T-Pot provides an all-in-one, optionally distributed, multi-architecture honeypot platform for security researchers and IT professionals. It integrates over 20 honeypots and security tools, including the Elastic Stack for visualization and live attack maps, to offer a comprehensive threat intelligence and deception environment.
How It Works
T-Pot leverages Docker and Docker Compose to deploy and manage a diverse set of honeypots and security tools. This containerized approach simplifies deployment, isolates services, and allows for efficient resource utilization. The platform orchestrates components like Elasticsearch, Logstash, and Kibana for data aggregation and analysis, alongside specialized honeypots designed to emulate various network services and protocols.
Quick Start & Requirements
- Install:
env bash -c "$(curl -sL https://github.com/telekom-security/tpotce/raw/master/install.sh)"
- Prerequisites: 8 GB RAM minimum (16 GB recommended), 128 GB disk, a working internet connection (the installer pulls images from the network). Supports amd64 and arm64. Tested on Debian, Ubuntu, Fedora, AlmaLinux, Rocky Linux, and OpenSUSE.
- Setup: Install a supported Linux distro, run the installer script as a non-root user with sudo privileges, choose the T-Pot edition (e.g., Hive or Sensor) when prompted, and reboot. After the reboot the host's SSH daemon listens on tcp/64295 and the web UI on tcp/64297, so keep those ports reachable for yourself before exposing the standard ports to the internet.
- Docs: https://tpot.io/docs/
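The prerequisites above are easy to get wrong on a freshly provisioned VM, and the installer only reports some of them after it has started. The script below is an added pre-flight check, not part of T-Pot or its installer; the thresholds (8/16 GB RAM, 128 GB disk, amd64/arm64, the tested distro IDs, non-root user) are taken from the requirements listed on this page, and the `/etc/os-release` ID values for the distros are assumptions about how each distro identifies itself.

```shell
#!/usr/bin/env bash
# Pre-flight check before running the T-Pot installer.
# Added example, not T-Pot's own code. Thresholds follow the documented
# minimums on this page; distro IDs are assumed /etc/os-release values.
set -u

MIN_RAM_GB=8
REC_RAM_GB=16
MIN_DISK_GB=128

# 0 if the kernel architecture string is one T-Pot supports (amd64/arm64).
arch_supported() {
    case "$1" in
        x86_64|amd64|aarch64|arm64) return 0 ;;
        *) return 1 ;;
    esac
}

# Map the kernel architecture string to the name used in the docs.
arch_name() {
    case "$1" in
        x86_64|amd64) echo amd64 ;;
        aarch64|arm64) echo arm64 ;;
        *) echo "$1" ;;
    esac
}

# Classify RAM in GiB: ok (>= recommended), low (>= minimum), fail (< minimum).
ram_status() {
    if [ "$1" -ge "$REC_RAM_GB" ]; then echo ok
    elif [ "$1" -ge "$MIN_RAM_GB" ]; then echo low
    else echo fail
    fi
}

# 0 if the root filesystem size in GiB meets the documented minimum.
disk_ok() {
    [ "$1" -ge "$MIN_DISK_GB" ]
}

# 0 if the /etc/os-release ID is on the page's "tested on" list (assumed IDs).
distro_tested() {
    case "$1" in
        debian|ubuntu|fedora|almalinux|rocky|opensuse*) return 0 ;;
        *) return 1 ;;
    esac
}

# Collect live values from the host and report; returns 1 on a blocking issue.
# Network reachability is not checked here to keep the script offline-safe.
preflight() {
    local arch ram_kb ram_gb disk_gb distro rc=0
    arch=$(uname -m)
    ram_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null)
    ram_gb=$(( ${ram_kb:-0} / 1024 / 1024 ))
    disk_gb=$(df -kP / 2>/dev/null | awk 'NR==2 {print int($2/1024/1024)}')
    disk_gb=${disk_gb:-0}
    distro=$(. /etc/os-release 2>/dev/null && echo "${ID:-unknown}")
    distro=${distro:-unknown}

    if arch_supported "$arch"; then echo "arch:   $(arch_name "$arch") (ok)"
    else echo "arch:   $arch (unsupported)"; rc=1; fi

    case "$(ram_status "$ram_gb")" in
        ok)   echo "ram:    ${ram_gb} GiB (ok)" ;;
        low)  echo "ram:    ${ram_gb} GiB (meets ${MIN_RAM_GB} GB minimum, ${REC_RAM_GB} GB recommended)" ;;
        fail) echo "ram:    ${ram_gb} GiB (below ${MIN_RAM_GB} GB minimum)"; rc=1 ;;
    esac

    if disk_ok "$disk_gb"; then echo "disk:   ${disk_gb} GiB (ok)"
    else echo "disk:   ${disk_gb} GiB (below ${MIN_DISK_GB} GB minimum)"; rc=1; fi

    if distro_tested "$distro"; then echo "distro: $distro (tested)"
    else echo "distro: $distro (not on the tested list; installer may still work)"; fi

    # The installer is meant to be run as a regular user with sudo, not as root.
    if [ "$(id -u)" -eq 0 ]; then echo "user:   root (run the installer as a non-root user with sudo)"; rc=1
    else echo "user:   $(id -un) (ok)"; fi
    return $rc
}

if preflight; then echo "pre-flight passed"; else echo "pre-flight found blocking issues"; fi
```

Run it on the target host before the `env bash -c "$(curl ...)"` one-liner; a non-zero result from `preflight` means one of the hard requirements (architecture, RAM, disk, non-root user) is not met, while an untested distro is only reported as a warning.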
Highlighted Details
- Supports 20+ honeypots, including Cowrie (SSH/Telnet) and Dionaea (multi-protocol malware capture), alongside network security tools such as the Suricata IDS.
- Integrates Elastic Stack (Elasticsearch, Logstash, Kibana) for data visualization.
- Features live attack maps and tools like CyberChef and Spiderfoot.
- Offers distributed deployment capabilities with a Hive and Sensor architecture.
- Includes experimental support for LLM-based honeypots (Beelzebub, Galah) requiring Ollama.
Maintenance & Community
- Active community support via GitHub Issues and Discussions.
- Regular updates to Docker images and the core platform.
- Captured data is submitted by default to the community backend that feeds Sicherheitstacho; this is opt-out (remove the Ewsposter service from the compose file to stop it), while HPFEEDS submission is opt-in.
Licensing & Compatibility
- Mixed licensing: GPLv2, GPLv3, Apache 2.0, MIT, Elastic License, AGPL-3.0, Unlicense, and others.
- GPL and AGPL components may impose copyleft restrictions on derivative works.
Limitations & Caveats
- Apple Silicon (arm64) support has known issues, particularly with initial OS installation in VMs.
- macOS and Windows (via Docker Desktop) are supported for testing only; Docker Desktop's networking model does not suit an internet-exposed honeypot, so production deployments should run on Linux.
- Requires careful network configuration, especially for distributed deployments and certificate management.