It took just 12 seconds - Catching hackers with a honey pot!
Captions
12 seconds. That's how long it took a computer I directly exposed to the internet to get attacked. Within an hour the system experienced nearly 17,000 attacks, and within a 24-hour period the system logged nearly 263,000 different attacks. All those attacks were across a variety of ports, protocols and services, and I captured all that information with a honeypot. In this video I'm going to show you how to set up your own using T-Pot. Welcome, homelabbers and self-hosters, Rich here.

We all know the internet is a dangerous place. Any computer directly exposed to the internet without a firewall is at extreme risk of compromise, but few users understand exactly how dangerous it really is. The idea for this video was born from another video I was working on regarding firewall security, and when I came across the T-Pot honeypot project I just had to show it to you guys. But what is a honeypot anyway? In simple terms, a honeypot is a system used to trap or deceive hackers and malicious actors. It works like a digital trap that appears as a tempting target, such as a vulnerable computer or network, but is actually designed to monitor and gather information about the activities of the attackers. Honeypots are key components of cybersecurity research and provide valuable information about what techniques the bad guys around the world are using to hack into real systems. That information helps companies and businesses create processes, software and tools to mitigate those attacks and keep everyone safe. And the super cool part is you can set up your own honeypot at home in your home lab as well.

Let's talk about T-Pot CE and why I decided to use it. While I was searching for a honeypot to host and begin collecting data, I quickly discovered that there are a ton of different open source honeypot projects out there, which makes a lot of sense: there are honeypots for practically every conceivable network service, protocol and system in use today. I began to quickly realize that what I needed was a project that included as many different honeypot projects as possible in a single deployable package, and preferably something that had a friendly user interface and analytics. And that's when I discovered T-Pot CE. T-Pot CE is the answer to all of my needs. From the website, T-Pot CE is described as "the all-in-one, optionally distributed, multi-arch honeypot platform, supporting 20+ honeypots and countless visualization options using the ELK stack, animated live attack maps and lots of security tools to further improve the deception experience." T-Pot CE provides all the things you'd want in a single appliance-like system, and the visualizations it creates are impressive, like show-your-boss-at-work levels of impressive.

Check this out. This is the live map visualization feature that shows you in real time all of the attacks against the 20+ different honeypots hosted in it. Each dot that appears on the world map is an attacker reaching out to attack my honeypot. Down below we have a live-updating, color-coded table of the protocols and services, the source IP addresses and countries that the attacks are coming from, and the honeypots being attacked. I could stare at this thing for hours watching the little attack lines zip back and forth; it's absolutely stunning. I am a huge data visualization nerd, and T-Pot has some incredibly well-crafted Kibana dashboards built in to visualize all the different data coming into the different honeypots. Check this out: T-Pot has 27 different pre-built Kibana dashboards that provide an incredible amount of information from the different honeypots running on the system. There are literally too many dashboards to walk through, so I'm going to show you a few of my favorites to give you an idea of what information is collected and displayed.

Let's swing over to the Cowrie dashboard. Cowrie is a honeypot specific to trapping SSH and Telnet attempts. The Cowrie dashboard shows you baseline stuff like where an attacker came from, what their IP address was, a visual map of their geolocation in the world, and then really digs in on fascinating details like what the remote side reported its client was and unique detection fingerprints like the HASSH. Further down we get two awesome word clouds of the most commonly attempted usernames and passwords. Looks like "123456" and "password" are still big targets. And then the thing that really blows me away is a list of the commands executed when the attacker logged in. This is just a top 10 list, but if you want to dig in deep, all of this is stored in the Logstash instance in T-Pot if you're interested.

Suricata is an open source intrusion detection system and intrusion prevention system. While not a honeypot itself, T-Pot pipes the data consumed from the different honeypots into Suricata for threat detection. The Suricata dashboard is just incredible. Like the Cowrie dashboard and others, at the top you get the basic information about where the attackers came from, event quantities and histograms, but then you get into really meaty details like alert categories, destination ports and country histograms (hey Ukraine, we're on your side, knock it off), and further down we get more details about alert signatures that were triggered, all of which have clickable links to the Suricata forums for you to research if you're interested, and below that, known CVEs used in attacks. Every dashboard is built to show you things at a high level, but the system collects a ton of information. As an example, let's drill down into some of this data. Let's dig into the alert category and choose "attempted administrative privilege gain". On the right side of the category we'll click the three-dot ellipsis and select "filter for value", and instantly we can see all the attacks of this alert type. At the bottom we can see the Suricata alert signatures. See those Mirai entries? Mirai is a malware that infects smart devices like IP cameras, home routers and other IoT devices and turns them into zombie devices that participate in a massive botnet. Amazing.

Before I walk you through setting up your own T-Pot CE instance, let's talk about the project and give credit where credit is due. The T-Pot project is an open source project maintained by Telekom Security, a division of Deutsche Telekom, one of the world's leading integrated telecommunications companies, with some 245 million mobile customers, 25 million fixed network lines and 21 million broadband lines in service. As you can expect, this is a company that takes security seriously. They've been working on this honeypot project since 2015, and the maturity of it shows. T-Pot CE can be deployed as an appliance on a virtual machine, standalone hardware or in the cloud, and is currently built on top of Debian 11. The team is also working on an official Docker-only deployable stack that would allow you to bring your own OS of choice; it's in testing now and not generally available, but they do walk you through testing it if you absolutely must run T-Pot on another OS instead. Minimum requirements are reasonable and depend on your deployment needs: for the fully deployed project you'll need 8 to 16 gigabytes of RAM, at least 120 gigabytes of storage space and, of course, unfiltered direct access to the internet. The project website goes into deep detail on all of the honeypots, including their function and purpose, and also goes into detail about the other security tools and features included. The project is actively being updated and maintained. In fact, I ran into an issue and posted about it on their GitHub page, and no kidding, within a day they had resolved the issue and pushed an update, and since everything is Docker based, all I needed to do was run one of the update scripts and the fix was live on my system. So what's the catch here? Something this nice feels like it should cost money, and surprisingly there is no catch. The entire project is all about learning, protecting and understanding the threats on the internet. By default the project ships its logs to Telekom Security to add to their global honeypot network, which I think is fair for all the work and effort they've poured into this, but if you're not down to share it, they provide instructions on how to disable that sharing as well.

By this point I'm sure I've sold you on T-Pot CE, so let's walk through getting it installed. Your first stop is to swing over to the T-Pot CE GitHub page and download the ISO file for your architecture. We're going to be running T-Pot CE on x86 hardware, so we'll download the T-Pot AMD64 ISO. The entire ISO is only 46 megabytes. T-Pot CE can be deployed on physical hardware or a virtual machine; what you choose is going to depend on your home lab, your network configuration and your level of comfort with risk, and that last part is really important. If you're running in a virtualized environment, it's up to you to make sure your virtual switches and your management interfaces are configured in a way that you're not risking exposure of your hypervisor to the internet, and it's for that reason we're going to show you how to set up T-Pot CE on a single physical PC rather than walking you through creating this as a virtual machine.

Now that we've got our ISO, we need to write it to a USB stick so we can install it on our hardware. We use Rufus for all of our ISO-to-USB needs, so you can grab a copy of Rufus from the link below. Anyway, Rufus is up and running, we've inserted our USB stick into our PC, and we'll click Select to select our freshly downloaded ISO, select it from our file system and click Open. Now we'll click Start below, say OK to the "write in ISO mode" prompt, say OK to the warning on data wiping, and away it goes. The boot stick process shouldn't take too long to complete and will depend on your hardware. All done.

Let's get T-Pot CE installed. We'll be installing T-Pot CE onto this little Lenovo right here. It's running a modest 8th generation Intel Core i7 8700 CPU running at 3.2 gigahertz; the box also has 64 gigabytes of RAM, and that's totally overkill, 16 gigs is the max you need for T-Pot, and the box also has a 500 gigabyte NVMe disk. As I mentioned earlier, the system needs to be connected directly to the internet with no firewalling or filtering in front of it. You can build your T-Pot instance behind your firewall and then move it to the internet if you'd like; we'll be installing T-Pot CE while the host is directly connected to the internet via a one gig Ethernet connection. Once booted off the USB stick we'll be greeted by the GRUB bootloader, and we'll select T-Pot 22.04.0 and hit Enter. The first screen is the location selection screen; we're in the US, so we'll choose United States. The next screen is all about keyboard layout: find your keyboard layout and press Enter. T-Pot CE uses the Debian 11 netinstall image, which is light on drivers, so if you're greeted with a message like this asking if you want to load drivers for a NIC it doesn't have support for, you can do so. Our test box has multiple NICs in it and we're missing drivers for the 10 gig card; thankfully we're not using that card, so we'll select No and press Enter. The next few screens are the Debian installer attempting to activate the NICs and obtain an IP address. Alright, now we need to select the closest mirror to download more of the Debian 11 OS for T-Pot. We want to see the list of mirrors for the US because that's where we are, so we'll leave it on United States and press Enter. Now we're presented with a list of Debian mirrors to grab the OS from. The default is deb.debian.org; if you know of a mirror closer to you, navigate to and select it, but we'll stick with the default here and hit Enter. We don't have an HTTP proxy, and I doubt you do either, so just hit Enter and away it goes. The system will download a few necessary files off the internet, automatically partition and format your hard drive, and reboot when complete. After the reboot the system will continue with the second half of the install process. This will take a while to complete as well, so be patient and allow it to finish.

Alright, this screen is where we get to choose which edition of T-Pot CE we want to install. There are quite a few different options, Standard being the full deployment with all the bells and whistles, which is the one we want because we want everything. If you're interested in other editions, I encourage you to read more about them and their focus on T-Pot's GitHub site. Let's hit Enter and kick this off. Now we need to set the password for the tsec account. tsec is your one and only user on the OS; when you interact with your T-Pot in an administrative capacity, you'll be using the tsec user. Enter the password and hit Enter, and do it again to confirm. Next we need to create a user for the web interface. This user is only for accessing the T-Pot website's maps, Kibana dashboards and other security tools. You can use anything you'd like for the username; we'll be using the username "T-Pot CE", so we'll enter that and press Enter, then we'll confirm that yes, we want T-Pot CE as our username. Now we'll create a password just for our newly minted web user, and do it again to confirm and hit Enter. Alright, now T-Pot is installing on the host. During this process the installer will download and install Docker, pull in all the necessary supporting packages on the OS, and execute the creation of the Docker containers, network configurations and so on for the system. Again, this can take a while depending on your hardware, your connection to the internet and so on. It took us about eight full minutes to complete the installation, and the system will reboot after it's completed. After reboot we'll be presented with a console screen giving us the links to access our T-Pot CE installation and begin seeing all the attacks and attempts happening to your system right now.

Let's head over to the web interface and have a quick look around. Once you head over to the website for your new T-Pot CE instance and log in with the user you created for the website, you'll be greeted by the T-Pot landing page. From here you can start digging into the data coming in. I've already shown you the attack map and some of the Kibana dashboards. Cockpit is the administrative interface you can use to manage your system; you'll need the tsec user and the password you set for that account to log in there. CyberChef is a useful tool for analyzing, converting and decoding data of different types easily. There are around 200 different operations in CyberChef you can use, from converting date and time to decompressing gzip data or parsing an X.509 certificate; it's a useful tool for interpreting some of the information you'll be collecting in your honeypots. Elasticvue is a user interface to dig into the raw data collected from your honeypots; if you want to search for a specific bit of data, you'll use Elasticvue to get at that data stored in Logstash in T-Pot. And lastly, SpiderFoot is a footprinting and discovery tool that allows you to run deep searches into IP addresses, websites and domains. Its footprinting tools allow you to learn everything you can that's publicly available about your search query, another fantastic security tool. And that really is all there is to the entire thing, and I can just sit back and watch all those attacks come rolling in.

This is a good time to talk about the security of your home network. Regardless of whether you're a homelabber, a self-hoster, or you just have a simple ASUS router running at home, it's important to have something between your home network and the internet. We're big fans of pfSense as a firewall for protecting against all the bad guys on the net, and we've made quite a few videos around building and setting up your own pfSense firewall. No matter what you choose, make sure you're using a modern firewall and make sure it's updated regularly with firmware updates or patches. Unfortunately there's no such thing as a one-and-done solution for protecting your home network, so make sure you check for updates for your firewall often and get them installed as soon as you can. And as always, consider joining our Discord community if you have any questions about network design or firewall configurations or anything home lab or self-hosting related; we're always happy to help.

And that, friends, will do it for this video. If you liked it, throw us a thumbs up and a sub, and if you have a beef with anything I've said, please leave it in the comments below. Special thank you to our YouTube subscribers for supporting what we do on the channel, you guys are awesome. If you'd like to support us, check out our YouTube memberships or buy some swag right here; all of it helps us keep making videos. And after you finish watching this video, how about checking out this playlist over here of other great home lab and self-hosting videos we've done in the past? If you're looking to get into virtualization, home labs or self-hosting, we can help.
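The Cowrie dashboard the video walks through (top attempted usernames and passwords, commands typed after login) and the "12 seconds to first attack" figure it opens with both come down to counting events in Cowrie's JSON log. Here is an added example, not code from the video or the T-Pot project, that does that counting over constructed sample log lines: the field names follow Cowrie's JSON log format, the boot timestamp is an assumption, and malformed lines are skipped rather than aborting the run.

```python
"""Summarise Cowrie honeypot JSON logs the way T-Pot's Cowrie dashboard does.
Added example, not the video's or T-Pot's code. Field names (eventid, src_ip,
username, password, input, timestamp) follow Cowrie's JSON log format; the log
lines and the boot time below are constructed sample data."""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of cowrie.json lines (not real attacker data).
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"a1","timestamp":"2023-06-01T12:00:12.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","username":"root","password":"123456","session":"a1","timestamp":"2023-06-01T12:00:13.000000Z"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.7","username":"root","password":"password","session":"a1","timestamp":"2023-06-01T12:00:14.000000Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","input":"uname -a","session":"a1","timestamp":"2023-06-01T12:00:15.000000Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","input":"cat /proc/cpuinfo","session":"a1","timestamp":"2023-06-01T12:00:16.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.23","session":"b2","timestamp":"2023-06-01T12:03:40.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.23","username":"admin","password":"123456","session":"b2","timestamp":"2023-06-01T12:03:41.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.23","username":"root","password":"admin","session":"b2","timestamp":"2023-06-01T12:03:42.000000Z"}
not json at all
"""
BOOT_TIME = datetime(2023, 6, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed

def parse_events(text):
    """Yield parsed Cowrie events, skipping lines that are not valid JSON objects."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and "eventid" in ev:
            yield ev

def summarise(text, boot_time=BOOT_TIME):
    """Return the stats the Cowrie dashboard shows: top usernames, passwords and
    commands, number of distinct attacker IPs, and seconds from boot to first connect."""
    users, passwords, commands, ips = Counter(), Counter(), Counter(), set()
    first_connect = None
    for ev in parse_events(text):
        ips.add(ev.get("src_ip"))
        eid = ev["eventid"]
        if eid.startswith("cowrie.login."):        # both failed and successful attempts
            users[ev["username"]] += 1
            passwords[ev["password"]] += 1
        elif eid == "cowrie.command.input":        # commands typed after login
            commands[ev["input"]] += 1
        elif eid == "cowrie.session.connect":      # earliest connect = first attack
            ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
            if first_connect is None or ts < first_connect:
                first_connect = ts
    secs = None if first_connect is None else (first_connect - boot_time).total_seconds()
    return {"top_users": users.most_common(3), "top_passwords": passwords.most_common(3),
            "top_commands": commands.most_common(3), "attacker_ips": len(ips),
            "seconds_to_first_attack": secs}
```

Point it at a real `cowrie.json` pulled out of the T-Pot data directory and the same counters reproduce the dashboard's word clouds and top-10 command list offline.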
Info
Channel: 2GuysTek
Views: 10,133
Keywords: How dangerous is the Internet, Honey pot, t-pot honeypot, hacker, hacking, You need a firewall, T-pot CE, t-pot install, How to install T-pot, How to setup a honey pot, how to create a honeypot, How to create a honey pot, t-pot honeypot install, do you need a firewall, how to setup a honeypot server, Telekom T-pot, Telekom tpot, T-pot Community Edition, t-pot honeypot github, ethical hacking, honeypot, cybersecurity, cyber security, honeypot cyber security, ssh honeypot
Id: ZqLOqiMsSec
Length: 14min 41sec (881 seconds)
Published: Wed Jun 07 2023