Learning from the failures of last year, I changed several tactics in my approach. If I wanted to document more, I needed to make documenting easy, so I did.
I decided to track my notes using the note feature of Proton Pass (don't worry, no sponsored content coming).
Remembering the $700 Microsoft Azure invoice from 2022, I thought: it's just a project, and it's not like you're getting funding for this, so use some second-rate IaaS service.
So after I made my Contabo account (show me the lie 😒), I began what turned out to be a disaster of a build.
After the build on Contabo's virtual private server failed for the last time, just before my final nerve snapped, I realized that I had spent 6 hours on what took me 20 minutes the year prior. Like any security professional with other things to do with the rest of their life, I went back to Azure and had the honeypot live inside of 2 hours.
The next day, remembering the honey-sniping attack of 2022 (targeting a honeypot with various resource-denial methods), I shut down some of the ports related to Conpot. This was done to make the server look more realistic: Conpot replicates the behavior of ICS and SCADA systems, which are hardware-based, while my honeypot can't help but reveal that it is a VM. The drawback of using Azure is that the public IP is listed as a Microsoft datacenter for web hosting, a.k.a. the cloud, a.k.a. you are hitting a VM.
Here is where I settled:
The build logs and notes are below; shoot me an email (akyl.phillips@mogulsuccess.com) if you need me to decipher the stone carvings:
(20230826)
14:57- Purchased Contabo VM
15:07- Received VPS Login
16:02- generated new root pw: **REDACTED**
16:03- PW Reset Test Status: Started
16:04- PW Reset Test Status: Successful
16:05-16:24- Standard Install:
git clone https://github.com/telekom-security/tpotce
cd tpotce/iso/installer/
./install.sh --type=user
webuser:**REDACTED**
webpw: **REDACTED**
16:25- Script disabled root access to SSH
16:32- TPOT Management Console accessed after another restart
16:44- Installation Successful, however logins fail, attempting pw reset:**REDACTED**
16:45- PW Reset Reported Successful By Contabo
16:46- Restart Initiated
16:48- Restart Complete
16:50-16:54 Server Reset (Initiated:Completed)
16:56- [root@vmi1440858:~# history
    1  history
    2  apt update
    3  apt upgrade
    4  history]
16:57- apt install git
16:58 : git clone https://github.com/telekom-security/tpotce
16:59- cd tpotce/iso/installer/
17:00- ./install.sh --type=user
webusr- **REDACTED**
webpw- **REDACTED**
17:05-17:08 TPOT Installation Started : Complete
17:17- Restarting install with the following comment in mind: {Cockpit and SSH are accessed by the user when you set up your machine. If you only had a root user to begin with then any login on Cockpit and SSH will fail for security reasons. You have to create another user locally on your machine then and add this user to the sudo group in /etc/group.
Also, you probably hit the authentication limit of fail2ban. Review the status of the jails with fail2ban-client status and by adding the <jail name> you can check if a ban is currently active. With fail2ban-client unban --all you unban all blocked IPs again.} - GitHub tech note. Follow the same step in the next entry at new-user creation for mgladmin.
17:24- [Cmds:
1. apt update
2. apt upgrade
3. apt install git
4. git clone https://github.com/telekom-security/tpotce
5. cd tpotce/iso/installer
6. ./install.sh --type=user
7. y (to continue and let the script handle the setup for basic/commonly used protocols)
8. Select "Standard" in the T-POT Installer Wizard
9. Type in the name of the user
10. Type in the PW and repeat]
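The GitHub note above (create a local non-root user, put it in the sudo group, then check whether fail2ban is what is blocking the login) is easy to script. This is an added example, not code from the original post or from the T-Pot project; it runs in dry-run mode by default so the privileged commands are only printed, and the fail2ban-client output it parses is a constructed sample. The username mgladmin is the one used in the log; the sample IPs are documentation addresses.

```shell
#!/bin/sh
# Added example (not part of the original post or the T-Pot project): create the
# non-root sudo user the T-Pot install note calls for, then inspect fail2ban.
# DRY_RUN=1 (the default here) only prints the privileged commands instead of
# running them, so the script can be read and tested without root.

DRY_RUN="${DRY_RUN:-1}"

# Run a command, or just echo it when DRY_RUN is set.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Accept only plain lowercase POSIX user names; the T-Pot wizard and Cockpit
# expect an ordinary local account.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Create the user with a home directory, add it to the sudo group (the
# /etc/group membership the note refers to), then set its password.
create_admin_user() {
    name="$1"
    valid_username "$name" || { echo "invalid username: $name" >&2; return 1; }
    run_cmd useradd -m -s /bin/bash "$name"
    run_cmd usermod -aG sudo "$name"
    run_cmd passwd "$name"
}

# Parse the text that `fail2ban-client status <jail>` prints and emit the
# banned IP list, one per line. Works on a captured copy of the output, so it
# can be exercised offline.
banned_ips_from_status() {
    awk -F':' '/Banned IP list/ { n = split($2, ips, " "); for (i = 1; i <= n; i++) print ips[i] }'
}

# Constructed sample of fail2ban-client output (not captured from a real host).
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     17
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     5
   `- Banned IP list:   198.51.100.23 203.0.113.7'

# Query the jail live when not in dry-run mode and fail2ban is installed;
# otherwise fall back to the constructed sample.
list_banned() {
    jail="${1:-sshd}"
    if [ "$DRY_RUN" != "1" ] && command -v fail2ban-client >/dev/null 2>&1; then
        fail2ban-client status "$jail" | banned_ips_from_status
    else
        printf '%s\n' "$SAMPLE_STATUS" | banned_ips_from_status
    fi
}

create_admin_user mgladmin
list_banned sshd
```

Run it as root with DRY_RUN=0 to actually create the account; if your own address shows up in the banned list, `fail2ban-client unban --all` (from the note above) clears it, and the new user rather than root is what you then log into Cockpit and SSH with.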
17:45- T-POT Installation W/privilegeduser Complete
17:48- (https://154.53.63.139:64294/) accessed
17:49- PrivUser used to access Debian Admin Mgmt GUI (/lib/systemd/system/networking.service failed to start)
17:56- [TS] [Logs] systemd
networking.service: Failed with result 'exit-code'.
CODE_FILE src/core/unit.c
CODE_FUNC unit_log_failure
CODE_LINE 6099
INVOCATION_ID 4940dd687b9b46269429f7b8b8ea08ce
MESSAGE_ID d9b373ed55a64feb8242e02dbe79a49c
PRIORITY 4
SYSLOG_FACILITY 3
SYSLOG_IDENTIFIER systemd
TID 1
UNIT networking.service
UNIT_RESULT exit-code
_BOOT_ID 6d5849fae32348ce811144fb899fd3c5
_CAP_EFFECTIVE 1ffffffffff
_CMDLINE /sbin/init
_COMM systemd
_EXE /usr/lib/systemd/systemd
_GID 0
_HOSTNAME seniorpocketbook
_MACHINE_ID 9608359ded2fb1d447a4ad7564ea96e3
_PID 1
_SELINUX_CONTEXT unconfined
_SOURCE_REALTIME_TIMESTAMP 1693097735812150
_SYSTEMD_CGROUP /init.scope
_SYSTEMD_SLICE -.slice
_SYSTEMD_UNIT init.scope
_TRANSPORT journal
_UID 0
__CURSOR s=9d050f13089a4970ba36648c5f2a32a4;i=2e48;b=6d5849fae32348ce811144fb899fd3c5;m=221e8075;t=603dd091cf844;x=545bb252ab5009
__MONOTONIC_TIMESTAMP 572424309
__REALTIME_TIMESTAMP 1693097735813188
[END]
Scrapped (Know when the juice isn't worth the squeeze and change directions)
19:20- Migrating Honeypot Infrastructure to Azure (ServerName: dictation591, in Azure US West 3, Arizona) https://www.datacenterdynamics.com/en/news/microsoft-launches-new-west-us-3-azure-region-in-arizona/ [E Series Standard_E8s_v3 - 8 vCPUs, 64 GiB Mem, $367.92/month 😒 skin in the game]
19:29- Generate new PW
**REDACTED**:**REDACTED**
19:31- Azure Create a VM -> [✔️] for "Delete public IP and NIC when VM is deleted" *Easy clean up*
19:40- Login to Azure VM (20.168.8.13) via SSH
19:45- CMDs:
1 sudo apt update
2 sudo apt upgrade
3 sudo apt install git
4 sudo git clone https://github.com/telekom-security/tpotce
5 cd tpotce/iso/installer/
6 history
-> sudo ./install.sh --type=user (TPOT install initiated)
19:47- Web User:**REDACTED**
WebPass:**REDACTED**
19:55 Azure T-POT Build Complete
Opening NSG with scoped-in/granular IPv4 for the T-Pot admin ports (64294 HTTPS, 64295 SSH, 64297 Tools)
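Scoping the three admin ports to one source address is the step that keeps the management side of the honeypot off the same open internet the sensors face. The script below is an added example, not the post's own commands or Azure's documentation: it validates the admin IPv4 (a /32, or at most a /24) and prints one `az network nsg rule create` per admin port with that source. The resource group and NSG names are placeholders, and 203.0.113.10 is a constructed documentation address; nothing is executed unless APPLY=1 and the az CLI is installed.

```shell
#!/bin/sh
# Added example (not part of the original post): emit the Azure CLI commands
# that restrict the three T-Pot admin ports to one admin IPv4 source instead
# of 0.0.0.0/0. Resource group and NSG names are placeholders; adjust them.

APPLY="${APPLY:-0}"
RESOURCE_GROUP="${RESOURCE_GROUP:-tpot-rg}"      # placeholder
NSG_NAME="${NSG_NAME:-tpot-nsg}"                 # placeholder

# Admin-only ports from the T-Pot defaults named in the post.
ADMIN_PORTS="64294 64295 64297"

# Accept a single IPv4 host (treated as /32) or a prefix of /24 or longer;
# a broad range defeats the point of scoping the admin interface.
valid_admin_cidr() {
    cidr="$1"
    case "$cidr" in
        */*) ip="${cidr%/*}"; prefix="${cidr#*/}" ;;
        *)   ip="$cidr"; prefix=32 ;;
    esac
    printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$ip" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    [ "$prefix" -ge 24 ] && [ "$prefix" -le 32 ]
}

# Print one `az network nsg rule create` command per admin port, with the
# source restricted to the validated CIDR. Priorities 100, 110, 120.
nsg_admin_rules() {
    src="$1"
    valid_admin_cidr "$src" || { echo "refusing broad or malformed source: $src" >&2; return 1; }
    case "$src" in */*) ;; *) src="$src/32" ;; esac
    prio=100
    for port in $ADMIN_PORTS; do
        printf 'az network nsg rule create --resource-group %s --nsg-name %s --name allow-admin-%s --priority %s --direction Inbound --access Allow --protocol Tcp --source-address-prefixes %s --destination-port-ranges %s\n' \
            "$RESOURCE_GROUP" "$NSG_NAME" "$port" "$prio" "$src" "$port"
        prio=$((prio + 10))
    done
}

# Number of rules produced, as a quick sanity check.
nsg_rule_count() {
    nsg_admin_rules "$1" | wc -l | tr -d ' '
}

if [ "$APPLY" = "1" ] && command -v az >/dev/null 2>&1; then
    nsg_admin_rules "${ADMIN_CIDR:?set ADMIN_CIDR to your admin IPv4}" | sh -x
else
    nsg_admin_rules "${ADMIN_CIDR:-203.0.113.10}"   # constructed documentation address
fi
```

The sensor ports (the long list opened later in the log) stay on their own wide-open rules; only the management ports get the source restriction, which is what "scoped-in" means here. If your admin address changes (home connection, VPN exit), rerun with the new ADMIN_CIDR rather than widening the prefix.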
20:19- **REDACTED**:server (Note Azure is in UTC time)
20:31-20:41 T-Pot Install Initiated:Completed and Verified (No Errors)
20:42- combinedspacing:hostname IP: 20.168.2.111
21:00- Rebuild initiated due to 2fa.sh script (make backup user)
Made with backup usr mglcortext
TPOT USR: **REDACTED**
21:37- 2023 Honey Pot Deployment ✅
22:00- 5555,5000,8443,23,53,11112,21,42,135,445,993,995,1080,3306,8081,143,110,389,1433,1521,5432,5900,6379,8080,9200,11211,123,631,25565,2575,5060 - Open
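With a port list this long, it is worth checking that what the host actually listens on matches what you intended to expose, both right after the build and again after shutting ports (as with the Conpot ports the next morning). The script below is an added example, not part of the original post or of T-Pot: it normalises the intended list from the log and compares it with `ss -ltn` style output. The `ss` output here is a constructed sample, not captured from the honeypot; it includes 502 (a Modbus port of the kind Conpot serves) and 64295 (the T-Pot admin SSH port) so the diff has something to flag.

```shell
#!/bin/sh
# Added example (not part of the original post): compare the ports a host
# listens on with the list the honeypot is meant to expose, so a forgotten
# service or a port that was supposed to be shut stands out.

# Intended exposure, taken from the build log.
INTENDED_PORTS='5555,5000,8443,23,53,11112,21,42,135,445,993,995,1080,3306,8081,143,110,389,1433,1521,5432,5900,6379,8080,9200,11211,123,631,25565,2575,5060'

# Normalise a comma-separated port list: drop empties and duplicates, sort numerically.
normalize_ports() {
    printf '%s' "$1" | tr ',' '\n' | grep -E '^[0-9]+$' | sort -n -u
}

# Pull the local port out of `ss -ltn` lines (address:port in column 4),
# handling both IPv4 (0.0.0.0:23) and IPv6 ([::]:23, *:23) forms.
listening_ports() {
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | grep -E '^[0-9]+$' | sort -n -u
}

# Constructed sample of `ss -ltn` output (not captured from the honeypot).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:23          0.0.0.0:*
LISTEN  0       128     0.0.0.0:445         0.0.0.0:*
LISTEN  0       128     0.0.0.0:502         0.0.0.0:*
LISTEN  0       128     [::]:3306           [::]:*
LISTEN  0       128     *:64295             *:*'

# Listening ports that are not in the intended list (e.g. 502 and 64295 above).
unexpected_ports() {
    intended=$(normalize_ports "$INTENDED_PORTS")
    printf '%s\n' "$1" | listening_ports | grep -vxF "$intended" || true
}

# Intended ports that nothing is listening on (sensor not running, or not yet up).
missing_ports() {
    listening=$(printf '%s\n' "$1" | listening_ports)
    normalize_ports "$INTENDED_PORTS" | grep -vxF "$listening" || true
}

# Use the live socket table when ss is available, otherwise the sample.
if command -v ss >/dev/null 2>&1; then
    SS_TEXT=$(ss -ltn)
else
    SS_TEXT="$SAMPLE_SS"
fi
echo "unexpected (listening but not intended):"; unexpected_ports "$SS_TEXT"
echo "missing (intended but not listening):";     missing_ports "$SS_TEXT"
```

On the honeypot itself the "unexpected" list should be empty apart from the admin ports, which belong on the NSG-scoped management side rather than in the sensor list; anything else there is a port you meant to shut or a service you did not know was running.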
(20230827)
06:30- Conpot Ports Shut (HoneyPot Optimization Effort)