\n\nThis page has been machine-translated from the original page.
\n
I’m planning to start playing around with Azure, and first of all, I’d like to deploy T-Pot, a honeypot I’ve been interested in for a while.
\nEver since I read the book Analyzing the Footprints of Cyber Attacks: Honeypot Observation Records, I’ve wanted to try this, but I couldn’t commit due to risks and cost concerns.
\nThis time, it seems I can do this nicely using Azure, so I’ll be setting up T-Pot on an Azure environment.
\nI’m figuring things out as I go, but I’ll proceed with safety first.
\nAs I’m a beginner, the content of this article is not necessarily best practice, so I’ll add improvements as I find them.
\nThe content of this article is not intended to encourage acts that violate social order.
\nPlease be aware that attempting attacks on environments other than your own or those you have permission to access may violate the “Act on Prohibition of Unauthorized Computer Access (Unauthorized Access Prohibition Act)“.
\nAll statements are attributed to me personally, not to any organization I belong to.
\n\nBefore creating a honeypot environment on Azure, I made the following two decisions and confirmations:
\nI’ll pay particular attention to these two points.
\nI’m prioritizing this above all else lol
\nIf I were to be arrested and detained by the police, or summarily prosecuted like in the Coinhive case or Wizard Bible case, my PC would be seized and I wouldn’t be able to work, which would be game over.
\nEven if I’m completely innocent, there can be losing events where the police misunderstand and conduct a home search, so it’s an impossible game, but I want to take as many countermeasures as possible.
\nReference: Life Continuation Plan in Case of Arrest - yashio
\nIn other cases, there are quite a few scary stories like “the police conducted a home search as a result of a site operated on a rental server being cracked” or “the administrator of a rental server where a fraudulent site was operated was questioned”.
\nHonestly, I think there’s considerable risk for individuals living in Japan to engage in personal security-related activities.
\n(That’s also why I’ve been avoiding setting up a honeypot for so long.)
\nHowever, since I’ve decided to do it, I’ll work on operations that can avoid risks as much as possible.
\nSpecifically, as of 2022/02/09 when I decided to build this environment, I’m assuming the following points:
\nFirst of all, T-Pot is roughly speaking a tool that can run various honeypots.
\nAmong these, there are honeypots aimed at collecting malware.
\nReference: What is a Honeypot? Actually Making and Touching One - Construction Edition | SIOS Tech. Lab
\nFor now, I plan to operate without using honeypots aimed at collecting malware.
\nThe reason is that I’m afraid of violating the crime related to unauthorized command electromagnetic records.
\nWhile this law prohibits possession of malware “for malicious purposes”, unfortunately the criteria for this are quite ambiguous at present.
\n\n\nWhat is the crime of acquiring and storing viruses
\nWithout legitimate reason, for the purpose of having them executed automatically regardless of the user’s intention, acquiring or storing computer viruses or computer virus source code.
\n
Reference: Crimes Related to Unauthorized Command Electromagnetic Records, Metropolitan Police Department
\nThe following site is very helpful as it summarizes the results of @it_giron’s disclosure requests to various prefectural police departments regarding the constituent requirements of “crimes related to unauthorized command electromagnetic records”.
\n\nFor the time being, I plan to operate the honeypot machine by stopping it at night using Azure’s auto-shutdown function.
\nOnce the operation is established to some extent, I’ll extend the operating hours.
\nThis is probably where the biggest risk lies.
\nIf the honeypot is compromised for some reason and becomes a BOT, it may attack other users or become a relay server for unauthorized files.
\nTo prevent this, I want to create security measures and monitoring mechanisms.
\nFor now, I’ll install the agent of Trend Micro Cloud One Workload Security on the machine where the honeypot is built.
\nThis security software can manage up to 5 machines for free, and can perform anti-malware, host-based IDS, critical file change monitoring, and application whitelist operations.
\n(Also, I used it at my previous job and am personally familiar with its operation)
\nAdded note
\nUnfortunately, as of 2022/01/31, the license system has changed and the free use of up to 5 machines is no longer available.
\nSad.
\n\nI’ll switch to an OSS EDR tool or similar soon.
\nI’ll properly monitor and operate the host’s operation status.
