Honeypot Cloud Lab

Deploying T-Pot Honeypot on Vultr — 3 Million Attacks in 20 Days

I spun up a T-Pot CE instance on Vultr, pointed it at the internet, and walked away. What came back was fascinating — over 3 million attacks from nearly every corner of the globe in just 20 days.

20 Days Runtime
3M+ Attacks Logged
Worldwide Sources
~$10 Total Cost

Overview

Honeypots are one of the most honest ways to understand the real threat landscape. Instead of reading reports about what attackers are doing, you just... let them in — into a controlled, fake environment — and watch. I've been curious about this for a while, and I finally decided to set one up properly using T-Pot CE, an all-in-one honeypot platform by Telekom Security that bundles over 20 different honeypot types under a single Docker-based stack.

For this experiment I used Vultr — if you want to try this yourself, you can sign up for a free $300 credit using that link. The whole 20-day run cost me roughly $10, which is honestly incredible for the data you get back.

Multi-Protocol Coverage

T-Pot captures attacks across SSH, RDP, VNC, SIP, ADB, Telnet, HTTP/S, and many more simultaneously.

Kibana Dashboards

Built-in Elasticsearch + Kibana stack gives you beautiful real-time dashboards over all captured attack data.

Live Attack Map

A live world map showing attacks hitting your server in real time, with attacker geolocation and origin country.

Raw Log Export

All raw logs are stored in ~/tpotce/data, exportable for offline analysis in any tooling you like.

Safe & Isolated

Attackers interact only with the honeypot containers. Your actual server and SSH access are moved to a non-standard port.

Docker-Based Stack

Everything runs in Docker containers. Easy to install, easy to remove, and isolated from the host OS by design.

Ubuntu 22.04
Docker
T-Pot CE
Kibana
Elasticsearch
Vultr VPS

How T-Pot Works

T-Pot works by listening on virtually every port and simulating a wide variety of services. When an attacker connects and tries to exploit or authenticate, the honeypot logs every detail — credentials used, payloads sent, timing, origin IP — and feeds it all into Elasticsearch for analysis. Your real SSH access gets moved to a random high port during installation so you can still manage the machine safely.

graph TD Internet["🌐 Internet\n(Attackers)"] -->|"Port 22 / 23 / 80 / 443\n3389 / 5900 / 5038\n...and many more"| TPOT subgraph TPOT["T-Pot CE (Ubuntu VPS)"] HPC["Honeypot Containers\nCowrie · Dionaea · Honeytrap\nCitrixHoneypot · Mailoney · ..."] ELK["ELK Stack\nElasticsearch · Logstash · Kibana"] SPIDERFOOT["SpiderFoot\nOSINT Framework"] HPC -->|"Attack Logs"| ELK end Analyst["👤 You\n(Port 64265 SSH\n+ Port 64297 Web UI)"] -->|"Manage & Review"| TPOT

Setting Up Vultr

After logging in to Vultr, navigate to Compute → Instances and click Create Instance. The setup is straightforward — here's what I picked and why.

Vultr dashboard showing the Compute > Instances section
Figure 1: Vultr dashboard — navigate to Compute → Instances to get started.
  1. Choose Shared CPU

    Select Shared CPU as the server type. For a honeypot experiment this is more than enough — we don't need dedicated compute.

    Selecting Shared CPU server type on Vultr
    Selecting Shared CPU — the right choice for a cost-effective honeypot.
  2. Pick a Region with High Exposure

    I chose Americas / Silicon Valley. The idea here is simple — higher traffic regions attract more attention from automated scanners and botnets, which means more attack data for us to study.

    Selecting Silicon Valley region on Vultr
    Silicon Valley region — well-connected and popular with scanners.
  3. Size It Right for T-Pot

    T-Pot runs a lot of Docker containers and Elasticsearch is memory-hungry. I went with 4 vCPUs, 8 GB RAM, 180 GB SSD. This ran the full stack smoothly for the entire 20 days without any issues. Total cost was around $10 for the experiment.

    Selecting 4 vCPU, 8GB RAM, 180GB SSD on Vultr
    4 vCPU / 8 GB RAM / 180 GB SSD — the recommended minimum for T-Pot CE.
    Cost Tip

    Running this for 7 days costs roughly $5–7. For 20 days it came to around $10. Vultr bills by the hour so you can stop it anytime without wasting money.

  4. Select Ubuntu as the OS

    T-Pot officially supports Ubuntu. Select Ubuntu 22.04 LTS — don't use any other distro or you'll run into dependency issues during the install script.

