Cowrie Cheat Sheet

Cowrie (not the shell) is a honeypot that emulates a vulnerable SSH server while keeping the attacker contained within a jailed file system. The official GitHub describes the honeypot as: “.. a medium interaction SSH and Telnet honeypot designed to log brute force attacks and shell interaction performed by the attacker”. Official documentation can be found here:

https://cowrie.readthedocs.io/en/latest/index.html

Here is a basic installation and setup tutorial:

Add a non-root user to the VPS/Pi etc.:

useradd [username]

Give the user sudo capabilities by adding it to the sudo group:

usermod -aG sudo [username]

Edit /etc/ssh/sshd_config and append the following to the end:

AllowUsers [username]

Restart sshd so the changes take effect:

service sshd restart

Alert: Test ssh capability before continuing

From the host, SSH to the honeypot with your newly created user

Stop root’s ssh capability:

nano /etc/ssh/sshd_config

Type ‘ctrl+w’ to find PermitRootLogin and change the parameter to ‘no’. We can now start prepping for the honeypot install.

Head back to /etc/ssh/sshd_config, change the default SSH port from 22 to something like 44044, and remove the # from the start of the entry:

nano /etc/ssh/sshd_config

Restart the service again to allow for the changes to take place.

service sshd restart

Running ‘netstat -ta’ shows the current listening SSH port. Make sure you update and upgrade your droplet/VPS/server before installing Cowrie:

apt-get update && apt-get upgrade

Create a cowrie user

sudo adduser --disabled-password cowrie

Switch to the cowrie user and navigate to the user's home directory:

su cowrie

cd

Install git and clone the cowrie git (you may need to escalate to root for this due to cowrie having no sudo or password capabilities)

apt-get install git && git clone https://github.com/cowrie/cowrie.git

Install pip and the cowrie requirements (make sure you’re in the correct directory where requirements.txt is located).

apt-get install python-pip

pip install -r requirements.txt

Create a new virtual environment for cowrie:

apt-get install virtualenv

virtualenv cowrie-env

virtualenv --python=python3 cowrie-env

Alternatively you can create a python2 virtual environment

virtualenv --python=python2 cowrie-env

Now you need to activate the virtual environment:

source cowrie-env/bin/activate

The terminal will now display cowrie-env before the username

Create a copy of the Cowrie config file to edit, leaving cowrie.cfg.dist untouched as the backup. The config files are in /cowrie/etc:

cp cowrie.cfg.dist cowrie.cfg

nano cowrie.cfg

Change the hostname by searching (‘ctrl+w’) for hostname.

Change from the default to something like:

hostname = HomeFileServer

The default port for Cowrie to listen on for SSH connections is 2222. We can add 22, as it's the most common port, for more frequent logs. Search (‘ctrl+w’) for listen_endpoints and set it so both endpoints are on one line, separated by a single space (the same key cannot be repeated on two lines):

listen_endpoints = tcp:2222:interface=0.0.0.0 tcp:22:interface=0.0.0.0

Save the file and exit nano.

Start Cowrie:

bin/cowrie start

Allow port 22 to redirect to 2222 (Cowrie's default listening port):

sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

Restart the machine and you should be good to go! Make sure you test the listening ports by scanning the machine with nmap.
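
Before the port 22 redirect goes in, the administrative sshd must really be off port 22, otherwise your own logins land in the honeypot. The script below is an added example, not part of the original cheat sheet or the Cowrie project. The function names and the user alice are hypothetical, and it reads only global directives (no Include files or Match blocks).

```bash
#!/usr/bin/env bash
# Added example: pre-flight check of sshd_config before the port 22 redirect.

# Print every value set for a global sshd_config keyword, one per line.
# Keywords are case-insensitive; comment and blank lines are skipped.
# Simplification: stops at the first Match block and ignores Include files.
sshd_values() {  # usage: sshd_values <file> <keyword>
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# Return 0 only when the admin sshd is off Cowrie's ports, root login is
# disabled, and the admin user is named in AllowUsers (exact names only).
preflight() {  # usage: preflight <sshd_config> <admin_user>
    local cfg=$1 admin=$2 rc=0 ports root allow p
    ports=$(sshd_values "$cfg" Port)
    [ -n "$ports" ] || ports=22   # no active Port line: sshd defaults to 22
    for p in $ports; do
        case $p in
            22|2222) echo "FAIL: admin sshd on port $p collides with Cowrie"; rc=1 ;;
        esac
    done
    root=$(sshd_values "$cfg" PermitRootLogin | head -n 1)   # first value wins
    [ "$root" = "no" ] || { echo "FAIL: PermitRootLogin is '${root:-unset}'"; rc=1; }
    allow=$(sshd_values "$cfg" AllowUsers | tr '\n' ' ')
    case " $allow " in
        *" $admin "*) ;;
        *) echo "FAIL: $admin is not in AllowUsers"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: sshd_config is ready for the port 22 redirect"
    return "$rc"
}

# Constructed sample of the end state this cheat sheet aims for;
# the user name "alice" is hypothetical.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
Port 44044
PermitRootLogin no
AllowUsers alice
EOF
preflight "$sample" alice
```

On a real host, point preflight at /etc/ssh/sshd_config with your own admin user; a commented-out Port line counts as port 22.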