Free T-Pot in Azure for students #1710
daveopie started this conversation in Show and tell
Replies: 1 comment
Great write up! Thank you for sharing 🤩
I teach a cybersecurity class at a university. For the final project for my students, I am having them run the T-Pot honeypot in Azure for about a week and then write a report on the data they have captured. I have tried to document the procedure for them to build it, and I thought I would share that with the T-Pot community.
All students get a free $100 per year in Azure credits. Plus, there are some free Azure resources you can use, such as a small Linux box (1G of RAM) you can run for up to 750 hours. Details are at: https://azure.microsoft.com/en-us/free/students . You should sign up with an email address that ends in ".edu". When you run out of credits, your honeypot and anything else you build in Azure will cease to function.
In order to run T-Pot, you need a VM that costs about $5 per day. I chose a "Standard_B4ms" which costs $121.18/month, so we won't be able to run T-Pot for that long. Plus, you need a public IP (just under $3/month), and an expanded hard drive, I chose 126G ($20/month). The total cost to run T-Pot in Azure is around $5 per day. Note that these prices are from 2024 and for the East US region. Be aware Microsoft may change prices at any time.
To check pricing of various Azure resources:
https://azure.microsoft.com/en-us/pricing/details/virtual-machines/windows/#pricing
Look at Check Your Azure Balance & Usage: https://www.microsoftazuresponsorships.com
I am borrowing from the T-Pot install instructions at: https://github.com/telekom-security/tpotce/blob/master/README.md
To access Azure resources, use: https://portal.azure.com
To find your Subscription ID, search for "subscription" in the search box at the top of the portal. The box says "search resources, services, and docs". Your Subscription ID should have the name "Azure for Students" and the ID is composed of a series of hex digits in groups of 8-4-4-4-12. Copy that ID string.
Most of the Azure work will be done in the CLI. The CLI can be accessed from an icon at the top of the Azure portal, to the right of the search box. If you hover over it, it will say "Cloud Shell". Open a CLI window.
(The next step may not be necessary, but it can help avoid confusion in some cases.)
az account set --subscription XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX (use your subscription ID instead of the place holder X's)
(Now you must create some networking components, specifically a resource group, vnet, subnet, and nsg. Just cut and paste the following steps.)
az group create --name rg-tpot --location 'eastus'
az network vnet create --resource-group rg-tpot --location eastus --name vnet-tpot --address-prefixes 10.0.0.0/16
az network vnet subnet create --resource-group rg-tpot --vnet-name vnet-tpot --name subnet-tpot --address-prefixes 10.0.0.0/24
az network nsg create --resource-group rg-tpot --name nsg-tpot
Now to set up NSG rules that only allow your IP address to access the admin ports of T-Pot.
(Find the IP address of your home computer, or the subnet used by your campus. Use that instead of the string "IPADDRESS" in these NSG rules. You can find your own IP address by going to https://whatismyipaddress.com )
az network nsg rule create --resource-group rg-tpot --name AdminAccess1-tpot --nsg-name nsg-tpot --direction Inbound --priority 200 --source-address-prefixes IPADDRESS --destination-port-ranges 64294-64297 --access Allow
az network nsg rule create --resource-group rg-tpot --name BlockAdminPorts-tpot --nsg-name nsg-tpot --direction Inbound --priority 300 --destination-port-ranges 64294-64297 --access Deny
az network nsg rule create --resource-group rg-tpot --name AllowAllElse-tpot --nsg-name nsg-tpot --direction Inbound --priority 400 --destination-port-ranges 0-65535 --access Allow
(Now to create the VM)
az vm create --name vm-tpot --resource-group rg-tpot --image Canonical:ubuntu-24_04-lts:server:latest --admin-username tpot_admin --admin-password "Password123$" --vnet-name vnet-tpot --subnet subnet-tpot --size Standard_B4ms --public-ip-address-allocation static --nsg nsg-tpot --no-wait
(Search for "vm" in the Azure portal search window and use the GUI to go there. Refresh the page until the VM says "running" - initially it will say "creating". Some of my students were unable to build a Standard_B4ms VM in "eastus" due to limited resources. If you have a problem creating this size in your location, choose another region like "eastus2", "westus", or "westus2" and start over. Use the GUI to find and delete your resource group, vnet, subnet, and nsg, then recreate them in a new region.)
After the VM is created and running, then in the Azure GUI, "stop" the VM. Wait for it to halt.
In the Azure GUI for the VM, open Settings -> Disks. Click on your OS Disk. Then choose ... Settings -> Size + Performance .... select 128G, and then Save. A 128G hard drive should be able to collect at least a week of logs until it fills up. When running T-Pot you should occasionally check to verify you still have free storage space.
Start the VM via the GUI. Copy the public IP address of the VM.
Once the VM starts, you should be able to SSH to that IP (on port 22). To connect use PuTTY or whatever SSH client you prefer.
The following steps are from: https://github.com/telekom-security/tpotce?tab=readme-ov-file#tldr
(In the SSH connection, type the following)
sudo apt update && sudo apt upgrade -y
env bash -c "$(curl -sL https://github.com/telekom-security/tpotce/raw/master/install.sh)"
(Choose Y)
(Choose "h" for Hive TPot standard)
(user: tpot_admin)
(confirm with 'y')
(pass: Password123$)
sudo reboot
After the reboot completes and the VM is back up and running, you should be able to connect to the TPOT GUI on: https://IP-of-your-VM:64297
(accept the security risk of not having a valid cert). If needed, you can SSH now on port 64295 (do not use port 22 - that is now a honeypot).
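The three NSG rules above only protect the T-Pot admin ports (64294-64297) if their priorities are ordered correctly, since Azure evaluates inbound rules lowest priority number first and stops at the first match. The following is an added example, not part of the original post or of T-Pot: a small Python model of that evaluation that lets a student check, before deploying, which sources reach which ports. The admin prefix 198.51.100.7, the campus range 192.0.2.0/24 and the probe address 203.0.113.9 are constructed sample values.

```python
import ipaddress

# Constructed model of the post's three inbound NSG rules (same names, priorities,
# ports and actions as the `az network nsg rule create` commands above).
ADMIN_PORTS = (64294, 64297)


def make_rules(admin_prefix):
    """Return the rule set with the student's IP or CIDR substituted for IPADDRESS."""
    return [
        {"name": "AdminAccess1-tpot", "priority": 200, "source": admin_prefix,
         "ports": ADMIN_PORTS, "access": "Allow"},
        {"name": "BlockAdminPorts-tpot", "priority": 300, "source": "*",
         "ports": ADMIN_PORTS, "access": "Deny"},
        {"name": "AllowAllElse-tpot", "priority": 400, "source": "*",
         "ports": (0, 65535), "access": "Allow"},
    ]


def _source_matches(prefix, src_ip):
    """'*' matches anything; otherwise treat the prefix as a host address or CIDR."""
    if prefix == "*":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(prefix, strict=False)


def evaluate(rules, src_ip, dst_port):
    """Return (access, rule_name) for an inbound flow: first match in priority order.
    If nothing matches, Azure's built-in DenyAllInBound rule (priority 65500) applies."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        low, high = rule["ports"]
        if low <= dst_port <= high and _source_matches(rule["source"], src_ip):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"


def admin_ports_exposed(rules, admin_prefix, probe_ip="203.0.113.9"):
    """True if a source outside admin_prefix can reach any T-Pot admin port."""
    assert not _source_matches(admin_prefix, probe_ip), "probe must be a non-admin source"
    return any(evaluate(rules, probe_ip, p)[0] == "Allow"
               for p in range(ADMIN_PORTS[0], ADMIN_PORTS[1] + 1))


if __name__ == "__main__":
    rules = make_rules("198.51.100.7")
    for src, port in [("198.51.100.7", 64297), ("203.0.113.9", 64297), ("203.0.113.9", 22)]:
        print(src, port, evaluate(rules, src, port))
    print("admin ports reachable by strangers:", admin_ports_exposed(rules, "198.51.100.7"))
```

Swapping the Deny rule to a lower priority number than the Allow rule (say 100) locks out the admin address as well, which is the mistake the model makes visible before the VM is built.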