Cowrie - Setting up a Honeypot environment (Part 1)

1. Introduction

A Honeypots function could be considered consistent with its name, it is designed to attract malicious traffic, it does this by emulating services that would be considered valuable for malicious attackers. When a bad actor tries to establish a connection with the service running on the honeypot, the connection will be logged and made available for security personnel. Honeypots come in all shapes and sizes, it can be configured to run on any operating system and emulate any protocol or service. 

1.1 Low interaction Honeypot

A low interaction honeypot will limit the interaction between the emulated service and the attacker, all the services emulated by this honeypot classification will give little to no response in return once a connection is attempted. This honeypot can be very effective if your goal is to eavesdrop on a network to look for any suspicious traffic.  

1.2 High interaction Honeypot

Compared to a low interaction honeypot, a high interaction honeypot is specifically designed to interact directly with the attacker. These honeypots are often very complex and instead of just partly mimicking a service, the honeypot actually operates upon fully functioning services. These honeypots provide a very detailed report and give a real-time summary of the attacker’s activity. There are however a couple dangers, as the honeypot is functioning upon real services, vulnerabilities may exist and the attacker might take advantage of these and take control over the server.

In this walkthrough, we will install and configure Cowrie which is a high Interaction SSH/TELNET honeypot, our Cowrie configuration will emulate the following services:

Service Port
SSH 22
Telnet 23

1.3 Prerequisites:

  • In this tutorial, I decided to use Ubuntu Server 16.04, as far as I know, cowrie should be compatible with newer versions of Ubuntu as well.
  • It is also recommended to host this honeypot on a public VPS, this will give you a lot of interesting data. But hosting it locally for testing purposes is fine 😉

2. Installation and basic configuration

2.1 Update

Before we begin with the installation of a cowrie, let's update the system.

$ sudo apt-get update

2.2 Reconfigure SSH

As we want to set the Cowrie honeypot to listen on port 22, we need to change the port used by the SSH daemon to something else - in this configuration, we will use port 2222.

$ sudo nano /etc/ssh/sshd_config

Change the port to the following

Port 22 Port 2222

Then restart SSH and reconnect to port 2222

$ systemctl restart ssh
$ systemctl status ssh

2.3 Install Cowrie requirements

Install the the dependencies required for Cowrie

$ sudo apt-get install git python-virtualenv libssl-dev build-essential libpython-dev python2.7-minimal authbind

2.4 Create Cowrie user

For obvious security reasons, we don't want cowrie to run as root - we will therefore create a cowrie user with less privileges.

$ sudo adduser --disabled-password cowrie

You should get the following output

root@ubuntu:~# sudo adduser --disabled-password cowrie
Adding user `cowrie' ...
Adding new group `cowrie' (1001) ...
Adding new user `cowrie' (1001) with group `cowrie' ...
Creating home directory `/home/cowrie' ...
Copying files from `/etc/skel' ...
Changing the user information for cowrie
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y

We can log in to the cowrie user using the su command, we can therefore remove the password for the cowrie

$ sudo passwd -d cowrie

Change to the cowrie user

$ sudo su cowrie

Move to the home folder

$ cd ~

Your current working directory should now be /home/cowrie

2.5 Install cowrie

Clone Cowrie from the git repository

$ git clone http://github.com/micheloosterhof/cowrie

Create a virtual environment for python and cowrie, then we activate it.

$ cd cowrie/
$ virtualenv cowrie-env
$ source cowrie-env/bin/activate

Then we will upgrade pip from within the virtual environment, then install all the requirements for Cowrie

$ pip install --upgrade pip
$ pip install --upgrade -r requirements.txt

Configure the deamon for cowrie, we will make a copy of the config template available in the etc directory

$ cd etc/
$ cp cowrie.cfg.dist cowrie.cfg

We will now do some changes to the cowrie config file. In this file (cowrie.cfg), we can do a series of changes to our cowrie honeypot.

$ nano cowrie.cfg

First, we want to change the hostname from "srv04" to something else. I choose "database", but you are free to choose whatever you like 😉

# (default: svr04)
hostname = svr04
# (default: svr04)
hostname = database

As cowrie by default listens to port 2222 we need to change it, we will use port 22 as that is the standard port used for SSH.

listen_endpoints = tcp:2222:interface=0.0.0.0 listen_endpoints = tcp:22:interface=0.0.0.0
listen_port = 22

To enable telnet, change the following parameter from "false" to "true"

[telnet]
# Enable Telnet support, disabled by default
enabled = false
[telnet]
# Enable Telnet support, disabled by default
enabled = true

Now we need to change the listening port for telnet from 2223 to 23

listen_endpoints = tcp:2223:interface=0.0.0.0 listen_endpoints = tcp:23:interface=0.0.0.0
listen_port = 23

2.6 setup autobind

Natively on Ubuntu, only privileged users are allowed to bind ports below 1024. And as the unprivileged user "cowrie" will run the daemon for both ssh (port 22) and telnet (port 23), we need to make it possible for the cowrie user to set up a listener for these ports. By using a software called Authbind, we can allow unprivileged users to listen on port 22 and port 23.

