Setting up an SSH Honeypot

Aaron Jehu
Jun 20, 2024

I will be setting up an SSH Honeypot.

A honeypot is a decoy system that appears vulnerable and attractive to potential attackers, allowing you to detect unauthorized activity, gather information about the attacker, or distract them from your actual systems.

The honeypot used here is called “Cowrie”, an open source project developed by Michel Oosterhof.

Task 1: Install Cowrie
Navigate to the home directory of the cowrie user and clone the Cowrie Git repository:

<git clone (git URL)>

Task 2: Setting up the Environment

I’m using two VMs:

- Kali Purple (honeypot host)
- Kali Linux (attacking machine)

To add an extra layer of security, I’ll run the honeypot in a Docker container, which provides isolation and air-gapping. Ensure Docker is installed on your target machine (Kali Purple).

Here’s how to install Docker:
https://www.kali.org/docs/containers/installing-docker-on-kali/

After installation, run the following command in your root terminal:
<docker run -p 2222:2222 cowrie/cowrie:latest>

This command launches a Cowrie honeypot container, mapping port 2222 on the host machine to port 2222 in the container. The image will be built automatically, and the honeypot will be ready to accept SSH connections.

Next, on my Kali Linux machine, I’ll run an nmap scan to verify the honeypot is running:
<sudo nmap -sV (target)>

The scan reveals a vulnerable OpenSSH service (OpenSSH 6.0p1 Debian 4+deb7u2, protocol 2.0). Note that this appears to be a real SSH connection, but it’s actually a honeypot.

I’ll then ssh into the vulnerable port:

Once connected, it will appear to be a real machine, but it’s actually the honeypot. My Kali Purple machine, where the honeypot is set up, logs every activity attempted on the honeypot.
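To make use of those logs, here is an added example (not from the original post or the Cowrie project) that groups Cowrie's JSON event lines by session and surfaces the sessions that logged in and ran commands. It assumes the log has been exported as one JSON object per line; the sample events are constructed, and the field names (eventid, src_ip, session, username, password, input) follow Cowrie's JSON log output.

```python
import json
from collections import defaultdict

# Constructed sample events (not real traffic), shaped like Cowrie's JSON log lines.
SAMPLE_LOG = """
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.10", "session": "a1"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "192.0.2.10", "session": "a1"}
{"eventid": "cowrie.login.success", "username": "root", "password": "admin", "src_ip": "192.0.2.10", "session": "a1"}
{"eventid": "cowrie.command.input", "input": "uname -a", "src_ip": "192.0.2.10", "session": "a1"}
{"eventid": "cowrie.command.input", "input": "cat /proc/cpuinfo", "src_ip": "192.0.2.10", "session": "a1"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "session": "b2"}
{"eventid": "cowrie.login.failed", "username": "admin", "password": "admin", "src_ip": "198.51.100.7", "session": "b2"}
{"eventid": "cowrie.login.failed", "userna
"""

def summarize(lines):
    """Group events by session; return (sessions, number of unparseable lines)."""
    sessions = defaultdict(lambda: {"src_ip": None, "failed": [], "success": [], "commands": []})
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # e.g. a line truncated mid-write
            continue
        if not isinstance(ev, dict) or "session" not in ev:
            skipped += 1
            continue
        s = sessions[ev["session"]]
        s["src_ip"] = ev.get("src_ip") or s["src_ip"]
        creds = (ev.get("username"), ev.get("password"))
        eventid = ev.get("eventid")
        if eventid == "cowrie.login.failed":
            s["failed"].append(creds)
        elif eventid == "cowrie.login.success":
            s["success"].append(creds)
        elif eventid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
    return dict(sessions), skipped

def interactive_sessions(sessions):
    """Sessions that logged in and ran commands: review these first."""
    return sorted(sid for sid, s in sessions.items() if s["success"] and s["commands"])

if __name__ == "__main__":
    sessions, skipped = summarize(SAMPLE_LOG.splitlines())
    for sid in interactive_sessions(sessions):
        s = sessions[sid]
        print(sid, s["src_ip"], "failed:", len(s["failed"]), "commands:", s["commands"])
    print("unparseable lines skipped:", skipped)
```

Sessions with only failed logins are typically automated password guessing; the ones returned by interactive_sessions are where the command history is worth reading.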

This is a simple example of setting up an SSH honeypot. For more advanced honeypot options, check out https://github.com/paralax/awesome-honeypots
