • Select the "Hive" install type

  • When the installer has finished, reboot:

sudo reboot

Note: The installation script changes the port that SSH listens on, so if you want to SSH in afterwards you have to use this syntax: ssh azureuser@<ip address> -p 64295

You can now login to the honeypot web interface via


https://<ipaddress>:64297

Be sure to delete the resource group to delete all resources when you're finished!
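Everything above can also be done from the Azure CLI, which makes the build repeatable and the teardown a single command. The script below is an added example, not code from the post or from the T-Pot project. It assumes `az` is installed and `az login` has been run, takes the admin password from an environment variable rather than the command line, and uses the image URN `Canonical:ubuntu-24_04-lts:minimal:latest`, which is my assumption for the marketplace image the post picks and should be checked with `az vm image list` first. The resource names, region, size, disk size, username and ports are the ones the post uses.

```shell
#!/bin/sh
# Added example, not from the post: the same build as the portal clicks,
# done with the Azure CLI. Assumes `az` is installed and `az login` has run.
# The image URN is my assumption for "Ubuntu Minimal 24.04 LTS" and should be
# confirmed with: az vm image list --publisher Canonical --all --output table
set -eu

RG="tpot-rg"                      # resource group; deleting it removes everything
VM="tpot-vm"
NSG="tpot-vm-nsg"                 # the NSG name the portal gives this VM
LOCATION="eastus"                 # "East US"
SIZE="Standard_A2m_v2"            # 2 vCPUs, 16 GiB
IMAGE="Canonical:ubuntu-24_04-lts:minimal:latest"   # assumed URN, verify first
DISK_GB=128
ADMIN="azureuser"
TPOT_SSH_PORT=64295               # where the T-Pot installer moves sshd
TPOT_WEB_PORT=64297               # T-Pot web interface

# Runs a command, or with DRY_RUN=1 prints it with the admin password redacted.
run() {
  if [ "${DRY_RUN:-0}" != "1" ]; then "$@"; return; fi
  line=""; hide=0
  for a in "$@"; do
    if [ "$hide" = 1 ]; then a="<redacted>"; hide=0; fi
    if [ "$a" = "--admin-password" ]; then hide=1; fi
    line="$line $a"
  done
  printf '%s\n' "${line# }"
}

create_vm() {
  # The password is taken from the environment so it never lands in shell history.
  : "${TPOT_ADMIN_PASSWORD:?set TPOT_ADMIN_PASSWORD before running}"
  run az group create --name "$RG" --location "$LOCATION"
  run az vm create --resource-group "$RG" --name "$VM" --location "$LOCATION" \
    --image "$IMAGE" --size "$SIZE" --security-type Standard \
    --authentication-type password --admin-username "$ADMIN" \
    --admin-password "$TPOT_ADMIN_PASSWORD" --os-disk-size-gb "$DISK_GB" \
    --nsg "$NSG" --public-ip-sku Standard \
    --nic-delete-option Delete --os-disk-delete-option Delete
}

# The post's DANGER_ALLOW_ALL rule: every source, every port, priority 100.
create_allow_all_rule() {
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name DANGER_ALLOW_ALL --priority 100 --direction Inbound --access Allow \
    --protocol '*' --source-address-prefixes '*' --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges '*'
}

public_ip() {
  run az vm show --resource-group "$RG" --name "$VM" --show-details \
    --query publicIps --output tsv
}

# Connection strings once the installer has moved sshd to 64295.
ssh_command() { printf 'ssh %s@%s -p %s\n' "$ADMIN" "$1" "$TPOT_SSH_PORT"; }
web_url()     { printf 'https://%s:%s\n' "$1" "$TPOT_WEB_PORT"; }

# Deleting the resource group removes the VM, disk, NIC, public IP and NSG.
teardown() { run az group delete --name "$RG" --yes --no-wait; }

case "${1:-}" in
  deploy)
    create_vm
    create_allow_all_rule
    ip="$(public_ip)"
    echo "Next: ssh $ADMIN@$ip, run the T-Pot installer, pick Hive, then reboot."
    echo "Afterwards: $(ssh_command "$ip")  and  $(web_url "$ip")"
    ;;
  teardown) teardown ;;
  "") ;;   # run without arguments: define the functions only
  *)  echo "usage: $0 deploy|teardown" >&2; exit 2 ;;
esac
```

Set `TPOT_ADMIN_PASSWORD` in your environment, then run `DRY_RUN=1 sh tpot-azure.sh deploy` to see the commands with the password redacted, `sh tpot-azure.sh deploy` for real, and `sh tpot-azure.sh teardown` when finished. The T-Pot installer is interactive (it asks for the install type), so the script stops at the SSH step and prints what to do next.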






Cyber NOW Education: How to start a career in cybersecurity

Tyler Wall is the founder of Cyber NOW Education. He holds a Master of Science from Purdue University and CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, and ten online courses specifically for SOC analysts.


You can connect with him on LinkedIn.


You can sign up for a Lifetime Membership of Cyber NOW® with a special deal for 15% off with coupon code "KB15OFF" which includes all courses, certification, the cyber range, the hacking lab, webinars, the extensive knowledge base, forums, and spotlight eligibility, to name a few benefits.


Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several hands-on fun labs in Microsoft Azure, leaving you with the know-how to create a gig in Fiverr or Upwork to start your cybersecurity freelancing.


Some of our free resources include the Forums, the Knowledge Base, our True Entry Level SOC Analyst Jobs, Job Hunting Application Tracker, Resume Template, and Weekly Networking Checklist. Ensure you create an account or enter your email to stay informed of our free giveaways and promos, which we often offer.


Check out my latest book, Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success, 2nd edition, published June 1st, 2024, and winner of the 2024 Cybersecurity Excellence Awards and a finalist in the Best Book Awards. If you enjoy audiobooks, I suggest the Audible version, but you can also get it in beautiful paperback, kindle, or PDF versions. The downloadable PDF version can be grabbed here.




3 Comments


omaralfayyadh
Jul 19, 2024

This is awesome. Thanks for the fix

Tyler Wall
Jul 25, 2024
Replying to omaralfayyadh

You're very welcome :)


omaralfayyadh
Jul 16, 2024

Hello, Tyler

I appreciate you spending time to explain this easy-to-use guideline. I came across a couple of issues while following the guidelines. The first is that when I ssh into the vm and install the git repository, the file path doesn't contain tpotce/iso/installer/, rather, it is tpotce/.install.sh. When I run the .install.sh, I can't run it using sudo because a message tells me I can't be root (I am not root). Also, when I do run ./install.sh --type=user, I only get three types of installation, m mobile, h hive, and s. For whichever choice I go with, I install the honeypot, but then I won't be able to access the vm through my ip address, and if I disconnect…
