Cowrie SSH/Telnet Honeypot – All things in moderation

Cowrie SSH/Telnet Honeypot

What is Cowrie
Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.
Cowrie is developed by Michel Oosterhof.

Some interesting features:
– Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
– Possibility of adding fake file contents so the attacker can cat files such as /etc/passwd. Only minimal file contents are included
– Session logs stored in a UML-compatible format for easy replay with original timings
– Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection

Additional functionality over standard kippo:
– SFTP and SCP support for file upload
– Support for SSH exec commands
– Logging of direct-tcp connection attempts (ssh proxying)
– Forward SMTP connections to SMTP Honeypot (e.g. mailoney)
– Logging in JSON format for easy processing in log management solutions
– Many, many additional commands

Docker versions are available.
Get the Dockerfile directly at https://github.com/micheloosterhof/docker-cowrie
Run from the Docker registry with: docker pull cowrie/cowrie

Installing Cowrie in seven steps (plus optional port redirection)

Step 1: Install dependencies
First we install support for Python virtual environments and other dependencies. The actual Python packages are installed later.
On Debian based systems (last verified on Debian 9, 2017-07-25):

$ sudo apt-get install git python-virtualenv libssl-dev libffi-dev build-essential libpython-dev python2.7-minimal authbind

Step 2: Create a user account
It’s strongly recommended to install under a dedicated non-root user id:

$ sudo adduser --disabled-password cowrie
Adding user `cowrie' ...
Adding new group `cowrie' (1002) ...
Adding new user `cowrie' (1002) with group `cowrie' ...
Changing the user information for cowrie
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]

$ sudo su - cowrie

Step 3: Checkout the code

$ git clone https://github.com/micheloosterhof/cowrie
Cloning into 'cowrie'...
remote: Counting objects: 2965, done.
remote: Compressing objects: 100% (1025/1025), done.
remote: Total 2965 (delta 1908), reused 2962 (delta 1905), pack-reused 0
Receiving objects: 100% (2965/2965), 3.41 MiB | 2.57 MiB/s, done.
Resolving deltas: 100% (1908/1908), done.
Checking connectivity... done.

$ cd cowrie

Step 4: Setup Virtual Environment
Next you need to create your virtual environment:

$ pwd
$ virtualenv cowrie-env
New python executable in ./cowrie/cowrie-env/bin/python
Installing setuptools, pip, wheel...done.

Activate the virtual environment and install packages

$ source cowrie-env/bin/activate

(cowrie-env) $ pip install --upgrade pip

(cowrie-env) $ pip install --upgrade -r requirements.txt

Step 5: Install configuration file
The configuration for Cowrie is stored in cowrie.cfg.dist and cowrie.cfg. Both files are read, and entries in cowrie.cfg take precedence. The .dist file may be overwritten on upgrades; cowrie.cfg is never changed, so put all local settings there. To run with the standard configuration there is no need to change anything. To enable telnet, for example, create cowrie.cfg containing only the following section:

[telnet]
enabled = true

Step 6: Generate a DSA key
This step should not be necessary, but some Twisted versions insist on a DSA host key being present. To avoid problems in advance, run the commands below. The key exists only to satisfy Twisted: DSA host keys are deprecated (OpenSSH clients have refused them by default since 7.0), and recent OpenSSH releases have dropped DSA from ssh-keygen, so if the command is refused on your system simply skip this step:

$ cd data
$ ssh-keygen -t dsa -b 1024 -f ssh_host_dsa_key
$ cd ..

Step 7: Turning on cowrie
Cowrie is implemented as a module for Twisted, but to properly import everything the top-level source directory needs to be on Python's module search path (sys.path). This sometimes won't happen correctly, so make it explicit via PYTHONPATH:

#or another path to the top-level cowrie folder
$ export PYTHONPATH=/home/cowrie/cowrie

Start Cowrie with the cowrie command. You can add the cowrie/bin directory to your PATH if desired. If the virtual environment is called "cowrie-env" it is activated automatically; otherwise activate it manually before starting.

$ bin/cowrie start
Activating virtualenv "cowrie-env"
Starting cowrie with extra arguments [] ...

Step 8: Port redirection (optional)
Cowrie runs by default on port 2222. This can be modified in the configuration file. The following firewall rule will forward incoming traffic on port 22 to port 2222. Before adding it, make sure your own management sshd is listening on a port other than 22, otherwise the rule also captures your administrative sessions. Like any iptables rule it is not persistent across reboots unless you save it (for example with iptables-persistent).

$ sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

Note that you should test this rule only from another host; it doesn't apply to loopback connections. Alternatively you can use authbind to let the unprivileged cowrie user listen on port 22 directly (authbind was already installed in Step 1; the per-port marker file must be owned and executable by that user, hence mode 770):

$ sudo touch /etc/authbind/byport/22
$ sudo chown cowrie:cowrie /etc/authbind/byport/22
$ sudo chmod 770 /etc/authbind/byport/22

Or for telnet:

$ sudo touch /etc/authbind/byport/23
$ sudo chown cowrie:cowrie /etc/authbind/byport/23
$ sudo chmod 770 /etc/authbind/byport/23

Then:
  • Edit bin/cowrie and modify the AUTHBIND_ENABLED setting so the process is started through authbind
  • Change listen_port to 22 in cowrie.cfg (and the telnet listen port to 23 if you enabled telnet)
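The two ways of exposing the honeypot described above (the REDIRECT rule, or authbind) as one script, added here as an example and not part of Cowrie or the original page. It adds the checks a practitioner wants around those commands: the authbind marker file is verified after it is created, the iptables rule is only appended if an identical one is not already there, and the redirect is refused while a local service still listens on the target port. It assumes the honeypot user and group are both named cowrie (as created in Step 2), that authbind is installed, and that GNU find, iptables and ss are available; the function names and the EXPOSE_HONEYPOT variable are mine, not Cowrie's.

```shell
#!/bin/sh
# Added example, not part of Cowrie: expose the honeypot on privileged ports
# without running it as root, with verification instead of blind commands.
# Assumptions (not from the page): honeypot user/group "cowrie", authbind
# installed, GNU find for the permission check, iptables and ss for redirects.
set -eu

# Allow $user to bind TCP $port through authbind by creating the empty marker
# file <dir>/<port> (default /etc/authbind/byport) owned user:group, mode 770.
# The result is verified with find(1) rather than assumed: a wrong owner or
# mode makes Cowrie fail at start-up with nothing more than "permission denied".
# Usage: authbind_allow PORT USER [GROUP] [BYPORT_DIR]
authbind_allow() {
    local port="$1" user="$2" group="${3:-$2}" dir="${4:-/etc/authbind/byport}"
    local f="$dir/$port"

    case "$port" in
        ''|*[!0-9]*) echo "authbind_allow: '$port' is not a port number" >&2; return 1 ;;
    esac
    if [ "$port" -ge 1024 ]; then
        echo "authbind_allow: port $port is unprivileged, authbind is not needed" >&2
        return 1
    fi

    mkdir -p "$dir"
    : > "$f"                       # create (or truncate) the marker file
    chown "$user:$group" "$f"
    chmod 770 "$f"

    # -perm 770 is an exact match; -user/-group accept names or numeric ids
    if [ -z "$(find "$f" -maxdepth 0 -user "$user" -group "$group" -perm 770)" ]; then
        echo "authbind_allow: $f is not owned by $user:$group with mode 770" >&2
        return 1
    fi
    echo "$f"
}

# The nat-table rule from the page that redirects inbound TCP $1 to $2
# (--to-ports is the canonical spelling of --to-port).  Keeping it in one
# place lets the same rule be checked (-C), appended (-A) and deleted (-D).
redirect_rule() {
    printf 'PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s' "$1" "$2"
}

# Append the redirect only once (iptables -C exits 0 when an identical rule is
# already present, so re-running the script never stacks duplicates) and refuse
# to capture a port a local service still listens on: with the rule in place
# an admin sshd left on 22 becomes unreachable from outside.  Must run as root.
# Usage: apply_redirect FROM_PORT TO_PORT
apply_redirect() {
    local from="$1" to="$2" rule
    rule="$(redirect_rule "$from" "$to")"
    # ss -ltn: column 4 is "Local Address:Port" on every row after the header
    if ss -ltn 2>/dev/null | awk -v p=":${from}\$" 'NR > 1 && $4 ~ p { hit = 1 } END { exit !hit }'; then
        echo "apply_redirect: a local service still listens on tcp/$from; move it first" >&2
        return 1
    fi
    # shellcheck disable=SC2086  # word splitting of $rule is intended
    if iptables -t nat -C $rule 2>/dev/null; then
        echo "redirect tcp/$from -> tcp/$to already present"
    else
        iptables -t nat -A $rule
        echo "redirect tcp/$from -> tcp/$to added (not persistent across reboots)"
    fi
}

# Example invocations, guarded so that sourcing this file runs nothing:
#   sudo EXPOSE_HONEYPOT=authbind sh expose_honeypot.sh  # Cowrie binds 22/23 itself
#   sudo EXPOSE_HONEYPOT=redirect sh expose_honeypot.sh  # Cowrie stays on 2222/2223
case "${EXPOSE_HONEYPOT:-}" in
    authbind) authbind_allow 22 cowrie; authbind_allow 23 cowrie ;;
    redirect) apply_redirect 22 2222; apply_redirect 23 2223 ;;
esac
```

Pick one mechanism, not both: with authbind, Cowrie itself binds 22/23 and cowrie.cfg must be changed as in the bullets above; with the redirect, Cowrie keeps listening on 2222/2223 and the kernel rewrites the destination port. In either case the listener check is the part worth keeping, since a redirect added while your management sshd is still on 22 locks you out from everything except the console.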

Updating Cowrie
Updating is an easy process. First stop your honeypot. Then fetch updates from GitHub and, as a next step, upgrade your Python dependencies inside the virtual environment.

$ bin/cowrie stop
$ git pull
$ source cowrie-env/bin/activate
(cowrie-env) $ pip install --upgrade -r requirements.txt
(cowrie-env) $ bin/cowrie start

Source: https://github.com/micheloosterhof/cowrie
