Updated CentOS 8 version: How to Set Up an Interactive SSH Honeypot on CentOS 8.
A honeypot is a piece of software or a system that is designed to detect and monitor malicious activity, and deflect attackers from your actual production services and systems. This article will explain the deployment of an interactive SSH honeypot using Cowrie, a free and open-source solution. It can log brute force connection attempts and any commands executed by attackers. Additionally, it employs a fake, isolated filesystem for better interaction and deception. A CentOS 7 Server will be used for this tutorial. Or see the instructions for CentOS 8, Ubuntu 18.04, or Debian 9.
NOTE You can obtain a temporary root shell by running
sudo -i or
sudo su root or
sudo /bin/bash if you only have access to a non-root user with
Step 1: Update your system:
yum upgrade -y
Step 2: Create a new user account
A new user will be created, which will be used to run cowrie.
Step 3: Install dependencies and required packages:
This can be done with the command:
yum install -y python-virtualenv git gcc
Step 4: Firewall Configuration
Cowrie will initially run on port 2222. We will temporarily enable external traffic to this port for testing purposes before using port forwarding (explained in later steps).
firewall-cmd --add-port 2222/tcp
Step 5: Login as the ‘cowrie’ user.
Step 6: Download the cowrie repository.
Make sure your working directory is “/home/cowrie”
Cowrie’s code is hosted on github, and can be downloaded with the following command:
git clone http://github.com/cowrie/cowrie
This will download and create a directory ‘cowrie’.
Step 7: Create a python virtualenv.
Virtualenv is a python-based way of running software inside an isolated environment, somewhat similarly to containers.
cd /home/cowrie/cowrie virtualenv --python=python2.7 cowrie-env
This will install any missing dependencies and create the required python virtual environment in which our honeypot will run.
Enter this environment with:
If successful, you should get a new terminal prompt starting with “(cowrie-env)”. Execute the following to upgrade python-pip and then install the requirements for the cowrie honeypot.
pip install --upgrade pip pip install --upgrade -r requirements.txt
Once finished, exit the virtualenv with
Step 8: Start the honeypot.
Execute this command:
And exit back to your root shell:
You can make sure that the honeypot is running by issuing:
ss -lntp | grep twistd
You should get:
LISTEN 0 50 *:2222 [...]
Step 9: Test the honeypot
You can test this SSH honeypot by connecting to your server via SSH, but on port 2222/tcp. You should be able to authenticate with the username “root” and any password. You’ll get access to a simulated shell environment in a fake filesystem.
For a proper honeypot, some configuration changes need to be made. First, we will change the default real SSHD port from 22 to something else, then we will have the honeypot listen on port 22, since attackers mostly target the default SSHD port.
Begin by stopping the honeypot:
Step 10: Changing ports.
First, we’ll change the default SSHD port. Port 2332 will be used as an example. You can choose any port number, but make sure it is unused by other services. You shouldn’t use the port on which he honeypot listens (2222)
In your root shell, issue the following command:
MAKE SURE you use the same port number in the two following commands to avoid losing SSH access.
echo "Port 2332" >> /etc/ssh/sshd_config
Then enable this new port in the firewall daemon:
firewall-cmd --add-port 2332/tcp --permanent firewall-cmd --reload
And restart the SSH daemon service:
systemctl restart sshd.service
Reconnect to your server via SSH on the newly configured port 2332. We will now configure the firewall daemon to listen for SSH connection attempts on the default SSH network port (22) and forward them to our honeypot.
firewall-cmd --add-masquerade --permanent firewall-cmd --add-forward-port=port=22:proto=tcp:toport=2222 --permanent firewall-cmd --reload
Once cowrie is started, any SSH connection attempt to the default port should now reach our honeypot and not the real SSH daemon.
Log in as the ‘cowrie’ user and launch the honeypot:
su cowrie /home/cowrie/cowrie/bin/cowrie start
Step 10: Configuring allowed users.
While legitimate users and their passwords are stored in ‘/etc/passwd’ and ‘/etc/shadow’, fake SSH users are configured in ‘etc/userdb.txt’ in the cowrie environment. You can choose which users are allowed to connect to the fabricated SSH server, and their passwords.
The following format is used to define users and passwords:
Each user should be on a separate line (does not have to be a real existing user on your system), and you can define more than one password per user. If you prepend the ‘!’ character to a password, any authentication attempt with that password will be refused. If you insert the wildcard character ‘*’ instead of a password, any password will be accepted. For instance:
root:x:!toor root:x:!admin root:x:* admin:x:admin
With the above configuration, the ‘root’ user will be allowed to authenticate with any password, except ‘toor’ and ‘admin’. The ‘admin’ user will only be allowed be login with ‘admin’ as password.
The default configuration is:
root:x:!root root:x:!123456 root:x:!/honeypot/i root:x:* tomcat:x:* oracle:x:*
To change the default, start by creating a file in ‘/home/cowrie/cowrie/etc/’ named ‘userdb.txt’:
And using a text editor of your choice, populate this file according to your preferences. Restart cowrie for the changes to take effect:
/home/cowrie/cowrie/bin/cowrie stop /home/cowrie/cowrie/bin/cowrie start
This article explained the deployment of an interactive SSH honeypot and its basic configuration. Connection attempts, shell activity and other details are logged to
/home/cowrie/cowrie/var/log/cowrie. You may use a logging server to store and display honeypot logs instead, but that is beyond the scope of this article. The collected data from the honeypot can be used to populate IP blacklists, to identify potential attacks, and for cybersecurity research purposes.