telekom-security / tpotce
๐Ÿฏ T-Pot - The All In One Honeypot Platform ๐Ÿ

License: GNU General Public License v3.0

honeypot security docker elk deception network-security t-pot

tpotce's Issues

waiting for services...

Hello,

I am using t-pot 16.03 and after a while (one week) it is not working anymore; the status.sh command displays "waiting for services... services are busy or not available" etc.

Thank you.

Logs 2hrs backwards


For some reason, the logs are registering the hour of an event two hours in the past. So if it is now 18:33 and there is an event on Honeytrap, the timestamp registers it as 16:33. Is there a way I can fix this?

Honeypot Logs persistence

I was wondering if there is a way for logs of the various honeypots to keep their entries persistent i.e. not lose them every new day/start of the VM. Many thanks.

Move to ELK-Stack 5.0

  • build basic container with elk 5.x
  • add CI / logos
  • no head plugin, get head standalone working
  • set shards / replicas
  • solution for pre-building index
  • rebuild visualizations
  • rebuild dashboards
  • dashboards, visualizations, searches need some finetuning
  • limit ram / cpu usage
  • fix curator
  • set recommended sysctl.conf on host / for container start
  • maxmind released new GeoIP v2 ASN database, integration needed! (http://dev.maxmind.com/geoip/geoip2/geolite2/)

we will lose the maxmind ASN feature due to a limitation of the logstash geo plugin (it will only read .mmdb, no more .dat)

dionaea

Hello,

Is it possible to change the dionaea FTP fingerprint? nmap shows that it is a honeypot. I could modify the internal config file of dionaea, but if I restart the docker container the configuration is returned to default.

Thank you.

~/.ssh_enable.sh

Where can I find this file to enable ssh? It is not in the same directory as the 2factor script. I am running the VM provided.

Distributed Honeypot Collector

Being able to deploy multiple T-Pots and have them send logs to a central collector or aggregator for visualization would be nice. HPFeeds does not appear to retain the same level of integrity as the events visible in the ELK stack; maybe add an optional Splunk Docker container to have a Splunk Forwarder send events to a Splunk server, or some other method.

Access to Kibana Dashboard without SSH-tunnel possible?

Is it possible to access the kibana dashboard without first setting up an ssh tunnel? I tried with some NAT rules but no success so far. Background: I want to retrieve sensor data with my own scripts. Is it maybe possible to access the sensor data without the dashboard? Is there an export option I missed? It would be really great to access the data from my own scripts :-)
Thanks for any hint

tobi

dashboard and logfile

Hi, in my dashboard I can only see honeytrap and cowrie as active, with some counts. How can I enable the others? Also, how do I get the T-Pot attack logfile? Thanks.

Is there a legend of what is logged by each honeypot available?

Hi there,
I found the project really interesting, but I wanted to try to take control of the logs of the honeypots by my own means. The problem is that I didn't find any place which would tell all of the different logs that each honeypot can report in order to make rules, being stuck with Kibana for the visualization of the logs. Is there any documentation of all the unique alerts that each honeypot can log?
Thanks in advance, and great job guys!

TPOT is an HIDS or NIDS?

I was wondering what the TPOT system should be classified under if installed in a VM environment on a host with a bridged connection. Is it still a host intrusion detection system or a network intrusion detection system since it now can be accessed through the Internet? Or is it an enhanced HIDS with internet access?

I am confused can you please clarify?

Exporting hpfeeds to multiple destinations?

Hello there,
At the moment hpfeeds are by default exported to Sicherheitstacho.
I would like to keep this going but add some further destinations in my local network.
Can this be achieved by editing the basic ews-configs? How would the config for this look like?
Thanks,
Bo

t-pot 16.10 cannot access 127.0.0.1:8080

Hello,

I installed the t-pot 16.10 distribution and it worked fine for a couple of days, but today I tried to access kibana at 127.0.0.1:8080 and it is not working. The output of status.sh seems to be OK. I restarted the honeypot, I restarted the services... and nothing...

Thank you.

Attack Replay

Hi

I have completed the details below. Please could you advise me as to whether or not it is possible to replay attacks? This is a great advantage in Kippo and I was wondering if the same is possible in T-Pot. If possible, how do I replay the attack? Can this also be achieved with Kibana?

I am also looking for the payloads that are being recorded or captured, as I would like to analyse the payloads. Where do I find these? Can they also be viewed on the Kibana dashboard for quick access?

Looking forward to your reply.

Sincerely.
Gerhard

Contribution

Thank you for your decision to contribute to T-Pot.

Issues

Please feel free to post your problems, ideas and issues here. We will try to answer ASAP, but to speed things up we encourage you to ...

Thank you 😃

FAQ

Where can I find the honeypot logs?
The honeypot logs are located in /data/. You have to login via ssh and run sudo cd /data/. Do not change any permissions here or T-Pot will fail to work.

Basic support information

  • What T-Pot version are you currently using? 16.03
  • Are you running on a Intel NUC or a VM? Production system on Hardware
  • How long has your installation been running? 4 days
  • Did you install any upgrades or packages? As per ISO image
  • Did you modify any scripts? Nope
  • Have you turned persistence on/off? On
  • How much RAM available (login via ssh and run htop)? 18,053mb
  • How much stress are the CPUs under (login via ssh and run htop)? No stress at all I am using a Xeon Processor
  • How much swap space is being used (login via ssh and run htop)? 0
  • How much free disk space is available (login via ssh and run sudo df -h)? 1Terabyte
  • What is the current container status (login via ssh and run sudo start.sh)? started

Glastopf stopped persisting log entries

I have kept persistence.on file located in data folder for a week with no problem. Today, the glastopf.log deleted all other logs and started from 2016-04-23. Why did this happen?

Allow easy plugging of non-dtagdevsec honeypot containers

As it stands T-Pot is a nicely integrated solution, but adding bricks to it is cumbersome and requires either changing most installation scripts or abandoning this nice integration to deploy other tools aside from T-Pot.

It is mostly a matter of hardcoded names. While I think making it work with ews may be troublesome as it would on the information sharing side it would still be nice to have a plugin system to add containers of other origins.

This would also IMHO make it easier to deploy as more specific honeypots have more value in enterprises.

Q: Cannot configure ssh tunnel due to 'connection refused' message

Howdy colleagues

I just installed TpotCE successfully w/ support from your inst-video. Now I am stuck at minute 6:56 of your video, at the point where the ssh tunnel is configured to get access via browser on localhost:8080. Here I get the message 'connection refused'. Where does this message belong to? Does it refer to the access to my pub-IP via ssh? Or does it say that the access to localhost is denied?
Where exactly does the tunnel want to connect to and where is this request rejected then?

Your response will be highly appreciated.

Kind regards,

Roger

ssh executable and connection refused

Hi, I can't find (ssh_enable.sh) in the same session in which I found (2fa_enable.sh). And when I try to connect to ssh based on the installation instructions given, I get "port 64295: connection refused". Please can I get detailed instructions on how to do it. Thanks

Error response from daemon: No such container:dionaea

After 6hrs of the system running non-stop without any issues, when doing status.sh, I get Error response from daemon: No such container: dionaea. This happened just now.

Before restarting the VM, container cowrie also stopped running. What is the problem? Should I restart the host machine?

ewsposter fatal error

Hello. When I run sudo status.sh, a few of the containers show "ewsposter fatal: exited too quickly (process log may have details)." Should I be concerned? The pots affected are Dionaea, Glastopf and Honeytrap.

A couple of reboots did not resolve problem.

Way to know if crontabs are actually being run?

I installed mail package but in /var/log/cron nothing exists, the directory does not exist.

How can I make sure that the cronjob is running?

I used crontab -e to create a new crontab and at the end of the file, i.e after the comments section I wrote

0 * * * * logretreiver.sh

Suricata Implementation in T-Pot

Does the Suricata tool used in T-Pot just label traffic using signatures and let it pass, or does it stop traffic in some way?

For my research I need all traffic to pass. If it is stopping some traffic, is there a way to let it all pass?

Thank you

dev naming scheme changed on ubuntu 14.04 for LTS releases

starting with 14.04 LTS releases will follow the biosdevname scheme.

Device         Old Name     New Name
Embedded NIC   eth[0123…]   em[1234…]
Card NIC       eth[0123…]   p<slot>p<port>

since this should only occur on physical hardware you will not be able to reproduce this behavior in most VM environments.
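As an added example (not code from the tpotce project): a POSIX sh helper that selects the first physical interface from `ip -o link show` output under any of the naming schemes above, so a setup script does not have to hard-code eth0 and break on a biosdevname host. The link listing it parses is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the tpotce repository: pick the first
# physical network interface whatever naming scheme the host uses
# (classic eth0, biosdevname em1 / p1p1, or systemd en*) instead of
# hard-coding "eth0" in an install script. Input is the text printed
# by `ip -o link show`; the sample below is constructed, not captured.

SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
2: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
3: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
4: p1p1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000'

# first_iface LINKS [STATE]
# Print the first interface whose name matches a physical naming scheme
# (eth*, em*, en*, p<slot>p<port>); lo and bridges such as docker0 never
# match. With STATE given (e.g. UP) only interfaces in that link state
# qualify. Exit status 1 when nothing matches, so callers can abort.
first_iface() {
    printf '%s\n' "$1" | awk -F': ' -v want="${2:-}" '
        $2 ~ /^(eth|em|en|p[0-9]+p)[0-9]/ {
            if (want == "" || $3 ~ ("state " want " ")) {
                print $2; found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# Example use on the constructed sample:
#   first_iface "$SAMPLE_LINKS"     -> em1
#   first_iface "$SAMPLE_LINKS" UP  -> em1 (p1p1 is DOWN, docker0 is skipped)
```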

IP Address Assignment

Hello,

I understand that the honeypots are designed such that little to no configuration is necessary. DHCP is not enabled on my network; all VMs are assigned static IPs. Is it possible to assign individual IP addresses to the honeypots? Some of them need to be in the internal network and others in the DMZ.

Fail to connect. Requires reboot

Hi,
Lately, anytime I try to log in I get the following.

channel 2: open failed: connect failed: Connection refused
channel 3: open failed: connect failed: Connection refused
channel 4: open failed: connect failed: Connection refused
channel 5: open failed: connect failed: Connection refused
channel 6: open failed: connect failed: Connection refused
channel 7: open failed: connect failed: Connection refused
channel 2: open failed: connect failed: Connection refused

Requires a reboot to get back in which isn't ideal.

Is there a community forum where users can discuss issues etc.? I like the project a lot and would like the opportunity to discuss things with others running it.

Cheers

Can't find my log data?! Nothing from kippo, dionaea, glastopf

Hi there,

Looking at the honeypot we set up now it seems as if there is data logging missing, can I get some help/insight on this? in the /data folder there is nothing besides the Suricata folder ( no kippo folder nothing, just one lone folder) and the dashboard looks like this:


Any insight would be appreciated!

Initial tsec credentials not working

Hi,
I successfully installed the T-Pot 16.03 system with Ubuntu 14.04.4 LTS. I had windows OS installed with Symantec disk encryption in the same PC. But the problem is when I boot the TPot, the login screen appears and it denies the login:tsec password:tsec credentials. What can I do?

TPOT Heap problem

Services not working, heap exceeding limit elasticsearch

There are no logs in data elk/log directory

Glastopf sqlite information access

Is there a way to read or access the information stored in sqlite:///db/glastopf.db?

I need more information as can be seen in Kibana in glastopf dashboard and not just the IP and dummy page as found in glastopf.log.

Thank you

Bad Archive Mirror

Hello,

I am installing t-pot in a VM and am at the point of "Configure Package Manager." However, I get the error message: Bad Archive Mirror. The ubuntu mirror hostname is archive.ubuntu.com and the mirror directory is /ubuntu. Has this changed? Or is there an alternative mirror that I can use?

Honeypot Map broken since July 11

Hello T-Pot Team! :-)

I just installed the latest tpot.iso and noticed something odd with the Honeypot Map:
Instead of displaying a world map there is a message from MapQuest stating they have discontinued their tile service since the 11th of July 2016.

Cheers,

Emre
