Skip to content

NXNJZ

Linux and Security

  • BLOG
  • Cowsay Fortune
  • Contact
  • Gitlab
  • Company Homepage

Deploying an Interactive SSH Honeypot on CentOS 7.

Posted on January 12, 2019 - November 23, 2019 by nxnjz

Updated CentOS 8 version: How to Set Up an Interactive SSH Honeypot on CentOS 8.

Introduction

A honeypot is a piece of software or a system that is designed to detect and monitor malicious activity, and deflect attackers from your actual production services and systems. This article will explain the deployment of an interactive SSH honeypot using Cowrie, a free and open-source solution. It can log brute force connection attempts and any commands executed by attackers. Additionally, it employs a fake, isolated filesystem for better interaction and deception. A CentOS 7 Server will be used for this tutorial. Or see the instructions for CentOS 8, Ubuntu 18.04, or Debian 9.

NOTE You can obtain a temporary root shell by running sudo -i or sudo su root or sudo /bin/bash if you only have access to a non-root user with sudo privileges.

Preparations

Step 1: Update your system:


yum upgrade -y

Step 2: Create a new user account


adduser cowrie

A new user will be created, which will be used to run cowrie.

Step 3: Install dependencies and required packages:

This can be done with the command:

yum install -y python-virtualenv git gcc

Step 4: Firewall Configuration

Cowrie will initially run on port 2222. We will temporarily enable external traffic to this port for testing purposes before using port forwarding (explained in later steps).


firewall-cmd --add-port 2222/tcp

Installation:

Step 5: Login as the ‘cowrie’ user.


su cowrie

Step 6: Download the cowrie repository.

Make sure your working directory is “/home/cowrie”

cd /home/cowrie

Cowrie’s code is hosted on github, and can be downloaded with the following command:

git clone http://github.com/cowrie/cowrie

This will download and create a directory ‘cowrie’.

Step 7: Create a python virtualenv.

Virtualenv is a python-based way of running software inside an isolated environment, somewhat similarly to containers.


cd /home/cowrie/cowrie
virtualenv --python=python2.7 cowrie-env

This will install any missing dependencies and create the required python virtual environment in which our honeypot will run.

Enter this environment with:

. cowrie-env/bin/activate

If successful, you should get a new terminal prompt starting with “(cowrie-env)”. Execute the following to upgrade python-pip and then install the requirements for the cowrie honeypot.


pip install --upgrade pip
pip install --upgrade -r requirements.txt

Once finished, exit the virtualenv with deactivate.

Step 8: Start the honeypot.

Execute this command:


bin/cowrie start

And exit back to your root shell:

exit

You can make sure that the honeypot is running by issuing:

ss -lntp | grep twistd

You should get:

LISTEN     0      50           *:2222 [...]

Step 9: Test the honeypot

You can test this SSH honeypot by connecting to your server via SSH, but on port 2222/tcp. You should be able to authenticate with the username “root” and any password. You’ll get access to a simulated shell environment in a fake filesystem.

Further Configuration

For a proper honeypot, some configuration changes need to be made. First, we will change the default real SSHD port from 22 to something else, then we will have the honeypot listen on port 22, since attackers mostly target the default SSHD port.

Begin by stopping the honeypot:


/home/cowrie/cowrie/bin/cowrie stop

Step 10: Changing ports.

First, we’ll change the default SSHD port. Port 2332 will be used as an example. You can choose any port number, but make sure it is unused by other services. You shouldn’t use the port on which he honeypot listens (2222)
In your root shell, issue the following command:
MAKE SURE you use the same port number in the two following commands to avoid losing SSH access.


echo "Port 2332" >> /etc/ssh/sshd_config

Then enable this new port in the firewall daemon:


firewall-cmd --add-port 2332/tcp --permanent
firewall-cmd --reload

And restart the SSH daemon service:

systemctl restart sshd.service

Then logout:

exit

Reconnect to your server via SSH on the newly configured port 2332. We will now configure the firewall daemon to listen for SSH connection attempts on the default SSH network port (22) and forward them to our honeypot.

firewall-cmd --add-masquerade --permanent
firewall-cmd --add-forward-port=port=22:proto=tcp:toport=2222 --permanent
firewall-cmd --reload

Once cowrie is started, any SSH connection attempt to the default port should now reach our honeypot and not the real SSH daemon.

