How to Make a Honeypot in 30 Minutes
- Jul 13, 2024
A honeypot is a fake computer system or network that looks real but isn’t used for critical work. It’s designed to attract hackers who are up to no good. This project shows how to make one on Azure in 30 minutes.
Just like a bee is drawn to honey, hackers are drawn to these honeypots because they seem like easy targets. Once they try to break in, cybersecurity experts can watch what the hackers are doing.
Think of it as a decoy house in a neighborhood. Burglars might try to break in, thinking it’s an easy target, but instead, they get caught in the act!
Most of the activity you’ll see in the honeypot is automated bots, billions of them, scanning the internet nonstop, looking for vulnerable hosts. It doesn’t take 5 seconds after your host is deployed on the internet to see voracious attacks in every direction.
That is what we’re doing here: we will create a Debian VM on Azure, install T-Pot, and open up the gates so that anyone and anything can make contact with it. Then I’m going to let you poke around and play with all the features of T-Pot.

Creating a Virtual Machine
The first thing you will do is go to the Azure Portal and sign up for an account if you don’t already have one. Once you do, you will get $200 in free credits added to your account. That will more than cover the lab's charges.

Once you have created an account, at the top search bar type in “Virtual Machine” and you will be brought to the screen in Figure 1–1. Click the button to create a new virtual machine.

Then create a new resource group and name it “tpot-rg” as shown in Figure 1–2.
A resource is the individual service that you will be consuming, and a resource group is a group of these resources together.
This project will have a few resources, such as the Virtual Machine, Public IP address, Network Security Group, etc., that will be inside of this resource group. When you are finished with the lab, all that you need to do is delete the resource group to delete this entire project.

Name the virtual machine, “tpot-vm”
Set the region to "East US"
Set No Infrastructure Redundancy Required
Set the security type to “standard”
Click “See all images” and select “Ubuntu 24.04 LTS Noble Numbat - x64 Gen1”

Choose size “Standard_A2m_v2 — 2 vcpus, 16 GiB memory”

Select password authentication type
Choose username ‘azureuser’ and type a password
Click “Next: Disks"

Change the disk size to 128GiB
Click Next

Check the box to delete the public IP and NIC when the VM is deleted
Click “Next: Management”

Click “Review + create” at the top
Click “Create” to create your new VM
Wait for your VM deployment to finish

Open Traffic Flow
Now we need to open up the gates and create a rule to allow all communication into the honeypot. This will allow the adversaries to attack the honeypot, so you can collect the data.
At the top search bar, type in “tpot-vm-nsg” and select the network security group resource

Select “Inbound security rules” on the left

Figure 2–2 Select Inbound Security Rules
Click “Add”

Change Destination port ranges to “*”
Change Priority to “100”
Change Name to “DANGER_ALLOW_ALL”
Click “Add”
This rule on the Network Security Group applies to all resources in the network security group and allows ALL traffic on ALL ports inside. This is not recommended anywhere at any time except right now.

Configuring the honeypot
Now we need to go grab the public IP address for the VM, as it's time to log into the VM.
Type in “tpot-vm” in the search bar at the top and select the resource

Copy the Public IP address to the clipboard

Windows now has the ability to SSH from the command prompt in Win 10 and Win 11, and Mac and Linux also allow SSH from the terminal. Go ahead and SSH into the host:
ssh azureuser@<public ip address>

Execute these commands
env bash -c "$(curl -sL https://github.com/telekom-security/tpotce/raw/master/install.sh)"
Select "Hive" install
sudo reboot (when finished)
Note: The installation script changes the port that SSH listens on, so if you want to SSH to the host you have to use this syntax: "ssh azureuser@<ip address> -p 64295"
You can now log in to the honeypot web interface via
https://<ipaddress>:64297
Be sure to delete the resource group to delete all resources when you're finished!
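An added check, not part of the original walkthrough or of T-Pot: the script below audits an exported list of NSG rules for inbound Allow rules open to any source, and notes when such a rule also covers the SSH (64295) and web interface (64297) ports mentioned above. The JSON keys are assumed to follow the shape of `az network nsg rule list -o json` output; every sample rule except DANGER_ALLOW_ALL is constructed.

```python
import json

# Constructed sample shaped like `az network nsg rule list -o json` output;
# only DANGER_ALLOW_ALL comes from the walkthrough, the other rules are invented.
SAMPLE_RULES = json.loads("""[
 {"name": "DANGER_ALLOW_ALL", "priority": 100, "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "*", "destinationPortRange": "*"},
 {"name": "admin-from-home", "priority": 200, "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "203.0.113.10", "destinationPortRanges": ["64295", "64297"]},
 {"name": "sensors-only", "priority": 300, "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "Internet", "destinationPortRange": "1-64000"},
 {"name": "block-egress", "priority": 400, "direction": "Outbound", "access": "Deny",
  "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]""")

ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}
MGMT_PORTS = (64295, 64297)  # SSH and web UI ports quoted in the walkthrough

def _merged(rule, single, plural):
    """Azure stores one value in the singular key or several in the plural key."""
    values = list(rule.get(plural) or [])
    if rule.get(single):
        values.append(rule[single])
    return values

def _covers(port_range, port):
    """True if an NSG port range ("*", "22" or "1-64000") includes port."""
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)

def audit(rules):
    """Return {rule name: [findings]} for inbound Allow rules open to any source."""
    # Rules are judged one by one; a Deny with a lower priority number could
    # still shadow a flagged rule, so treat findings as items to review.
    findings = {}
    for rule in rules:
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if not ANY_SOURCE & set(_merged(rule, "sourceAddressPrefix", "sourceAddressPrefixes")):
            continue
        ports = _merged(rule, "destinationPortRange", "destinationPortRanges")
        notes = ["all ports open to any source"] if "*" in ports else []
        exposed = [p for p in MGMT_PORTS if any(_covers(r, p) for r in ports)]
        if exposed:
            notes.append(f"management ports {exposed} reachable from any source")
        if notes:
            findings[rule["name"]] = notes
    return findings
```

Run it against the export of any NSG that should not carry the lab rule; an empty result means no inbound Allow rule is open on every port or exposes the two management ports to any source.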
This is awesome. Thanks for the fix