Deception Technology Lab: T-Pot Honeypot with OpenCanary
Deception technology flips the attacker's advantage on its head — instead of waiting for alerts from real systems, you plant fake assets that only an intruder would ever touch. Any interaction is an immediate, high-fidelity signal. This project deploys a full deception stack using T-Pot (multi-honeypot platform) and OpenCanary (lightweight canary daemon), then wires everything into Kibana for real-time visibility.
Project Overview
What you'll build:
- T-Pot multi-honeypot platform (20+ honeypot types in Docker)
- OpenCanary daemon emulating common services (SSH, HTTP, SMB, FTP, MSSQL)
- Canary tokens scattered across the environment as tripwires
- Kibana dashboards for attack visualisation and geo-mapping
- Alerting pipeline for instant notification on canary triggers
Time to complete: 5-8 hours
Skills gained: Deception architecture, threat intelligence collection, attacker behaviour analysis, ELK stack operations
Architecture
┌─────────────────────────────────────────────────────────────────┐
│ Deception Network │
│ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ T-Pot Host (Ubuntu 22.04) │ │
│ │ │ │
│ │ ┌────────────┐ ┌────────────┐ ┌────────────────────┐ │ │
│ │ │ Cowrie │ │ Dionaea │ │ Honeytrap │ │ │
│ │ │ (SSH/Telnet│ │ (Malware) │ │ (Port scanner) │ │ │
│ │ └────────────┘ └────────────┘ └────────────────────┘ │ │
│ │ ┌────────────┐ ┌────────────┐ ┌────────────────────┐ │ │
│ │ │ Glastopf │ │ Conpot │ │ Elasticpot │ │ │
│ │ │ (HTTP) │ │ (ICS) │ │ (Elasticsearch) │ │ │
│ │ └────────────┘ └────────────┘ └────────────────────┘ │ │
│ │ ┌──────────────────────┐ │ │
│ │ │ ELK Stack │ │ │
│ │ │ Elasticsearch │ │ │
│ │ │ Logstash → Kibana │ │ │
│ │ └──────────────────────┘ │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ OpenCanary Host (Raspberry Pi / VM) │ │
│ │ SSH :22 | HTTP :80 | SMB :445 | FTP :21 | RDP :3389 │ │
│ └──────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
│
Alerts & Logs
│
┌─────────▼──────────┐
│ Kibana Dashboard │
│ + Slack / Email │
└────────────────────┘Prerequisites
- T-Pot host: Dedicated VM or bare-metal with 8GB+ RAM, 128GB+ SSD, Ubuntu 22.04 LTS
- OpenCanary host: A Raspberry Pi 4, lightweight VM, or spare machine (2GB RAM minimum)
- Network: Exposed to the internet OR on an internal segment where attackers/insiders would reach it
- Basic Linux command line familiarity
Note: For external-facing honeypots, use a dedicated IP address isolated from all production systems. Never bridge the honeypot network to internal infrastructure.
Part 1: Deploy T-Pot
T-Pot is a community honeypot platform maintained by Deutsche Telekom. It bundles 20+ honeypots in Docker containers with a built-in ELK stack.
1.1 Prepare the Host
# Fresh Ubuntu 22.04 minimal install
sudo apt update && sudo apt upgrade -y
sudo apt install -y git curl net-tools
# Verify at least 8GB RAM
free -h
# Verify at least 128GB disk
df -h /1.2 Install T-Pot
# Clone the T-Pot repository
git clone https://github.com/telekom-security/tpotce
cd tpotce
# Run the installer (interactive)
sudo ./install.sh --type=userThe installer will prompt you to choose a T-Pot edition:
| Edition | Description |
|---|---|
| Standard | Full stack — all honeypots + ELK |
| Sensor | Honeypots only, log to remote ELK |
| Industrial | Adds ICS/SCADA honeypots (Conpot) |
| Collector | ELK stack only, receives from sensors |
For a single-node lab, choose Standard.
