Honeypot Deployment - Google Cloud
Real-world attacker behaviour analysis via T-Pot on GCP
Overview
Methodology
Infrastructure Setup
Provisioned a GCP e2-standard-4 VM running Ubuntu 22.04. Deployed T-Pot via Docker Compose, bringing up 20+ honeypot services including Cowrie (SSH/Telnet), Dionaea (malware capture), Conpot (ICS/SCADA), and Elasticpot.
Security Hardening
Configured GCP firewall rules to expose only honeypot ports externally while restricting management access to a specific IP. Implemented iptables rules and SSH hardening (key-only auth, non-standard management port) to prevent honeypot escape.
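The exposure split described above (honeypot ports open to the internet, the management port reachable only from one admin address) is easy to get wrong by hand, so here it is expressed as data and checked before it is rendered into commands. This is an added example, not code from the write-up or from T-Pot; the network name, target tag, admin CIDR, management port 64295 and the honeypot port list are assumed values, and only the gcloud flags are real.

```python
# Added example (not the project's own code): describe the GCP ingress policy for
# a T-Pot host as data, validate it, and render the gcloud commands.
# Network name, target tag, admin CIDR and port numbers below are assumptions.

from dataclasses import dataclass
from ipaddress import ip_network

ANY = "0.0.0.0/0"


@dataclass
class Rule:
    name: str
    ports: list           # TCP ports the rule opens
    source_ranges: list   # CIDRs allowed to reach them
    priority: int = 1000  # lower number wins in GCP


def honeypot_policy(honeypot_ports, mgmt_port, admin_cidr):
    """Two rules: honeypot ports reachable from anywhere, the management port
    reachable only from the admin CIDR. Refuses contradictory input."""
    for p in list(honeypot_ports) + [mgmt_port]:
        if not 1 <= int(p) <= 65535:
            raise ValueError(f"bad port {p}")
    if mgmt_port in honeypot_ports:
        raise ValueError("management port must not overlap honeypot ports")
    # ip_network() rejects malformed CIDRs and host bits set under the mask;
    # a management source wider than a /24 is treated as a mistake.
    if ip_network(admin_cidr).num_addresses > 256:
        raise ValueError("management source range is too broad")
    return [
        Rule("tpot-honeypot-ingress", sorted(set(honeypot_ports)), [ANY]),
        Rule("tpot-mgmt-ingress", [mgmt_port], [admin_cidr], priority=900),
    ]


def world_reachable_ports(rules):
    """Every port some rule opens to the whole internet. The management port
    must never appear in this set."""
    return {p for r in rules if ANY in r.source_ranges for p in r.ports}


def gcloud_commands(rules, network="tpot-net", target_tag="tpot"):
    """Render each rule as a gcloud command (assumed network and tag names)."""
    cmds = []
    for r in rules:
        allow = ",".join(f"tcp:{p}" for p in r.ports)
        cmds.append(
            f"gcloud compute firewall-rules create {r.name} --network={network} "
            f"--direction=INGRESS --allow={allow} "
            f"--source-ranges={','.join(r.source_ranges)} "
            f"--target-tags={target_tag} --priority={r.priority}")
    return cmds


if __name__ == "__main__":
    # Ports taken from the findings; a full T-Pot deployment exposes many more.
    HONEYPOT_PORTS = [22, 23, 80, 8080, 5900]
    policy = honeypot_policy(HONEYPOT_PORTS, 64295, "203.0.113.10/32")
    assert 64295 not in world_reachable_ports(policy)
    print("\n".join(gcloud_commands(policy)))
```

The rules only apply to instances carrying the `--target-tags` value, so the VM must be created or updated with that tag. On GCP's pre-created `default` network the `default-allow-ssh` rule already opens port 22 to the whole internet; since port 22 belongs to Cowrie here, that is harmless for the honeypot, but it is one reason to keep the real sshd on a port that no world-reachable rule covers and to prefer a purpose-built network.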
Traffic Monitoring
Used T-Pot's integrated ELK stack to visualise attack patterns in real time. Created custom Kibana dashboards for geographic source mapping, top attacked ports, and credential spray patterns.
Threat Analysis
Analysed collected logs over a 4-week period. Documented attacker TTPs mapped to MITRE ATT&CK, extracted malware samples captured by Dionaea, and identified common credential combinations used in automated spray attacks.
Findings
SSH Credential Spraying
Over 50,000 SSH login attempts recorded within the first 24 hours. Top credentials: root/root, admin/admin, pi/raspberry.
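The log analysis in the methodology and the credential-spraying finding above both come down to the same processing of Cowrie's JSON log: count credential pairs and sources, and decide which sources are automated sprayers. Here is that processing as an added example, not code from the write-up or from Cowrie. The log lines are constructed to mimic Cowrie's `cowrie.json` event format (`cowrie.login.failed` / `cowrie.login.success` with `username`, `password`, `src_ip`, `timestamp`), and the window and threshold values are assumptions.

```python
# Added example (not the project's own code): summarise SSH credential spraying
# from Cowrie JSON logs. SAMPLE_LOG is constructed, not a real capture.

import json
from collections import Counter, defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","src_port":51234,"dst_port":22,"session":"s1","timestamp":"2024-03-01T00:00:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"root","src_ip":"198.51.100.7","session":"s1","timestamp":"2024-03-01T00:00:01.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"root","src_ip":"198.51.100.7","session":"s1","timestamp":"2024-03-01T00:00:02.500000Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"198.51.100.7","session":"s2","timestamp":"2024-03-01T00:00:04.000000Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"198.51.100.7","session":"s2","timestamp":"2024-03-01T00:00:05.000000Z"}
{"eventid":"cowrie.login.failed","username":"pi","password":"raspberry","src_ip":"198.51.100.7","session":"s3","timestamp":"2024-03-01T00:00:07.000000Z"}
{"eventid":"cowrie.login.success","username":"root","password":"root","src_ip":"198.51.100.7","session":"s4","timestamp":"2024-03-01T00:00:09.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"root","src_ip":"203.0.113.5","session":"s5","timestamp":"2024-03-01T00:10:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.5","session":"s6","timestamp":"2024-03-01T00:25:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"192.0.2.9","session":"s7","timestamp":"2024-03-01T01:00:00.000000Z"}
"""

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def parse_cowrie(text):
    """Keep only login events, normalised and sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a line cut short at log rotation is common; skip it
        if rec.get("eventid") not in LOGIN_EVENTS:
            continue
        events.append({
            "ts": datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ"),
            "src_ip": rec["src_ip"],
            "cred": (rec["username"], rec["password"]),
            # Cowrie "accepts" configured credentials so it can observe the session
            "success": rec["eventid"] == "cowrie.login.success",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def top_credentials(events, n=5):
    return Counter(e["cred"] for e in events).most_common(n)


def top_sources(events, n=5):
    return Counter(e["src_ip"] for e in events).most_common(n)


def spray_sources(events, window_s=60, threshold=5):
    """Sources that made at least `threshold` attempts inside any
    `window_s`-second sliding window (assumed thresholds)."""
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src_ip"]].append(e["ts"])
    flagged = set()
    for src, times in per_src.items():
        window = deque()
        for t in times:  # already sorted by parse_cowrie
            window.append(t)
            while (t - window[0]).total_seconds() > window_s:
                window.popleft()
            if len(window) >= threshold:
                flagged.add(src)
                break
    return flagged


def credential_reuse(events):
    """Credential pairs tried from more than one source: the signature of a
    shared wordlist rather than a targeted guess."""
    sources = defaultdict(set)
    for e in events:
        sources[e["cred"]].add(e["src_ip"])
    return {cred: len(s) for cred, s in sources.items() if len(s) > 1}


if __name__ == "__main__":
    ev = parse_cowrie(SAMPLE_LOG)
    print("top credentials:", top_credentials(ev))
    print("top sources:", top_sources(ev))
    print("spraying sources:", spray_sources(ev))
    print("credentials shared across sources:", credential_reuse(ev))
```

Successful logins are counted alongside failures on purpose: Cowrie accepts whatever its userdb allows, so a "success" is still an attacker's guess, and dropping those events would undercount the most popular pairs. `credential_reuse` is the view Kibana does not give directly and is the quickest way to separate wordlist-driven bots from the rare source that tries something specific.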
Top Targeted Ports
Ports 22 (SSH), 23 (Telnet), 80 (HTTP), 8080, and 5900 (VNC) received the highest volume of scanning traffic.
Malware Samples Captured
Dionaea captured 12 unique malware samples including Mirai botnet variants targeting exposed Telnet services.
Geographic Sources
Top attacking countries: China, Russia, United States, Netherlands, Germany.
ICS/SCADA Probing
Conpot honeypot recorded multiple interactions probing Modbus and S7comm protocols, indicating targeted ICS scanning.
Tools Used
Remediation
- Disable Telnet entirely; enforce SSH key authentication with fail2ban
- Never expose ICS/SCADA protocols to the public internet
- Implement geo-blocking for known malicious ASNs at the firewall level
- Use threat intelligence feeds to proactively block known scanner IPs
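The SSH hardening applied to the honeypot host in the methodology (key-only auth, non-standard management port) and the first remediation item above are the same controls, and both are easy to believe you have applied when you have not. The following added example, not code from the write-up, OpenSSH or fail2ban, audits an `sshd_config` for those settings and emits a matching fail2ban jail fragment. The expected port 64295 and both sample configs are constructed assumptions.

```python
# Added example (not the project's own code): audit an sshd_config against the
# key-only / non-standard-port hardening described above, and produce the
# fail2ban jail that matches it. Sample configs and port 64295 are assumptions.

# OpenSSH uses the FIRST value it reads for each keyword (sshd_config(5)), so a
# hardened directive appended at the end of the file is silently ignored when a
# permissive one appears earlier. effective_config() models that rule.

EXPECTED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
    # spelled ChallengeResponseAuthentication before OpenSSH 8.7
    "kbdinteractiveauthentication": "no",
    "permitemptypasswords": "no",
}
DEFAULTS = {  # what OpenSSH assumes when the keyword is absent
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
}

SAMPLE_BAD = """\
# constructed sample, not the deployment's file
Port 22
PasswordAuthentication yes
PermitRootLogin yes
# "hardening" appended later: ignored, the earlier values win
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

SAMPLE_GOOD = """\
Port 64295
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
"""


def effective_config(text):
    """{keyword: first value} for the global section. Parsing stops at the first
    Match block because its directives only apply conditionally."""
    eff = {"ports": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        first = line.split(None, 1)
        if "=" in first[0]:                       # 'Key=value' form
            key, _, value = line.partition("=")
        else:                                     # 'Key value' form
            key, value = first[0], (first[1] if len(first) > 1 else "")
        key, value = key.strip().lower(), value.strip()
        if key == "match":
            break
        if key == "port":
            eff["ports"].append(value)            # every Port line applies
        elif value and key not in eff:
            eff[key] = value                      # first value wins
    return eff


def audit_sshd(text, expected_port):
    """List every deviation from EXPECTED, noting whether the offending value
    was written explicitly or is just the OpenSSH default."""
    eff = effective_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = eff.get(key, DEFAULTS[key]).lower()
        if got != want:
            source = "explicit" if key in eff else "default"
            findings.append(f"{key}: {got} ({source}), expected {want}")
    ports = eff["ports"] or ["22"]
    if str(expected_port) not in ports:
        findings.append(f"port: {','.join(ports)} does not include {expected_port}")
    if "22" in ports:
        findings.append("port: 22 is used for management; it collides with the Cowrie SSH honeypot")
    return findings


def fail2ban_jail(port, maxretry=3, findtime="10m", bantime="1h"):
    """jail.local fragment for fail2ban's sshd jail. `port` must be the real
    management port: the iptables ban action scopes its rule to this port, so
    leaving the default ('ssh', i.e. 22) would ban traffic to the honeypot instead."""
    return (f"[sshd]\nenabled = true\nport = {port}\n"
            f"maxretry = {maxretry}\nfindtime = {findtime}\nbantime = {bantime}\n")


if __name__ == "__main__":
    for name, cfg in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, audit_sshd(cfg, 64295) or "OK")
    print(fail2ban_jail(64295))
```

Run it against `/etc/ssh/sshd_config` after hardening and again after any package upgrade; the `(default)` tag on a finding tells you the keyword is simply missing rather than misconfigured. `sshd -T` prints the effective configuration and is the authoritative cross-check for what this parser computes.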