Cowrie is the new fork of the Kippo honeypot. It has been updated with new features and provides emulation that records the session of an attacker. With this session recording you are able to get a better understanding of the attacker's tools, tactics and procedures (TTPs), a term that is increasingly used in cyber defence and incident response.
Our setup will be very close to a default installation of Cowrie. The host's SSH daemon will run on a high port (22222), Cowrie will run on 2222, and port 22 (default SSH) will be redirected to 2222 using iptables. So an SSH bot or attacker connecting to port 22 is redirected to our honeypot on 2222. Confused? Take a look at the diagram.
Diagram: Cowrie Honeypot Layout
A warning before we proceed. Honeypots are designed to allow access to a system by an attacker. This could result in compromise of the host if the honeypot has vulnerabilities or is mis-configured. Understand what you are doing and be very careful if running a honeypot anywhere near production kit.
Change Default SSH Port
Before installing Cowrie and its dependencies, let's move SSH to port 22222 by editing the Port directive in sshd_config.
root@cowrie:~# vi /etc/ssh/sshd_config
# What ports, IPs and protocols we listen for
Port 22222
root@cowrie1:~# systemctl restart ssh
root@cowrie1:~# systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2018-03-19 23:21:05 UTC; 5s ago
Main PID: 9242 (sshd)
└─9242 /usr/sbin/sshd -D
Mar 19 23:21:05 cowrie1 systemd: Stopped OpenBSD Secure Shell server.
Mar 19 23:21:05 cowrie1 systemd: Starting OpenBSD Secure Shell server…
Mar 19 23:21:05 cowrie1 sshd: Server listening on 0.0.0.0 port 22222.
Mar 19 23:21:05 cowrie1 sshd: Server listening on :: port 22222.
Mar 19 23:21:05 cowrie1 systemd: Started OpenBSD Secure Shell server.
We can see SSH is now listening on port 22222 from both the systemctl status and the netstat output.
Installation of Cowrie Honeypot on Ubuntu
Firstly we will run apt update as we are on a brand new Digital Ocean VPS. Then we will install the dependencies and create a cowrie user; running a honeypot as root would be a bad idea.
root@cowrie:~# apt update
root@cowrie:~# apt-get install git python-virtualenv libssl-dev libffi-dev build-essential libpython-dev python2.7-minimal authbind
root@cowrie:~# adduser --disabled-password cowrie
Adding user `cowrie' ...
Adding new group `cowrie' (1000) ...
Adding new user `cowrie' (1000) with group `cowrie' ...
Creating home directory `/home/cowrie' ...
Copying files from `/etc/skel' ...
Changing the user information for cowrie
Enter the new value, or press ENTER for the default
Full Name :
Room Number :
Work Phone :
Home Phone :
Is the information correct? [Y/n] Y
root@cowrie1:~# su - cowrie
Ok, now let's grab the code for Cowrie using git.
cowrie@cowrie1:~$ git clone http://github.com/micheloosterhof/cowrie
Cloning into 'cowrie'...
remote: Counting objects: 9340, done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 9340 (delta 3), reused 2 (delta 0), pack-reused 9330
Receiving objects: 100% (9340/9340), 7.43 MiB | 2.32 MiB/s, done.
Resolving deltas: 100% (6415/6415), done.
Checking connectivity… done.
Now we will create a virtual environment for Python and Cowrie to run from:
cowrie@cowrie1:~$ cd cowrie
cowrie@cowrie:~/cowrie$ virtualenv cowrie-env
Running virtualenv with interpreter /usr/bin/python2
New python executable in /home/cowrie/cowrie/cowrie-env/bin/python2
Also creating executable in /home/cowrie/cowrie/cowrie-env/bin/python
Installing setuptools, pkg_resources, pip, wheel…done.
Next step is to activate the Python virtual environment and install the Python packages that Cowrie needs to run, then copy the distributed configuration file so our changes are not overwritten by updates.
cowrie@cowrie:~/cowrie$ source cowrie-env/bin/activate
(cowrie-env) cowrie@cowrie:~/cowrie$ pip install -r requirements.txt
(cowrie-env) cowrie@cowrie:~/cowrie$ cp cowrie.cfg.dist cowrie.cfg
This creates a config file that we can edit and that won't be overwritten by updates.
Editing the configuration file we will make a few changes from the defaults. Firstly I will change the hostname an attacker sees after a successful login; keep it generic and non-obvious. Use vim or your favourite text editor to make these changes.
# Hostname for the honeypot. Displayed by the shell prompt of the virtual
# (default: svr04)
hostname = testserver5
The second change I will make is to enable Telnet in the [telnet] section; SSH is enabled by default.
[telnet]
# Enable Telnet support, disabled by default
enabled = true
As you can see in the configuration file there are many options and things to play with, from logging and alerting to fake addresses and file downloads. With the configuration saved, start the honeypot from the virtual environment with bin/cowrie start and confirm that it is listening:
cowrie@cowrie:~/cowrie$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2223 0.0.0.0:* LISTEN
From the netstat output we can see the SSH and Telnet daemons of our honeypot listening on 2222 and 2223 respectively.
The last step is to redirect traffic for ports 22 and 23 to the high ports 2222 and 2223 using iptables.
root@cowrie:~# iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
root@cowrie:~# iptables -t nat -A PREROUTING -p tcp --dport 23 -j REDIRECT --to-port 2223
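To confirm the layout from the diagram once the iptables rules are in, here is an added check script (my own example, not part of Cowrie or of the original post). Its functions take the text of `netstat -tln` and `iptables-save -t nat` as arguments, so the same code runs against the constructed sample output embedded below or, with `--live`, against the real host; the function names, the sample output and the `--sample`/`--live` flags are all mine. Two things worth knowing: `iptables-save` prints the REDIRECT target as `--to-ports` even when the rule was added with `--to-port`, and rules added on the command line like this do not survive a reboot unless you save them (for example with `iptables-save` or the iptables-persistent package).

```shell
#!/bin/sh
# Added example: post-install check for the honeypot layout in the diagram.
#   expected listeners : 22222 (host sshd), 2222 (Cowrie SSH), 2223 (Cowrie Telnet)
#   expected NAT rules : PREROUTING REDIRECT 22 -> 2222 and 23 -> 2223
# Functions take the text of `netstat -tln` / `iptables-save -t nat` as
# arguments; the sample output further down is constructed, not captured.

# Print every listening TCP port in netstat-style text, one per line, sorted.
listening_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, a, ":"); print a[n] }' | sort -un
}

# Succeed if port $2 has a real listener in netstat-style text $1.
port_listening() {
    listening_ports "$1" | grep -qx "$2"
}

# Succeed if iptables-save text $1 holds a PREROUTING REDIRECT from port $2 to $3.
# iptables-save writes the target option as --to-ports (plural).
redirect_present() {
    pat="^-A PREROUTING .*-p tcp .*--dport $2 .*-j REDIRECT --to-ports $3\$"
    printf '%s\n' "$1" | grep -Eq "$pat"
}

# Run all checks: one line per check, returns the number of failed checks.
check_layout() {
    net="$1"; nat="$2"; fail=0
    for p in 22222 2222 2223; do
        if port_listening "$net" "$p"; then echo "ok   listener on $p"
        else echo "FAIL nothing listening on $p"; fail=$((fail + 1)); fi
    done
    # 22 and 23 must not have a real listener: the kernel redirects them.
    for p in 22 23; do
        if port_listening "$net" "$p"; then echo "FAIL port $p still has a real listener"; fail=$((fail + 1))
        else echo "ok   no direct listener on $p"; fi
    done
    for pair in "22 2222" "23 2223"; do
        set -- $pair
        if redirect_present "$nat" "$1" "$2"; then echo "ok   $1 -> $2 redirect"
        else echo "FAIL missing $1 -> $2 redirect"; fail=$((fail + 1)); fi
    done
    return "$fail"
}

# Constructed sample output describing a correct layout.
SAMPLE_NET='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22222           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2223            0.0.0.0:*               LISTEN
tcp6       0      0 :::22222                :::*                    LISTEN'
SAMPLE_NAT='*nat
-A PREROUTING -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
-A PREROUTING -p tcp -m tcp --dport 23 -j REDIRECT --to-ports 2223
COMMIT'

# `./check-layout.sh --sample` checks the constructed output above;
# `./check-layout.sh --live` reads the real host (iptables-save needs root).
case "${1:-}" in
    --sample) check_layout "$SAMPLE_NET" "$SAMPLE_NAT" ;;
    --live)   check_layout "$(netstat -tln)" "$(iptables-save -t nat)" ;;
esac
```

The checks for 22 and 23 are the ones that catch the common mistake: if the host's sshd was never moved off port 22, the REDIRECT rule silently wins and you lock yourself out while believing the honeypot is what answers on 22.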
Now it is just a waiting game. However, due to the amount of SSH scanning that takes place on the Internet, you will not have to wait long.
cowrie@cowrie:~/cowrie$ tail -f log/cowrie.log
Within 5 minutes I could see SSH connections logging in and running commands within my Honeypot.
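Once connections start arriving the text log grows quickly, so here is an added helper (my own example, not from the original post or the Cowrie project) that turns a cowrie.log into a short report: sessions per source IP, credentials tried, logins that succeeded, and the commands run in each session. The sample lines are constructed in the shape of Cowrie's text log; the exact wording of log lines varies between Cowrie versions, so the `New connection:`, `login attempt [user/pass] ...` and `CMD:` markers the parser keys on are assumptions to verify against your own log. The function names and the sample addresses are mine.

```shell
#!/bin/sh
# Added example: summarise a Cowrie text log into what a defender reads first.
# Parsing keys on three assumed line shapes (check them against your version):
#   "... New connection: <ip>:<port> (...)"
#   "... HoneyPotSSHTransport,<n>,<ip>] login attempt [<user>/<pass>] succeeded|failed"
#   "... HoneyPotSSHTransport,<n>,<ip>] CMD: <command>"

# Sessions per source IP: "count ip", busiest first.
connections_per_ip() {
    awk '/New connection: / { sub(/.*New connection: /, ""); sub(/:.*/, ""); print }' "$1" \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# One line per login attempt: "ip<TAB>user/pass<TAB>result".
# The source IP is the last comma-separated item of the bracketed prefix.
login_attempts() {
    awk '{ i = index($0, "] login attempt ["); if (i == 0) next
           n = split(substr($0, 1, i - 1), p, ","); ip = p[n]
           rest = substr($0, i + 17)                      # "user/pass] result"
           j = index(rest, "] ")
           print ip "\t" substr(rest, 1, j - 1) "\t" substr(rest, j + 2) }' "$1"
}

# Credentials tried across all sessions: "count result user/pass", most tried first.
credential_summary() {
    login_attempts "$1" | awk -F'\t' '{print $2, $3}' \
        | sort | uniq -c | sort -rn | awk '{print $1, $3, $2}'
}

# Only the attempts that got a shell: "ip<TAB>user/pass".
successful_logins() {
    login_attempts "$1" | awk -F'\t' '$3 == "succeeded" {print $1 "\t" $2}'
}

# Every command typed into the emulated shell: "ip<TAB>command".
commands_by_ip() {
    awk '{ i = index($0, "] CMD: "); if (i == 0) next
           n = split(substr($0, 1, i - 1), p, ","); ip = p[n]
           print ip "\t" substr($0, i + 7) }' "$1"
}

summarize() {
    echo "== connections per source IP =="; connections_per_ip "$1"
    echo "== credentials tried (count result user/pass) =="; credential_summary "$1"
    echo "== successful logins =="; successful_logins "$1"
    echo "== commands run =="; commands_by_ip "$1"
}

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2018-03-19 23:35:17+0000 [cowrie.ssh.factory.CowrieSSHFactory] New connection: 203.0.113.7:51234 (10.0.0.5:2222) [session: a1b2c3d4]
2018-03-19 23:35:18+0000 [SSHService ssh-userauth on HoneyPotSSHTransport,0,203.0.113.7] login attempt [root/123456] failed
2018-03-19 23:35:19+0000 [SSHService ssh-userauth on HoneyPotSSHTransport,0,203.0.113.7] login attempt [root/admin] succeeded
2018-03-19 23:35:20+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotSSHTransport,0,203.0.113.7] CMD: uname -a
2018-03-19 23:35:21+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotSSHTransport,0,203.0.113.7] CMD: cat /proc/cpuinfo
2018-03-19 23:35:25+0000 [cowrie.ssh.transport.HoneyPotSSHTransport,0,203.0.113.7] Connection lost after 8 seconds
2018-03-19 23:40:02+0000 [cowrie.ssh.factory.CowrieSSHFactory] New connection: 198.51.100.23:40112 (10.0.0.5:2222) [session: e5f6a7b8]
2018-03-19 23:40:03+0000 [SSHService ssh-userauth on HoneyPotSSHTransport,1,198.51.100.23] login attempt [root/123456] failed
2018-03-19 23:40:04+0000 [SSHService ssh-userauth on HoneyPotSSHTransport,1,198.51.100.23] login attempt [admin/admin] failed
2018-03-19 23:40:05+0000 [cowrie.ssh.transport.HoneyPotSSHTransport,1,198.51.100.23] Connection lost after 3 seconds
2018-03-19 23:41:10+0000 [cowrie.ssh.factory.CowrieSSHFactory] New connection: 198.51.100.23:40200 (10.0.0.5:2222) [session: c9d0e1f2]
2018-03-19 23:41:11+0000 [SSHService ssh-userauth on HoneyPotSSHTransport,2,198.51.100.23] login attempt [root/123456] failed
2018-03-19 23:41:12+0000 [cowrie.ssh.transport.HoneyPotSSHTransport,2,198.51.100.23] Connection lost after 2 seconds
EOF

# Usage: ./cowrie-report.sh [path/to/cowrie.log]; without an argument the sample is used.
summarize "${1:-$SAMPLE_LOG}"
```

Run it against `log/cowrie.log` instead of `tail -f` when you want the picture rather than the stream; the `successful_logins` and `commands_by_ip` sections are the ones to feed into your alerting, since a scanner that only fails passwords is background noise while one that gets a shell and runs commands is the session recording the post is about.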