Hi there!
Today I’m going to walk you through how I set up my own honeypot lab hosted in the cloud using Microsoft Azure and T-Pot.
The goal of this lab was to gain hands-on experience with honeypots and to get more familiar with cloud infrastructure by hosting and managing a server in Azure.
Let’s dive in!
What is a Honeypot?
Before getting into the technical steps, let’s briefly go over what a honeypot is and why it’s important in cybersecurity.
A honeypot is a deliberately vulnerable or exposed server designed to attract attackers. It acts as digital “bait,” simulating a real system to lure malicious actors into interacting with it.
Once attackers attempt to exploit it, security professionals can monitor and analyze their behavior to learn about the tactics, techniques, and procedures (TTPs) they use. This data helps defenders strengthen real systems, detect attacks earlier, and understand evolving threats.
Honeypots can also waste attackers’ time and act as an early warning system when someone probes your network, alerting defenders before serious damage occurs.
Lab Prerequisites
- Azure account (a new account comes with $200 in free credits)
- PuTTY (the terminal emulator used to SSH into the VM)
- T-Pot: https://github.com/telekom-security/tpotce
Setting Up the Environment
After registering and logging into my Azure account, I went to the Virtual Machines tab and created a new VM.

1. Resource Group
I created a new resource group called Honeypot-Monitoring.
A resource group is a container that holds the related resources of a deployment, such as the virtual machine, its disk storage, network interface, and public IP, which makes managing them together much simpler.
2. Virtual Machine Configuration
I named the virtual machine Honeypot and selected the Ubuntu Server 24.04 LTS (x64 Gen2) image.

T-Pot requires a fair amount of resources, so I chose a VM size with 16 GiB of RAM and 256 GiB of storage, as recommended by the T-Pot documentation. Then, I set up credentials for SSH access to the admin account.

3. Networking
For the purpose of this lab, I created a new inbound rule allowing all inbound connections on all ports.

⚠️ Important: This is only safe for isolated lab environments. In real-world deployments, always restrict access to necessary ports and use firewalls or Network Security Groups (NSGs) to prevent unauthorized access.
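To make the warning above concrete, here is a small model of how Azure NSG inbound rules are evaluated (ascending priority, first match wins, implicit DenyAllInBound at the end), with the lab's allow-everything rule next to a tighter set that keeps the honeypot listeners open but only lets the admin host reach the management ports. This is an added example, not code from the original post or from T-Pot. The admin address is constructed; port 64297 is the web UI port from the post; port 64295 is the port T-Pot's documentation says the installer moves SSH to, which this post does not mention and is therefore an assumption here. Protocol matching is left out to keep the model short.

```python
"""Model of Azure NSG inbound rule evaluation (added example, not from the post).

Azure evaluates NSG rules in ascending priority order and stops at the first
match; if nothing matches, the default DenyAllInBound rule (priority 65500) applies.
Assumptions: 64297 = T-Pot web UI (from the post), 64295 = SSH after T-Pot's
installer moves it (from T-Pot's docs, not this post). Protocol is ignored.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass
class Rule:
    name: str
    priority: int          # lower number is evaluated first
    access: str            # "Allow" or "Deny"
    source: str            # CIDR prefix or "*" for Any
    dest_ports: List[str]  # e.g. ["22", "64295-64297", "*"]


def _port_matches(port: int, ranges: List[str]) -> bool:
    for r in ranges:
        if r == "*":
            return True
        if "-" in r:
            lo, hi = (int(x) for x in r.split("-"))
            if lo <= port <= hi:
                return True
        elif int(r) == port:
            return True
    return False


def _source_matches(src_ip: str, source: str) -> bool:
    return source == "*" or ip_address(src_ip) in ip_network(source, strict=False)


def evaluate(rules: List[Rule], src_ip: str, port: int) -> str:
    """Return "<access>:<rule name>" for the first matching rule, else the default deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _source_matches(src_ip, rule.source) and _port_matches(port, rule.dest_ports):
            return f"{rule.access}:{rule.name}"
    return "Deny:DenyAllInBound"  # Azure's default inbound rule at priority 65500


ADMIN_IP = "203.0.113.10"  # constructed admin address (TEST-NET-3 range)

# The rule the post describes: every port, from anywhere.
LAB_OPEN = [Rule("AllowAnyInbound", 100, "Allow", "*", ["*"])]

# Tighter set: management ports only from the admin host, everything else still
# open so the honeypot services keep receiving traffic.
LAB_RESTRICTED = [
    Rule("AllowAdminMgmt", 100, "Allow", f"{ADMIN_IP}/32", ["64295", "64297"]),
    Rule("DenyMgmtFromInternet", 110, "Deny", "*", ["64295", "64297"]),
    Rule("AllowHoneypotPorts", 200, "Allow", "*", ["*"]),
]


def compare(src_ip: str, port: int) -> Tuple[str, str]:
    """Evaluate the same connection under both rule sets."""
    return evaluate(LAB_OPEN, src_ip, port), evaluate(LAB_RESTRICTED, src_ip, port)


if __name__ == "__main__":
    # Constructed scanner address and a few ports of interest.
    for src, port in [(ADMIN_IP, 64297), ("198.51.100.7", 64297),
                      ("198.51.100.7", 22), ("198.51.100.7", 445)]:
        print(src, port, compare(src, port))
```

The point of the ordering is that the Deny rule for the management ports sits between the admin allow and the catch-all allow: put it after the catch-all (higher priority number) and it never fires.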
Connecting via PuTTY
Once the VM was created, I used PuTTY to connect remotely.
PuTTY is an open-source terminal emulator that supports protocols like SSH (secure remote access), Telnet, and Serial (for COM port devices like routers or switches).
I entered the VM’s public IP address and logged in with my admin credentials.


Installing T-Pot
After connecting to the VM, I updated the system packages using the commands:
sudo apt update
sudo apt upgrade
Then, I cloned the T-Pot repository:
git clone https://github.com/telekom-security/tpotce
cd tpotce
sudo ./install.sh
Halfway through the installation, T-Pot prompted me to choose a setup type.
I selected Hive, which includes a full suite of honeypot tools and dashboards.
The installer also asked for a web username and password, which are used to log in to the T-Pot monitoring interface.

After installation finished, I restarted the VM and my honeypot environment was ready to go!
Accessing the Honeypot
To access the T-Pot web interface, I opened my browser and went to:
https://<VM_Public_IP>:64297
(Your browser will warn about T-Pot's self-signed certificate. This is expected and acceptable for a lab.)
After entering my credentials, the T-Pot dashboard loaded successfully.

Let’s take a look at some of the tools it includes.
Attack Map
The Attack Map is a visual dashboard that displays incoming connections on a world map. Each dot represents an attack or probe, showing its source IP, location, and protocol.
I immediately noticed several connection attempts from different countries, one of them originating from the Netherlands.

By checking the IP on AbuseIPDB, I discovered it had been reported over 38,000 times for malicious activity such as scanning, brute-forcing, and malware distribution.
This confirmed that the honeypot was working correctly and attracting real attacks.
Elasticvue
Elasticvue is a web-based GUI for exploring data stored in Elasticsearch. It allows you to view and filter logs collected by the honeypot, such as:
- Source IPs
- Timestamps
- Ports and protocols
- Payloads
I used Elasticvue to check for suspicious login attempts. I found four failed logins targeting the “root” and “admin” accounts, using weak passwords like “1234” and “admin.”

The attacking IP had over 30,000 reports on AbuseIPDB, confirming it was a repeat offender.
Kibana
Kibana is another visualization tool used with Elasticsearch. It provides dashboards, charts, and maps to help you explore attack data in real time.
T-Pot includes multiple Kibana dashboards for different honeypots.
For example:
- Cowrie Dashboard — focuses on SSH brute-force attempts, usernames, passwords, and session logs.
- Dionaea Dashboard — lists malware samples, file hashes, and download URLs.
- Suricata Dashboard — displays IDS alerts and network anomalies.
I mainly used the T-Pot Dashboard, which summarizes data across all honeypots.
Some interesting findings included:
- Most common username and password attempts: root / 123456
- Top Suricata alert:
ET EXPLOIT [PTsecurity] DoublePulsar Backdoor installation communication

This specific alert appeared nearly 3,000 times. It relates to the DoublePulsar backdoor, the backdoor leaked by the Shadow Brokers and used in the WannaCry ransomware attacks.
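The failed-login hunt in the Elasticvue section and the top username/password finding above both come down to counting Cowrie login events. Here is an added example that does the same from Cowrie's JSON log directly; it is not code from the post or from T-Pot, and the log lines are constructed. The field names (eventid, username, password, src_ip) follow Cowrie's JSON output, so the script applies to a real cowrie.json as well; the file path would be your own.

```python
"""Summarise Cowrie login attempts from its JSON log (added example, not from the post).

Cowrie writes one JSON object per line; login attempts carry eventid
"cowrie.login.failed" or "cowrie.login.success" with username, password and src_ip.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample lines in Cowrie's JSON format (not real captures).
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","timestamp":"2024-05-01T10:00:00.000Z","session":"a1"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.7","timestamp":"2024-05-01T10:00:01.000Z","session":"a1"}
{"eventid":"cowrie.login.failed","username":"root","password":"1234","src_ip":"198.51.100.7","timestamp":"2024-05-01T10:00:02.000Z","session":"a1"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"198.51.100.7","timestamp":"2024-05-01T10:00:03.000Z","session":"a1"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.42","timestamp":"2024-05-01T10:05:00.000Z","session":"b2"}
{"eventid":"cowrie.login.success","username":"root","password":"123456","src_ip":"203.0.113.42","timestamp":"2024-05-01T10:05:01.000Z","session":"b2"}
this line is not json and must be skipped
"""

LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")


def parse_events(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON lines, skipping blank or malformed ones (rotation can truncate a line)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def login_summary(events: List[Dict]) -> Dict:
    """Count failed logins, most tried credential pairs, busiest sources and any successes."""
    attempts = [e for e in events if e.get("eventid") in LOGIN_EVENTS]
    creds = Counter((e.get("username"), e.get("password")) for e in attempts)
    by_ip = Counter(e.get("src_ip") for e in attempts)
    successes = [(e["src_ip"], e["username"], e["password"])
                 for e in attempts if e["eventid"] == "cowrie.login.success"]
    return {
        "failed": sum(1 for e in attempts if e["eventid"] == "cowrie.login.failed"),
        "top_credentials": creds.most_common(3),
        "top_sources": by_ip.most_common(3),
        "successes": successes,
    }


def summarise(text: str) -> Dict:
    return login_summary(parse_events(text.splitlines()))


if __name__ == "__main__":
    # Against a real install: open("/path/to/cowrie.json") and pass the lines instead.
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A "success" on Cowrie does not mean a real compromise, since the honeypot accepts the credentials on purpose; it marks the sessions whose follow-up commands are worth reading in the dashboards.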
Spiderfoot
Spiderfoot is an open-source OSINT automation tool that gathers intelligence about internet-facing assets (domains, IPs, emails, etc.). It runs hundreds of data collection modules and presents results in a web interface.
I created a new scan targeting one of the IP addresses that had attempted brute-force logins.
Once the scan finished, the results were eye-opening! Several other malicious IPs were in the same subnet, indicating a network of coordinated malicious hosts.
In the Correlations tab, Spiderfoot also showed a high-risk alert, confirming that this IP had a long history of abuse reports, such as spamming, port scanning, and brute-force attacks.

💡 Why OSINT matters:
Tools like Spiderfoot help correlate attack sources and uncover larger threat infrastructures. This kind of threat intelligence is invaluable for improving defenses and blacklisting malicious ranges.
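The "same subnet" observation from the Spiderfoot scan can be checked across every attacking address at once by grouping the source IPs into prefixes. This is an added example, not from the post or from Spiderfoot; the addresses are constructed from the documentation ranges, and the /24 grouping and the three-host threshold are choices for the example, not Spiderfoot's own correlation logic.

```python
"""Group attacking source IPs by network prefix to surface clusters (added example).

Input is any iterable of address strings, e.g. the src_ip values exported from
the honeypot logs; junk and IPv6 entries are skipped so a messy export still works.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# Constructed sample sources (documentation ranges, not real attackers).
SAMPLE_SOURCES = [
    "198.51.100.7", "198.51.100.23", "198.51.100.77", "198.51.100.200",
    "203.0.113.42", "203.0.113.43",
    "192.0.2.10",
    "not-an-ip",
]


def cluster_by_prefix(ips: Iterable[str], prefix_len: int = 24) -> Dict[str, List[str]]:
    """Map each covering network (e.g. 198.51.100.0/24) to the addresses seen in it."""
    clusters: Dict[str, List[str]] = defaultdict(list)
    for raw in ips:
        try:
            addr = ip_address(raw)
        except ValueError:
            continue  # skip malformed entries
        if addr.version != 4:
            continue  # keep the example to IPv4 prefixes
        net = ip_network(f"{addr}/{prefix_len}", strict=False)
        clusters[str(net)].append(str(addr))
    return dict(clusters)


def suspicious_ranges(ips: Iterable[str], prefix_len: int = 24, min_hosts: int = 3) -> List[str]:
    """Return prefixes with at least min_hosts distinct attacking addresses, largest first."""
    clusters = cluster_by_prefix(ips, prefix_len)
    ranked = sorted(clusters.items(), key=lambda kv: (-len(set(kv[1])), kv[0]))
    return [net for net, hosts in ranked if len(set(hosts)) >= min_hosts]


if __name__ == "__main__":
    for net, hosts in cluster_by_prefix(SAMPLE_SOURCES).items():
        print(net, len(hosts), hosts)
    print("ranges to review:", suspicious_ranges(SAMPLE_SOURCES))
```

A crowded /24 is a lead, not proof of coordination: bulk hosting providers and carrier NAT put many unrelated hosts in one prefix, so confirm a range with its abuse history before blocking it.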
Conclusion
From this project, I learned how to:
- Deploy and configure a cloud-based honeypot using Azure
- Install and manage T-Pot CE and its monitoring tools
- Analyze real-world attack data using Elasticvue, Kibana, and Spiderfoot
- Interpret IDS alerts and correlate malicious behavior using OSINT
This lab was an eye-opening experience that bridged theory and real-world security practice.
Thanks for reading!
If you found this helpful, feel free to share or comment.