
Setting up a Cowrie SSH Honeypot on AWS

Cowrie is an SSH and Telnet honeypot that emulates a UNIX system. It is an open source project written in Python.

Getting Started with Cowrie

These steps are based on my own personal notes and are primarily meant for my own future reference. They describe the bare minimum needed to get off the ground with Cowrie. This little project was eye-opening for me. It was amazing to see just how much malicious activity is out on the internet. I let this server run for several days and had something attack it every few minutes.

Create an EC2 instance

The first thing we need to do is create a Debian 11 EC2 instance in AWS. A free-tier t2.micro instance will work just fine for this. In order for the honeypot to be reachable by attackers, the security group inbound rules will have to allow TCP port 22 from anywhere. We still need to be able to SSH to the instance ourselves, so another port will have to be used for that, and an inbound rule will have to be added to the security group to allow it. I used port 8022 and created an inbound rule that allows traffic to that port only from my own public IP address.
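The two-rule layout just described (honeypot port open to the world, management port open to a single address, nothing else inbound) is easy to get subtly wrong in the console, so here is a small audit of a security group's inbound rules. This is an added example, not code from the original post: the rule lists are constructed in the shape boto3's `describe_security_groups()` returns under `IpPermissions`, and the administrator address 198.51.100.23/32 is a placeholder.

```python
"""Audit an EC2 security group for the honeypot layout described above:
TCP/22 (the honeypot) open to the whole internet, TCP/8022 (real SSH)
open only to the administrator's own address, nothing else inbound.
Added example, not code from the original post. The rule lists below are
constructed in the shape boto3's describe_security_groups() returns under
"IpPermissions"; the administrator address 198.51.100.23/32 is a placeholder."""

import ipaddress

WORLD = {"0.0.0.0/0", "::/0"}


def _cidrs(perm):
    """Collect every CIDR source of one rule (IPv4 and IPv6)."""
    return [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
           [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]


def audit_security_group(ip_permissions, honeypot_port=22, admin_port=8022,
                         admin_cidr="198.51.100.23/32"):
    """Return a list of findings; an empty list means the group matches the intended layout."""
    findings = []
    honeypot_reachable = False
    admin_allowed = False
    admin_net = ipaddress.ip_network(admin_cidr)

    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if proto == "-1":  # "All traffic" rule: never appropriate for this box
            findings.append(f"all traffic allowed from {_cidrs(perm)}; remove this rule")
            continue
        if perm.get("UserIdGroupPairs") or perm.get("PrefixListIds"):
            findings.append(f"{proto} {lo}-{hi}: security-group or prefix-list source, review by hand")
        for cidr in _cidrs(perm):
            is_world = cidr in WORLD
            if proto == "tcp" and lo == hi == honeypot_port:
                if is_world:
                    honeypot_reachable = True
                else:
                    findings.append(f"honeypot port {honeypot_port} only open to {cidr}; attackers will not reach it")
            elif proto == "tcp" and lo == hi == admin_port:
                net = ipaddress.ip_network(cidr)
                if is_world or net.num_addresses != 1:
                    findings.append(f"management port {admin_port} open to {cidr}; restrict to a single host")
                elif net == admin_net:
                    admin_allowed = True
                else:
                    findings.append(f"management port {admin_port} open to unexpected host {cidr}")
            else:
                findings.append(f"unexpected inbound rule {proto} {lo}-{hi} from {cidr}")

    if not honeypot_reachable:
        findings.append(f"honeypot port {honeypot_port} is not open to the internet")
    if not admin_allowed:
        findings.append(f"no rule allows management port {admin_port} from {admin_cidr}")
    return findings


# Constructed examples of the intended layout and of a common mistake.
GOOD_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8022, "ToPort": 8022,
     "IpRanges": [{"CidrIp": "198.51.100.23/32"}]},
]
BAD_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8022, "ToPort": 8022, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, audit_security_group(rules) or ["ok"])
```

To audit the real group, replace `GOOD_RULES` with `boto3.client("ec2").describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]["IpPermissions"]`; the function needs no other change.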


Once the EC2 instance is running, connect to it over SSH on the standard port 22.

Then update Debian and install some necessary Cowrie dependencies. I am also installing lnav, a Linux utility for viewing log files.

sudo apt-get update && sudo apt-get upgrade -y
sudo apt update -y
sudo apt-get install lnav git python3-virtualenv libssl-dev libffi-dev build-essential libpython3-dev authbind -y

Change SSH port to something other than 22

Because Cowrie is an SSH honeypot, we won’t be able to use the standard port 22 for SSH once it is configured and running. We still need to be able to access it, so we need to change the SSH port from 22 to 8022 in the SSH daemon config file located at /etc/ssh/sshd_config. Use a text editor to open the file, uncomment the line that says “Port 22” and change it to “Port 8022.”


After that, restart the SSH service for the change to take effect.

sudo systemctl restart ssh

Then re-connect to the server using port 8022. This can be done with the “-p” flag.

ssh -i "keypair.pem" [user]@[ip address] -p 8022
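Editing sshd_config by hand is quick, but the Port directive ships commented out on Debian, and a typo or a leftover second Port line is only discovered after the restart, when you may already be locked out. The following added example (not from the original post) makes the same change programmatically and lets you check the result before restarting; `SAMPLE_CONFIG` is a constructed excerpt of the stock Debian file.

```python
"""Set the sshd listening port in an sshd_config file and check the result
before restarting the service. Added example, not from the original post;
SAMPLE_CONFIG is a constructed excerpt of the stock Debian file, where the
Port directive ships commented out."""

import re
import sys

# Matches "Port 22", "#Port 22", "  # Port 22", but not "ListenAddress ...:22".
PORT_DIRECTIVE = re.compile(r"^[ \t]*#?[ \t]*Port[ \t]+(\d+)[ \t]*$")


def set_sshd_port(config_text, port):
    """Return config_text with exactly one active 'Port <port>' directive.
    The first Port line (commented or active) is replaced, any further Port
    lines are dropped so sshd does not end up listening on two ports, and
    the directive is appended if the file has none."""
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    out, replaced = [], False
    for line in config_text.splitlines():
        if PORT_DIRECTIVE.match(line):
            if not replaced:
                out.append(f"Port {port}")
                replaced = True
            continue  # drop duplicate Port lines
        out.append(line)
    if not replaced:
        out.append(f"Port {port}")
    return "\n".join(out) + "\n"


def active_ports(config_text):
    """Ports sshd would listen on according to this text alone.
    Files pulled in by an Include line are not read here; use 'sshd -T'
    for the effective configuration."""
    return [int(m.group(1))
            for m in re.finditer(r"^[ \t]*Port[ \t]+(\d+)[ \t]*$", config_text, re.M)]


SAMPLE_CONFIG = """\
# Constructed excerpt of /etc/ssh/sshd_config as shipped on Debian
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
PasswordAuthentication no
"""

if __name__ == "__main__":
    # usage: sudo python3 set_port.py /etc/ssh/sshd_config 8022   (rewrites the file in place)
    if len(sys.argv) == 3:
        path, port = sys.argv[1], int(sys.argv[2])
        with open(path, encoding="utf-8") as f:
            updated = set_sshd_port(f.read(), port)
        assert active_ports(updated) == [port]
        with open(path, "w", encoding="utf-8") as f:
            f.write(updated)
    else:
        print(set_sshd_port(SAMPLE_CONFIG, 8022))
```

Before restarting, run `sudo sshd -t` (syntax check) and `sudo sshd -T | grep '^port '` (the effective port, which also accounts for any drop-in under /etc/ssh/sshd_config.d), and keep the current session open until a fresh connection on 8022 succeeds.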

Install Cowrie

Once reconnected, we are ready to install and configure Cowrie. The first thing we do is create a new user account with the adduser command. It will prompt us for several options. They can all be left blank.

sudo adduser --disabled-password cowrie
sudo su - cowrie

Then we clone the Cowrie GitHub repo and create a virtual environment to run it in using virtualenv, a tool for running Python in isolated environments.

git clone http://github.com/cowrie/cowrie
cd cowrie
virtualenv cowrie-env
source cowrie-env/bin/activate

Now we are ready to install Cowrie using the Python package manager, pip. Cowrie's dependencies are listed in the requirements.txt file in the repo we just cloned.

pip install --upgrade pip
pip install --upgrade -r requirements.txt

Configure Cowrie

Now we need to change the hostname to something other than the default. Leaving it on the default makes the honeypot easy to identify as a honeypot, so we need to change it. To do this, copy the cowrie.cfg.dist file in the etc directory to a new file named cowrie.cfg.

cd etc
cp cowrie.cfg.dist cowrie.cfg

Now open cowrie.cfg and change the hostname setting to something else. Any name will do.


Leave the cowrie user's shell (and with it the virtual environment) using the exit command, so that the next step runs as a user who can use sudo.

exit

Now we run this command to redirect incoming TCP traffic on port 22 to port 2222, the port on which Cowrie's emulated SSH server listens. Note that a rule added this way does not survive a reboot.

sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

Start Cowrie and View Logs

Finally we start Cowrie by changing to the cowrie user we just created, navigating to the ~/cowrie/bin directory, and running the command cowrie start.

sudo su cowrie
cd ~/cowrie/bin
cowrie start

The honeypot should now be up and running. To stop it, use the command cowrie stop, again from the ~/cowrie/bin directory. We can view the log file and see connection attempts in real time using lnav. We could also use tailf or multitail. The Cowrie log file is located at var/log/cowrie/cowrie.log under the cowrie checkout.

cd ~/cowrie/var/log/cowrie
lnav cowrie.log

We can also test the honeypot by trying to ssh to it on the standard port 22. Running this command locally should create entries in the cowrie.log file, which can be seen in real time with lnav.

ssh root@[ip address]

Where to go from here

From here, the log files can be exported to a vast array of log management and log aggregation software. One of the most popular is the ELK stack (Elasticsearch, Logstash, and Kibana). Once configured, this collection of software can be used to aggregate, analyze, and visualize logs from our Cowrie honeypots or anything else.
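Between watching cowrie.log scroll past in lnav and standing up a full ELK stack there is a useful middle step: Cowrie also writes a line-delimited JSON log (cowrie.json, next to cowrie.log in the same directory), which is easy to summarise with a short script. This is an added example using only the standard library; it is not part of Cowrie or of the original post. The sample lines are constructed with the field names Cowrie emits (eventid, src_ip, username, password, input, session, timestamp) and documentation-range addresses, and the last line is deliberately broken to show that partial writes are skipped.

```python
"""Summarise Cowrie's JSON event log (cowrie.json, written next to cowrie.log):
which addresses connected, which credentials they tried, and what they typed
after a successful login. Added example using only the standard library; it
is not part of Cowrie or of the original post. The sample lines are
constructed with the field names Cowrie emits (eventid, src_ip, username,
password, input, session, timestamp) and documentation-range addresses."""

import json
import sys
from collections import Counter, defaultdict

SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.10", "src_port": 51234, "dst_port": 2222, "session": "a1b2c3d4e5f6", "protocol": "ssh", "timestamp": "2023-05-01T10:00:00.000000Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "203.0.113.10", "session": "a1b2c3d4e5f6", "timestamp": "2023-05-01T10:00:01.000000Z"}
{"eventid": "cowrie.login.success", "username": "root", "password": "admin", "src_ip": "203.0.113.10", "session": "a1b2c3d4e5f6", "timestamp": "2023-05-01T10:00:02.000000Z"}
{"eventid": "cowrie.command.input", "input": "uname -a", "src_ip": "203.0.113.10", "session": "a1b2c3d4e5f6", "timestamp": "2023-05-01T10:00:03.000000Z"}
{"eventid": "cowrie.command.input", "input": "cat /proc/cpuinfo | grep name | wc -l", "src_ip": "203.0.113.10", "session": "a1b2c3d4e5f6", "timestamp": "2023-05-01T10:00:04.000000Z"}
{"eventid": "cowrie.session.closed", "duration": 4.2, "src_ip": "203.0.113.10", "session": "a1b2c3d4e5f6", "timestamp": "2023-05-01T10:00:05.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "src_port": 40001, "dst_port": 2222, "session": "0f0f0f0f0f0f", "protocol": "ssh", "timestamp": "2023-05-01T10:07:00.000000Z"}
{"eventid": "cowrie.login.failed", "username": "admin", "password": "admin", "src_ip": "198.51.100.7", "session": "0f0f0f0f0f0f", "timestamp": "2023-05-01T10:07:01.000000Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "198.51.100.7", "session": "0f0f0f0f0f0f", "timestamp": "2023-05-01T10:07:02.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "src_port": 40002, "dst_port": 2222, "session": "1e1e1e1e1e1e", "protocol": "ssh", "timestamp": "2023-05-01T10:09:00.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "src_port": 400
"""


def parse_events(text):
    """Yield one dict per well-formed JSON line; skip blank, truncated or foreign lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and "eventid" in event:
            yield event


def summarize(events):
    """Aggregate the events that matter most for a first look at the honeypot."""
    summary = {
        "connections_by_ip": Counter(),          # src_ip -> number of sessions
        "failed_logins": Counter(),              # (username, password) -> count
        "successful_logins": Counter(),          # (username, password) -> count
        "commands_by_session": defaultdict(list),  # session id -> commands typed
        "sessions_with_commands": 0,
    }
    for ev in events:
        eid = ev.get("eventid")
        if eid == "cowrie.session.connect":
            summary["connections_by_ip"][ev.get("src_ip", "?")] += 1
        elif eid == "cowrie.login.failed":
            summary["failed_logins"][(ev.get("username"), ev.get("password"))] += 1
        elif eid == "cowrie.login.success":
            summary["successful_logins"][(ev.get("username"), ev.get("password"))] += 1
        elif eid == "cowrie.command.input":
            summary["commands_by_session"][ev.get("session")].append(ev.get("input", ""))
    summary["sessions_with_commands"] = len(summary["commands_by_session"])
    return summary


def top_credentials(summary, n=5):
    """Most-tried username/password pairs, successful or not."""
    return (summary["failed_logins"] + summary["successful_logins"]).most_common(n)


def format_report(summary, n=5):
    """Render the summary as plain text for the terminal."""
    by_ip = summary["connections_by_ip"]
    lines = [f"connections: {sum(by_ip.values())} from {len(by_ip)} addresses"]
    lines += [f"  {ip}: {count}" for ip, count in by_ip.most_common(n)]
    lines.append("most tried credentials:")
    lines += [f"  {user}/{pw}: {count}" for (user, pw), count in top_credentials(summary, n)]
    lines.append(f"sessions that ran commands: {summary['sessions_with_commands']}")
    lines += [f"  {sid}: " + " ; ".join(cmds) for sid, cmds in summary["commands_by_session"].items()]
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: python3 cowrie_summary.py ~/cowrie/var/log/cowrie/cowrie.json
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(format_report(summarize(parse_events(text))))
```

The same aggregation is what a Kibana dashboard would show first (connections per source, top credentials, sessions that got past login and what they ran), so the counters here double as a sanity check on whatever the ELK pipeline later reports.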