\nI’ll forward various logs and events to Slack or Discord.
\nFor costs, I’m implementing SMS and email notifications.
\nI summarized the cost alert settings in the following article.
\nReference: Checking Azure Active Directory ID Security Score
\n\nSince I’m not planning to collect malware this time, I don’t think there’s much risk, but to avoid accidentally bringing bad things from the honeypot to my environment, connections to the honeypot will be made via a bastion.
\nAlthough I created a virtual machine for bastion access and allowed access via SSH port forwarding, the communication became very unstable.
\nThis is probably because the bastion machine has specs of 1vCPU / 1 RAM, but since increasing the bastion server’s specs is costly, I ultimately decided to access the T-Pot machine from a virtual machine built on my private machine.
\nThe bastion server on Azure will be used as a Syslog server running the Sentinel Agent, and for running honeypot monitoring tools and notification programs.
\nAccess to the T-Pot console was restricted by my home’s global IP address.
\nThis time I’m setting up a honeypot on Azure, so I checked the terms.
\nLooking at Azure’s Q&A site, it seems that operating honeypots is not particularly prohibited.
\nReference: Deployed tpot on azure VM - Microsoft Q&A
\nReference: Investigating Whether Honeypot Operation Violates Terms #2 - Black Leopard’s Blog
\nHowever, the following acts are prohibited, so care must be taken not to fall under these.
\nIn all cases, it’s okay if the scope of impact is only your own environment, and attacks on other users or Azure itself are NG.
\nConversely, the following acts seem to be permitted:
\nAttempting to escape from shared service containers such as Azure Websites or Azure Functions.
\nHowever, if successful, you must immediately report to Microsoft and stop further investigation. Intentionally accessing other customers’ data violates the terms.
\nThe system requirements for T-Pot are as follows:
\nTo meet the above, I’ll create a Debian 10 (Buster) machine.
\nTo create the virtual machine, I’ll create the following resources first:
\nBy setting up a resource group, you can manage multiple resources together.
\nReference: Managing Resource Groups - Azure portal - Azure Resource Manager | Microsoft Docs
\nThis time I created a resource group as follows and also set tags.
\nNetwork security groups are filters for network traffic that Azure resources send and receive.
\nFilters can be applied by associating them with virtual machine network interfaces or subnets.
\nReference: Azure Network Security Groups Overview | Microsoft Docs
\nReference: Network Security Groups - How It Works | Microsoft Docs
\nHere, I created the following two types of security groups:
\nThe bastion server’s security group allows inbound connections from my private machine to SSH and HTTPS ports, and all outbound communications.
\nFor the SSH port, I’ll use a random port instead of port 22 just to be safe.
\nBy the way, security groups are designed with “default rules” that allow all inbound communication from VirtualNetwork, so here I explicitly add a setting to deny all inbound communication from VirtualNetwork.
\nThe idea is to set communications allowed on a VirtualNetwork basis, such as SSH, at higher priorities than this.
\nAzure virtual networks are elements that constitute private networks within Azure.
\nBy using Azure virtual networks, you can build private networks within Azure that are logically separated from other networks.
\nReference: Azure Virtual Network | Microsoft Docs
\nReference: What is Azure’s Virtual Network Azure VNet? Explaining Communication Methods and Fees
\nThis time I created a tightly restricted subnet space for now.
\nYou could also connect with a fixed IP, but it wastes costs and IP access lacks flexibility, so I think it’s good to set a DNS name.
\nAzure Sentinel is a SIEM service provided by Azure.
\nReference: Azure Sentinel - Cloud-Native SIEM Solution | Microsoft Azure
\nFor linking Cloud One and Azure Sentinel, detailed procedures are written in the “Data Connector” on the Azure Sentinel side as follows.
\nThis is all for now, but in the future it would be good to do some analysis on Azure Sentinel.
\nIf you need to add a disk to the virtual machine, after setting up the additional disk from the Azure console, you need to configure it the same way as mounting normally in Linux.
\nFirst, check the disk list with `lsblk`.