1.3 Post-Install Configuration
After installation and reboot, T-Pot remaps your SSH port to avoid conflicts with Cowrie:
# SSH is now on port 64295
ssh -p 64295 user@<TPOT_IP>
# Kibana web UI is at:
# https://<TPOT_IP>:64297
# T-Pot web UI (management) is at:
# https://<TPOT_IP>:64294Access Kibana and log in with the credentials you set during installation.
1.4 Verify Honeypots Are Running
# List all running T-Pot containers
sudo docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"You should see containers for: cowrie, dionaea, glastopf, honeytrap, conpot, elasticpot, mailoney, rdpy, and others.
1.5 Configure External Port Exposure
On your router/firewall, forward common attacker-targeted ports to the T-Pot host:
| External Port | T-Pot Honeypot | Emulates |
|---|---|---|
| 22 | Cowrie | SSH |
| 23 | Cowrie | Telnet |
| 80 | Glastopf | HTTP web app |
| 443 | NGINX honeypot | HTTPS |
| 445 | Dionaea | SMB |
| 3306 | Dionaea | MySQL |
| 5900 | VNCpot | VNC |
| 6379 | Redishoneypot | Redis |
Part 2: Deploy OpenCanary
OpenCanary is a lightweight canary daemon by Thinkst that emulates network services and alerts on any connection attempt.
2.1 Install OpenCanary
# On the OpenCanary host (Raspberry Pi or VM)
sudo apt update && sudo apt install -y python3-pip python3-dev
# Install OpenCanary
pip3 install opencanary
# Generate default config
opencanaryd --copyconfig
# Config written to: /etc/opencanaryd/opencanary.conf2.2 Configure Services
Edit /etc/opencanaryd/opencanary.conf:
{
"device.node_id": "opencanary-lab-01",
"git.enabled": false,
"ftp.enabled": true,
"ftp.port": 21,
"http.enabled": true,
"http.port": 80,
"http.banner": "Apache/2.4.41 (Ubuntu)",
"mssql.enabled": true,
"mssql.port": 1433,
"mysql.enabled": true,
"mysql.port": 3306,
"rdp.enabled": true,
"rdp.port": 3389,
"smb.enabled": true,
"ssh.enabled": true,
"ssh.port": 22,
"ssh.version": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5",
"telnet.enabled": true,
"telnet.port": 23,
"logger": {
"class": "PyLogger",
"kwargs": {
"formatters": {
"plain": {
"format": "%(message)s"
}
},
"handlers": {
"file": {
"class": "logging.FileHandler",
"filename": "/var/log/opencanary/opencanary.log",
"formatter": "plain"
},
"syslog-unix": {
"class": "logging.handlers.SysLogHandler",
"address": ["localhost", 514],
"formatter": "plain"
}
}
}
}
}2.3 Start OpenCanary as a Service
# Create log directory
sudo mkdir -p /var/log/opencanary
# Create systemd service
sudo tee /etc/systemd/system/opencanary.service > /dev/null <<EOF
[Unit]
Description=OpenCanary Honeypot
After=network.target
[Service]
ExecStart=/usr/local/bin/opencanaryd --start
ExecStop=/usr/local/bin/opencanaryd --stop
Restart=always
User=root
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now opencanary
sudo systemctl status opencanary2.4 Verify OpenCanary Is Listening
# Confirm ports are open
ss -tlnp | grep -E "22|23|21|80|445|3306|1433|3389"
# Test from another machine
nc -zv <OPENCANARY_IP> 22
nc -zv <OPENCANARY_IP> 21Any connection attempt will be logged immediately.
Part 3: Deploy Canary Tokens
Canary tokens are zero-interaction tripwires — fake credentials, files, and links that alert you the instant an attacker finds and uses them.
3.1 Self-Hosted Canary Tokens with canarytokens.org
For a self-hosted setup, clone the Canarytokens server:
git clone https://github.com/thinkst/canarytokens
cd canarytokens
cp frontend/frontend.env.example frontend/frontend.env
cp switchboard/switchboard.env.example switchboard/switchboard.envEdit .env files with your domain and SMTP settings, then:
docker-compose up -d3.2 Generate Useful Token Types
| Token Type | Use Case | Where to Place |
|---|---|---|
| Word document | Fake sensitive report | File share, SharePoint |
| AWS API key | Fake cloud credential | .env files, code repos |
| DNS token | Detect outbound DNS from attacker | Embedded in documents |
| Web bug (URL) | Detect link clicks | Email signatures, wikis |
| Fake database | Detect DB access | SQL backup files |
| Windows folder | Detect directory browsing | Network shares |
3.3 Plant Tokens Strategically
Good token placement:
/shares/Finance/Q4-2025-Budget-FINAL.docx ← Word token
/shares/IT/credentials-backup.txt ← Contains fake AWS token
C:\Users\Administrator\Desktop\passwords.xlsx ← Excel canary
.env files in dev repos ← AWS API key token
IT wiki "Emergency Access Credentials" page ← Web bug URLPart 4: Kibana Dashboards
T-Pot ships with pre-built Kibana dashboards. Access them at https://<TPOT_IP>:64297.
