Own honeypots. Part 1 - Cowrie

Nowadays the Internet is full of crawlers, bots and script kiddies. When their purpose is malicious, they can be a significant threat to unprepared users. To reduce the risk for ordinary users, there are a few reputation services that rate IP addresses, domains or even URIs. Some of them are AbuseIPDB, SANS DShield, VirusTotal and CSIRTG. Most of their data comes from volunteers who maintain their own honeypots.

How can those websites be used?

All of them collect huge amounts of computer abuse reports from volunteers around the world, calculate how suspicious each reported IP address is, and provide large lists of bad addresses to avoid or even nullroute. In this way the harm from low-effort, non-targeted attacks coming from large subnets can be minimized.

How to maintain your own honeypot?

You just need some time to configure the software, a computer, server, Raspberry Pi, etc. (I suggest using any Linux distribution on such a host) and a static IPv4 address (to expose port 22/tcp).

If you are ready, let's start. I will show the example for CentOS 7 (it should be valid for CentOS Stream 8 too), but in case of any errors on the distro of your choice, don't forget to search for information on the net.

1) Install Cowrie

First, we need to create a new user; it will be used to run our SSH honeypot:

sudo useradd -mU cowrie && cd /home/cowrie

Install required packages:

sudo yum -y install git python3-virtualenv vim

Then we need to download the latest sources, cloning as the cowrie user so the files are owned by it:

sudo -u cowrie git clone https://github.com/cowrie/cowrie && cd cowrie

Prepare the virtual environment for the honeypot and open a shell as the cowrie user:

sudo -u cowrie virtualenv-3 --python=python3 cowrie-env && sudo -u cowrie -s

Enter the prepared environment:

source cowrie-env/bin/activate

Install dependencies:

pip install --upgrade pip && pip install --upgrade -r requirements.txt && exit

We have successfully installed Cowrie!

2) Configuration

In this guide I will use vim as my text editor, but you are free to use any other: nano, kate, etc.

Let's create /etc/systemd/system/cowrie.service (this needs root) and paste this:

[Unit]
Description=An SSH and Telnet honeypot service
After=network.target
After=rsyslog.service

[Service]
Type=forking
User=cowrie
Group=cowrie
Restart=on-failure
RestartSec=1
ExecStart=/bin/sh -c 'cd /home/cowrie/cowrie; . cowrie-env/bin/activate; bin/cowrie start;'
ExecStop=/bin/sh -c 'cd /home/cowrie/cowrie; . cowrie-env/bin/activate; bin/cowrie stop;'

[Install]
WantedBy=multi-user.target

Now let’s edit /home/cowrie/cowrie/etc/cowrie.cfg:

sudo -u cowrie vim /home/cowrie/cowrie/etc/cowrie.cfg

Paste the following config:

[ssh]
enabled = true
forwarding = false
sftp_enabled = false
listen_endpoints = tcp:2222:interface=0.0.0.0


[telnet]
enabled = true
listen_endpoints = tcp:2323:interface=0.0.0.0


[output_jsonlog]
enabled = false


# Send login attempt information to SANS DShield
# See https://isc.sans.edu/ssh.html
# You must sign up for an api key.
# Once registered, find your details at:
# https://isc.sans.edu/myaccount.html
# Enable DShield later
[output_dshield]
enabled = false
userid = YOUR_USERID
auth_key = YOUR_AUTH_KEY
batch_size = 1


# VirusTotal output module
# You must sign up for an api key.
# Enable VT output later
[output_virustotal]
enabled = false
api_key = YOUR_API_KEY
upload = True
debug = False
scan_file = True
scan_url = True


# https://www.abuseipdb.com
# You have to set api_key to
# enable abuseipdb reporting
[output_abuseipdb]
enabled = false
api_key = YOUR_API_KEY_HERE
rereport_after = 24
tolerance_window = 0
tolerance_attempts = 1

Don't forget to carefully read the comments in the config and add the needed credentials or API keys before enabling the output modules that upload reports.
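As an added example (not part of the original post or of Cowrie itself), the following Python script reads Cowrie's JSON event log and applies the same threshold idea as the tolerance_attempts / tolerance_window knobs of [output_abuseipdb] above to decide which source addresses have earned a report to a reputation service. It assumes the window is in minutes, counts only cowrie.login.failed events, and the log lines are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in Cowrie's JSON log format (made up for this
# example, not real captures); the field names are those of cowrie.json.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.10", "session": "a1", "timestamp": "2021-03-01T10:00:00.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "username": "root", "password": "123456", "session": "a1", "timestamp": "2021-03-01T10:00:01.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "username": "admin", "password": "admin", "session": "a1", "timestamp": "2021-03-01T10:00:02.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "username": "root", "password": "toor", "session": "a1", "timestamp": "2021-03-01T10:00:03.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "session": "b2", "timestamp": "2021-03-01T11:00:00.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "pi", "password": "raspberry", "session": "b2", "timestamp": "2021-03-01T11:00:01.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "pi", "password": "raspberry", "session": "b3", "timestamp": "2021-03-01T13:00:01.000000Z"}
"""

def failed_logins(text):
    """Map src_ip -> sorted timestamps of cowrie.login.failed events."""
    failures = defaultdict(list)
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:  # blank or half-written line: skip it
            continue
        if ev.get("eventid") != "cowrie.login.failed":
            continue
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        failures[ev["src_ip"]].append(ts)
    return {ip: sorted(stamps) for ip, stamps in failures.items()}

def ips_to_report(text, tolerance_attempts=1, tolerance_window=0):
    """Return {src_ip: total failed logins} for sources worth reporting.

    Models the [output_abuseipdb] knobs: an IP qualifies once it has made
    tolerance_attempts failed logins inside any span of tolerance_window
    minutes (unit assumed here); 0 means "anywhere in the log".
    """
    window = timedelta(minutes=tolerance_window)
    report = {}
    for ip, stamps in failed_logins(text).items():
        start = 0
        for end, ts in enumerate(stamps):
            # advance the window start until the span fits tolerance_window
            while tolerance_window and ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= tolerance_attempts:
                report[ip] = len(stamps)
                break
    return report
```

With the post's settings (tolerance_attempts = 1, tolerance_window = 0) every source with a single failed login is reported; raising the threshold keeps a one-off probe from 198.51.100.7 out of the report while the rapid-fire brute force from 192.0.2.10 still qualifies.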

Before starting Cowrie, we need to move the real SSH server to a different port. Edit /etc/ssh/sshd_config and change this:

#Port 22

To this:

Port YOUR_RANDOM_PORT

You have to change YOUR_RANDOM_PORT to any port of your choice. I suggest using an ephemeral port like 32976. Then open this port in our firewall (note that a --permanent rule only becomes active after firewalld is reloaded, and on CentOS with SELinux enforcing, sshd may bind a non-standard port only after that port has been added to the ssh_port_t type with semanage; check both before restarting sshd, or you may lock yourself out):

sudo firewall-cmd --permanent --zone=public --add-port=YOUR_RANDOM_PORT/tcp

Don't forget to restart the SSH daemon:

sudo systemctl restart sshd

Now let's enable and start the service:

sudo systemctl enable --now cowrie

For security reasons, Cowrie runs as an unprivileged user and listens on ports above 1024, so we need to forward requests from ports 22 and 23 to 2222 and 2323 respectively. To do this we can simply use firewalld (I assume you have properly configured it; as before, these permanent rules take effect after a firewall reload):

sudo firewall-cmd --permanent --zone=public --add-forward-port=port=22:proto=tcp:toport=2222
sudo firewall-cmd --permanent --zone=public --add-forward-port=port=23:proto=tcp:toport=2323

So, our honeypot is ready to catch any Chinese/American bot.

Thanks for reading.