Closed TheGrandMaster01 closed 4 weeks ago
Based on the info provided the map is connected. Typically the reason for this is events without geo_ip info, which cannot be rendered.
In Kibana I can see more than 100 unique IPs, and when I search for them on Shodan, Talos, Censys, I see their geo info
Do you see geo_ip info for the IPs in question?
If yes, run docker logs map_data to see if map_data receives it, but since I cannot reproduce (also using Debian 12) it is either browser related (clear cache), the site needs to be reloaded or the events have no geo_ip info.
What about the T-Pot Live Attack in Kibana?
Alright, I tried earlier cache, I'm trying again.
No changes
It seems that the geo_ip info for the src_ip is present, but map_data / map_web need the geo_ip info for both the source and the destination to render the path. Check if the destination IP (your T-Pot) has geo_ip info in the geoip_ext field.
Where can I see that? My IP shows the location info
Go to Kibana / Discover and browse through the events.
Adding to this, no events show my IP
Run more $HOME/tpotce/data/tpotinit.log and look for # Updating IP Info ..., what is happening there?
T-Pot is unable to determine your external IP and that is the reason why map_web / map_data cannot display events.
The script is part of the tpotinit container (docker exec -it tpotinit ash) and calls /opt/tpot/bin/myip.sh inside the container.
Nothing I can really do about it, maybe some routing / NAT / settings at your end 🤷♂️.
And is there a way I set it up manually? Editing the script or writing it in the configuration?
You can adjust the script outside the container, it resides in docker/tpotinit/dist/bin, then you add a volume to the tpotservice in $HOME/tpotce/docker-compose.yml pointing to the adjusted script. At start tpotinit will now execute the adjusted script.
Thanks, I will be trying that
I tried to change it, but it's not composing the changes, it takes the old script
It seems you are not using the correct path for the script. You need to make sure the volume's destination matches exactly the path and filename of the script inside the container. At this point however there is nothing more that I can do. If you are unsure about docker volumes you can check out our Wiki, it holds some examples.
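The check discussed in this thread (geo info must be present for both the source and the destination), as an added example that is not part of the original thread or T-Pot's own code: it tallies events exported as JSON lines by which side lacks coordinates. The source field name geoip, the location.lat / location.lon layout, and the sample events are assumptions; only geoip_ext is named in the thread.

```python
import json
from collections import Counter

SRC_FIELD = "geoip"      # assumption: name of the source-side lookup field
DST_FIELD = "geoip_ext"  # destination-side field named in the thread

# Constructed sample events, one JSON document per line (not real T-Pot data).
SAMPLE_EVENTS = """\
{"type": "Cowrie", "src_ip": "198.51.100.7", "geoip": {"location": {"lat": 52.5, "lon": 13.4}}, "geoip_ext": {"location": {"lat": 48.1, "lon": 11.6}}}
{"type": "Cowrie", "src_ip": "203.0.113.9", "geoip": {"location": {"lat": 35.7, "lon": 139.7}}}
{"type": "Honeytrap", "src_ip": "203.0.113.40", "geoip": {"location": {"lat": 40.7, "lon": -74.0}}, "geoip_ext": {}}
{"type": "Suricata", "src_ip": "192.168.1.5", "geoip_ext": {"location": {"lat": 48.1, "lon": 11.6}}}
{"type": "Suricata", "src_ip": "10.0.0.8"}
{"type": "Cowrie", "src_ip": "198.51.100.
"""


def has_geo(event, field):
    """True when event[field].location carries both lat and lon."""
    geo = event.get(field)
    loc = geo.get("location") if isinstance(geo, dict) else None
    return isinstance(loc, dict) and loc.get("lat") is not None and loc.get("lon") is not None


def classify(event):
    """Name which side of the attack path lacks coordinates."""
    src, dst = has_geo(event, SRC_FIELD), has_geo(event, DST_FIELD)
    if src and dst:
        return "renderable"
    if src or dst:
        return "missing_destination" if src else "missing_source"
    return "missing_both"


def summarize(lines):
    """Tally classifications; malformed or non-object lines count as unparseable."""
    counts = Counter()
    for line in filter(str.strip, lines):  # skip blank lines
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        counts[classify(event) if isinstance(event, dict) else "unparseable"] += 1
    return counts


if __name__ == "__main__":
    for status, n in summarize(SAMPLE_EVENTS.splitlines()).most_common():
        print(f"{status:20} {n}")
```

A result dominated by missing_destination matches the situation in this thread, where the sensor's own external IP could not be determined.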
Hello,
I'm having issues viewing the attack map in real time. I have events, but no data is being shown in the live map. (This is from the last 24hrs, the other day I ran some tests and sent more than 120k)
What OS are you running T-Pot on? Debian GNU/Linux 12 (bookworm)
What is the version of the OS lsb_release -a and uname -a? lsb_release -a: uname -a: Linux debian 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64 GNU/Linux
What T-Pot version are you currently using (only T-Pot 24.04.x is currently supported)? T-Pot 24.04
What architecture are you running on (i.e. hardware, cloud, VM, etc.)? VirtualBox
Review the ~/install_tpot.log, attach the log and highlight the errors. install_tpot.log
How long has your installation been running? 2 Weeks
Did you install upgrades, packages or use the update script? Only disabled some ports for the Honeys and disabled some honeys -- Conpot IEC104 service -- Dicompot service -- Dionaea service
Did you modify any scripts or configs? If yes, please attach the changes. Blank
Please provide a screenshot of htop and docker stats.
How much free disk space is available (df -h)?
What is the current container status (dps)?
On Linux: What is the status of the T-Pot service (systemctl status tpot)?
What ports are being occupied? Stop T-Pot systemctl stop tpot and run grc netstat -tulpen
systemctl stop tpot
grc netstat -tulpen
docker compose -f ~/tpotce/docker-compose.yml up and check for errors
CTRL-C and docker compose -f ~/tpotce/docker-compose.yml down -v
If a single container shows as DOWN you can run docker logs <container-name> for the latest log entries