Updated on November 26, 2019
Introduction
A honeypot is a piece of software or a system designed to detect and monitor malicious activity and to divert attackers away from your real production services. This article explains how to deploy an interactive SSH honeypot with Cowrie, a free and open-source solution. Cowrie logs brute-force login attempts and every command an attacker executes, and it presents a fake, isolated filesystem so that the attacker has something to interact with.
An Ubuntu 18.04 server is used for this tutorial. You can find instructions for Debian 9 here, and CentOS 8 here.
Preparations
Step 1: Update your system
apt update
apt upgrade -y
Step 2: Create a new user account for Cowrie
adduser --disabled-password cowrie
Step 3: Install dependencies and required packages:
apt install -y iptables iptables-persistent linux-libc-dev make virtualenv python-virtualenv libfakeroot libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind git
You will be prompted to choose whether current iptables rules should be saved. Select Yes.
Installing Cowrie
Step 4: Login as the cowrie user
su - cowrie
Step 5: Download the cowrie repository
Make sure your current working directory is /home/cowrie
cd /home/cowrie
Cowrie’s code is hosted on github, download it with:
git clone https://github.com/cowrie/cowrie
Step 6: Create a python virtualenv
A Python virtual environment provides a stable and isolated environment for Cowrie’s Python dependencies. Change into the cloned directory and create a Python virtual environment:
cd cowrie/
virtualenv --python=/usr/bin/python3 cowrie-env
Activate it with:
. cowrie-env/bin/activate
Install the required Python libraries:
pip install --upgrade -r requirements.txt
Once finished, exit the virtualenv with deactivate.
Step 7: Start and test the honeypot
To do so, run:
bin/cowrie start
You can test the SSH honeypot by connecting to your server with an SSH client on port 2222/tcp. You should be able to authenticate as “root” with (almost) any password: the default user database rejects a few obvious ones such as “root” and “123456” and accepts the rest (see Honeypot User Accounts below). Once you are satisfied, stop Cowrie:
bin/cowrie stop
Step 8: Systemd service
While still logged in as cowrie, open bin/cowrie in your text editor:
cd /home/cowrie/cowrie/
vim bin/cowrie
Find the following line:
DAEMONIZE=""
And change it to (the -n flag keeps the twistd process in the foreground, which is what a Type=simple systemd unit needs in order to supervise it):
DAEMONIZE="-n"
Save your changes and then exit back to your root shell:
exit
Create a new Systemd unit file with your text editor:
vim /etc/systemd/system/cowrie-honeypot.service
Enter the following:
[Unit]
Description=Interactive SSH Honeypot
Wants=network.target

[Service]
Type=simple
User=cowrie
Group=cowrie
ExecStart=/home/cowrie/cowrie/bin/cowrie start
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
Save and exit, then start the service:
systemctl daemon-reload
systemctl start cowrie-honeypot.service
You can check if it is running with:
systemctl status cowrie-honeypot.service
If you want the honeypot to start automatically after boot, execute:
systemctl enable cowrie-honeypot.service
Further Configuration
Using default SSH port for the honeypot
You are much more likely to get connection attempts if the honeypot listens on the default SSH port, 22. But first, change the port number used by the real SSH server. Port 2332 is used as an example, but you can use any port as long as it is not being used by other services.
As root, configure the OpenSSH daemon to use port 2332:
echo "Port 2332" >> /etc/ssh/sshd_config
This works with the stock sshd_config, whose only Port line is commented out; if your file ends with an active Match block, put the Port line above it instead, because a Port directive inside a Match block is invalid. Before restarting, keep your current session open, check the configuration with sshd -t, and make sure port 2332 is allowed through any firewall or cloud security group in front of the server, otherwise you will lock yourself out. Then restart the SSH daemon:
systemctl restart sshd.service
Then logout:
exit
Reconnect to your server via SSH but on port 2332 instead.
To enable IP forwarding, edit /etc/sysctl.conf:
vim /etc/sysctl.conf
Find and uncomment the following line:
#net.ipv4.ip_forward=1
Reload the settings with sysctl -p so the change takes effect without a reboot. Strictly speaking, the REDIRECT rule below hands the packets to the local host and works without forwarding; the setting only becomes necessary if you later DNAT port 22 to a honeypot running on another machine.
Create an iptables rule that redirects incoming connections on port 22 to port 2222, where Cowrie is listening:
iptables -A PREROUTING -t nat -p tcp --dport 22 -j REDIRECT --to-port 2222
Save it so it persists after reboots:
iptables-save > /etc/iptables/rules.v4
Honeypot User Accounts
While the system's real users and their passwords live in /etc/passwd and /etc/shadow, the honeypot's fake SSH users are configured in etc/userdb.txt inside the Cowrie directory (/home/cowrie/cowrie/etc/userdb.txt). There you choose which usernames may log in to the honeypot and with which passwords.
The following format is used to define users and passwords:
[username]:x:[password]
Each user goes on a separate line (it does not have to be a real user on your system), and a user may have several lines with different passwords. Cowrie reads the file top to bottom and the first line that matches both the username and the password decides the outcome. Prepending the ‘!’ character to a password refuses any authentication attempt with that password; the wildcard character ‘*’ in place of a password accepts any password. Because the first match wins, deny lines must be listed before a ‘*’ line for the same user, otherwise the wildcard accepts the password first. A password written as /pattern/ is treated as a regular expression matched against the attempt (a trailing i makes it case-insensitive). For instance:
root:x:!toor
root:x:!admin
root:x:*
admin:x:admin
With the above configuration, the ‘root’ user is allowed to authenticate with any password except ‘toor’ and ‘admin’, and the ‘admin’ user can only log in with the password ‘admin’.
The default configuration is:
root:x:!root
root:x:!123456
root:x:!/honeypot/i
root:x:*
tomcat:x:*
oracle:x:*
To change the defaults, create a file named userdb.txt in /home/cowrie/cowrie/etc/ (Cowrie ships a template next to it as etc/userdb.example, which you can copy as a starting point):
vim /home/cowrie/cowrie/etc/userdb.txt
Populate it and then give ownership to the cowrie user, since you created it as root:
chown cowrie:cowrie /home/cowrie/cowrie/etc/userdb.txt
Restart Cowrie to apply the changes:
systemctl restart cowrie-honeypot.service
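Before restarting Cowrie with a hand-edited user database it pays to check which credentials it will actually accept, because an ordering mistake silently turns a deny line into dead weight. The script below is an added example, not Cowrie's own authentication code: it re-implements the userdb.txt semantics described above (first matching line wins, ‘!’ denies, ‘*’ accepts anything, /pattern/i is a case-insensitive regular expression) against a constructed copy of the default file and against a constructed misordered file, and it flags deny lines that a wildcard for the same user shadows. The regular-expression handling is this example's approximation of Cowrie's behaviour.

```python
import re

# Constructed copy of the default user database (etc/userdb.txt).
DEFAULT_USERDB = """\
root:x:!root
root:x:!123456
root:x:!/honeypot/i
root:x:*
tomcat:x:*
oracle:x:*
"""

# Constructed misordered file: the wildcard precedes the deny line,
# so the deny line can never be reached.
MISORDERED_USERDB = """\
root:x:*
root:x:!toor
"""


def parse_userdb(text):
    """Return [(username, password_rule), ...] in file order, skipping
    comments and malformed lines. The middle field is ignored, as in
    /etc/passwd."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)  # the password itself may contain ':'
        if len(parts) != 3:
            continue
        rules.append((parts[0], parts[2]))
    return rules


def _password_matches(rule, candidate):
    """'*' matches anything, '/pat/' (optional trailing i) is a regex
    search, anything else is compared literally."""
    if rule == "*":
        return True
    m = re.fullmatch(r"/(.*)/(i?)", rule)
    if m:
        flags = re.IGNORECASE if m.group(2) else 0
        return re.search(m.group(1), candidate, flags) is not None
    return rule == candidate


def check_login(rules, username, password):
    """The first line whose username and password both match decides:
    '!' lines deny, all other lines allow. No match at all denies."""
    for user, rule in rules:
        if user != username:
            continue
        deny = rule.startswith("!")
        if _password_matches(rule[1:] if deny else rule, password):
            return not deny
    return False


def shadowed_denies(rules):
    """Deny lines preceded by a wildcard for the same user, i.e. lines that
    can never fire. Run this before deploying an edited userdb.txt."""
    wildcard_seen = set()
    shadowed = []
    for user, rule in rules:
        if rule.startswith("!") and user in wildcard_seen:
            shadowed.append((user, rule))
        elif rule == "*":
            wildcard_seen.add(user)
    return shadowed


if __name__ == "__main__":
    rules = parse_userdb(DEFAULT_USERDB)
    for user, pw in [("root", "root"), ("root", "MyHoneyPot1"),
                     ("root", "hunter2"), ("tomcat", "x"), ("admin", "admin")]:
        verdict = "accept" if check_login(rules, user, pw) else "reject"
        print(f"{user}:{pw} -> {verdict}")
    # Point this at /home/cowrie/cowrie/etc/userdb.txt to audit a real file.
    print("shadowed deny lines:", shadowed_denies(parse_userdb(MISORDERED_USERDB)))
```

Rejecting a handful of obvious passwords on purpose is what makes the honeypot look a little more real: a brute-forcer that succeeds on its very first guess is a tell, and the /honeypot/i regex stops an attacker from confirming their suspicion by typing the word into the password field.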
I am using this website to do my senior project but am stuck on opening the honeypot after running systemctl daemon-reload.