    Selecting Ubuntu OS on Vultr
    Ubuntu 22.04 LTS — the recommended OS for T-Pot CE.

After hitting deploy, the instance takes a minute or two to boot up. You can watch its status from the Vultr dashboard.

Vultr instance booting and loading
Figure 2: The instance spinning up — grab a coffee, it only takes a moment.

Server Configuration

Once the instance is running, head to its dashboard page — you'll find the public IP address and the root password right there. Use those to SSH in.

Vultr instance dashboard showing the public IP and root password
Figure 3: The instance overview — IP and credentials are right here.
PowerShell / Terminal
$ ssh root@YOUR_SERVER_IP
SSHing into the Vultr Ubuntu server
Figure 4: Successfully logged in as root via SSH.

We're in as root. T-Pot's installer needs a non-root user to run correctly, so our first step is to create a dedicated user and give it sudo privileges.

whoami command confirming we are root
Figure 5: whoami confirms we're root — time to create a dedicated user.
  1. Create a New User

    Run adduser and just keep pressing Enter through the prompts — only the password matters here.

    Terminal
    # adduser tpotuser
    Creating a new user on Ubuntu with adduser
    Creating the new user — just press Enter through the optional fields.
  2. Add the User to the Sudo Group
    Terminal
    # usermod -aG sudo tpotuser
    Adding the new user to the sudo group
    Adding our user to the sudo group — required for the T-Pot installer.

Installing T-Pot

Now the fun part. T-Pot's installer is a single curl command provided on their GitHub page. It handles everything — installs Docker, pulls all the honeypot images, configures Elasticsearch and Kibana, and sets up the web UI. Run it as your new non-root user.

Terminal (as tpotuser)
$ env bash -c "$(curl -sL https://github.com/telekom-security/tpotce/raw/master/install.sh)"
Running the T-Pot installation script
Figure 6: The T-Pot installer running — it will ask for your sudo password first.

The installer presents a menu asking which edition to install. I chose H (Hive) — this installs every available honeypot type at once, giving you the widest possible coverage across protocols.

T-Pot Editions

T-Pot offers several installation profiles. H (Hive) is the full edition — it runs all supported honeypots simultaneously. There are lighter profiles like S (Standard) or M (Medium) if you're working with limited RAM.

Selecting T-Pot type H (Hive) during installation
Figure 7: Selecting H for the full Hive installation — all honeypots enabled.

The script then downloads and configures everything. Since we're on a cloud VPS with a good uplink, this goes surprisingly fast — usually 10–15 minutes. Grab a coffee.

T-Pot installation process downloading Docker images
Figure 8: Docker pulling all the honeypot images — cloud bandwidth makes this quick.
Important — Read the Installer Output

When installation finishes, the script prints your new SSH port at the end of the output. Port 22 is now a honeypot. Note down that port number before closing your terminal — losing it means losing access to your server.

T-Pot installation finished with new SSH port displayed
Figure 9: Installation complete — the new SSH port is shown at the bottom of the output.

After installation the server reboots. When you reconnect, you must use the new high port (in my case it was 64265). Trying port 22 now just dumps you into the SSH honeypot, which won't accept your real credentials.

Reconnecting after T-Pot Installation
$ ssh root@YOUR_SERVER_IP -p 22 [-] Permission denied (publickey,password). # Port 22 is now the Cowrie SSH honeypot — expected behaviour. $ ssh tpotuser@YOUR_SERVER_IP -p 64265 [+] Welcome to Ubuntu 22.04 LTS [+] Successfully logged in on the new management port.
SSH failing on port 22 (honeypot) and succeeding on port 64265
Figure 10: Port 22 rejects the real credentials — the honeypot is working. Port 64265 gets us in safely.

Accessing the Web UI

T-Pot's web interface runs on port 64297. Just open your browser and navigate to https://YOUR_SERVER_IP:64297. The username and password are whatever you set during the installation wizard.

Can't Reach the Web UI?

If the page doesn't load, the most likely cause is your cloud provider's firewall (security group / firewall rules). Head to Vultr's Firewall section and make sure ports 64297 and 64265 are open for your source IP, or open them to the world if you want full access.

T-Pot Web UI login page
Figure 11: The T-Pot web interface login screen on port 64297.
T-Pot CE landing page / home dashboard
Figure 12: T-Pot's home page — links to the Attack Map, Kibana, SpiderFoot, and more.

First Hits — Attackers Were There Immediately

I genuinely expected to wait a few hours before seeing anything. I was wrong. Within minutes of the installation completing, the live attack map was already lighting up with incoming connections from across the globe. This is what automated internet scanners look like in practice — they are relentless and fast.

