How to Set Up a Honeypot in 30 Minutes
This 30-minute Azure project builds a honeypot: a fake computer system or network that looks real but isn’t actually used for any important work. It’s designed to attract hackers who are up to no good.
Just like a bee is drawn to honey, hackers are drawn to these honeypots because they seem like easy targets. Once they try to break in, cybersecurity experts can watch what the hackers are doing.
Think of it as a decoy house in a neighborhood. Burglars might try to break in, thinking it’s an easy target, but instead, they get caught in the act!
Almost all of the activity you’ll see in the honeypot comes from automated bots, billions of them, scanning the internet nonstop looking for vulnerable hosts. It doesn’t take 5 seconds after your host is deployed on the internet to start seeing voracious attacks in every direction.
That is what we’re doing here: we’re going to create a Debian VM on Azure, install T-Pot, and open up the gates to let anyone and anything in to contact it. Then I’m going to let you poke around and toy with all the features of T-Pot.
Creating a Virtual Machine
The first thing you’re going to do is go to the Azure Portal and sign up for an account if you don’t already have one. Once you do, you will get $200 in free credits added to your account. That will more than cover the charges of this lab.
Once you have created an account, at the top search bar type in “Virtual Machine” and you will be brought to the screen in Figure 1–1. Click the button to create a new virtual machine.
Figure 1–1 Create a New VM
Then create a new resource group and name it “tpot-rg” as shown in Figure 1–2.
A resource is the individual service that you will be consuming, and a resource group is a group of these resources together.
This project will have a few resources, such as the Virtual Machine, Public IP address, Network Security Group, etc., that will be inside of this resource group. When you are finished with the lab, all you need to do is delete the resource group to delete this entire project.
Figure 1–2 Create New Resource Group
Name the virtual machine “tpot-vm”
Set the region to “East US”
Set the security type to “Standard”
Click “See all images” and select “Ubuntu Minimal 24.04 LTS -x64 Gen1”
Choose size “Standard_A2m_v2 — 2 vcpus, 16 GiB memory”
Figure 1–4 Select Region, VM name, Security Type, Image and Size
Select password authentication type
Choose username ‘azureuser’ and type a password
Click “Next: Disks”
Figure 1–5 Choose Password, Enter Username and Password, Click Next
Change the disk size to 128GiB
Click Next
Figure 1–6 Change Disk Size to 128GiB, Click Next
Check the box to delete public IP and NIC when VM is deleted
Click “Next: Management”
Figure 1–7 Check Box, Click Next
Click “Review + create” at the top
Click “Create” to create your new VM
Figure 1–8 Click Review and Create and then Create
Wait for your VM deployment to finish
Figure 1–9 Deployment Finished
Open Traffic Flow
Now we need to open up the gates and create a rule that allows all inbound communication to the honeypot. This lets adversaries attack the honeypot so you can collect the data.
At the top search bar, type in “tpot-vm-nsg” and select the network security group resource
Figure 2–1 Select the Network Security Group We Created
Select “Inbound security rules” on the left
Figure 2–2 Select Inbound Security Rules
Click “Add”
Figure 2–3 Click Add
Change Destination port ranges to “*”
Change Priority to “100”
Change Name to “DANGER_ALLOW_ALL”
Click “Add”
This rule on the Network Security Group applies to all resources in the network security group and allows ALL inbound traffic on ALL ports. This is not recommended anywhere at any time except right now.
Figure 2–4 Change Destination Port Range, Priority, and Name then Click Add
Configuring the honeypot
Now we need to grab the public IP address for the VM, as it’s time to log into the VM.
Type in “tpot-vm” in the search bar at the top and select the resource
Figure 3–1 Go to the tpot-vm resource
Copy the Public IP address to the clipboard
Figure 3–2 Copy the Public IP address
Windows 10 and Windows 11 can now SSH from the command prompt, and Mac and Linux allow SSH from the terminal. Go ahead and SSH into the host:
ssh azureuser@<public ip address>
Figure 3–3 SSH into honeypot
Execute these commands
env bash -c "$(curl -sL https://github.com/telekom-security/tpotce/raw/master/install.sh)"
Select "Hive" install
sudo reboot (when finished)
Note: The installation script changes the port that SSH listens on, so if you want to SSH to it you have to use this syntax: "ssh azureuser@<ip address> -p 64295"
You can now log in to the honeypot web interface via
https://<ipaddress>:64297
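The DANGER_ALLOW_ALL rule also exposes the two management ports mentioned above (SSH on 64295 and the web interface on 64297) to every source. The following check is an added example, not code from the original post or from the T-Pot project: it evaluates a simplified, constructed model of inbound NSG rules and reports which management ports an arbitrary internet address can reach. The rule dictionaries, the placeholder admin address 198.51.100.7, and the alternative split into an admin-only rule plus a 1-64000 honeypot rule are all assumptions for illustration.

```python
import ipaddress

# T-Pot management ports named on this page: SSH (64295) and web UI (64297).
MGMT_PORTS = (64295, 64297)

# Constructed, simplified inbound rules (not Azure's export schema).
PAGE_RULES = [
    {"name": "DANGER_ALLOW_ALL", "priority": 100, "access": "Allow",
     "source": "*", "ports": "*"},
]
# Assumed alternative: admin-only management, honeypot ports open to all.
SPLIT_RULES = [
    {"name": "ALLOW_HONEYPOT_PORTS", "priority": 110, "access": "Allow",
     "source": "*", "ports": "1-64000"},
    {"name": "ALLOW_ADMIN_MGMT", "priority": 100, "access": "Allow",
     "source": "198.51.100.7/32", "ports": "64295,64297"},  # placeholder IP
]


def port_in(spec, port):
    """True if a port spec such as '*', '22', '1-64000' or '80,443' covers port."""
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if lo == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False


def source_matches(prefix, client_ip):
    """True if the rule's source ('*' or a CIDR prefix) covers client_ip."""
    if prefix == "*":
        return True
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:  # service tags are not modelled here
        return False


def verdict(rules, port, client_ip):
    """First matching rule wins, lowest priority number first; default is deny."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if port_in(r["ports"], port) and source_matches(r["source"], client_ip):
            return r["access"], r["name"]
    return "Deny", "implicit-deny"


def exposed_mgmt_ports(rules, stranger_ip="203.0.113.50"):
    """Management ports that an arbitrary internet address is allowed to reach."""
    return [p for p in MGMT_PORTS if verdict(rules, p, stranger_ip)[0] == "Allow"]
```

Calling `exposed_mgmt_ports(PAGE_RULES)` lists both management ports, while `exposed_mgmt_ports(SPLIT_RULES)` returns an empty list because only the placeholder admin address matches the management rule.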
Be sure to delete the resource group to delete all resources when you're finished!
Tyler Wall is the founder of Cyber NOW Education. He holds bills for a Master of Science from Purdue University and CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, and ten online courses specifically for SOC analysts.
This is awesome. Thanks for the fix
Hello, Tyler
I appreciate you spending time to explain this easy-to-use guideline. I came across a couple of issues while following the guidelines. The first is that when I ssh into the vm and install the git repository, the file path doesn't contain tpotce/iso/installer/, rather, it is tpotce/.install.sh. When I run the .install.sh, I can't run it using sudo because a message tells me I can't be root (I am not root). Also, when I do run ./install.sh --type=user, I only get three types of installation, m mobile, h hive, and s. For whichever choice I go with, I install the honeypot, but then I won't be able to access the vm through my ip address, and if I disconnect…