
How to Set Up an Interactive SSH Honeypot on CentOS 8.

Posted on November 22, 2019 - November 23, 2019 by nxnjz

Introduction

A honeypot is a piece of software or a system that is designed to detect and monitor malicious activity, and deflect attackers from your actual production services and systems. This article will explain the deployment of an interactive SSH honeypot using Cowrie, a free and open-source SSH honeypot. It can log brute force connection attempts and any commands executed by attackers. Additionally, it employs a ‘fake’, isolated filesystem for better interaction and deception. A CentOS 8 machine is used for this guide.

Requirements

  • A CentOS 8 system.
  • Access to the root user or any user with sudo privileges.

NOTE: This guide assumes SELinux is set to either permissive or disabled.

If using a sudo user, use a root shell for the duration of this setup:

sudo -s

Step 1: Pre-Installation Steps

Update your system and install the software packages which are required for this setup:

dnf update -y
dnf install -y python3 python3-virtualenv python3-pip git firewalld

Create a cowrie user account:

useradd cowrie

Ensure the firewall daemon is enabled and running:

systemctl enable --now firewalld.service

Temporarily allow traffic to port 2222. This port will be initially used to access the honeypot.

firewall-cmd --add-port 2222/tcp

Step 2: Installing Cowrie SSH Honeypot

Switch to the cowrie user:

su - cowrie

Clone the Cowrie Github repository:

git clone https://github.com/cowrie/cowrie.git

A Python virtual environment provides a stable and isolated environment where we can have the specific Python modules and their versions that are required by the honeypot. Change into the cowrie directory then initialize a Python virtual env:

cd cowrie
virtualenv-3 --python=/usr/bin/python3 cowrie-venv

Enter it:

. cowrie-venv/bin/activate

Install the required Python modules:

pip3 install -r requirements.txt

Step 3: Initial Testing

At this point you should be able to run the honeypot and test things out before proceeding.

Start Cowrie:

bin/cowrie start

[Screenshot: output of bin/cowrie start, showing the honeypot starting and its listening port]

From your local machine, try logging into the honeypot as root. Enter any random password but not toor, 123456, or anything containing honeypot.

ssh root@ip_address -p 2222

[Screenshot: SSH session to the honeypot on port 2222, authenticating as root and running commands]

As you can see, we are able to authenticate and run commands as if this were a normal SSH session. Once you’re satisfied with testing, log out of the honeypot and stop Cowrie:

bin/cowrie stop

Now let’s make things more permanent.

Step 4: Creating a Systemd Service

Using a Systemd service to manage the honeypot is recommended for a few reasons:

  • Start, stop and check the status of the honeypot with single commands.
  • Restart the honeypot automatically on boot and on failure.
  • Consistency with other system services.

While still logged in as cowrie , open bin/cowrie with your text editor:

cd /home/cowrie/cowrie/
vim bin/cowrie

Find the following lines:

#COWRIE_VIRTUAL_ENV=my-env
DAEMONIZE=""

And change them to the following (don’t forget to remove the ‘#’):

COWRIE_VIRTUAL_ENV=cowrie-venv
DAEMONIZE="-n"

Save your changes and then exit back to your root shell:

exit

Create a new Systemd unit file with your text editor:

vim /etc/systemd/system/cowrie-honeypot.service

Enter the following:

[Unit]
Description=Interactive SSH Honeypot
Wants=network.target
[Service]
Type=simple
User=cowrie
Group=cowrie
ExecStart=/home/cowrie/cowrie/bin/cowrie start
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target

Save and exit, then start the service:

systemctl daemon-reload
systemctl start cowrie-honeypot.service

You can check if it is running with:

systemctl status cowrie-honeypot.service

If you want the honeypot to start automatically after boot, execute:

systemctl enable cowrie-honeypot.service

Step 5: Using TCP port 22 for the honeypot

Your honeypot will receive significantly more connections if it uses port 22, the default SSH port. Since Cowrie listens on port 2222 by default, you can forward incoming connections on port 22 to port 2222. But first, move the real SSH server to a different port and configure the firewall accordingly.

Allow traffic to port 222:

firewall-cmd --add-port 222/tcp --permanent
firewall-cmd --reload

Make sure this change took effect. The following command should output 222/tcp:

firewall-cmd --list-ports

Open the OpenSSH daemon configuration file:

vim /etc/ssh/sshd_config

Find the line:

#Port 22

Change it to:

Port 222

Save the change and restart the SSH server:

systemctl restart sshd.service

Check and make sure that it is now listening on port 222:

ss -lntp

[Screenshot: ss -lntp output showing sshd now listening on port 222]

Exit your SSH session and reconnect to port 222 instead. If not logged in as root, start a root shell:

sudo -s

Remove the SSH service (which allows traffic to port 22/tcp) from firewalld as it is now running on a different port:

firewall-cmd --remove-service ssh --permanent
firewall-cmd --reload

Enable IP masquerading and add a rule to forward traffic on port 22 to port 2222:

firewall-cmd --add-masquerade --permanent
firewall-cmd --add-forward-port=port=22:proto=tcp:toport=2222 --permanent
firewall-cmd --reload

That’s it. The honeypot is now accessible on the default SSH port.

Step 6: Configuring SSH Honeypot Users

While legitimate users and their passwords are stored in /etc/passwd and /etc/shadow, fake SSH users are configured in etc/userdb.txt in the cowrie directory. You can easily configure allowed/disallowed user/password combinations by adding entries to that file.

The following format is used:

[username]:x:[password]

  • Any username not explicitly listed will not be able to authenticate.
  • You can use arbitrary usernames; they do not have to be real user accounts on your system.
  • You can have more than one rule per username.
  • Prepend the ‘!’ character to a password to explicitly blacklist it.
  • Use the ‘*’ character as a password to allow all passwords.
  • Use /BRE/ syntax to match passwords based on regular expressions.

Consider the following example:

root:x:!toor
root:x:!/admin/
root:x:*
admin:x:admin

With the above entries, the root user will be allowed to authenticate with any password, except toor and any password containing admin. The admin user will only be allowed to log in with the password admin.

The default is as follows:

root:x:!root
root:x:!123456
root:x:!/honeypot/i
root:x:*
tomcat:x:*
oracle:x:*

To change the default, start by creating a file in /home/cowrie/cowrie/etc/ named userdb.txt:

vim /home/cowrie/cowrie/etc/userdb.txt

Populate this file according to your needs, then give ownership to the cowrie user and group:

chown cowrie:cowrie /home/cowrie/cowrie/etc/userdb.txt

Honeypot Logs

Connection attempts, shell activity and other details are logged to /home/cowrie/cowrie/var/log/cowrie. You may use a logging server to store and display honeypot logs instead, but that is beyond the scope of this article. The collected data from the honeypot can be used to populate IP blacklists, to monitor threats, and for research purposes.

More Info

  • Cowrie on Github
  • Honeypot (computing) on Wikipedia

Deploying an Interactive SSH Honeypot on Debian 9.

Posted on January 12, 2019 - February 6, 2019 by nxnjz

Introduction

A honeypot is a piece of software or a system that is designed to detect and monitor malicious activity, and deflect attackers from your actual production services and systems. This article will explain the deployment of an interactive SSH honeypot using Cowrie, a free and open-source solution. It can log brute force connection attempts and any commands executed by attackers. Additionally, it employs a fake, isolated filesystem for better interaction and deception. A Debian 9 Server will be used for this tutorial. You can find instructions for Ubuntu 18.04 here, and CentOS 7 here.

Root privileges are obviously required.

NOTE: You can obtain a temporary root shell by running sudo -i or sudo su root or sudo /bin/bash if you only have access to a non-root user with sudo privileges.

Preparations

Step 1: Update your system:


apt update
apt upgrade -y

Step 2: Create a new user account


adduser --disabled-password cowrie

After running this command you will be prompted for the following information:


Full Name []: 
Room Number []: 
Work Phone []: 
Home Phone []: 
Other []: 

Leave the fields empty (press Enter for each one).

Step 3: Install dependencies and required packages:

This can be done with the command:


apt install -y python-virtualenv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind git

Installation:

Step 4: Login as the ‘cowrie’ user.


su - cowrie

Step 5: Download the cowrie repository.

Make sure your working directory is “/home/cowrie”


cd /home/cowrie

Cowrie’s code is hosted on github, and can be downloaded with the following command:

git clone http://github.com/cowrie/cowrie

This will download and create a directory ‘cowrie’.

Step 6: Create a python virtualenv.

Virtualenv is a python-based way of running software inside an isolated environment, somewhat similarly to containers.


cd /home/cowrie/cowrie
virtualenv --python=python3 cowrie-env

This will install any missing dependencies and create the required python virtual environment in which the honeypot will run.

Enter this environment with:


. cowrie-env/bin/activate

If successful, you should get a new terminal prompt starting with “(cowrie-env)”. Execute the following to upgrade python-pip and then install the requirements for cowrie.


pip install --upgrade pip
pip install --upgrade -r requirements.txt

Once finished, exit the virtualenv with deactivate.

Step 7: Start the honeypot.

Execute this command:


bin/cowrie start 

And exit back to your root shell:


exit

You can make sure that the honeypot is running by issuing:


ss -lntp | grep twistd

You should get:

LISTEN     0      50           *:2222 [...]

Step 8: Test the honeypot

You can test this SSH honeypot by connecting to your server via SSH, but on port 2222/tcp. You should be able to authenticate with the username “root” and any password. You’ll get access to a simulated shell environment in a fake filesystem.

Further Configuration

For a proper honeypot, some configuration changes need to be made. First, we will change the default real SSHD port from 22 to something else, then we will have the honeypot listen on port 22, since attackers mostly target the default SSHD port.

Begin by stopping the honeypot:


/home/cowrie/cowrie/bin/cowrie stop

Step 9: Changing ports.

First, we’ll change the default SSHD port. Port 2332 will be used as an example. You can choose any port number, but make sure it is unused by other services.
In your root shell, issue the following command:


echo "Port 2332" >> /etc/ssh/sshd_config

And restart the SSH daemon service:


systemctl restart sshd.service

Then logout:


exit

Reconnect to your server via SSH but on the configured port 2332 instead. We will now configure the Cowrie honeypot to listen for SSH connection attempts on the default port number (22). Authbind will be used to allow Cowrie to bind to port 22 without giving it root privileges.

Create an empty file for port 22 in authbind:


touch /etc/authbind/byport/22

Give the ‘cowrie’ user full ownership of that file:


chown cowrie:cowrie /etc/authbind/byport/22

Set the correct permissions:


chmod 770 /etc/authbind/byport/22

Using a text editor of your choice, open the file /home/cowrie/cowrie/bin/cowrie. Change this line:


AUTHBIND_ENABLED=no

To:


AUTHBIND_ENABLED=yes

This will instruct our honeypot software to bind to network ports using authbind and not directly.

Switch to the ‘cowrie’ user:


su - cowrie

And create a configuration file in /home/cowrie/cowrie/etc/ named cowrie.cfg:


touch /home/cowrie/cowrie/etc/cowrie.cfg

This file will be used for our custom configuration changes. Open it in a text editor of your choice and enter the following line:


[ssh]
listen_port = 22

Once cowrie is started, any SSH connection attempt should now reach our honeypot and not the real SSH daemon.

Make sure you are still logged in as the ‘cowrie’ user and launch the honeypot:


/home/cowrie/cowrie/bin/cowrie start

Step 10: Configuring allowed users.

While legitimate users and their passwords are stored in ‘/etc/passwd’ and ‘/etc/shadow’, fake SSH users are configured in ‘etc/userdb.txt’ in the cowrie environment. You can choose which users are allowed to connect to the fabricated SSH server, and their passwords.

The following format is used to define users and passwords:


[username]:x:[password]

Each user should be on a separate line (it does not have to be a real existing user on your system), and you can define more than one password per user. If you prepend the ‘!’ character to a password, any authentication attempt with that password will be refused. If you insert the wildcard character ‘*’ instead of a password, any password will be accepted. For instance:


root:x:!toor
root:x:!admin
root:x:*
admin:x:admin

With the above configuration, the ‘root’ user will be allowed to authenticate with any password, except ‘toor’ and ‘admin’. The ‘admin’ user will only be allowed to log in with ‘admin’ as password.

The default configuration is:


root:x:!root
root:x:!123456
root:x:!/honeypot/i
root:x:*
tomcat:x:*
oracle:x:*
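As an added illustration, not code from either post or from the Cowrie project, the following Python script re-implements the userdb.txt matching rules as the two posts describe them, including the /BRE/ and /BRE/i regular-expression form explained in the CentOS 8 post, and evaluates both the example file and the default file above against a few constructed login attempts. It is a simplified stand-in for Cowrie's own matcher (the expression between the slashes is handled with Python's re module here), and the names parse_userdb, check_login and evaluate are this example's own. Rules are evaluated top to bottom and the first entry matching both username and password decides, which is why the ‘!’ entries must appear before the ‘*’ entry.

```python
import re
from typing import List, Pattern, Tuple, Union

# One parsed entry: (username, password matcher, allow?). The matcher is a
# literal string, "*" for any password, or a compiled regex for /BRE/ entries.
Rule = Tuple[str, Union[str, Pattern], bool]

# The example file from the posts above (constructed copy, not read from disk).
EXAMPLE_USERDB = """\
root:x:!toor
root:x:!/admin/
root:x:*
admin:x:admin
"""

# The default file from the posts above (constructed copy).
DEFAULT_USERDB = """\
root:x:!root
root:x:!123456
root:x:!/honeypot/i
root:x:*
tomcat:x:*
oracle:x:*
"""


def parse_userdb(text: str) -> List[Rule]:
    """Parse userdb.txt-style lines of the form username:x:password."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        username, _uid, password = line.split(":", 2)
        allow = True
        if password.startswith("!"):            # "!" prefix blacklists the password
            allow = False
            password = password[1:]
        matcher: Union[str, Pattern]
        if len(password) > 3 and password.startswith("/") and password.endswith("/i"):
            matcher = re.compile(password[1:-2], re.IGNORECASE)   # /BRE/i, case-insensitive
        elif len(password) > 2 and password.startswith("/") and password.endswith("/"):
            matcher = re.compile(password[1:-1])                  # /BRE/
        else:
            matcher = password                                    # literal password or "*"
        rules.append((username, matcher, allow))
    return rules


def check_login(rules: List[Rule], username: str, password: str) -> bool:
    """First rule matching both username and password decides; no match denies."""
    for rule_user, matcher, allow in rules:
        if rule_user != username:
            continue
        if isinstance(matcher, str):
            matched = matcher == "*" or matcher == password
        else:
            matched = matcher.search(password) is not None   # "contains" semantics
        if matched:
            return allow
    return False


def evaluate(userdb_text: str, attempts):
    """Map each (username, password) attempt to the honeypot's accept/deny decision."""
    rules = parse_userdb(userdb_text)
    return {(u, p): check_login(rules, u, p) for u, p in attempts}


if __name__ == "__main__":
    attempts = [("root", "toor"), ("root", "myadminpw"), ("root", "hunter2"),
                ("admin", "admin"), ("admin", "guess"), ("tomcat", "tomcat")]
    for (user, pw), ok in evaluate(EXAMPLE_USERDB, attempts).items():
        print(f"example file: {user}/{pw} -> {'accept' if ok else 'deny'}")
    for (user, pw), ok in evaluate(DEFAULT_USERDB, [("root", "MyHONEYPOTpw"), ("root", "123456")]).items():
        print(f"default file: {user}/{pw} -> {'accept' if ok else 'deny'}")
```

Running the script with the example file accepts root/hunter2 and admin/admin, denies root/toor and root/myadminpw (the regex matches anywhere in the password), and denies tomcat entirely because no rule lists that username; with the default file, root/MyHONEYPOTpw is denied by the case-insensitive /honeypot/i rule.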

To change the default, start by creating a file in ‘/home/cowrie/cowrie/etc/’ named ‘userdb.txt’:


touch /home/cowrie/cowrie/etc/userdb.txt

And using a text editor of your choice, populate this file according to your preferences. Restart cowrie for the changes to take effect:


/home/cowrie/cowrie/bin/cowrie stop
/home/cowrie/cowrie/bin/cowrie start

Conclusion

This article explained the deployment of an interactive SSH honeypot and its basic configuration. Connection attempts, shell activity and other details are logged to /home/cowrie/cowrie/var/log/cowrie. You may use a logging server to store and display honeypot logs instead, but that is beyond the scope of this article. The collected data from the honeypot can be used to populate IP blacklists, to identify potential attacks, and for cybersecurity research purposes.
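To show what can be done with the collected data mentioned in the CentOS 8 post's "Honeypot Logs" section and in this conclusion, here is an added Python example that is not from either post or from the Cowrie project. It assumes Cowrie's default JSON log output (cowrie.json under var/log/cowrie, one JSON object per line with eventid, src_ip, session, username, password and input fields); check those field names against your own log file before relying on them. The log lines embedded in the script are constructed, using documentation IP ranges rather than captured traffic, and the function names summarize, blocklist_candidates and report are this example's own.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of Cowrie's JSON log (cowrie.json), one event per line.
# Field names follow Cowrie's JSON output as assumed in the lead-in; the IPs are
# documentation addresses and the last line is deliberately malformed.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.10", "session": "a1", "timestamp": "2019-11-22T10:00:00.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "session": "a1", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "session": "a1", "username": "root", "password": "toor"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.10", "session": "a1", "username": "root", "password": "Passw0rd"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.10", "session": "a1", "input": "uname -a"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.10", "session": "a1", "input": "cat /proc/cpuinfo"}
{"eventid": "cowrie.session.closed", "src_ip": "203.0.113.10", "session": "a1"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "session": "b2", "timestamp": "2019-11-22T10:05:00.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "session": "b2", "username": "admin", "password": "admin"}
{"eventid": "cowrie.login.success", "src_ip": "198.51.100.7", "session": "b2", "username": "tomcat", "password": "tomcat"}
{"eventid": "cowrie.session.closed", "src_ip": "198.51.100.7", "session": "b2"}
this line is not JSON and must be skipped rather than crash the report
"""


def summarize(lines):
    """Aggregate login attempts, tried credentials and commands from JSON log lines."""
    summary = {
        "attempts_by_ip": Counter(),            # failed + successful logins per source IP
        "credentials": Counter(),               # (username, password) pairs tried
        "successful_logins": 0,
        "commands_by_session": defaultdict(list),
        "malformed": 0,                         # lines that were not valid JSON
    }
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            summary["malformed"] += 1
            continue
        eventid = event.get("eventid", "")
        src_ip = event.get("src_ip", "unknown")
        if eventid in ("cowrie.login.failed", "cowrie.login.success"):
            summary["attempts_by_ip"][src_ip] += 1
            summary["credentials"][(event.get("username"), event.get("password"))] += 1
            if eventid == "cowrie.login.success":
                summary["successful_logins"] += 1
        elif eventid == "cowrie.command.input":
            summary["commands_by_session"][event.get("session")].append(event.get("input", ""))
    return summary


def blocklist_candidates(summary, min_attempts):
    """Source IPs with at least min_attempts login attempts, e.g. to feed an IP blacklist."""
    return sorted(ip for ip, n in summary["attempts_by_ip"].items() if n >= min_attempts)


def report(summary):
    """Render the summary as plain text."""
    lines = [f"successful logins: {summary['successful_logins']}",
             f"malformed lines skipped: {summary['malformed']}"]
    for ip, n in summary["attempts_by_ip"].most_common():
        lines.append(f"{ip}: {n} login attempts")
    for (user, pw), n in summary["credentials"].most_common(3):
        lines.append(f"credential {user}:{pw} tried {n} time(s)")
    for session, cmds in summary["commands_by_session"].items():
        lines.append(f"session {session} ran: {'; '.join(cmds)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real deployment, replace the constructed sample with
    # open("/home/cowrie/cowrie/var/log/cowrie/cowrie.json").
    result = summarize(SAMPLE_LOG.splitlines())
    print(report(result))
    print("blocklist candidates (3+ attempts):", blocklist_candidates(result, 3))
```

The script tolerates non-JSON lines, which matters because log rotation or a partially written last line can otherwise break a nightly report; the threshold passed to blocklist_candidates is where you decide how aggressive a blacklist should be.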

