T-Pot Attack Map Issues

[TheGrandMaster01]

Hello,

I'm having issues viewing the attack map in real time, I have events, but no data is being showed in the live map. (This is from the last 24hrs, the other day I run some tests and send more than 120k)

• What OS are you T-Pot running on? Debian GNU/Linux 12 (bookworm)

• What is the version of the OS lsb_release -a and uname -a? lsb_release -a:

uname -a: Linux debian 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64 GNU/Linux

• What T-Pot version are you currently using (only T-Pot 24.04.x is currently supported)? T-Pot 24.04

• What architecture are you running on (i.e. hardware, cloud, VM, etc.)? VirtualBox

• Review the ~/install_tpot.log, attach the log and highlight the errors. install_tpot.log

• How long has your installation been running? 2 Weeks

• Did you install upgrades, packages or use the update script? Only disabled some ports for the Honeys and disabled some honeys -- Conpot IEC104 service -- Dicompot service -- Dionaea service

• Did you modify any scripts or configs? If yes, please attach the changes. Blank

• Please provide a screenshot of htop and docker stats.

• How much free disk space is available (df -h)?

• What is the current container status (dps)?

• On Linux: What is the status of the T-Pot service (systemctl status tpot)?

• What ports are being occupied? Stop T-Pot systemctl stop tpot and run grc netstat -tulpen

  • Stop T-Pot systemctl stop tpot
  • Run grc netstat -tulpen
  • Run T-Pot manually with docker compose -f ~/tpotce/docker-compose.yml up and check for errors
  • Stop execution with CTRL-C and docker compose -f ~/tpotce/docker-compose.yml down -v

• If a single container shows as DOWN you can run docker logs <container-name> for the latest log entries

[t3chn0m4g3]

Based on the info provided the map is connected, typically the reason for this is events without geo_ip info which cannot be rendered.

[TheGrandMaster01]

In kibana I can see more than 100 unique Ips, and I search for them shodan, talos, censys, I see their geo info

[t3chn0m4g3]

Do you see geo_ip info for the IPs in question? If yes, run docker logs map_data to see if map_data receives it, but since I cannot reproduce (also using Debian 12) it is either browser related (clear cache), the site needs to be reloaded or the events have no geo_ip info. What about the T-Pot Live Attack in Kibana?

[TheGrandMaster01]

Alright, I tried earlier cache, Im trying again.

[TheGrandMaster01]

Alright, I tried earlier cache, Im trying again.

No changes

[t3chn0m4g3]

It seems that the geo_ip info for the src_ip is present, but map_data / map_web need the geo_ip info for both, the source and the destination to render the path. Check if the destination ip (your T-Pot) has geo_ip info in the geoip_ext field.

[TheGrandMaster01]

Where can I see that? My ip shows the location info

[t3chn0m4g3]

Go to Kibana / Discover and browse through the events.

[TheGrandMaster01]

Adding to this, no events show my ip

[t3chn0m4g3]

Run more $HOME/tpotce/data/tpotinit.log and look for # Updating IP Info ..., what is happening there?

[TheGrandMaster01]

[t3chn0m4g3]

T-Pot is unable to determine your external IP and that is the reason why map_web / map_data cannot display events. The script is part of the tpotinit container (docker exec -it tpotinit ash) and calls /opt/tpot/bin/myip.sh inside the container. Nothing I can really do about it, maybe some routing / NAT / settings at your end 🤷‍♂️.

[TheGrandMaster01]

And is there a way I set it up manually? Editing the script or writing it in the configuration?

[t3chn0m4g3]

You can adjust the script outside the container, it resides in docker/tpotinit/dist/bin, then you add a volume to the tpotservice in $HOME/tpotce/docker-compose.yml pointing to the adjusted script. At start tpotinint will now execute the adjusted script.

[TheGrandMaster01]

Thanks, I will be trying that

[TheGrandMaster01]

I tried to change it, but its not composing the changes, takes the old script

[t3chn0m4g3]

It seems you are not using the correct path for the script. You need to make sure the volume's destination matches exactly the path and filename of the script inside the container. At this point however there is nothing more that I can do. If you are unsure about docker volumes you can check out our Wiki, it holds some examples.