A honeypot is a piece of software or a system that is designed to detect and monitor malicious activity, and deflect attackers from your actual production services and systems. This article will explain the deployement of an interactive SSH honeypot using Cowrie, a free and open-source solution. It can log brute force connection attempts and any commands executed by attackers. Additionally, it employs a fake, isolated filesystem for better interaction and deception. A Debian 9 Server will be used for this tutorial. You can find instructions for Ubuntu 18.04 here, and CentOS 7 here.
Root privileges are obviously required.
NOTE You can obtain a temporary root shell by running
sudo -i or
sudo su root or
sudo /bin/bash if you only have access to a non-root user with
apt update apt upgrade -y
adduser --disabled-password cowrie
After running this command you will be prompted for the following information:
Full Name : Room Number : Work Phone : Home Phone : Other :
Leave the fields empty (press enter.)
This can be done with the command:
apt install -y python-virtualenv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind git
su - cowrie
Make sure your working directory is “/home/cowrie”
Cowrie’s code is hosted on github, and can be downloaded with the following command:
git clone http://github.com/cowrie/cowrie
This will download and create a directory ‘cowrie’.
Virtualenv is a python-based way of running software inside an isolated environment, somewhat similarly to containers.
cd /home/cowrie/cowrie virtualenv --python=python3 cowrie-env
This will install any missing dependencies and create the required python virtual environment in which the honeypot will run.
Enter this environment with:
If successful, you should get a new terminal prompt starting with “(cowrie-env)”. Execute the following to upgrade python-pip and then install the requirements for cowrie.
pip install --upgrade pip pip install --upgrade -r requirements.txt
Once finished, exit the virtualenv with
Execute this command:
And exit back to your root shell:
You can make sure that the honey port is running by issuing:
ss -lntp | grep twistd
You should get:
LISTEN 0 50 *:2222 [...]
You can test this SSH honeypot by connecting to your server via SSH, but on port 2222/tcp. You should be able to authenticate with the username “root” and any password. You’ll get access to a simulated shell environment in a fake filesystem.
For a proper honeypot, some configuration changes need to be made. First, we will change the default real SSHD port from 22 to something else, then we will have the honeypot listen on port 22, since attackers mostly target the default SSHD port.
Begin by stopping the honeypot:
First, we’ll change the default SSHD port. Port 2332 will be used as an example. You can choose any port number, but make sure it is unused by other services.
In your root shell, issue the following command:
echo "Port 2332" >> /etc/ssh/sshd_config
And restart the SSH daemon service:
systemctl restart sshd.service
Reconnect to your server via SSH but on the configured port 2332 instead. We will now configure the Cowrie honeypot to listen for SSH connection attempts on the default port number (22). Authbind will be used to allow Cowrie to bind to port 22 without giving it root privileges.
Create an empty file for port 22 in authbind:
Give the ‘cowrie’ user full ownership of that file:
chown cowrie:cowrie /etc/authbind/byport/22
Set the correct permissions:
chmod 770 /etc/authbind/byport/22
Using a text editor of your choice, open the file
/home/cowrie/cowrie/bin/cowrie. Change this line:
This will instruct our honeypot software to bind to network ports using authbind and not directly.
Switch to the ‘cowrie’ user:
su - cowrie
And create a configuration file in
This file will be used for our custom configuration changes. Open it in a text editor of your choice and enter the following line:
[ssh] listen_port = 22
Once cowrie is started, any SSH connection attempt should now reach our honeypot and not the real SSH daemon.
Make sure you are still logged in as the ‘cowrie’ user and launch the honeypot:
While legitimate users and their passwords are stored in ‘/etc/passwd’ and ‘/etc/shadow’, fake SSH users are configured in ‘etc/userdb.txt’ in the cowrie environment. You can choose which users are allowed to connect to the fabricated SSH server, and their passwords.
The following format is used to define users and passwords:
Each user should be on a seperate line (does not have to be a real existing user on your system), and you can define more than one password per user. If you prepend the ‘!’ character to a password, any authentication attempt with that password will be refused. If you insert the wildcard characted ‘*’ instead of a password, any password will be accepted. For instance:
root:x:!toor root:x:!admin root:x:* admin:x:admin
With the above configuration, the ‘root’ user will be allowed to authenticate with any password, except ‘toor’ and ‘admin’. The ‘admin’ user will only be allowed be login with ‘admin’ as password.
The default configuration is:
root:x:!root root:x:!123456 root:x:!/honeypot/i root:x:* tomcat:x:* oracle:x:*
To change the default, start by creating a file in ‘/home/cowrie/cowrie/etc/’ named ‘userdb.txt’:
And using a text editor of your choice, populate this file according to your preferences. Restart cowrie for the changes to take effect:
/home/cowrie/cowrie/bin/cowrie stop /home/cowrie/cowrie/bin/cowrie stop
This article explained the deployement of an interactive SSH honeyport and its basic configuration. Connection attempts, shell activity and other details are logged to
/home/cowrie/cowrie/var/log/cowrie. You may use a logging server to store and display honeypot logs instead, but that is beyond the scope of this article. The collected data from the honeypot can be used to populate IP blacklists, to identify potential attacks, and for cybersecurity research purposes.