My Homelab Honeypot
Honeypot Overview - Over half a million attacks in under 30 days.
After being inspired by the research that comes out of the SANS Internet Storm Center with their Dshield Honeypot setup, I wanted to gather some threat intelligence from the comfort of my own homelab.
I had looked into several different services, including the DShield Honeypot, but ended up selecting the T-Pot Community Edition honeypot from Telekom Security.
It was incredibly exciting to see that this honeypot had the following built-in docker images for threat collection:
Cybersecurity Tools Built In
T-Pot also comes with some incredible tools built in as well:
- Cockpit for a lightweight and secure WebManagement and WebTerminal.
- Cyberchef a web app for encryption, encoding, compression and data analysis.
- Elastic Stack to beautifully visualize all the events captured by T-Pot.
- Elasticvue a web front end for browsing and interacting with an Elastic Search cluster.
- Fatt a pyshark based script for extracting network metadata and fingerprints from pcap files and live network traffic.
- Geoip-Attack-Map a beautifully animated attack map optimized for T-Pot.
- P0f is a tool for purely passive traffic fingerprinting.
- Spiderfoot a open source intelligence automation tool.
- Suricata a Network Security Monitoring engine.
Proper Network Segmentation
It is incredibly important to have proper network segmentation when implementing a honeypot in any environment.
My current setup is with a commercial router running OpenWRT. OpenWRT is a suite of tooling and packages that allow you to replace stock firmware on a commercial home router, and can be argued that it is typically more secure than default firmware.
I followed a pretty good framework from "cydergoth" on setting up multiple VLANs in a home environment, but the basic network segmentation can be summed up as follows:
VLAN-2 is required by my ISP for the upstream link. All packets exiting the SFF router to the fiber-to-ethernet adapter are required to be tagged with VLan-2, QoS-3
VLAN-3 is my guest network. Devices on this network may only access the internet and not devices on the other VLans.
VLAN-4 is my Internet-of-Things (IoT) network. This is where I put all of my devices like Nest Thermostats, Security Cameras etc.
VLAN-5 is my work network, where my corporate provided laptop lives
VLAN-6 is where the honeypot resides.
For more details, I'd recommend following this guide created on github.
Threat Intelligence - Half a million attacks later
After more than half a million attacks later, I am greeted with a ton of real world threat intelligence.
For the TOP 12 CVE's that were found to be exploited are as follows:
For the top usernames being tried:
root user admin pi ubuntu test postgres oracle chia guest git support zabbix ftpuser hadoop mysql ts3 ansible Administrator
For the top passwords being tried:
1 123456 Password 1q2w3e4r password admin root 12345 1qaz2wsx 1234 raspberry raspberryraspberry993311 (empty) 123 test PASSWORD 12345678 mypassword user 666666
This was a quick overview of T-Pot and it's capabilities that can help you at home, or any small business gain actionable, real-time threat intelligence. Make sure that any services you expose on the internet are either using Key-Based Authentication or ensure you use Cloudflare Argo Tunnels to gain access to your internal infrastructure, and you won't even need to expose your services.