T-Pot live attack map showing real-time incoming attacks from around the world
Figure 13: The live attack map — within minutes of installation, hits were coming in from everywhere.
Kibana dashboard showing initial attack data
Figure 14: Kibana dashboard — initial attack data starting to populate.

Within the first 10 minutes, the attack count had already climbed past 500,000 events. I had to double-check the numbers — but this is the reality of putting any public IP online.

Kibana showing 500k+ attacks after the first few minutes
Figure 15: Over 500,000 attack events logged within the first 10 minutes.

In the very first few minutes, the top attacking countries were already clearly visible:

Top attacking countries in the first few minutes
Figure 16: Top attacking countries in the first few minutes of being live.

"Every IP address that's publicly routable on the internet will be port-scanned within minutes. There are no exceptions. The question is not if — it's when and how often."

Results at 15 Days — 2 Million Attacks

By day 15 the attack count had crossed the 2 million mark. Attackers don't sleep, don't take weekends off, and they scan 24/7.

Kibana dashboard showing 2 million attacks after 15 days
Figure 17: 2 million+ attacks logged at the 15-day mark.

Results at 20 Days — 3 Million Attacks

By day 20 the counter had passed 3 million total attack events. To put that in perspective — that's roughly 150,000 attacks per day, or just over 100 every minute, around the clock.

Kibana dashboard showing 3 million total attacks after 20 days
Figure 18: The 3-million milestone — 20 days of continuous bombardment logged.

Key Findings

Beyond the headline numbers, the most interesting data came from drilling into what the attackers were actually targeting. Here's a breakdown of the key observations.

Most Targeted Ports & Countries

The attacks weren't random — specific ports were hammered far more than others, reflecting the automated tools and botnets in use.

Graph showing attacks broken down by country and targeted port
Figure 19: Attacks broken down by origin country and targeted port — SSH and Telnet dominated.
Protocol / Port Description Volume
22/tcp SSH Credential stuffing & brute force against Cowrie SSH honeypot Highest
23/tcp Telnet IoT botnet recruitment attempts (Mirai variants) Very High
3389/tcp RDP Remote Desktop credential attacks targeting Windows High
5060/tcp SIP VoIP exploitation attempts via Mailoney honeypot Medium
5900/tcp VNC VNC brute force attempts against desktop access Moderate
5555/tcp ADB Android Debug Bridge — Android device compromise attempts Moderate

Top Attacking Countries

The United States came in as the number one source — this likely reflects the large number of compromised American infrastructure nodes and cloud-hosted attack platforms rather than direct attribution.

Bar chart showing attacks by country — USA is number one
Figure 20: Overall attacks by country. The US leads, followed by China, Russia, and others.
Attribution vs. Geolocation

A high attack count from a country doesn't mean its government or citizens are behind it. Most attacks originate from compromised servers, cloud VMs, and botnet nodes that happen to be hosted in that country. The US leads largely because it hosts so much cloud infrastructure.

Most Targeted Usernames

The credential brute-force attempts showed clear patterns in what attackers assume default usernames to be. Unsurprisingly, they target the classics first.

Chart showing the most frequently used usernames in brute force attacks
Figure 21: Most targeted usernames — root, admin, and ubuntu are always at the top.

Most Tried Passwords

The password lists used are fascinating. They're a mix of well-known defaults, common weak passwords, and strings that are clearly from published credential dumps.

Chart showing most frequently tried passwords in brute force attacks
Figure 22: Most tried passwords — default credentials and common weak passwords dominate every list.

Key Takeaways

What's Next

After 20 days I shut down the server and transferred all the raw logs out of ~/tpotce/data. The data folder contains structured JSON logs for every protocol — SSH, Telnet, RDP, VNC, SIP, ADB, HTTP, and more. There's a lot to dig through.

Exporting Your Logs

All T-Pot logs are stored in ~/tpotce/data in JSON format, organized by honeypot type and date. You can rsync or scp the entire folder out before destroying your instance. These logs are gold for offline analysis.

Terminal (Local Machine)
$ rsync -avz -e "ssh -p 64265" tpotuser@YOUR_SERVER_IP:~/tpotce/data/ ./tpot-logs/

In the next post I'll go through the raw logs in detail — looking at specific payloads, commands attackers attempted to run inside the Cowrie SSH honeypot, and what the ADB and SIP traffic actually contained. There are some genuinely interesting findings buried in there.

If you want to see the internet's background radiation for yourself — this is the cheapest and most educational way to do it. Ten dollars, twenty days, three million data points. Highly recommended.