Previously, I wrote about how I’m using a Dionaea honeypot to capture malware. I also have an SSH honeypot set up on the same Digital Ocean droplet. To be honest, I get more malware and better samples with my SSH honeypot than I do with my Dionaea honeypot.
When looking for an SSH honeypot, most frequently, you’ll find recommendations for Kippo. Unfortunately, Kippo doesn’t appear to be maintained any longer. Thankfully, we have Cowrie, which is essentially a Kippo fork, that’s maintained by Michel Oosterhof. He diligently updates it.
Here’s a basic template that I use to set up my Cowrie honeypot whenever I need or want to rebuild it. It’s really quite straightforward.
First step is to install the dependencies:
sudo apt-get install git python-dev python-openssl openssh-server python-pyasn1 python-twisted authbind
Next, you'll want to change the port that's used for connecting to and administering your server, so that port 22 is free for the honeypot. To do this, edit the sshd_config file like so:
sudo nano /etc/ssh/sshd_config
(sorry, I prefer nano to vi) 🙂
When you open the file, you'll see near the top the port that the SSH daemon is listening on (typically, it's 22). Change it to something like 8925.
Now, you’ll need to restart the SSH service with:
service ssh restart
Cowrie cannot be started as the root user so we have to create a new user for it. Most people use the user name cowrie. You can do this a few different ways. I did it like this:
useradd -d /home/cowrie -s /bin/bash -m cowrie -g sudo
One problem that we'll run into now is that you need to be root to listen on ports below 1024, and since we're starting Cowrie as a non-root user, we'll get an error. There are a couple of ways around this problem. We'll use authbind to address the issue. The first part of the process is listed below (the byport file has to exist before it can be chowned). We'll finish up the authbind setup as the Cowrie user.
touch /etc/authbind/byport/22
chown cowrie /etc/authbind/byport/22
chmod 777 /etc/authbind/byport/22
For the next steps, we'll need to switch to the cowrie user that we created:
su - cowrie
Now, we’re in the Cowrie user’s home directory. This is where we want to install the honeypot software. Now, install Cowrie by using:
git clone https://github.com/cowrie/cowrie.git
That should do it. You should now have a cowrie folder under the home folder (in other words,
Next, you'll have a few configuration steps as follows. From inside the cowrie folder, make a working copy of the sample config:
cd /home/cowrie/cowrie
mv cowrie.cfg.dist cowrie.cfg
Look for the line that reads something like:
hostname = srv04
You’ll probably want to change it to something more enticing like
hostname = accting01 or something like that.
Now, also in the cowrie.cfg file, let’s finish addressing the authbind config. Cowrie listens on port 2222 by default but we want to change it to 22 (the standard SSH port). Scroll down and look for the line that reads:
#Port to listen for incoming SSH connections.
Below this line, add:
listen_port = 22
One last thing to change – edit the /home/cowrie/cowrie/start.sh file and change the second line to read (no spaces around the equals sign, since this is a shell variable assignment):
AUTHBIND_ENABLED=yes
Save and exit. At this point, we should be ready to start our Cowrie honeypot. Be sure that you are still logged in as the user cowrie, then change to the installation directory and run the start script:
cd /home/cowrie/cowrie
./start.sh
To verify that Cowrie is running, I typically use:
ps ax | grep cowrie
and look for the cowrie process. Incidentally, I find that because my Droplet is a bit underpowered, Cowrie tends to drop off for me about once or twice a day so I use this process to double check that it’s running.
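Since the process does drop off now and then, a small watchdog saves checking by hand. The script below is an added example, not part of the original post or of Cowrie itself: it checks the twistd PID file that start.sh leaves behind and reruns start.sh if that process is gone. The install path and the PID file name cowrie.pid are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example: Cowrie watchdog for the setup described above (not part of Cowrie).
# Assumptions: Cowrie lives in COWRIE_DIR and start.sh leaves a twistd PID file
# named cowrie.pid there. Run it from the cowrie user's crontab, for example:
#   */5 * * * * /home/cowrie/cowrie-watchdog.sh --run >> /home/cowrie/watchdog.log 2>&1

COWRIE_DIR="${COWRIE_DIR:-/home/cowrie/cowrie}"
PID_FILE="${PID_FILE:-$COWRIE_DIR/cowrie.pid}"

# cowrie_running PIDFILE: succeed only if PIDFILE holds the PID of a live process.
# Checking the PID file avoids the "ps ax | grep cowrie" pitfall, where the grep
# process itself matches and the honeypot can look alive when it is not.
cowrie_running() {
    pidfile="$1"
    [ -f "$pidfile" ] || return 1
    pid=$(cat "$pidfile" 2>/dev/null)
    # Reject an empty or non-numeric PID file instead of handing it to kill.
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null
}

# restart_cowrie: remove a stale PID file and run start.sh from the install dir.
restart_cowrie() {
    rm -f "$PID_FILE"
    (cd "$COWRIE_DIR" && ./start.sh)
}

watchdog_main() {
    if cowrie_running "$PID_FILE"; then
        echo "$(date '+%F %T') cowrie running (pid $(cat "$PID_FILE"))"
    else
        echo "$(date '+%F %T') cowrie not running, restarting"
        restart_cowrie
    fi
}

# Only act when invoked with --run, so the functions can also be sourced.
case "${1:-}" in
    --run) watchdog_main ;;
esac
```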
You can also test directly by connecting on port 22 with an SSH client. Once you’re in, have a look around to see what an attacker will find when he visits your honeypot.
(Thanks to Michel Oosterhof for correcting me about authbind / iptables!)
Visualizing Cowrie’s Data
For Kippo, there is a great front-end written by Ioannis Koniaris called Kippo-Graph. Fortunately for us, Kippo-Graph will also work with Cowrie.
In order to use Kippo-Graph, you'll need to set up Cowrie to log to a MySQL database. Ion has very good instructions for doing that here on his web site.
All you have to do is substitute “cowrie” everywhere he has written “kippo” – that will make the whole process easier to follow and remember. Also, the final recommendation to install phpmyadmin is entirely optional.
Once you're sure that MySQL logging is working properly, you're ready to install Kippo-Graph. Again, Ioannis has a very straightforward page of instructions on his website. No sense reinventing the wheel.
This should be everything. At this point, you should have great visualization into your SSH honeypot.
There is one small bug at this point. The session replay feature is not working correctly with Cowrie honeypots. Basically, you just get a black box. Ion mentioned to me that it’s a bug and he hopes to find time to work on it. Honestly, it’s a cool feature but it’s not the end of the world that it isn’t working.
Hopefully, that gives you what you need to get your own Cowrie SSH honeypot up and capturing malware.