4.1 Key Dashboards to Review
| Dashboard | What It Shows |
|---|---|
| T-Pot | Global overview — attack counts, top attackers |
| Attack Map | Real-time geo-map of incoming attacks |
| Cowrie | SSH/Telnet login attempts, commands run |
| Dionaea | Malware dropped, SMB exploits |
| Suricata | IDS alerts from network traffic |
| Honeytrap | Port scan attempts |
4.2 Add an OpenCanary Index
Ship OpenCanary logs to T-Pot's Elasticsearch:
# Install Filebeat on the OpenCanary host
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.0-amd64.deb
sudo dpkg -i filebeat-8.12.0-amd64.deb
# Configure Filebeat
sudo tee /etc/filebeat/filebeat.yml > /dev/null <<EOF
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/opencanary/opencanary.log
json.keys_under_root: true
json.add_error_key: true
output.elasticsearch:
hosts: ["https://<TPOT_IP>:64298"]
username: "elastic"
password: "<YOUR_PASSWORD>"
ssl.verification_mode: none
setup.kibana:
host: "https://<TPOT_IP>:64297"
ssl.verification_mode: none
EOF
sudo systemctl enable --now filebeatCreate an index pattern in Kibana: filebeat-* and build a dashboard from the OpenCanary log fields.
4.3 Useful KQL Queries
# All SSH login attempts from a specific country
type: "cowrie.login.failed" AND src_ip_country_code: "CN"
# Commands run by attackers in SSH sessions
type: "cowrie.command.input"
# OpenCanary SMB hits
logdata.HOSTNAME: * AND dst_port: 445
# Canary token triggers (DNS-based)
type: "canarytoken.triggered"
# Attackers attempting more than 100 loginsPart 5: Alerting
High-fidelity alerts are the point of deception tech. Any hit on a honeypot or canary should notify you immediately.
5.1 Slack Webhook Alerts from OpenCanary
#!/usr/bin/env python3
# canary-alert.py — tail OpenCanary log and send Slack alerts
import json
import time
import requests
SLACK_WEBHOOK = "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
LOG_PATH = "/var/log/opencanary/opencanary.log"
def send_slack(event: dict):
src = event.get("src_host", "unknown")
dst_port = event.get("dst_port", "?")
logtype = event.get("logtype", "?")
node = event.get("node_id", "canary")
message = {
"text": f":rotating_light: *Canary Triggered* on `{node}`\n"
f"*Source:* `{src}` *Port:* `{dst_port}` *Type:* `{logtype}`"
}
requests.post(SLACK_WEBHOOK, json=message, timeout=5)
def tail_log(path: str):
with open(path, "r") as f:
f.seek(0, 2) # Seek to end
while True:
line = f.readline()
if line:
try:
event = json.loads(line.strip())
send_slack(event)
except json.JSONDecodeError:
pass
else:
time.sleep(0.5)
if __name__ == "__main__":
tail_log(LOG_PATH)Run as a service:
sudo tee /etc/systemd/system/canary-alert.service > /dev/null <<EOF
[Unit]
Description=Canary Slack Alerter
After=opencanary.service
[Service]
ExecStart=/usr/bin/python3 /opt/canary-alert.py
Restart=always
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl enable --now canary-alert5.2 Elasticsearch Watcher Alert (T-Pot)
In Kibana > Stack Management > Watcher, create a watch:
{
"trigger": { "schedule": { "interval": "1m" } },
"input": {
"search": {
"request": {
"indices": ["logstash-*"],
"body": {
"query": {
"bool": {
"must": [
{ "range": { "@timestamp": { "gte": "now-1m" } } },
{ "term": { "type": "cowrie.login.success" } }
]
}
}
}
}
}
},
"condition": { "compare": { "ctx.payload.hits.total.value": { "gt": 0 } } },
"actions": {
"send_email": {
"email": {
"to": "you@example.com",
"subject": "ALERT: Successful honeypot login detected",
"body": "An attacker successfully authenticated to a honeypot. Review Kibana immediately."
