Adding An SSH Honeypot


Previously, I wrote about how I’m using a Dionaea honeypot to capture malware. I also have an SSH honeypot set up on the same Digital Ocean droplet. To be honest, I get more malware and better samples with my SSH honeypot than I do with my Dionaea honeypot.

When looking for an SSH honeypot, you'll most frequently find recommendations for Kippo. Unfortunately, Kippo doesn't appear to be maintained any longer. Thankfully, we have Cowrie, which is essentially a Kippo fork maintained by Michel Oosterhof, who updates it diligently.

Here’s a basic template that I use to set up my Cowrie honeypot whenever I need or want to rebuild it. It’s really quite straightforward.

First step is to install the dependencies:

sudo apt-get install git python-dev python-openssl openssh-server python-pyasn1 python-twisted authbind

(These are the Python 2 package names from when this was written; current Cowrie releases run on Python 3 and list their own dependencies in the repository README, so check there if you are installing a recent version.)

Next, you'll want to move the SSH daemon you use to administer the server off port 22, so that the honeypot can take that port. To do this, modify the sshd_config file like so:

nano /etc/ssh/sshd_config

(sorry, I prefer nano to vi) 🙂

When you open the file, you'll see near the top the Port line that the SSH daemon listens on (typically Port 22; it may be commented out as #Port 22, in which case uncomment it). Change it to something like Port 8925. Before you restart sshd, make sure any firewall in front of the droplet allows the new port, and keep your current session open until you have confirmed that a fresh connection on the new port works; otherwise you can lock yourself out of your own server.

Now, you’ll need to restart the SSH service with:

service ssh restart

Cowrie refuses to start as the root user, so we have to create a new user for it. Most people use the user name cowrie. You can do this a few different ways. I did it like this:

useradd -d /home/cowrie -s /bin/bash -m cowrie -g sudo

One caveat: -g sudo makes sudo the primary group of the new account, so the honeypot would run as a user that can become root. A honeypot process should be as unprivileged as possible, so it is better to leave -g sudo off and keep a separate account for administering the droplet.

One problem that we'll run into now is that you need to be root to listen on ports below 1024, and since we're starting Cowrie as a non-root user, we'll get an error. There are a couple of ways around this problem (an iptables redirect from port 22 to Cowrie's port is the other common one). We'll use authbind to address the issue. The first part of the process, done as root, is listed below; we'll finish the authbind setup as the cowrie user.

touch /etc/authbind/byport/22
chown cowrie /etc/authbind/byport/22
chmod 755 /etc/authbind/byport/22

authbind only needs the byport file to exist and be executable by the cowrie user, so 755 is enough; chmod 777, which you will see in some guides, hands out write access to everyone for no benefit.

For the next steps, we’ll need to switch to the cowrie user that we created.

su cowrie
cd

Now we're in the cowrie user's home directory, which is where we want to install the honeypot software. Install Cowrie with:

git clone https://github.com/cowrie/cowrie.git

That should do it. You should now have a cowrie folder under the home folder (in other words, /home/cowrie/cowrie).

Next, you'll have a few configuration steps as follows:

cd cowrie
cp cowrie.cfg.dist cowrie.cfg
nano cowrie.cfg

(Copy rather than move: cowrie.cfg.dist is tracked in git, so leaving it untouched keeps a later git pull clean and gives you the defaults to refer back to.)

Look for the line that reads something like:

hostname = srv04

You’ll probably want to change it to something more enticing like hostname = accting01 or something like that.

Now, also in the cowrie.cfg file, let’s finish addressing the authbind config. Cowrie listens on port 2222 by default but we want to change it to 22 (the standard SSH port). Scroll down and look for the line that reads:

#Port to listen for incoming SSH connections.
#
#(default=2222)

Below this line, add:

listen_port = 22

One last thing to change: edit the /home/cowrie/cowrie/start.sh file and change the second line to read:

AUTHBIND_ENABLED=yes

(No spaces around the equals sign. This is a shell variable assignment, and with spaces the shell would try to run AUTHBIND_ENABLED as a command and the setting would never take effect.)

Save and exit. At this point, we should be ready to start our Cowrie honeypot. Be sure that you are still logged in as the user cowrie (if you have switched back to root in the meantime, su cowrie again), change to the installation directory and run the start script:

su cowrie
cd ~/cowrie
./start.sh
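Here is the whole configuration step as a script, added as an example for this post; it is my own code, not the author's and not part of Cowrie. It assumes the layout described above (cowrie.cfg.dist and start.sh at the top of the checkout, hostname and listen_port under the [honeypot] section of the config) and GNU sed, as on the Debian/Ubuntu droplet in the post; newer Cowrie releases keep their config under etc/ and have changed start.sh, so adjust the paths for those.

```shell
#!/bin/sh
# Added example: applies the configuration steps from this post to a Cowrie
# checkout. Not part of the post or of Cowrie. Assumes cowrie.cfg.dist and
# start.sh at the top of the checkout and a [honeypot] section in the config.

# Create cowrie.cfg from the distributed template if it does not exist yet.
# Copying (rather than moving) keeps cowrie.cfg.dist as a pristine reference.
init_config() {
    dir="$1"
    [ -f "$dir/cowrie.cfg" ] || cp "$dir/cowrie.cfg.dist" "$dir/cowrie.cfg"
}

# Set "key = value" in the ini-style cowrie.cfg. A line starting with the key
# (commented out or not) is replaced in place; otherwise the setting is added
# right after the [section] header, or the section is appended if missing.
set_cfg_value() {
    cfg="$1"; section="$2"; key="$3"; value="$4"
    if grep -Eq "^#?[[:space:]]*$key[[:space:]]*=" "$cfg"; then
        sed -i -E "s|^#?[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$cfg"
    elif grep -Fxq "[$section]" "$cfg"; then
        sed -i "/^\[$section\]/a $key = $value" "$cfg"
    else
        printf '\n[%s]\n%s = %s\n' "$section" "$key" "$value" >> "$cfg"
    fi
}

# Read back the active (uncommented) value of a setting.
get_cfg_value() {
    cfg="$1"; key="$2"
    sed -n -E "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$cfg" | head -n 1
}

# Turn authbind on in start.sh. A shell assignment must not have spaces around
# '=': "AUTHBIND_ENABLED = yes" would be executed as a command and fail.
enable_authbind() {
    script="$1"
    if grep -q '^AUTHBIND_ENABLED=' "$script"; then
        sed -i 's/^AUTHBIND_ENABLED=.*/AUTHBIND_ENABLED=yes/' "$script"
    else
        sed -i '1a AUTHBIND_ENABLED=yes' "$script"   # insert after the #! line
    fi
}

# Let an unprivileged user bind a port below 1024 through authbind. authbind
# only checks that the byport file is executable by that user, so 755 is
# enough. Needs root for the real /etc/authbind/byport; another base directory
# can be passed for testing.
authbind_allow_port() {
    port="$1"; user="$2"; base="${3:-/etc/authbind/byport}"
    mkdir -p "$base"
    : > "$base/$port"
    chown "$user" "$base/$port"
    chmod 755 "$base/$port"
}

# The configuration step of the post in one call, e.g. as the cowrie user:
#   configure_cowrie "$HOME/cowrie" accting01 22
configure_cowrie() {
    dir="$1"; hostname="$2"; port="$3"
    init_config "$dir"
    set_cfg_value "$dir/cowrie.cfg" honeypot hostname "$hostname"
    set_cfg_value "$dir/cowrie.cfg" honeypot listen_port "$port"
    enable_authbind "$dir/start.sh"
}
```

The functions are idempotent, so the script can be re-run after a git pull without duplicating settings; the authbind_allow_port step still has to be run once as root, the rest as the cowrie user.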

To verify that Cowrie is running, I typically use:

ps ax | grep '[c]owrie'

and look for the cowrie process (the brackets stop grep from matching its own command line, so an empty result really means it is not running). Incidentally, I find that because my Droplet is a bit underpowered, Cowrie tends to drop off for me about once or twice a day so I use this process to double check that it's running.

You can also test directly by connecting on port 22 with an SSH client, ideally from another machine so that the connection shows up the way an attacker's would. Cowrie accepts the credentials in its user database (by default root with almost any password). Once you're in, have a look around to see what an attacker will find when he visits your honeypot, and then confirm that your session was recorded in Cowrie's log.
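Since Cowrie can stop on a small droplet, a cron-driven watchdog beats checking ps by hand. The script below is an added example, not part of the post or of Cowrie; it assumes the checkout lives in the cowrie user's home directory with start.sh as the launcher, and that twistd's PID file is cowrie.pid in that directory (pass a different path if your setup differs).

```shell
#!/bin/sh
# Added example (not part of the post or of Cowrie): a watchdog that cron can
# run every few minutes to restart Cowrie when it has died.
# Assumptions: the checkout lives in $HOME/cowrie of the cowrie user, start.sh
# launches it, and twistd writes its PID to cowrie.pid inside the checkout.

# Returns 0 when the PID recorded in the pidfile belongs to a live process.
# "kill -0" sends no signal; it only checks that the process exists and that
# we may signal it, which is the case for our own cowrie processes.
cowrie_alive() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(tr -cd '0-9' < "$pidfile")      # ignore a corrupt or empty pidfile
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# Start Cowrie if it is not running. Returns 0 when it was already alive and
# 2 when a restart was attempted, so the caller (or cron's mail) can tell.
ensure_cowrie_running() {
    dir="$1"
    pidfile="${2:-$dir/cowrie.pid}"
    if cowrie_alive "$pidfile"; then
        return 0
    fi
    logger -t cowrie-watchdog "cowrie not running, restarting from $dir"
    (cd "$dir" && ./start.sh) >/dev/null 2>&1
    return 2
}

# Only act when invoked as "cowrie-watchdog.sh run", so that sourcing the file
# just defines the functions. Crontab line for the cowrie user (crontab -e):
#   */5 * * * * /home/cowrie/cowrie-watchdog.sh run
case "${1:-}" in
    run) ensure_cowrie_running "${2:-$HOME/cowrie}" ;;
esac
```

Install it as /home/cowrie/cowrie-watchdog.sh, make it executable, and add the crontab line from the comment to the cowrie user's crontab; the restart message goes to syslog, so a Cowrie that keeps dying will show up there.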

(Thanks to Michel Oosterhof for correcting me about authbind / iptables!)

Visualizing Cowrie’s Data
For Kippo, there is a great front-end written by Ioannis Koniaris called Kippo-Graph. Fortunately for us, Kippo-Graph will also work with Cowrie.

In order to use Kippo-Graph, you'll need to set up Cowrie to log to a MySQL database. Ion has very good instructions for doing that here on his web site.

All you have to do is substitute “cowrie” everywhere he has written “kippo” – that will make the whole process easier to follow and remember. Also, the final recommendation to install phpmyadmin is entirely optional.

Once you're sure that MySQL logging is working properly, you're ready to install Kippo-Graph. Again, Ioannis has a very straightforward page of instructions on his website. No sense reinventing the wheel.

This should be everything. At this point, you should have great visualization into your SSH honeypot.

There is one small bug at this point. The session replay feature is not working correctly with Cowrie honeypots. Basically, you just get a black box. Ion mentioned to me that it’s a bug and he hopes to find time to work on it. Honestly, it’s a cool feature but it’s not the end of the world that it isn’t working.

Hopefully, that gives you what you need to get your own Cowrie SSH honeypot up and capturing malware.


8 thoughts on “Adding An SSH Honeypot”

  1. dP

    Hi,
    I really like your blog, a lot of useful information here. I've experimented with Cowrie and Dionaea through MHN too, but I never caught any malware sample with Cowrie. It was running for more than 2 weeks; I had a lot of login attempts but no files downloaded. Do you have any special configuration or decoy files in your file system? Also, on average, how many samples do you catch with Cowrie?

    1. executemalware@gmail.com Post author

      No, nothing special. The only thing I do differently, perhaps, is that I don’t use MHN. It seemed a really good idea when I first heard of it (Jason Trost has worked hard on the project) but I really didn’t capture anything either. I also didn’t capture anything in my Dionaea honeypot through MHN. I’m not sure why.

      When I switched to a standalone install of Dionaea and Cowrie, I started capturing a lot of data. They're both pretty easy to set up. Check out my other blog posts and let me know if you have any trouble.

      1. dP

        The thing is that I’m already using Cowrie without MHN. After reading this post, I decided to give it another try. But I haven’t captured any malware samples with it yet and it has been running for 3 days already. That is why I asked.

        1. executemalware@gmail.com Post author

          Oh, I see. Are you seeing traffic?
          My Cowrie honeypot has been running for about a month and here are my stats:

          Total Login Attempts: 11,270
          Distinct IP Addresses: 735
          Playlog: Total Logs: 343

          Certainly, it’s a small amount on the Playlog page compared to the total login attempts. If you’re seeing traffic, it may be just a question of waiting a bit more.

          Have you tried logging into it yourself? Play around and see what you can do – you should be able to generate a log file that way.

          1. dP

            Yes, I do see traffic coming in, also successful login attempts. I have logged in myself and when I download something with wget, it does show up in the dl directory. You are probably right and I should wait a bit longer. Thanks a lot.

  2. Luv Ahuja

    Hi all,

    Has anyone tested the same configuration above for running the Cowrie honeypot?

    We, as a service provider, want to run it.

    So please advise us.

    Thanks in advance

