Nowadays the Internet is full of crawlers, bots and script kiddies. When their purpose is malicious, they can be a significant threat to unprepared users. To reduce the risk for ordinary users, there are a few reputation services that rate IP addresses, domains or even URIs. Some of them are AbuseIPDB, SANS DShield, VirusTotal and CSIRTG. They are mostly fed by volunteers running their own honeypots.
How can those services be used?
All of them collect huge amounts of computer abuse reports from volunteers around the world, calculate how suspicious each reported IP address is, and publish large lists of bad addresses to avoid or even nullroute. This minimizes the harm from low-effort, untargeted attacks coming from whole subnets.
How do you run your own honeypot?
You just need some time to configure the software, a computer, server, Raspberry Pi or similar host (I suggest any Linux distribution on it) and a static IPv4 address (so that port 22/tcp can be exposed).
If you are ready, let's start. I will show the example on CentOS 7 (it should also be valid for CentOS 8 Stream), but if you run into errors on the distribution of your choice, don't forget to search the net for information.
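To make the aggregation step concrete, here is an added example (my own toy code, not the implementation of DShield, AbuseIPDB or any other service named above). It takes abuse reports from several volunteer sensors, ages out old reports, scores each IP by how many independent sensors saw it and how many failed logins they counted, and then publishes a blocklist that collapses to a whole /24 when enough hosts in one subnet are bad. All report data, sensor names and thresholds are constructed for the example.

```python
"""Toy reputation aggregator (added example; not code from any reputation service).
Combines reports from independent sensors, scores each IP and emits a blocklist
that collapses bad hosts into their /24 when several of them share it.
All report data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed reports: (sensor_id, src_ip, ISO timestamp, failed_logins)
REPORTS = [
    ("sensor-a", "203.0.113.10", "2024-03-01T10:00:00", 40),
    ("sensor-b", "203.0.113.10", "2024-03-01T11:30:00", 25),
    ("sensor-c", "203.0.113.10", "2024-03-01T12:00:00", 60),
    ("sensor-a", "203.0.113.11", "2024-03-01T10:05:00", 30),
    ("sensor-b", "203.0.113.11", "2024-03-01T13:00:00", 30),
    ("sensor-a", "203.0.113.12", "2024-03-01T10:10:00", 35),
    ("sensor-c", "203.0.113.12", "2024-03-01T10:12:00", 35),
    ("sensor-a", "198.51.100.7", "2024-03-01T09:00:00", 3),    # seen by one sensor only
    ("sensor-b", "192.0.2.99", "2024-02-01T09:00:00", 500),    # stale reports
    ("sensor-a", "192.0.2.99", "2024-02-02T09:00:00", 500),
]


def score_ips(reports, now_iso, window=timedelta(days=7), min_sensors=2, min_attempts=50):
    """Return {ip: (distinct_sensors, total_attempts)} for IPs over both thresholds.
    Requiring several independent sensors is what stops a single buggy or
    malicious volunteer from poisoning the list on their own."""
    now = datetime.fromisoformat(now_iso)
    sensors = defaultdict(set)
    attempts = defaultdict(int)
    for sensor, ip, ts, n in reports:
        if now - datetime.fromisoformat(ts) > window:
            continue  # old reports age out of the score
        sensors[ip].add(sensor)
        attempts[ip] += n
    return {ip: (len(sensors[ip]), attempts[ip]) for ip in sensors
            if len(sensors[ip]) >= min_sensors and attempts[ip] >= min_attempts}


def build_blocklist(scored, hosts_per_subnet=3):
    """Collapse bad hosts into their /24 when enough of them share it,
    otherwise list the single host as a /32."""
    per_net = defaultdict(list)
    for ip in scored:
        per_net[ipaddress.ip_network(f"{ip}/24", strict=False)].append(ip)
    entries = []
    for net, hosts in per_net.items():
        if len(hosts) >= hosts_per_subnet:
            entries.append(str(net))
        else:
            entries.extend(f"{h}/32" for h in hosts)
    return sorted(entries)


if __name__ == "__main__":
    scored = score_ips(REPORTS, "2024-03-02T00:00:00")
    for ip, (n_sensors, n_attempts) in sorted(scored.items()):
        print(f"{ip:15} sensors={n_sensors} attempts={n_attempts}")
    print("blocklist:", build_blocklist(scored))
```

With the constructed data the three 203.0.113.x hosts are confirmed by at least two sensors each and end up as a single 203.0.113.0/24 entry, the host reported by only one sensor is ignored, and the very noisy 192.0.2.99 drops out because its reports are a month old. Real services use far richer scoring, but the two ideas shown here (independent confirmation and ageing) are what make volunteer-fed lists trustworthy enough to nullroute from.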
1) Install Cowrie
First, we need to create a new user; it will be used to run our SSH honeypot:
sudo useradd -mU cowrie && cd /home/cowrie
Install required packages:
sudo yum -y install git python3-virtualenv vim
Then we need to download the latest sources as the cowrie user:
sudo -u cowrie git clone https://github.com/cowrie/cowrie && cd cowrie
Prepare the virtualenv for the honeypot and open a shell as the cowrie user:
sudo -u cowrie virtualenv-3 --python=python3 cowrie-env && sudo -u cowrie -s
Activate the prepared environment, install the dependencies and leave the cowrie shell:
source cowrie-env/bin/activate && pip install --upgrade pip && pip install --upgrade -r requirements.txt && exit
In this guide I will use vim as my text editor, but you are free to use any other.
Let's create /etc/systemd/system/cowrie.service and paste this:
[Unit]
Description=An SSH and Telnet honeypot service
After=network.target
After=rsyslog.service

[Service]
Type=forking
User=cowrie
Group=cowrie
Restart=on-failure
RestartSec=1
ExecStart=/bin/sh -c 'cd /home/cowrie/cowrie; source cowrie-env/bin/activate; bin/cowrie start;'
ExecStop=/bin/sh -c 'cd /home/cowrie/cowrie; source cowrie-env/bin/activate; bin/cowrie stop;'

[Install]
WantedBy=multi-user.target
Now let's edit the Cowrie configuration:
sudo -u cowrie vim /home/cowrie/cowrie/etc/cowrie.cfg
Paste the following config:
[ssh]
enabled = true
forwarding = false
sftp_enabled = false
listen_endpoints = tcp:2222:interface=0.0.0.0

[telnet]
enabled = true
listen_endpoints = tcp:2323:interface=0.0.0.0

[output_jsonlog]
enabled = false

# Send login attempt information to SANS DShield
# See https://isc.sans.edu/ssh.html
# You must signup for an api key.
# Once registered, find your details at:
# https://isc.sans.edu/myaccount.html
# Enable DShield later
[output_dshield]
enabled = false
userid = YOUR_USERID
auth_key = YOUR_AUTH_KEY
batch_size = 1

# VirusTotal output module
# You must signup for an api key.
# Enable VT output later
[output_virustotal]
enabled = false
api_key = YOUR_API_KEY
upload = True
debug = False
scan_file = True
scan_url = True

# https://www.abuseipdb.com
# You have to set api_key to
# enable abuseipdb reporting
[output_abuseipdb]
enabled = false
api_key = YOUR_API_KEY_HERE
rereport_after = 24
tolerance_window = 0
tolerance_attempts = 1
Don't forget to carefully read the comments in the config and add the needed credentials or API keys so that reports get uploaded.
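To show what the three [output_abuseipdb] numbers above actually decide, here is an added example in Python (Cowrie's own language). It is my simplified model of the policy, not Cowrie's real output module: I take tolerance_attempts to be the number of failed logins that must occur within tolerance_window minutes before an IP is reported, and rereport_after to be the number of hours before the same IP may be reported again; with the page's values (1, 0, 24) the very first failed login is reported and the IP is then left alone for a day. The log lines are constructed in Cowrie's JSON style; cowrie.login.failed is the real event id for a failed login, and only the eventid, src_ip and timestamp fields are assumed.

```python
"""Added example, not Cowrie's output module: a simplified model of the
reporting policy behind rereport_after / tolerance_window / tolerance_attempts,
run over constructed Cowrie-style JSON log lines."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Cowrie-style events, in chronological order.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.5", "timestamp": "2024-03-01T10:00:00.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.5", "username": "root", "password": "123456", "timestamp": "2024-03-01T10:00:01.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.5", "username": "root", "password": "admin", "timestamp": "2024-03-01T10:00:02.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.9", "username": "pi", "password": "raspberry", "timestamp": "2024-03-01T10:05:00.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.9", "username": "pi", "password": "raspberry", "timestamp": "2024-03-01T12:05:00.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.5", "username": "root", "password": "toor", "timestamp": "2024-03-02T11:00:00.000000Z"}
"""


def parse_ts(ts):
    """Cowrie writes UTC timestamps with microseconds and a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


class ReportPolicy:
    """Assumed semantics of the three config values (hypothetical model)."""

    def __init__(self, tolerance_attempts=1, tolerance_window=0, rereport_after=24):
        self.attempts = tolerance_attempts              # failures needed inside the window
        self.window = timedelta(minutes=tolerance_window)
        self.rereport = timedelta(hours=rereport_after)  # cooldown after a report
        self.recent = defaultdict(deque)                 # ip -> timestamps of recent failures
        self.last_report = {}                            # ip -> time of the last report

    def observe(self, event):
        """Return a report dict if this event should trigger one, else None."""
        if event.get("eventid") != "cowrie.login.failed":
            return None
        ip, ts = event["src_ip"], parse_ts(event["timestamp"])
        last = self.last_report.get(ip)
        if last is not None and ts - last < self.rereport:
            return None  # still inside the re-report cooldown
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) < self.attempts:
            return None
        self.last_report[ip] = ts
        count = len(q)
        q.clear()
        return {"ip": ip, "timestamp": event["timestamp"], "failed_logins": count}


def run_policy(log_text, **policy_kwargs):
    """Feed every log line through the policy and collect the reports it emits."""
    policy = ReportPolicy(**policy_kwargs)
    reports = []
    for line in log_text.splitlines():
        if line.strip():
            report = policy.observe(json.loads(line))
            if report:
                reports.append(report)
    return reports


if __name__ == "__main__":
    for r in run_policy(SAMPLE_LOG):                      # the page's values: 1 / 0 / 24
        print("report (page config):", r)
    for r in run_policy(SAMPLE_LOG, tolerance_attempts=2, tolerance_window=5):
        print("report (2 attempts in 5 min):", r)
```

With the page's settings the sample yields three reports: the first failure from each IP, plus a second report for 203.0.113.5 once it comes back more than 24 hours later. With tolerance_attempts = 2 and tolerance_window = 5 only 203.0.113.5's back-to-back failures qualify; the two attempts from 198.51.100.9 are two hours apart and never add up inside the window. Tuning these values is how you trade reporting every single scanner against keeping your submissions (and your API quota) meaningful.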
Before starting Cowrie, we need to move our real SSH server to a different port. Edit /etc/ssh/sshd_config and set the Port directive (uncomment it if it is commented out):
Port YOUR_RANDOM_PORT
Change YOUR_RANDOM_PORT to any port of your choice; I suggest using an ephemeral port like 32976. Then open this port in our firewall and reload firewalld so the permanent rule takes effect:
sudo firewall-cmd --permanent --zone=public --add-port=YOUR_RANDOM_PORT/tcp
sudo firewall-cmd --reload
Don't forget to restart the SSH daemon:
sudo systemctl restart sshd
Now let's enable and start the service:
sudo systemctl enable --now cowrie
For security reasons, Cowrie runs as an unprivileged user and listens on ports above 1024. So we need to forward requests from ports 22 and 23 to 2222 and 2323 respectively. To do this we can simply use firewalld (I assume you have configured it properly), reloading it afterwards so the permanent rules become active:
sudo firewall-cmd --permanent --zone=public --add-forward-port=port=22:proto=tcp:toport=2222
sudo firewall-cmd --permanent --zone=public --add-forward-port=port=23:proto=tcp:toport=2323
sudo firewall-cmd --reload
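Because the three pieces above (sshd's port, the firewalld forwards and Cowrie's listen_endpoints) have to agree with each other, here is an added checker, my own example and not part of Cowrie or the original post, that parses the text of /etc/ssh/sshd_config, the output of firewall-cmd --list-forward-ports and cowrie.cfg and lists anything still inconsistent. On CentOS 7 with SELinux enforcing, sshd may only bind ports labelled ssh_port_t, so the checker optionally reads semanage port -l as well and points at the port it would need. All four inputs below are constructed samples; to use it for real, feed it the actual file contents and command outputs (for example via subprocess).

```python
"""Added example (not part of Cowrie or the post): offline consistency check of
the sshd / firewalld / Cowrie wiring described above. Inputs are constructed."""
import configparser
import re

SSHD_CONFIG = """\
# constructed sshd_config excerpt
#Port 22
Port 32976
PermitRootLogin no
"""

# constructed output of `firewall-cmd --zone=public --list-forward-ports`
FORWARD_PORTS = """\
port=22:proto=tcp:toport=2222:toaddr=
port=23:proto=tcp:toport=2323:toaddr=
"""

COWRIE_CFG = """\
[ssh]
enabled = true
listen_endpoints = tcp:2222:interface=0.0.0.0

[telnet]
enabled = true
listen_endpoints = tcp:2323:interface=0.0.0.0
"""

# constructed excerpt of `semanage port -l`; the format is "type proto port[, port...]"
SEMANAGE_PORTS = """\
ssh_port_t                     tcp      32976, 22
telnetd_port_t                 tcp      23
"""


def sshd_ports(text):
    """Every active Port directive; sshd defaults to 22 when none is set."""
    ports = [int(m.group(1)) for line in text.splitlines()
             if (m := re.match(r"^\s*Port\s+(\d+)\s*$", line))]
    return ports or [22]


def forward_map(text):
    """{public_port: toport} for the tcp forwards firewalld reports."""
    fwd = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(field.split("=", 1) for field in line.split(":"))
        if kv.get("proto") == "tcp":
            fwd[int(kv["port"])] = int(kv["toport"])
    return fwd


def cowrie_ports(text):
    """{section: port} for the enabled ssh/telnet listeners in cowrie.cfg."""
    cfg = configparser.ConfigParser(delimiters=("=",))
    cfg.read_string(text)
    ports = {}
    for section in ("ssh", "telnet"):
        if cfg.has_section(section) and cfg.getboolean(section, "enabled", fallback=False):
            endpoint = cfg.get(section, "listen_endpoints")  # e.g. tcp:2222:interface=0.0.0.0
            ports[section] = int(endpoint.split(":")[1])
    return ports


def selinux_ssh_ports(text):
    """Ports labelled ssh_port_t for tcp, expanding ranges like 1024-65535."""
    allowed = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ssh_port_t" and parts[1] == "tcp":
            for token in " ".join(parts[2:]).split(","):
                lo, _, hi = token.strip().partition("-")
                allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed


def check_setup(sshd_text, fwd_text, cowrie_text, semanage_text=None):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    ssh, fwd, cow = sshd_ports(sshd_text), forward_map(fwd_text), cowrie_ports(cowrie_text)
    if 22 in ssh:
        problems.append("sshd still listens on 22; the honeypot cannot take it over")
    for p in ssh:
        if p in cow.values():
            problems.append(f"sshd port {p} collides with a Cowrie listener")
    for public, section in ((22, "ssh"), (23, "telnet")):
        if section not in cow:
            problems.append(f"cowrie [{section}] is disabled, port {public} will not be served")
        elif fwd.get(public) != cow[section]:
            problems.append(f"no firewalld forward from {public}/tcp to {cow[section]}")
    if semanage_text is not None:
        allowed = selinux_ssh_ports(semanage_text)
        for p in ssh:
            if p not in allowed:
                problems.append(f"SELinux: port {p} is not labelled ssh_port_t "
                                f"(semanage port -a -t ssh_port_t -p tcp {p})")
    return problems


if __name__ == "__main__":
    for problem in check_setup(SSHD_CONFIG, FORWARD_PORTS, COWRIE_CFG, SEMANAGE_PORTS) or ["all consistent"]:
        print(problem)
```

The most useful failure it catches is the silent one: a --permanent firewalld rule that was never reloaded shows up as a missing forward in the live --list-forward-ports output, and an sshd port that SELinux does not know about makes sshd fail to start after the restart, which on a remote box means losing your only way in.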
So our honeypot is ready to catch any Chinese/American bot.
Thanks for reading.