🍯 Honeypots & deception
T-Pot
All-in-one honeypot platform from Deutsche Telekom — 20+ honeypots in one box.
Why use it
T-Pot bundles Cowrie, Dionaea, Honeytrap, ElasticPot, Conpot, and a dozen more behind a single Docker-based installer with a unified Kibana dashboard. The fastest way to start collecting attacker data — and great threat intel for your homelab.
What you get
- 20+ honeypots covering SSH, FTP, SMB, web, ICS, IoT
- Pre-built Kibana dashboards
- Live attack map (visual, mesmerising)
- Suricata IDS overlay on the same traffic
- Daily JSON exports of all attacker data
System requirements
| Requirement | Value |
|---|---|
| CPU | 4 cores |
| RAM | 8 GB minimum |
| Disk | 128 GB+ |
| OS | Dedicated host (Debian 12 recommended) |
| Docker | Yes |
Installation
Spin up a fresh Debian 12 VM. Run `git clone https://github.com/telekom-security/tpotce && cd tpotce && ./install.sh`. Choose a deployment type (NEXTGEN is the default). Reboot, then browse to `https://<ip>:64297`.
Suggested configuration
Place T-Pot on its own VLAN with no access to anything else. Forward only the honeypot ports inbound from the internet; never expose the management SSH port 64295 to the internet (move it to a different port and reach it only from your admin network). Schedule weekly exports of the attack data into your SIEM so the captured indicators become a fresh detection rules feed.
Integration ideas
- Forward attack data to MISP for IoC sharing
- Pull Suricata events from T-Pot into your central SIEM
- Use captured malware samples in Cuckoo or Any.run
Alternatives
- Cowrie alone — SSH/Telnet only; lighter footprint.
- OpenCanary — Lightweight, fewer honeypots.
Cyentrix verdict
The most spectacular weekend project on this list. You'll get attacker traffic within minutes of going live on a public IP.