A honeypot detects and records attacks when an attacker tries to break into a system.
The honeypot we will discuss here is an SSH honeypot.
Preface
This article follows the one I posted about running an SSH honeypot for 30 days in the wild. That article made some good noise, and I got a lot of messages asking me to show how I set up and configured this SSH honeypot.
We'll set this up on a normal VPS without any specific pre-configuration.
[IMPORTANT] This setup is for research and testing, so please don't set it up in your local network or in a network you use for personal or professional work.
VPS
It’s up to you to choose and find the VPS provider that fits you the best.
Cowrie Honeypot
There are several famous SSH honeypots, but the one we’re going to use is called Cowrie.
It is an improved version of the famous honeypot called Kippo.
Docker
For this installation, we will use the Docker image of Cowrie.
For that you'll need Docker installed on the new VPS; the official Docker documentation explains how.
Packages to install
python3
wget
Configuration
I typically change the default SSH port on my servers or machines.
One method I prefer is setting the real SSH port to something like 2022. Then, I configure the honeypot to listen on the default SSH port, 22.
Installation
By default, Cowrie is configured to listen on port 2222. We will map this port in the Docker container to port 22 on our host. This setup allows us to redirect all scanning bots and attackers to our honeypot seamlessly.
Creating, configuring and using the cowrie user:

```shell
> sudo adduser --disabled-password cowrie   # Adding the user
Adding user 'cowrie' ...
Adding new group 'cowrie' (1002) ...
Adding new user 'cowrie' (1002) with group 'cowrie' ...
Changing the user information for cowrie
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
> sudo usermod -aG docker cowrie   # Adding cowrie to the docker group
> sudo su - cowrie   # Switching to the cowrie user
```
Before proceeding, we'll create folders on the VPS to store all the logs, so that they are accessible directly on the host rather than only inside the container.
We'll set up the “cowrielog” and “cowrietty” folders with read-write permissions for everyone.
Once the container is up, its log shows Cowrie starting, listening on 2222 and ready to accept connections:

```
2024-06-17T14:47:28+0000 [-] Python Version 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0]
2024-06-17T14:47:28+0000 [-] Twisted Version 24.3.0
2024-06-17T14:47:28+0000 [-] Cowrie Version 2.5.0
2024-06-17T14:47:28+0000 [-] Loaded output engine: jsonlog
2024-06-17T14:47:28+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 24.3.0 (/cowrie/cowrie-env/bin/python3 3.11.2) starting up.
2024-06-17T14:47:28+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
2024-06-17T14:47:28+0000 [-] CowrieSSHFactory starting on 2222
2024-06-17T14:47:28+0000 [cowrie.ssh.factory.CowrieSSHFactory#info] Starting factory <cowrie.ssh.factory.CowrieSSHFactory object at 0x7c4c73951b10>
2024-06-17T14:47:28+0000 [-] Generating new RSA keypair...
2024-06-17T14:47:28+0000 [-] Generating new ECDSA keypair...
2024-06-17T14:47:28+0000 [-] Generating new ed25519 keypair...
2024-06-17T14:47:28+0000 [-] Ready to accept SSH connections
```
Analysing the logs
You'll find the log files in ~/cowrielog and the TTY replay logs in ~/cowrietty.
Using Linux commands
For filtering and organizing the output, you can use the jq command. This tool allows you to precisely extract the information you need from JSON data.
Using JSON for log files offers significant advantages in terms of structure, readability, handling, resilience, and observability. These benefits make JSON an ideal choice for logging in modern software development and operational practices.
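As an added example (not from the original post) of the jq filtering described above, here is a small script that summarises Cowrie's JSON log: credentials tried, connections per source address, accepted logins, and the commands typed in those sessions. It assumes jq is installed and that the jsonlog engine writes ~/cowrielog/cowrie.json (Cowrie's default file name); the field names follow Cowrie's jsonlog events. The sample events embedded in the script are constructed, not real traffic, and are used only when that file is absent.

```shell
#!/bin/sh
# Added example (not the article's own): a few jq filters over Cowrie's
# JSON log. Assumes jq is installed and that the jsonlog output engine
# writes one JSON object per line to ~/cowrielog/cowrie.json (Cowrie's
# default file name; pass another path as the first argument if needed).

LOG="${1:-$HOME/cowrielog/cowrie.json}"

# Constructed sample events in Cowrie's jsonlog format (not real captured
# traffic), so the script can be run offline. Addresses are from the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
sample_log() {
  cat <<'EOF'
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_port":51234,"dst_ip":"10.0.0.5","dst_port":2222,"session":"a1b2c3d4e5f6","protocol":"ssh","timestamp":"2024-06-17T15:01:02.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.7","session":"a1b2c3d4e5f6","timestamp":"2024-06-17T15:01:03.000000Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"203.0.113.7","session":"a1b2c3d4e5f6","timestamp":"2024-06-17T15:01:04.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.22","src_port":40022,"dst_ip":"10.0.0.5","dst_port":2222,"session":"0f1e2d3c4b5a","protocol":"ssh","timestamp":"2024-06-17T15:02:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.22","session":"0f1e2d3c4b5a","timestamp":"2024-06-17T15:02:01.000000Z"}
{"eventid":"cowrie.login.success","username":"root","password":"password","src_ip":"198.51.100.22","session":"0f1e2d3c4b5a","timestamp":"2024-06-17T15:02:02.000000Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"198.51.100.22","session":"0f1e2d3c4b5a","timestamp":"2024-06-17T15:02:03.000000Z"}
{"eventid":"cowrie.command.input","input":"cat /proc/cpuinfo","src_ip":"198.51.100.22","session":"0f1e2d3c4b5a","timestamp":"2024-06-17T15:02:04.000000Z"}
{"eventid":"cowrie.session.closed","duration":12.5,"src_ip":"198.51.100.22","session":"0f1e2d3c4b5a","timestamp":"2024-06-17T15:02:15.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_port":51300,"dst_ip":"10.0.0.5","dst_port":2222,"session":"9a8b7c6d5e4f","protocol":"ssh","timestamp":"2024-06-17T15:03:00.000000Z"}
EOF
}

# Count each username:password pair tried, most frequent first.
failed_creds() {
  jq -r 'select(.eventid == "cowrie.login.failed") | "\(.username):\(.password)"' "$1" \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Count connections per source address, most active first.
top_sources() {
  jq -r 'select(.eventid == "cowrie.session.connect") | .src_ip' "$1" \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Number of logins Cowrie accepted (these sessions have TTY recordings).
successful_logins() {
  jq -r 'select(.eventid == "cowrie.login.success") | .session' "$1" | wc -l | tr -d ' '
}

# Every command typed after a successful login, with session id and source.
commands_typed() {
  jq -r 'select(.eventid == "cowrie.command.input") | "\(.session) \(.src_ip) \(.input)"' "$1"
}

report() {
  echo "== Credentials tried =="; failed_creds "$1"
  echo "== Connections per source =="; top_sources "$1"
  echo "== Successful logins: $(successful_logins "$1")"
  echo "== Commands typed =="; commands_typed "$1"
}

if [ -f "$LOG" ]; then
  report "$LOG"
else
  tmp=$(mktemp); sample_log > "$tmp"; report "$tmp"; rm -f "$tmp"
fi
```

Each function is a single jq `select` on the eventid followed by ordinary sort/uniq, which is usually all that is needed to get a first picture of what the bots are doing; the session id printed by commands_typed is the name of the matching recording in ~/cowrietty.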