February 2, 2025 in Technical5 minutes
Step-by-step guide on deploying an open-source honeypot named T-Pot in Azure Cloud using free student credit.
T-Pot is an all-in-one honeypot platform that is open-source. It integrates 20+ honeypots in a docker-based environment for us to study and analyze various attack vectors.
In this blog, we will be guiding you through step-by-step on deploying T-Pot in Azure cloud.
For students, Azure provides free $100 Azure credit without any credit card required. This is a good opportunity to allow students to learn more about cloud infrastructure. More details about the free student plan can be found here.
There is also a post about this on T-Pot discussion page, guiding us for deploying T-Pot in cloud, and we will be following the guide with more detailed explanation for it.
A big shout-out to the author for sharing this valuable guide in the discussion!
Before we start to create a virtual machine, we need to get subscription ID for further usage later. In the search bar, search for
Subscriptions
and go to the page.
You can get your subscription ID here. Save it for further usage.
Now go back to home page by clicking
Home
and will be redirected to this page. You will then need to create an Azure virtual machine following the steps above.
Following the guide from the T-Pot discussion, we will be using CLI to create our virtual machine instead of GUI so it is much more efficient. Make sure to open Azure Cloud Shell following the steps above, and we will be diving into the command line configuration in the following steps.
This step is used to set the active subscription for our Azure account. It may not be necessary, but it can help avoid confusion in some cases according to the discussion guideline.
az account set --subscription [subscription-id]
# create a new resource group in a specific Azure region
# you can choose location closest to you (eg. 'southeastasia', 'eastus')
az group create --name rg-tpot --location 'southeastasia'
# create a Virtual Network (VNet)
az network vnet create --resource-group rg-tpot --location southeastasia --name vnet-tpot --address-prefixes 10.0.0.0/16
# create a subnet within an existing Azure VNet
az network vnet subnet create --resource-group rg-tpot --vnet-name vnet-tpot --name subnet-tpot --address-prefixes 10.0.0.0/24
# create a Network Security Group (NSG)
az network nsg create --resource-group rg-tpot --name nsg-tpot
Now we will be setting up NSG rules that only allow our public IP address (can be IP address of our home computer, or the subnet used by our campus) to access the admin ports of T-Pot. You can get your own IP address by going to https://whatismyipaddress.com. Replace [ip-address]
with your own IP address.
# add a rule to an existing NSG
az network nsg rule create --resource-group rg-tpot --name AdminAccess1-tpot --nsg-name nsg-tpot --direction Inbound --priority 200 --source-address-prefixes [ip-address] --destination-port-ranges 64294-64297 --access Allow
# create a deny rule in NSG that blocks inbound traffic to specific ports
az network nsg rule create --resource-group rg-tpot --name BlockAdminPorts-tpot --nsg-name nsg-tpot --direction Inbound --priority 300 --destination-port-ranges 64294-64297 --access Deny
# create a rule in NSG that allows all inbound traffic on all ports as a "catch-all" rule
az network nsg rule create --resource-group rg-tpot --name AllowAllElse-tpot --nsg-name nsg-tpot --direction Inbound --priority 400 --destination-port-ranges 0-65535 --access Allow
Now we can create a virtual machine named “vm-tpot” using the command below:
# deploy a new VM
az vm create --name vm-tpot --resource-group rg-tpot --image Canonical:ubuntu-24_04-lts:server:latest --admin-username [your-username] --admin-password "[your-password]" --vnet-name vnet-tpot --subnet subnet-tpot --size Standard_B4ms --public-ip-address-allocation static --nsg nsg-tpot --no-wait
Use the search bar to search for
Virtual machines
page. The virtual machine will be in “creating” status initially, and you will need to refresh until you see the status is “running”.
After the virtual machine is created and running, stop it and wait for it to halt.
In the Azure GUI for the VM, open
Settings
-> Disks
. Click on your OS Disk.
Then, in
Size + Performance
, select 128GB, and then Save
. You can refer to T-Pot system requirement here. Considering we are using $100 credit, 128GB storage should be sufficient for us to collect at least a week of logs. Make sure to occasionally check your machine to see if you have free storage space, as filling up the storage will crash the system.
With our Ubuntu Server virtual machine up and running, we can now connect to it via SSH to install and run T-Pot.
Connect to the virtual machine using the following command:
ssh [username]@[vm-public-ip-address]
After connecting to the virtual machine, start by updating the packaging lists with:
sudo apt update
Next, install T-Pot by following the official instructions here, or you can refer to the command below:
git clone https://github.com/telekom-security/tpotce
cd tpotce
./install.sh
# when prompted, choose "h" for T-Pot Hive/Standard
# once done, reboot your machine
sudo reboot
⚠️ Note that once T-Pot is installed, our SSH is now using port 64295, as the default SSH port (port 22) is now a honeypot.
If you would like to connect to your virtual machine again, you can use the command below:
ssh [username]@[vm-public-ip-address] -p 64295
Once the installation is complete, we can access T-Pot web interface at
https://[vm-public-ip-address]:64297
.
If you want to run only specific honeypots, you can modify the
docker-compose.yml
file. The full location of the file is ./tpotce/docker-compose.yml
. To disable a honeypot, you can comment out its section in the file by adding a #
at the beginning of the line. You can refer to this T-Pot GitHub issue for further discussion on customizing the selection of honeypots.
If your IP address changes and you can no longer access the T-Pot admin GUI, you need to update the allowed IP address in Azure NSG settings. Follow the steps above to modify the rule by changing the IP address.