Advanced • Honeynet • T-Pot • Networking Protocols

T-Pot honeynet project.

I did this project to extend what I was learning in Networking Protocols class into a live, controlled lab. It shows how I set up a disposable T-Pot honeynet on a VPS, monitored the dashboards, collected a short evidence set, and shut the lab down cleanly.

The goal was not to hack anyone back. The goal was to watch what touched the exposed honeypot, learn from the logs, and document the behavior safely.

Safety rule: Use a disposable VPS or isolated lab machine. Restrict management access to your IP. Expect provider alerts, because honeypots intentionally look like exposed services.

Before you start

T-Pot is heavier than a normal beginner VPS project. Treat this as a dedicated lab box, not as a server that also hosts your website.

Use the right machine

  • Dedicated VPS or VM only
  • At least 8 GB RAM for a sensor-style install (a full Hive install, which also runs the Elastic stack and dashboards, needs 16 GB)
  • At least 128 GB SSD storage (256 GB for a Hive install)
  • Clean supported Linux install with SSH available

Lock down management

  • Do not expose management ports to the whole Internet
  • Allow T-Pot SSH only from your IP
  • Allow the web dashboard only from your IP
  • Use strong passwords and save them in a password manager

Do not run this on your home network as a first attempt. A public honeynet attracts scanners, bots, abuse notifications, and noisy traffic. Start with a cloud VPS you can destroy.

Strict install steps

These steps follow the current T-Pot project install flow: start from a clean supported Linux host, install curl if needed, run the installer as a normal user from your home directory, reboot, then use the T-Pot management ports.

1. Create the VPS

Use a fresh supported Linux image. Do not install Apache, Nginx, databases, panels, or extra services first.

  • Pick a server with enough RAM and disk
  • Add your SSH key
  • Record the public IP

2. Restrict management ports

Before exposing honeypot traffic, keep T-Pot management access limited to your IP. Until the installer has run, SSH is still on the default port 22, so allow that from your IP as well; after the reboot it moves to 64295 and port 22 is handed to the honeypots.

  • SSH management: 64295/tcp
  • Web landing page: 64297/tcp
  • Allow those only from your home IP
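The check a practitioner would run before pointing any attacker traffic at the box: confirm that 64295/tcp and 64297/tcp are allowed only from your own address. This is an added example, not part of the T-Pot project; it assumes the host firewall is ufw and parses the To / Action / From table printed by `sudo ufw status` (a provider security-group listing pasted into the same layout would be checked the same way). The sample status text is constructed.

```python
"""Check that T-Pot management ports are only reachable from your own IP.

Added example for this page, not part of the T-Pot project. It assumes the
host firewall is ufw and parses the text of `sudo ufw status` (the
To / Action / From table).
"""
import ipaddress
import re
import sys

# T-Pot management ports from the page: SSH and the web landing page.
MANAGEMENT_PORTS = {"64295/tcp": "T-Pot SSH", "64297/tcp": "T-Pot web landing page"}

ACTIONS = ("ALLOW", "DENY", "REJECT", "LIMIT")

# Constructed sample in ufw's status layout; not output from a real host.
SAMPLE_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
64295/tcp                  ALLOW       203.0.113.10
64297/tcp                  ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
64297/tcp (v6)             ALLOW       Anywhere (v6)
"""


def parse_rules(text):
    """Turn ufw status lines into dicts; header, separator and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) != 3 or parts[1].split()[0] not in ACTIONS:
            continue
        to, action, src = parts
        rules.append({
            "to": to.replace(" (v6)", ""),
            "action": action.split()[0],      # "ALLOW IN" -> "ALLOW"
            "from": src.replace(" (v6)", ""),
            "v6": "(v6)" in to,
        })
    return rules


def source_is_only(src, my_ip):
    """True only when the rule's source is exactly the single address my_ip."""
    if src == "Anywhere":
        return False
    try:
        net = ipaddress.ip_network(src, strict=False)
        me = ipaddress.ip_address(my_ip)
    except ValueError:
        return False                          # unparseable: treat as unsafe
    # A /24 or a mismatched address family is not "my IP only".
    return net.num_addresses == 1 and me in net


def exposed_management_rules(rules, my_ip):
    """Return (port, source, is_v6) for every ALLOW on a management port
    whose source is anything other than my_ip alone."""
    return [
        (r["to"], r["from"], r["v6"])
        for r in rules
        if r["to"] in MANAGEMENT_PORTS
        and r["action"] == "ALLOW"
        and not source_is_only(r["from"], my_ip)
    ]


def main():
    if len(sys.argv) > 1:
        my_ip, text = sys.argv[1], sys.stdin.read()   # sudo ufw status | python3 check.py YOUR_IP
    else:
        my_ip, text = "203.0.113.10", SAMPLE_STATUS   # demo run on the constructed sample
    rules = parse_rules(text)
    if not rules:
        print("no rules parsed; pipe `sudo ufw status` into this script")
        return
    findings = exposed_management_rules(rules, my_ip)
    for port, src, v6 in findings:
        print(f"OPEN: {MANAGEMENT_PORTS[port]} ({port}{' v6' if v6 else ''}) allowed from {src}")
    if not findings:
        print("OK: management ports restricted to", my_ip)


if __name__ == "__main__":
    main()
```

Run it as `sudo ufw status | python3 check.py YOUR_HOME_IP`. Note that it deliberately flags an IPv6 "Anywhere" rule for 64297 even when the IPv4 rule is tight, and flags any subnet wider than a single host; 22/tcp open to Anywhere is not reported because after the install that port belongs to the honeypot, which is the point of the lab.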

3. SSH into the server

If SSH is still new, read the terminal and SSH guide first. At this point SSH is still on the default port 22; the management port only exists after the install.

ssh username@YOUR_SERVER_IP

Open the SSH beginner guide

4. Install curl if needed

T-Pot uses a remote installer script, so the server needs curl. The commands below are for Debian or Ubuntu; on other supported distributions use that distribution's package manager.

sudo apt update
sudo apt install -y curl

5. Run the T-Pot installer

Run this as your normal user from $HOME, not as root. The user needs sudo rights, because the installer escalates for the steps that require it.

cd ~
env bash -c "$(curl -sL https://github.com/telekom-security/tpotce/raw/master/install.sh)"

6. Read every installer prompt

Do not speed-click through the installer.

  • Choose the install type intentionally
  • Create the web user when prompted
  • Write down the web username and password
  • Watch for port conflict warnings

7. Reboot after install

The official flow expects a reboot after the installer finishes.

sudo reboot

8. Log in through T-Pot SSH

After the reboot, SSH listens on the management port 64295 instead of 22, because port 22 now belongs to the honeypots. If you firewalled 64295 before the install, this is the moment you find out whether that rule was right.

ssh -l username -p 64295 YOUR_SERVER_IP

Monitor the dashboards

Once T-Pot is running, use the web landing page to reach Kibana, the Attack Map, and other tools.

  • Open: the T-Pot landing page at https://YOUR_SERVER_IP:64297, logging in with the web user created during the install (expect a browser warning for the self-signed certificate)
  • Watch: the Attack Map. Look for source countries, bursts, and repeated scanners.
  • Review: the Kibana dashboards. Check Cowrie, Suricata, ports, usernames, passwords, and commands.
  • Record: evidence notes. Capture screenshots, top ports, top credentials, and one short interpretation.

Keep the evidence sanitized. Do not publish raw logs, full VPS IPs, attacker IPs, keys, provider account data, or customer identifiers.
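The "top ports, top credentials" evidence and the sanitization rule above can be done from the raw honeypot log rather than by retyping dashboard values. The script below is an added example, not part of T-Pot or Cowrie: it assumes Cowrie's JSON log format (one event per line with eventid, src_ip, dst_port, username, password and input fields) and that T-Pot keeps it under ~/tpotce/data/cowrie/log/cowrie.json (path is an assumption; check your install). The sample events are constructed, not captured traffic. Attacker IPs are replaced with keyed HMAC tokens rather than plain hashes, because a plain hash of an IPv4 address can be reversed by hashing all four billion candidates.

```python
"""Summarize and sanitize Cowrie JSON events for a public write-up.

Added example for this page, not part of T-Pot or Cowrie. Assumes Cowrie's
JSON log layout and (an assumption) ~/tpotce/data/cowrie/log/cowrie.json
as the T-Pot location of that log.
"""
import hashlib
import hmac
import json
import os
import sys
from collections import Counter

# Constructed sample events in Cowrie's JSON format (not real captured traffic).
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.5","src_port":51122,"dst_ip":"10.0.0.2","dst_port":22,"session":"a1","timestamp":"2024-05-01T10:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","username":"root","password":"123456","session":"a1","timestamp":"2024-05-01T10:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","username":"root","password":"bitcoin","session":"a1","timestamp":"2024-05-01T10:00:02Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","src_port":40001,"dst_ip":"10.0.0.2","dst_port":2222,"session":"b2","timestamp":"2024-05-01T10:05:00Z"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","username":"admin","password":"admin","session":"b2","timestamp":"2024-05-01T10:05:01Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","input":"uname -a","session":"b2","timestamp":"2024-05-01T10:05:02Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","username":"root","password":"123456","session":"a3","timestamp":"2024-05-01T10:09:00Z"}
not json at all
"""


def parse_events(text):
    """One JSON object per line; truncated or garbled lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def pseudonymize_ip(ip, key):
    """Stable keyed token for an attacker IP: the same source stays correlatable
    in the write-up, but nobody without the key can recover the address."""
    return "src-" + hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:10]


def summarize(events, key, top=5):
    """Top ports, credentials, commands and (pseudonymized) sources."""
    ports, creds, commands, sources = Counter(), Counter(), Counter(), Counter()
    for ev in events:
        kind = ev.get("eventid", "")
        if "src_ip" in ev:
            sources[pseudonymize_ip(ev["src_ip"], key)] += 1
        if kind == "cowrie.session.connect":
            ports[ev.get("dst_port")] += 1
        elif kind in ("cowrie.login.failed", "cowrie.login.success"):
            creds[(ev.get("username"), ev.get("password"))] += 1
        elif kind == "cowrie.command.input":
            commands[ev.get("input")] += 1
    return {
        "events": len(events),
        "top_ports": ports.most_common(top),
        "top_credentials": creds.most_common(top),
        "top_commands": commands.most_common(top),
        "top_sources": sources.most_common(top),
    }


def sanitized_events(events, key):
    """Copies of the events with src_ip replaced by its token; safe to quote."""
    out = []
    for ev in events:
        ev = dict(ev)
        if "src_ip" in ev:
            ev["src_ip"] = pseudonymize_ip(ev["src_ip"], key)
        out.append(ev)
    return out


if __name__ == "__main__":
    # Keep REDACT_KEY out of the write-up; a fresh random key is used if unset.
    key = os.environ.get("REDACT_KEY", "").encode() or os.urandom(32)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for name, rows in summarize(parse_events(text), key).items():
        print(name, rows)
```

Usage on the lab box: `REDACT_KEY=some-private-string python3 summarize.py ~/tpotce/data/cowrie/log/cowrie.json`. Setting the key once and reusing it means a source that shows up on several days keeps the same token across your notes; leaving it unset gives tokens that differ per run.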

Dashboard screenshots

Dashboard view showing protocol mix, attack timing, honeypot performance, and heatmap-style activity.

Sanitized live feed view. The source IP column is redacted for public sharing, but the protocol, port, honeypot, country, and reputation fields still show the monitoring workflow.

Clean shutdown

A honeynet lab is not complete until it is stopped, exported, or destroyed.

Stop T-Pot

sudo systemctl stop tpot
sudo systemctl disable tpot

Verify the containers stopped; docker ps should list no T-Pot containers

docker ps

Archive data if needed

tar -czf tpot-logs.tar.gz ~/tpotce/data

The archive holds raw attacker IPs and captured sessions, so it belongs with the private analysis, not the public write-up. Keep it off shared drives and redact before quoting anything from it.

Destroy the VPS

Terminate the instance and check for leftover volumes, snapshots, public IPs, or firewall rules.

What this advanced project demonstrated

This page keeps the detailed results private, but the high-level pattern was worth documenting: exposed services attract automated attention quickly, including traffic that appears financially motivated.

Advanced

Protocols become visible

T-Pot turns abstract networking topics into visible events: ports, protocols, sessions, source traffic, IDS alerts, and dashboard timelines.

Crypto targeting

Crypto thieves are out there

One sanitized finding was a visible crypto-themed SSH credential pattern. The lesson is simple: attackers and bots are actively looking for weakly secured systems tied to valuable infrastructure.

Documentation

Evidence handling matters

The project required careful notes, screenshots, log handling, redaction, shutdown steps, and a clear separation between private analysis and public summary.

Official references

Official

T-Pot README

The current install commands, requirements, ports, first-start notes, dashboards, and maintenance details.

Open T-Pot on GitHub

Next Step

AWS VPS setup

Use this first if students still need help creating a disposable Linux server.

Open AWS VPS guide

Beginner

Terminal and SSH intro

Use this first if the commands, SSH tunnel, or headless-server workflow are still unfamiliar.

Open terminal guide