I found some good walkthroughs on using T-POT once it was up and running, but not too many on how to get started, set up and configured properly.
I used the Debian-10-amd64 AMI on AWS, with the latest version of TPOT. I am going to cover Amazon only and will assume that you have some basic experience using AWS services before you jump into this.
Create a new Isolated VPC/subnet/Internet gateway, a new subnet is probably ok, depending on what you have running in the AWS account that you decided you use. For me I wanted this to be completely isolated away from all other workloads I have in the AWS account. Whether you decide to create a new AWS account for this or simply use an existing AWS account, it's good practice to enable MFA, log in using a non-root AWS account, only assign IAM roles/permissions which are needed to perform the work you will be doing. See https://aws.amazon.com/architecture/well-architected/?wa-lens-whitepapers.sort-by=item.additionalFields.sortDate&wa-lens-whitepapers.sort-order=desc for more information.
Amazon AMI — Debian-10-amd64–20210208–542
Don’t forget to assign an elastic IP to the new VM instance (you must have an internet gateway created and attached to our VPC before you can assign the elastic IP. Since we are here, one other common thing I see, depending on how the setup was done, what AWS services were reused, and what was created new — make sure you have an entry in your VPC route table which sends all 0.0.0.0/0 traffic out to either an internet gateway or even better a nat gateway.
For the server instance storage, I went with 50GB, I would recommend you select something more than the default of 8GB.
For CPU, Memory, and Network IO, I went with a t2.xlarge instance which gave me 4 cores and 16GB of memory, I have tried smaller instances that just won’t stay running without locks up, and reboots along the way.
Select a new isolated or existing VPC subnet
For the security groups, you can leave those open, we will be coming back to this topic once the installation is complete.
Create a new key pair or use an existing which I wouldn’t recommend.
Once everything looks good, and you have launched your VM, you will be able to SSH to the new instance -“ssh -i tpot.pem admin@ ec2-x-x-x-x.us-east-2.compute.amazonaws.com”. Remember, your actual connection will be different, specifically the key name, username, public DNS, or Elastic IP.
Once you have logged into the server, run these two commands to update your server — “sudo apt-get update” and “sudo apt-get upgrade”.
Next run ”sudo apt install git -y” to get the get repository.
Run “git clone https://github.com/dtag-dev-sec/tpotce.git“ to copy TPOT to the server instance.
cd into your directory, in my case its called tpotcd, you will see the install.sh file, go ahead and run that as sudo with a few extra parameters added “sudo ./install.sh –type=user”
When prompted for the install type I selected Standard or Full, there is an option to only install Sensor, but with Standard, I wanted the Honeypots, ELK, NSM, and all tools included.
You will also be prompted for TPOT username and Password to log in when the install completes, make sure you create a strong password, I think mine was around 27 characters in length.
The install for me took around 10min, it may take longer for you depending on the instance size you selected earlier.
Once the install is completed successfully, you will access the dashboard using port 64297 and ssh will be available on port 64295.
https://22.214.171.124:64297 — once you are logged in ok, head to the dashboard and select T-POT, its going to take some time but eventually your dashboard will start to fill with attacks.
ssh -i “tp.pem” firstname.lastname@example.org -p 64295 — login with the username and strong password you created earlier.
Once you have confirmed you are seeing successful attacks come in, you are able to access both the dashboard and the server instance.
Go back into the AWS console, under services type VPC, and select.
On the left scroll down to Network ACL, find the VPC where you launched the server instance.
Edit the inbound rules, remember the lowest number is evaluated first, so we are simply saying allow the port range if the source IP matches 126.96.36.199, if not deny. Then if the source IP is anyone else, deny those ports, then allow all traffic inbound from all sources and ports to make the best use of T-POT.
I hope this was helpful, I have really enjoyed using this and reviewing all the reports and stats it has given me thus far!