Summary

I setup a honeypot using Cowrie, a fork of the retired project known as Kippo (last updated 2014), which itself was inspired from Kojoney (last updated 2006).

These are my instructions for setting up the honeypot.

Initial setup

Start with a VirtualBox VM running 64-bit Ubuntu 16.10. Follow the steps as described in Setting Up A Ubuntu Development VM (2016-10 Edition).

Determine which TCP ports are open. There should be very little:

Cowrie will be setup to run on TCP port 22 (SSH), so shut down the real SSHD. While I'm there, I will also shut down CUPSD:

Obviously, don't disable SSHD if this is a remote device. Instead, change the value of Port in /etc/ssh/sshd_config.

Running netstat again should show a cleaned up number of listening TCP ports:

Setup Cowrie

Cowrie must not be run as root. It is typically run with a user that has no special permissions, and which isn't in the sudo group. To do this, run one of the following commands:

(I strongly recommend trying out fish as a shell if you've not tried it yet.)

Install the required packages needed to run Cowrie:

Because low-numbered ports are normally reserved, and Cowrie doesn't run as root, authbind will be used to bind to ports 22 (SSH) and 23 (Telnet). Setup authbind by running the following commands:

Create a terminal window and login as the new cowrie user:

As the cowrie user, checkout the latest copy of cowrie source code from GitHub:

As the cowrie user, run the following commands:

Edit start.sh and modify the AUTHBIND_ENABLED line at the top to enable authbind:

Edit cowrie.cfg and make the following changes:

• In the [honeypot] section:
  hostname = camera-06 fake_addr = 10.0.18.37 listen_port = 22
  Obviously set the hostname and fake IP address to whatever you want.
• In the [telnet] section:
  enabled = true listen_port = 23

At this point, you can start the honeypot. As the cowrie user, run the following commands:

This will have started the cowrie service in the background. Check to see that you now have a python process listening on ports 22 and 23:

Honeypot users

The usernames and password information is stored in ~/cowrie/data/userdb.txt. You can add usernames, passwords to accept, and passwords to reject.

For example, the default userdb.txt file contains the following:

This tells Cowrie to accept the username root as long as the password isn't root or 123456.

From past experience, usernames that work well on a honeypot include:

• root
• admin
• deploy
• support
• zabbix
• git

Adding a new user requires modifying the following:

• data/userdb.txt
• honeyfs/etc/group
• honeyfs/etc/passwd
• honeyfs/etc/shadow
• data/fs.pickle

The "standard" text files are simple enough to manage. The only trick is the fs.pickle file. The tool bin/fsctl is used to modify fs.pickle. For example, to add a user named "support" with a UID and GID of 1002, you need to run the following commands:

Stop and restart Cowrie for it to pick up the new fs.pickle.

Session logs

Log files are stored in log/, but of particular interest are the session logs stored in log/tty/. These logs can be played back using the bin/playlog tool to see what was typed in telnet and ssh sessions.

For example:

Expose the honeypot

The only thing left at this point is to expose the honeypot to the internet. Once I configured my router to place the honeypot in the DMZ, it took 110 seconds for the first "attack" to take place.

A live view into the log to see how the honeypot is accessed and/or compromised is easy to start:

JSON log entries

The JSON log entries can be easily stored in a database for further analysis. I created a table in my PostgreSQL database where I store all of the events, and wrote a simple shell script to parse the JSON log files and insert records into the database. This doesn't have all of the possible available fields, but most of them, and certainly all of the ones that I found were interesting: