Cowrie (not the shell) is a honeypot that emulates a vulnerable SSH server while contained within a jailed file system. The official GitHub page describes the honeypot as: “... a medium interaction SSH and Telnet honeypot designed to log brute force attacks and shell interaction performed by the attacker”. Official documentation can be found here:
https://cowrie.readthedocs.io/en/latest/index.html
Here is a basic installation and setup tutorial:
Add a non-root user to the VPS/Pi etc.:
useradd [username]
Give the user sudo capabilities:
usermod -aG sudo [username]
Edit the following file: /etc/ssh/sshd_config and append to end:
AllowUsers [username]
Apply the changes:
service sshd restart
Alert: Test ssh capability before continuing
From the host, SSH to the honeypot with your newly created user
Stop root’s SSH capability:
nano /etc/ssh/sshd_config
Press ‘ctrl+w’ to find PermitRootLogin and change the parameter to ‘no’. We can now start prepping for the honeypot install.
Head back to /etc/ssh/sshd_config, change the default SSH port from 22 to something like 44044, and remove the # from the start of the entry:
nano /etc/ssh/sshd_config
Restart the service again to allow for the changes to take place.
service sshd restart
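Before each sshd restart in the steps above, the edited file can be checked offline. The script below is an added example, not part of the original tutorial or the Cowrie project; the function names and the hpadmin account are hypothetical, it reads only the global section of a single file (Include files are not followed), and the sample config is constructed.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config (Include files are not followed).

# Print every value of KEYWORD; keywords are case-insensitive, '#' lines are skipped.
sshd_values() {  # usage: sshd_values FILE KEYWORD
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# Print one FAIL line per finding and return the number of findings.
audit_sshd_config() {  # usage: audit_sshd_config FILE ADMIN_USER
    file=$1 user=$2 findings=0

    # sshd uses the first PermitRootLogin value it reads, so a "no"
    # added below an earlier "yes" has no effect.
    root_login=$(sshd_values "$file" PermitRootLogin | head -n 1)
    if [ "$root_login" != "no" ]; then
        echo "FAIL PermitRootLogin is '${root_login:-unset}', expected 'no'"
        findings=$((findings + 1))
    fi

    # Every Port line is honoured and the default is 22; the real sshd
    # must stay off 22 so that port is free for Cowrie.
    ports=$(sshd_values "$file" Port)
    if [ -z "$ports" ] || echo "$ports" | grep -qx 22; then
        echo "FAIL sshd still listens on port 22"
        findings=$((findings + 1))
    fi

    # If AllowUsers exists without the admin account, the restart locks you out.
    if ! sshd_values "$file" AllowUsers | tr -s ' \t' '\n\n' | grep -qxF "$user"; then
        echo "FAIL AllowUsers does not list '$user'"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: "PermitRootLogin no" appended below an earlier "yes".
sample=$(mktemp)
printf '%s\n' 'Port 44044' 'PermitRootLogin yes' '#Port 22' \
    'PermitRootLogin no' 'AllowUsers hpadmin' > "$sample"
audit_sshd_config "$sample" hpadmin || echo "$? finding(s)"
rm -f "$sample"
```

On the live host, `sshd -t` additionally validates the syntax of the real configuration before you restart the service.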
Running ‘netstat -ta’ shows the current listening SSH port. Make sure you update and upgrade your droplet/VPS/server before installing Cowrie:
apt-get update && apt-get upgrade
Create a cowrie user:
sudo adduser --disabled-password cowrie
Switch to the cowrie user and navigate to the user’s home directory:
su cowrie
cd
Install git and clone the Cowrie repository (you may need to escalate to root for this, because the cowrie user has no sudo or password capabilities):
apt-get install git && git clone https://github.com/cowrie/cowrie.git
Install pip and the cowrie requirements (make sure you’re in the correct directory where requirements.txt is located).
apt-get install python-pip
pip install -r requirements.txt
Create a new virtual environment for cowrie:
apt-get install virtualenv
virtualenv cowrie-env
virtualenv --python=python3 cowrie-env
Alternatively, you can create a python2 virtual environment:
virtualenv --python=python2 cowrie-env
Now you need to activate the virtual environment:
source cowrie-env/bin/activate
The terminal will now display cowrie-env before the username
Create a backup of the Cowrie config file, which is located in /cowrie/etc:
cp cowrie.cfg.dist cowrie.cfg
nano cowrie.cfg
Change the hostname by searching (‘ctrl+w’) for hostname.
Change from the default to something like:
hostname = HomeFileServer
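The default port for Cowrie to listen on for SSH connections is 2222. We can add 22, as it’s the most common port, for more frequent logs. Search (‘ctrl+w’) for listen_endpoints and set it as shown below. Multiple endpoints go on a single line separated by a space, because a second listen_endpoints line is not merged with the first. Note that the unprivileged cowrie user cannot bind a port below 1024 on its own; the iptables redirect further down is what delivers port 22 traffic to 2222.
listen_endpoints = tcp:2222:interface=0.0.0.0 tcp:22:interface=0.0.0.0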
Exit nano and save the file
Start Cowrie:
bin/cowrie start
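Allow port 22 to redirect to 2222 (Cowrie’s default listening port):
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
Restart the machine and you should be good to go! Make sure you test the listening ports by running nmap against the machine. Rules added with iptables in this way are not kept across a reboot unless they are saved, so check that the redirect is still in place afterwards.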