Introduction

A honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems.

One actively maintained flavor of honeypot is TPot, by a team at T-Mobile. The source is available on GitHub at https://github.com/telekom-security/tpotce. It ships with AWS and Open Telekom Cloud (OTC) Terraform deployments, but none for GCP.

In this post I want to introduce a way to install Tpot on Google Cloud Platform. Future posts will cover its functionality and configuration options.

I created https://github.com/fchyla/tpot-on-gcp, which you can use to deploy TPot to a GCE instance.

Deployment

  1. Clone the repository https://github.com/fchyla/tpot-on-gcp
  2. Create terraform.tfvars, using example.tfvars as a template
  3. The defaults use a GCS bucket to store state; edit backend.tf as necessary
  4. Run terraform init -backend-config="bucket=<GCS_tfstate_bucket_name>" -backend-config="prefix=tpot/state" to initialize
  5. Run terraform plan -out tf_tpot.tfplan to create a plan
  6. Run terraform apply tf_tpot.tfplan
  7. The outputs of a successful run provide you with the connection strings

Things to look out for

  • The GCE instance used is an n2-highmem-2 with 16GB of RAM; with only 8GB (the amount recommended in the Tpot readme) the installation took a very long time
  • The Tpot instance runs under a dedicated service account with only the logging and metricWriter roles; you create the service account via Terraform
  • Use a new SSH key for this instance, and you might want to use an inconspicuous username; you pass the SSH public key as a string
  • The GCE Debian 10 image does not have cloud-init installed; the startup.sh script installs the missing components and reboots the instance, after which Tpot's own cloud-init sets up the server
  • During installation, Tpot sets a random hostname; if you want to install the GoogleOps monitoring agent, you will have to fix the hostname first
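To tie the deployment steps and the points above together, here is an added Terraform sketch of the dedicated service account, the n2-highmem-2 instance and the SSH-key metadata. It is my own example, not the files from the tpot-on-gcp repository; the variable names, image family, disk size, network and output are assumptions.

```hcl
# Added example, not the tpot-on-gcp repository's own code.
variable "project_id"     { type = string }
variable "ssh_public_key" { type = string }  # "username:ssh-ed25519 AAAA..." (a fresh key, inconspicuous user)

# Dedicated identity for the honeypot VM: only what Cloud Logging and Monitoring need.
resource "google_service_account" "tpot" {
  account_id   = "tpot-vm"
  display_name = "T-Pot honeypot instance"
}

resource "google_project_iam_member" "tpot_roles" {
  for_each = toset(["roles/logging.logWriter", "roles/monitoring.metricWriter"])
  project  = var.project_id
  role     = each.key
  member   = "serviceAccount:${google_service_account.tpot.email}"
}

resource "google_compute_instance" "tpot" {
  name         = "tpot"
  machine_type = "n2-highmem-2"   # 16 GB RAM; the install was very slow with 8 GB
  zone         = "us-central1-a"  # assumed zone

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-10"  # no cloud-init on this image
      size  = 128                       # assumed disk size in GB
    }
  }

  network_interface {
    network = "default"   # assumed network
    access_config {}      # ephemeral public IP so the honeypot is reachable
  }

  metadata = {
    ssh-keys = var.ssh_public_key   # the public key is passed as a plain string
  }

  # startup.sh installs cloud-init and reboots; T-Pot's cloud-init then takes over.
  metadata_startup_script = file("${path.module}/startup.sh")

  service_account {
    email  = google_service_account.tpot.email
    scopes = ["logging-write", "monitoring-write"]   # least-privilege OAuth scopes
  }
}

output "ssh_command" {
  value = "ssh -i <private_key> <username>@${google_compute_instance.tpot.network_interface[0].access_config[0].nat_ip}"
}
```

The roles granted to the service account are the only project-level permissions the VM identity gets, so a compromised honeypot cannot use it to reach other GCP resources.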