Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. In medium interaction mode (shell) it emulates a UNIX system in Python, in high interaction mode (proxy) it functions as an SSH and telnet proxy to observe attacker behavior to another system.
Step 1: Install system dependencies
First we install system-wide support for Python virtual environments and other dependencies. Actual Python packages are installed later.
sudo apt-get install git python3-virtualenv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind virtualenv
Step 2: Create a user account
It’s strongly recommended to run with a dedicated non-root user id:
adduser --disabled-password cowrie
su - cowrie
Step 3: Download the Git files:
$ git clone http://github.com/cowrie/cowrie
$ cd cowrie
Step 4: Set up a Virtual Environment
Next you need to create your virtual environment:
$ virtualenv --python=python3 cowrie-env
$ source cowrie-env/bin/activate
Step 5: Install Requirements:
pip install --upgrade -r requirements-output.txt
Step 6: Additional Cowrie Configuration:
$ cd /home/cowrie/cowrie/
$ cp cowrie.cfg.dist cowrie.cfg
$ nano cowrie.cfg
We’re going to change a few lines to get the honeypot running properly. First, change the hostname to any name you want:
Then change the SSH listening port to 22:
Save the file and exit. Then rename the file “userdb.example” to “userdb.txt” and open it to edit some lines; this is where we add the usernames that will make attackers believe these accounts can be used to log in to the honeypot server:
I’ve added some users in the last line “admin – guest – user”, and you can add more, which will be useful for the hacker to brute force his way in.
With this method, the SSH service can be accessed using any username in this file together with any password.
Now we’re all set; start the honeypot by typing “bin/cowrie start”
To watch the hackers in action, we can follow the log file with “tail -f var/log/cowrie.log”
We can see it’s ready to accept SSH connections, so let’s try to log in from another device and keep an eye on the logs:
SSH to the honeypot using the username root and any password:
Verify we are root by typing “id”:
The version shown to the hackers is Debian, and the PC specs look old but legitimate. Back in the logs, we can see every command the hacker typed:
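Reading the raw log with tail -f works for a single session, but grouping events by session is what makes the credentials tried and the commands run easy to review. The script below is an added example, not part of this post or of Cowrie; it assumes Cowrie’s output_jsonlog plugin is enabled (it writes cowrie.json next to cowrie.log) and uses constructed sample lines in that format.

```python
import json

# Constructed sample lines in the shape of Cowrie's JSON event log
# (one JSON object per line; eventid names are Cowrie's own).
SAMPLE_LOG = """\
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.7", "username": "root", "password": "123456", "session": "a1b2c3d4", "timestamp": "2024-01-01T10:00:01.000000Z"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.7", "username": "root", "password": "toor", "session": "a1b2c3d4", "timestamp": "2024-01-01T10:00:02.000000Z"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.7", "input": "id", "session": "a1b2c3d4", "timestamp": "2024-01-01T10:00:03.000000Z"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.7", "input": "uname -a", "session": "a1b2c3d4", "timestamp": "2024-01-01T10:00:04.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.9", "username": "admin", "password": "admin", "session": "e5f6a7b8", "timestamp": "2024-01-01T10:01:00.000000Z"}
{"eventid": "cowrie.session.closed", "src_ip": "198.51.100.9", "session": "e5f6a7b8", "timestamp": "2024-01-01T10:01:05.000000Z"}
{"eventid": "cowrie.session.closed", "src_ip": "203.0.113.7", "sess
"""

def parse_events(text):
    """Return one dict per well-formed JSON line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # e.g. a half-written line seen while tailing the log
    return events

def summarize_sessions(events):
    """Group events by Cowrie session id: source IP, credentials tried, commands run."""
    sessions = {}
    for ev in events:
        s = sessions.setdefault(ev.get("session"), {
            "src_ip": ev.get("src_ip"), "failed": [], "success": None, "commands": []})
        eid = ev.get("eventid")
        if eid == "cowrie.login.failed":
            s["failed"].append((ev["username"], ev["password"]))
        elif eid == "cowrie.login.success":
            s["success"] = (ev["username"], ev["password"])
        elif eid == "cowrie.command.input":
            s["commands"].append(ev["input"])
    return sessions

if __name__ == "__main__":
    for sid, s in summarize_sessions(parse_events(SAMPLE_LOG)).items():
        print(sid, s["src_ip"], "failed:", s["failed"], "login:", s["success"], "commands:", s["commands"])
```

Point it at the real file with parse_events(open("var/log/cowrie/cowrie.json").read()) once the honeypot has collected some sessions.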
To stop the honeypot service just type “bin/cowrie stop”
If you want to make the honeypot reachable from an outside network, you can change some settings in the file “cowrie.cfg”; for that, use the documentation at this link.