TPOT is a self-proclaimed All In One Multi Honeypot Platform. A client recently required an installation of TPOT and during that process I came across two gotchas that prevented the successful completion. The first was an error when attempting to start TPOT for the first time – the second was a constant restarting of the honeypots after only a minute or so of operation.
Some background – the installation of TPOT was on a Debian 11 VM – here are installation instructions
So taking the first issue – running
systemctl status tpot
gave a message
No available IPv4 addresses on this network’s address pools
After some googling – mainly suggesting an issue with VPN usage – I added some entries to the daemon.json file that I created in /etc/docker
Rebooting the VM suggested that this had resolved the first error. However, when running the dps.sh script to check the TPOT status, I was rewarded with a number of honeypots stopped and, if refreshed after a moment, started and exited again
The last entry though gave me something to look for – since it didn’t seem to stop because it never got started. The IPPHONEY honeypot uses port 631 according to the documentation
Using netstat -tulpen showed the smoking gun – another process bound to that port (both IPv4 and IPv6)
This article proved to be a godsend – partially as it covers a systematic approach to this kind of issue but also because it related to CUPS as an example – how lucky was that!
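The check from this step as a reusable function, added here as an example and not part of the original post: it filters netstat -tulpen output for one port and prints the process that owns each listener. The function names and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example: find what is bound to a port a honeypot needs.

# port_listeners PORT  (reads `netstat -tulpen` output on stdin)
# Prints one line per listener: "<proto> <local-address> <pid/program>"
port_listeners() {
    awk -v want="$1" '
        $1 !~ /^(tcp|udp)/ { next }        # skip the two header lines
        {
            n = split($4, part, ":")        # port follows the last colon (IPv4 and IPv6)
            if (part[n] != want) next
            owner = "-"                     # netstat shows "-" when not run as root
            # UDP rows have an empty State column, so locate PID/Program by shape
            for (i = 6; i <= NF; i++)
                if ($i ~ /^[0-9]+\//) {
                    owner = $i              # program names may contain spaces
                    for (j = i + 1; j <= NF; j++) owner = owner " " $j
                    break
                }
            print $1, $4, owner
        }'
}

# port_is_free PORT  (reads netstat output on stdin); returns 1 on a conflict
port_is_free() {
    found=$(port_listeners "$1")
    [ -z "$found" ] && return 0
    printf 'port %s is already in use:\n%s\n' "$1" "$found" >&2
    return 1
}

# Constructed sample output (not captured from the system in the post)
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address  State   User  Inode  PID/Program name
tcp        0      0 127.0.0.1:631    0.0.0.0:*        LISTEN  0     17344  655/cupsd
tcp6       0      0 ::1:631          :::*             LISTEN  0     17343  655/cupsd
udp        0      0 0.0.0.0:631      0.0.0.0:*                0     17420  689/cups-browsed
udp        0      0 0.0.0.0:5353     0.0.0.0:*                115   16002  601/avahi-daemon: r
EOF
}

# Live use (as root, so owners are shown): netstat -tulpen | port_listeners 631
sample_netstat | port_listeners 631
```

Run the live form before starting the honeypots, since a container that cannot bind its published port exits and is restarted again and again.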
So if you follow the steps in the article https://unix.stackexchange.com/questions/480082/how-to-disable-cups-service-on-reboot-with-systemd you should be able to stop cups completely from starting after rebooting the OS. I ended up using the removal process – step 5
sudo apt-get purge --auto-remove cups
After a reboot, dps.sh showed all the honeypots running, and after 10 minutes they continued to run
The TPOT interface was accessible on https://localhost:64297
You can find TPOT here