\n``` bash\n$ lsblk\nNAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT\nloop0 7:0 0 61.9M 1 loop /snap/core20/1328\nloop1 7:1 0 43.4M 1 loop /snap/snapd/14549\nloop2 7:2 0 67.2M 1 loop /snap/lxd/21835\nsda 8:0 0 128G 0 disk\nsdb 8:16 0 30G 0 disk\nsdb1 8:17 0 29.9G 0 part /\nsdb14 8:30 0 4M 0 part\nsdb15 8:31 0 106M 0 part /boot/efi\nsdc 8:32 0 16G 0 disk\nsdc1 8:33 0 16G 0 part /mnt\n```
\nThe disk I added this time is recognized as `sda`, so I’ll mount it.
\nSince I added it as an empty new disk this time, I first need to create a partition.
\n``` bash\nsudo parted /dev/sda —script mklabel gpt mkpart xfspart xfs 0% 100%\n```
\nIf you run `lsblk` again, `sda1` has been created, so format the XFS file system with the following command.
\n``` bash\nsudo mkfs.xfs /dev/sda1\nsudo partprobe /dev/sda1\n```
\nIn the case of Debian instead of Ubuntu, you may need to install `xfsprogs` beforehand.
\n``` bash\nsudo apt install xfsprogs\n```
\nReference: Fix “mkfs.xfs: No such file or directory” on CentOS/Ubuntu/Debian - TechViewLeo
\nFinally, I created a `tpot` directory to install the honeypot and mounted `/dev/sda1`.
\n``` bash\nmkdir ~/tpot\nsudo mount /dev/sda1 ~/tpot\n```
\nIf you run `lsblk` again, you can see that the mount is properly reflected.
\n``` bash\n$ lsblk\nNAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT\nloop0 7:0 0 61.9M 1 loop /snap/core20/1328\nloop1 7:1 0 43.4M 1 loop /snap/snapd/14549\nloop2 7:2 0 67.2M 1 loop /snap/lxd/21835\nsda 8:0 0 128G 0 disk\nsda1 8:1 0 128G 0 part /home/azureuser/tpot\nsdb 8:16 0 30G 0 disk\nsdb1 8:17 0 29.9G 0 part /\nsdb14 8:30 0 4M 0 part\nsdb15 8:31 0 106M 0 part /boot/efi\nsdc 8:32 0 16G 0 disk\nsdc1 8:33 0 16G 0 part /mnt\n```
\nReference: Expanding Virtual Hard Disks for Linux VMs - Azure Virtual Machines | Microsoft Docs
\nSince the preparation is mostly complete, I’ll finally install T-Pot, but before that, I’ll take a snapshot of the disk just in case.
\nBy taking a snapshot of the Azure disk, you can restore by rebuilding a new machine if there’s a problem.
\nHonestly, even snapshots cost monthly fees which I don’t really want to use personally, but I’ll do it for now.
\nThe link below is easy to understand for detailed instructions.
\n\nJust turn off the virtual machine and create a snapshot from the disk.
\nOnce the snapshot is created, finally install T-Pot.
\nBefore installing T-Pot, disable Cloud One’s anti-malware function.
\nThen execute the following commands in order.
\n``` bash\ncd ~/tpot\ngit clone https://github.com/telekom-security/tpotce\ncd tpotce/iso/installer/\n```
\nHere, a file called `tpot.conf.dist` has the following settings written:
\n``` bash
\nmyCONFTPOTFLAVOR=‘STANDARD’\nmyCONFWEBUSER=‘webuser’\nmyCONFWEBPW=‘w3b$ecret’\n```
\nBy default, the T-Pot type is `STANDARD`.
\nNext, after changing the username and password arbitrarily, execute the following command.
\n``` bash\ncp tpot.conf.dist tpot.conf\nsudo ./install.sh —type=auto —conf=tpot.conf\n```
\nIf this completes without problems, you’ll get output like the following.
\nNow you can connect to the T-Pot machine’s local IP address via the bastion server.
\nYou can actually open the console by connecting to `https://
The T-Pot console looks cool!!
\nWhat I did this time is as follows:
\nI haven’t yet opened the inbound ports of the T-Pot machine’s security group, so it’s not actually operational yet.
\nI’ll decide from now on which honeypots included in T-Pot to use and what kind of analysis to do with Azure Sentinel.
\n