Do the following to enable Authbind:

Exit the virtual environment and log back into the root user

$ exit

And then install authbind and configure it to allow port 22 and 23

$ sudo apt-get install authbind
$ sudo touch /etc/authbind/byport/22
$ sudo chown cowrie:cowrie /etc/authbind/byport/22
$ sudo chmod 770 /etc/authbind/byport/22
$ sudo touch /etc/authbind/byport/23
$ sudo chown cowrie:cowrie /etc/authbind/byport/23
$ sudo chmod 770 /etc/authbind/byport/23

Now we need to tell cowrie to use authbind, we will do this configuration in cowries execution file

$ sudo nano /home/cowrie/cowrie/bin/cowrie

Then do the following changes

AUTHBIND_ENABLED=yes
else
AUTHBIND_ENABLED=no
AUTHBIND_ENABLED=yes
else
AUTHBIND_ENABLED=yes

Now switch back to the cowrie user and run the cowrie daemon

$ su cowrie
$ /home/cowrie/cowrie/bin/cowrie start
$ exit

You should now have a fully-fledged SSH honeypot working! 🙂

3. Additional configuration

Even though we now have the cowrie daemon running, there are still some changes that are recommended to do.

3.1 Change login credentials

By default, cowrie will allow any password for the user root. In order to make the honeypot more realistic, it can be a good idea to whitelist certain passwords.
This can be achieved by changing the content of cowries user database file

Make a copy of the user database template

$ cd /home/cowrie/cowrie/etc
$ cp userdb.example userdb.txt

Now change the user database file

$ nano /home/cowrie/cowrie/etc/userdb.txt

The default configuration is this:

root:x:!root
root:x:!123456
root:x:!/honeypot/i
root:x:*
tomcat:x:*
oracle:x:*

This means that any password will be allowed for the user root, tomcat, and oracle.
We will instead configure the root user to only allow a certain set of whitelisted passwords, this will make the server look more realistic for potential attackers.
I set it to this, now only a set of credentials can be used to access the honeypot.

root:x:password
root:x:root
root:x:admin
root:x:toor
tomcat:x:tomcat
oracle:x:oracle

After updating the user database file, you will need to restart the cowrie daemon, scroll down to chapter 4 to see how to do this.

3.2 Change the user richard

Another issue with the default setup for cowrie is the user richard, by having this default user present, potential malicious actors who has been granted access to our honeypot can simply look for the use richard and conclude that they just accessed a cowrie honeypot.

Change the following file to change the user "richard" to something else, I changed it to "admin".

$ nano /home/cowrie/cowrie/share/cowrie/fs.pickle

Find the string "S'richard'" and change it.

a(lp75708
(lp75709
S'richard'
p75710
aI1
aI1000
a(lp75708
(lp75709
S'admin'
p75710
aI1
aI1000

Now we will change the necessary parameters in the "passwd" file

$ nano /home/cowrie/cowrie/honeyfs/etc/passwd

Simply richard with whatever username you set before.

richard:x:1000:1000:Richard Texas,,,:/home/richard:/bin/bash admin:x:1000:1000:admin,,,:/home/admin:/bin/bash

Now do the changes to the "groups" file

$ nano /home/cowrie/cowrie/honeyfs/etc/group

And again, change richard to the username you picked

richard:x:1000: admin:x:1000:

Then at last, do the same changed to the shadow file

$ nano /home/cowrie/cowrie/honeyfs/etc/shadow

Replace richard again

richard:$6$ErqInBoz$... admin:$6$ErqInBoz$...

You will now need to restart cowrie.

4. Restart the Cowrie daemon

You can restart cowrie by typing ps -aux to get a list of the running processes running in the background, locate the cowrie daemon, and use kill -9 (process ID) to stop the process - as shown in the image below.

$ ps -aux |grep cowrie

$ kill -9 9031

You can then start cowrie again

$ su cowrie
$ /home/cowrie/cowrie/bin/cowrie start

4.1 Make cowrie run as a service

Another way (and the recommended way) to restart cowrie is to add it as a service using systemd. This will allow us to use the systemctl command to manage the cowrie service.

Change the following entry in cowrie.cfg file

$ nano /home/cowrie/cowrie/etc/cowrie.cfg

Change the following lines

listen_endpoints = tcp:22:interface=0.0.0.0 listen_endpoints = systemd:domain=INET6:index=0
listen_endpoints = tcp:23:interface=0.0.0.0 listen_endpoints = systemd:domain=INET6:index=1

Then download the following two files to the systemd service directory

$ cd /etc/systemd/system
$ wget https://blogg.kroland.no/wp-content/uploads/2019/10/cowrie.socket
$ wget https://blogg.kroland.no/wp-content/uploads/2019/10/cowrie.service

You should now be able to use both systemctl and service to manage it.

Start Cowrie $ systemctl start cowrie
Stop Cowrie $ systemctl stop cowrie
Restart Cowrie $ systemctl restart cowrie
Show the current status of the Cowrie service $ systemctl status cowrie
Enable cowrie to start at boot $ systemctl enable cowrie

 

5. Looking at the logs

If cowrie is running properly, you should now be able to look at the log file and identify any connection made to it, in addition to executed commands! 😉

$ tail -f /home/cowrie/cowrie/var/log/cowrie/cowrie.log

In the part two we will configure Dionaea, this is a Honeypot designed to capture malware.

6. Sources

https://eval2a.wordpress.com/2017/12/04/honeypot-part-1-setting-up-cowrie-and-dionaea/
https://medium.com/@jeremiedaniel48/install-and-setup-cowrie-honeypot-on-ubuntu-linux-5d64552c31dc
https://buildmedia.readthedocs.org/media/pdf/cowrie/latest/cowrie.pdf

Leave a Reply

Your email address will not be published. Required fields are marked *