Labb.run

T-POT – Honeypot Investigation

T-POT Dashboard

Project Info

  • App: T-POT
  • What it does: Honeypot
  • Platform: Docker

Project Description

Some time ago I got curious about how the bad guys were launching their attacks, and specifically from where: which cloud or hosting services are they using?

So I found T-POT.

T-Pot is the all-in-one, optionally distributed, multiarch (amd64, arm64) honeypot platform, supporting 20+ honeypots and countless visualization options using the Elastic Stack, animated live attack maps and lots of security tools to further improve the deception experience. - source

I self-hosted it on a cloud server located in another country, fired it up, and let it go to work attracting bots, the curious, and attackers. It gives you a lot of information: I was able to get a count of the top cloud services that attacks were coming from, as well as the most active countries, attempts to install malware, and some indication of command and control servers and their location.
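The counts described above (attacks per hosting provider, per country, and the hosts attackers pulled malware from) can be produced outside Kibana by aggregating the raw events. The following is an added example, not code from this site or from the T-Pot project. The events are constructed for illustration, and the field names (src_ip, geoip.country_name, geoip.as_org, eventid, url) are assumptions modelled on Cowrie's JSON log format and the GeoIP enrichment T-Pot's Logstash pipeline adds; check them against your own Elasticsearch index before reusing the logic.

```python
"""Summarise honeypot events: top hosting orgs, top countries, payload-staging hosts.

Added example, not code from labb.run or the T-Pot project. Field names are
assumptions modelled on Cowrie JSON logs plus T-Pot's GeoIP enrichment.
"""
import json
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: one JSON document per line, as exported from Elasticsearch
# or read from a Cowrie log file. IPs are RFC 5737 documentation addresses.
SAMPLE_EVENTS = """
{"src_ip": "192.0.2.10", "eventid": "cowrie.login.failed", "geoip": {"country_name": "Netherlands", "as_org": "Hosting Co A"}}
{"src_ip": "192.0.2.10", "eventid": "cowrie.login.success", "geoip": {"country_name": "Netherlands", "as_org": "Hosting Co A"}}
{"src_ip": "192.0.2.10", "eventid": "cowrie.session.file_download", "url": "http://198.51.100.7/bins/x86", "geoip": {"country_name": "Netherlands", "as_org": "Hosting Co A"}}
{"src_ip": "198.51.100.22", "eventid": "cowrie.login.failed", "geoip": {"country_name": "United States", "as_org": "Cloud Provider B"}}
{"src_ip": "198.51.100.22", "eventid": "cowrie.login.failed", "geoip": {"country_name": "United States", "as_org": "Cloud Provider B"}}
{"src_ip": "203.0.113.5", "eventid": "cowrie.login.success", "geoip": {"country_name": "Germany", "as_org": "Cloud Provider B"}}
{"src_ip": "203.0.113.5", "eventid": "cowrie.session.file_download", "url": "http://198.51.100.7/bins/arm7", "geoip": {"country_name": "Germany", "as_org": "Cloud Provider B"}}
{"src_ip": "203.0.113.9", "eventid": "cowrie.login.failed", "geoip": {"country_name": "Germany", "as_org": "Hosting Co A"}}
{"src_ip": "203.0.113.9", "eventid": "cowrie.login.failed"}
"""


def load_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated log line must not abort the whole run
    return events


def _nested(event, path):
    """Walk a tuple of keys into a nested dict; None if any level is missing."""
    value = event
    for key in path:
        value = value.get(key) if isinstance(value, dict) else None
    return value


def top_field(events, path, n=5):
    """Count events by a nested field, e.g. ("geoip", "as_org"); missing -> 'unknown'."""
    counts = Counter(_nested(ev, path) or "unknown" for ev in events)
    return counts.most_common(n)


def top_sources_by_distinct_ip(events, path, n=5):
    """Count distinct attacking IPs per field value, so one noisy bot does not dominate."""
    ips = {}
    for ev in events:
        ips.setdefault(_nested(ev, path) or "unknown", set()).add(ev.get("src_ip"))
    ranked = sorted(((k, len(v)) for k, v in ips.items()), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:n]


def malware_staging_hosts(events):
    """Hosts that attackers fetched payloads from: candidate droppers or C2 staging servers."""
    hosts = Counter()
    for ev in events:
        if ev.get("eventid") == "cowrie.session.file_download" and ev.get("url"):
            hosts[urlparse(ev["url"]).hostname] += 1
    return hosts.most_common()


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    print("events by hosting org:", top_field(evs, ("geoip", "as_org")))
    print("distinct IPs by country:", top_sources_by_distinct_ip(evs, ("geoip", "country_name")))
    print("payload hosts:", malware_staging_hosts(evs))
```

Two caveats when reading these numbers: the ASN and country describe the machine that connected, which is usually a rented VPS or a compromised host rather than where the operator sits, and counting events rewards a single noisy bot, which is why the country ranking above counts distinct source IPs instead.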

I wrote it up here.
https://labb.run/comprehensive-threat-intelligence-report-honeypot-data-analysis/

Running your own honeypot is a fascinating project, though it can get expensive if you're hosting it on a cloud service. If you're into that kind of thing, I highly recommend it.