}
}
}
}Part 6: Analysing Attack Data
After the honeypots have been running for 24-48 hours, you'll have real-world attack data to analyse.
Common Patterns to Look For
Credential stuffing campaigns:
# Find most common SSH usernames attempted
curl -s "http://localhost:9200/logstash-*/_search" \
-H "Content-Type: application/json" \
-d '{
"aggs": {
"top_usernames": {
"terms": { "field": "username.keyword", "size": 20 }
}
},
"size": 0
}' | python3 -m json.toolMalware dropped via SMB/FTP (Dionaea):
- Check
/data/dionaea/bistreams/on the T-Pot host - Uploaded samples are automatically hashed
- Submit hashes to VirusTotal for classification
Attacker commands (Cowrie):
# View commands run in fake SSH sessions
sudo docker exec cowrie cat /home/cowrie/cowrie-git/var/log/cowrie/cowrie.json \
| jq 'select(.eventid == "cowrie.command.input") | .input'Typical Attack Sequence Observed
1. Port scan (SYN sweep across common ports)
2. Banner grab (identify services and versions)
3. Credential brute force (automated, 50-500 attempts/minute)
4. Successful login (rare, but captured if default creds used)
5. Reconnaissance (whoami, uname -a, cat /etc/passwd)
6. Persistence attempt (crontab, SSH key injection)
7. Lateral movement / cryptominer downloadCowrie captures steps 3-7 in full detail — every command, every file download.
Part 7: Hardening Your Deception Network
The honeypot must look convincing but remain isolated:
Network Segmentation
Production VLAN ─────────────────────────────────────
│ Firewall
Deception VLAN ─────── │ ──────────── (no route back)
T-Pot Host │
OpenCanary Host │
│ Port forwards only
Internet ─────────────────────────────────────Firewall rules (OPNsense/pfSense):
- Allow inbound from internet to deception VLAN (honeypot ports)
- Block ALL outbound from deception VLAN to production VLAN
- Allow outbound from deception VLAN to internet (so malware can "call home" — captured by Dionaea)
- Allow management traffic from admin VLAN to deception VLAN on specific ports only
Make Honeypots Look Real
# On Cowrie - customise the fake filesystem
# Edit /home/cowrie/cowrie-git/share/cowrie/fs.pickle
# Or use honeyfs to populate a realistic-looking directory tree
# Add fake users to the cowrie userdb
echo "admin:0:password123" >> /home/cowrie/cowrie-git/etc/userdb.txt
echo "root:0:toor" >> /home/cowrie/cowrie-git/etc/userdb.txtChecklist
- T-Pot installed on dedicated host
- All honeypot containers running (
docker ps) - External ports forwarded to T-Pot
- Kibana accessible and dashboards loading
- OpenCanary deployed and emulating services
- OpenCanary logs shipping to Elasticsearch
- Canary tokens generated and planted
- Slack/email alerting configured and tested
- Deception VLAN isolated from production
- Attack data reviewed after 24 hours
Conclusion
A deception technology stack turns your network into an active intelligence-gathering system. Every scan, probe, and login attempt teaches you something about real attacker tradecraft — without putting production systems at risk. T-Pot's rich ELK dashboards give you geo-mapped, visualised attack data out of the box, while OpenCanary and canary tokens provide surgical tripwires for insider threats and lateral movement.
Next Steps
- Integrate T-Pot Syslog output into your primary SIEM (Sentinel, Elastic Security)
- Build custom YARA rules from malware samples captured by Dionaea
- Deploy canary tokens in cloud environments (fake S3 buckets, fake IAM keys)
- Run periodic purple team exercises — have a colleague try to move through the network and verify canaries fire
Last updated: March 2026