Log in as the ‘cowrie’ user and launch the honeypot:


su cowrie
/home/cowrie/cowrie/bin/cowrie start

Step 10: Configuring allowed users.

While legitimate users and their passwords are stored in ‘/etc/passwd’ and ‘/etc/shadow’, fake SSH users are configured in ‘etc/userdb.txt’ in the cowrie environment. You can choose which users are allowed to connect to the fabricated SSH server, and their passwords.

The following format is used to define users and passwords:


[username]:x:[password]

Each user should be on a separate line (does not have to be a real existing user on your system), and you can define more than one password per user. If you prepend the ‘!’ character to a password, any authentication attempt with that password will be refused. If you insert the wildcard character ‘*’ instead of a password, any password will be accepted. For instance:


root:x:!toor
root:x:!admin
root:x:*
admin:x:admin

With the above configuration, the ‘root’ user will be allowed to authenticate with any password, except ‘toor’ and ‘admin’. The ‘admin’ user will only be allowed be login with ‘admin’ as password.

The default configuration is:


root:x:!root
root:x:!123456
root:x:!/honeypot/i
root:x:*
tomcat:x:*
oracle:x:*

To change the default, start by creating a file in ‘/home/cowrie/cowrie/etc/’ named ‘userdb.txt’:

touch /home/cowrie/cowrie/etc/userdb.txt

And using a text editor of your choice, populate this file according to your preferences. Restart cowrie for the changes to take effect:


/home/cowrie/cowrie/bin/cowrie stop
/home/cowrie/cowrie/bin/cowrie start

Conclusion

This article explained the deployment of an interactive SSH honeypot and its basic configuration. Connection attempts, shell activity and other details are logged to /home/cowrie/cowrie/var/log/cowrie. You may use a logging server to store and display honeypot logs instead, but that is beyond the scope of this article. The collected data from the honeypot can be used to populate IP blacklists, to identify potential attacks, and for cybersecurity research purposes.

Posted in Linux

Post navigation

Deploying an Interactive SSH Honeypot on Ubuntu 18.04.
Installing Ampache on Debian 9.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recent Posts

  • CVE-2021-42052 full disclosure
  • How to Set Up an Interactive SSH Honeypot on CentOS 8.
  • HackTheBox.eu Jarvis Writeup
  • How to setup a simple proxy server with tinyproxy (Debian 10 Buster)
  • How to Install qdPM 9.1 on Debian 10 LEMP

Tags

802.11 ampache apache aspx bash cd centos cms crm cve debian exploits fedora fulldisclosure hackthebox honeypot http httpd ifconfig iw iwconfig labs lfi linux mariadb memory monit music nginx pastebin php privatebin privesc project management proxy reconnoitre selinux shopt ssh systemd txpower ubuntu wallabag wireless xxe

Categories

  • BASH (1)
  • CTF/Labs (2)
  • CVE / full disclosure (1)
  • Information Gathering (1)
  • Linux (25)
  • Password Cracking (1)
  • Privilege Escalation (2)
  • SQL Injection (1)
  • Web-Shells (1)
  • Wifi (2)
  • XXE (1)

Recent Comments

  • Bernard Martiny on How to Install PrivateBin on Ubuntu 18.04 LTS
  • VuCSA on List of security labs/challenges/CTFs
  • Brian on How to Install PrivateBin on Fedora 29.
  • Tyreeb on Installing Ampache on CentOS 7.
  • Christian Mora on Installing Ampache on CentOS 7.