Project · Sep 2025

Deploying a Honeypot with T-Pot on AWS

AWS EC2 T-Pot Honeypot Cybersecurity Linux

AI Summary

T-Pot — a multi-honeypot platform running 20+ honeypot services — was deployed on an AWS EC2 instance (Ubuntu 22.04, m7i-flex.large, 128 GB storage). Security groups were configured to lock SSH and the T-Pot dashboard to a trusted IP, while all TCP ports were left open to the internet so the honeypots could receive real attack traffic. T-Pot was installed via a cloned repository and ran entirely in Docker, with Kibana used to analyse the collected data.
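An added example, not code from the project: security group rules are allow-only and additive, so a honeypot rule that spans every TCP port also opens the management ports to the internet, regardless of the narrower rules written for them. The check below runs over constructed rules in the `IpPermissions` shape returned by `describe-security-groups`; the port numbers (T-Pot's defaults, 64295 for SSH and 64297 for the web UI), the trusted address and the 1-64000 honeypot range are assumptions, since the page does not state them.

```python
import ipaddress

# Assumption: T-Pot's default management ports; the page does not name them.
MGMT_PORTS = {"ssh": 64295, "dashboard": 64297}

def covers(perm, port):
    """True if an IpPermissions entry allows TCP traffic to `port`."""
    if perm["IpProtocol"] == "-1":          # all protocols, all ports
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def audit(permissions, trusted_cidr, mgmt_ports=MGMT_PORTS):
    """List (name, port, source) for each management port reachable from outside trusted_cidr.

    Rules are allow-only and additive, so every rule covering the port
    counts, not only the rule written for that port.
    """
    trusted = ipaddress.ip_network(trusted_cidr)
    findings = []
    for name, port in mgmt_ports.items():
        for perm in permissions:
            if not covers(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                src = ipaddress.ip_network(cidr)
                if src.version != trusted.version or not src.subnet_of(trusted):
                    findings.append((name, port, cidr))
    return findings

def tcp(lo, hi, cidr):
    """Build one constructed IpPermissions entry."""
    return {"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi, "IpRanges": [{"CidrIp": cidr}]}

TRUSTED = "203.0.113.10/32"   # constructed documentation address
MGMT_RULES = [tcp(64295, 64295, TRUSTED), tcp(64297, 64297, TRUSTED)]
# Weak: the honeypot rule spans every port, so it also opens the management ports.
WEAK = [tcp(0, 65535, "0.0.0.0/0")] + MGMT_RULES
# Corrected: the honeypot rule stops below the management ports (range is illustrative).
FIXED = [tcp(1, 64000, "0.0.0.0/0")] + MGMT_RULES

if __name__ == "__main__":
    print("weak: ", audit(WEAK, TRUSTED))
    print("fixed:", audit(FIXED, TRUSTED))
```

To run it against a live group, pass the `IpPermissions` list from the group's `describe-security-groups` output as `permissions`.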

After running for three days, the honeypot recorded 67,000 attacks. 72% were SSH brute-force attempts targeting the Cowrie honeypot, consistent with automated mass-scanning bots. The standout event was a coordinated surge on day two: 45,000 attacks from 519 unique IPs originating from Thailand, peaking between 06:00 and 12:00 and accounting for 67.2% of all traffic collected across the entire project.

The project built hands-on experience with AWS EC2 provisioning, security group design, Docker-based honeypot management, and threat analysis using the ELK stack. The data made clear how aggressively and continuously internet-facing SSH services are targeted by automated tooling.
