Catch Hackers On Your System With Cowrie Honeypot

Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. In medium interaction mode (shell) it emulates a UNIX system in Python, in high interaction mode (proxy) it functions as an SSH and telnet proxy to observe attacker behavior to another system.

Step 1: Install system dependencies

First we install system-wide support for Python virtual environments and other dependencies. Actual Python packages are installed later.

sudo apt-get install git python3-virtualenv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind virtualenv

Step 2: Create a user account

It’s strongly recommended to run with a dedicated non-root user id:

adduser --disabled-password cowrie

su - cowrie

Step 3: Download the Git files:

$ git clone

$ cd cowrie

Step 4: Setup Virtual Environment

Next you need to create your virtual environment:

$ virtualenv --python=python3 cowrie-env

$ source cowrie-env/bin/activate

Step 5: Install Requirements:

pip install --upgrade -r requirements-output.txt

Step 6: Additional Cowrie Configuration:

$ cd /home/cowrie/cowrie/

$ cp cowrie.cfg.dist cowrie.cfg

$ nano cowrie.cfg

We’re going to change some lines to get the honeypot running properly. First, change the hostname to any name you want:

And then change the SSH listening port to 22:

Save the file and exit. Then rename the other file, “userdb.example”, to “userdb.txt” and open it to edit some lines. Here we are going to add some usernames so that hackers believe these names can be used to log in to the honeypot server:

I’ve added some users in the last line, “admin – guest – user”, and you can add more, which will be useful for the hacker to brute force his way in.

With this setup, the SSH service accepts logins using the usernames in this file along with any password.

Now we are all set. Let’s start the honeypot by typing “bin/cowrie start”.

To watch the hackers in action, we can follow the log file with “tail -f var/log/cowrie.log”.

We can see it’s ready to accept SSH connections, so let’s try to log in from another device and keep an eye on the logs:

SSH to the honeypot using the username root and any password:

Verify we are root by typing “id”:

The version shown to the hackers is Debian, and the PC specs are kind of old but legit. Back in the logs, we can see all the commands the hacker put in:
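Beyond watching the text log by eye, the same sessions can be summarised from Cowrie's JSON event log. The script below is an added example, not part of the original post or of Cowrie itself; it assumes the JSON log output is enabled (commonly var/log/cowrie/cowrie.json) and runs on constructed sample events so it works offline.

```python
import json
from collections import Counter

# Constructed sample events (not real captures), using documentation IP ranges.
# The last line is cut off on purpose, as happens when reading a live log.
SAMPLE_LOG = """
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.7","session":"a1b2c3"}
{"eventid":"cowrie.login.success","username":"admin","password":"admin","src_ip":"203.0.113.7","session":"a1b2c3"}
{"eventid":"cowrie.command.input","input":"id","src_ip":"203.0.113.7","session":"a1b2c3"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"203.0.113.7","session":"a1b2c3"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.9","session":"d4e5f6"}
{"eventid":"cowrie.login.fai
"""

def summarize(lines):
    """Group Cowrie JSON events by session and count attempted credentials."""
    sessions, creds, skipped = {}, Counter(), 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            ev = None
        if not isinstance(ev, dict):
            skipped += 1  # truncated or non-event line: count it, keep going
            continue
        s = sessions.setdefault(
            ev.get("session", "?"),
            {"src_ip": ev.get("src_ip"), "logged_in_as": None, "commands": []})
        eid = ev.get("eventid", "")
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            creds[(ev.get("username"), ev.get("password"))] += 1
            if eid == "cowrie.login.success":
                s["logged_in_as"] = ev.get("username")
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
    return sessions, creds, skipped

if __name__ == "__main__":
    sessions, creds, skipped = summarize(SAMPLE_LOG.splitlines())
    for sid, s in sessions.items():
        # repr() keeps attacker-supplied control characters out of the terminal
        print(sid, s["src_ip"], s["logged_in_as"], [repr(c) for c in s["commands"]])
    print("most tried:", creds.most_common(3), "skipped lines:", skipped)
```

To run it against a real log, pass an open file object to summarize() instead of the sample string.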

To stop the honeypot service, just type “bin/cowrie stop”.

If you want to access the honeypot from an outside network, you can change some of the settings in the file “cowrie.cfg”; if so, use the documentation from this link.
