7MS #176: DIY SSH Honeypot with Cowrie
This past weekend I got Cowrie installed on my Digital Ocean droplet. Below is the quick and dirty instructions I followed to get it running (basically an abbreviated version of the official INSTALL.md.
First, grab the pre-reqs:
sudo apt-get install python-twisted python-crypto python-pyasn1 python-gmpy2 python-zope.interface
Then add a user for Cowrie to run under:
sudo adduser --disabled-password cowrie
(Put in whatever you want for first name, last name etc.)
Change to the Cowrie user:
sudo su - cowrie
git clone http://github.com/micheloosterhof/cowrie
Change to the dir you just made:
Copy the general config file to an active one:
cp cowrie.cfg.dist cowrie.cfg
All I did at this point was change my hostname to be something a bit more appetizing:
Hostname = mailserver
Important note: Cowrie listens on port 2222 by default. Below I'm going to show you how to create a NAT rule to forward requests destined for 22 to 2222, but if you'd rather "hard code" this, read the portion of the INSTALL.md that talks about using authbind for this purpose.
Exit to root user:
Open etc/ssh/sshd_config and change port 22 to some odd port you want to use for legit SSH management, like 9999 or 1357.
Reboot, and then for the next steps, I found it easier to connect directly to the Digitalocean.com SSH console, as we'll be tinkering with active iptables rules which may disconnect your existing SSH session.
First, list all your iptables rules (I find working with line numbers is easier, so I do):
sudo iptables -L --line-numbers
Allow JUST yourself to SSH to the port for true system management. In this example I use port 6996:
sudo iptables -A INPUT -p tcp -s F.Q.D.N --dport 6996 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Next, ensure there's a rule setup to allow
"anybody" to SSH in on port 22:
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Also make sure there's a rule setup to allow "anybody" to SSH in on port 2222:
Allow ANYBODY to also hit port 2222:
sudo iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Setup NAT rule to get 22 redirected to port 2222:
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
If you goof up like I did you can remove a NAT rule by listing existing NAT rules:
iptables -L -t nat --line-numbers
Then find rule you want to nuke (let's say it's #3) and do this:
iptables -t nat -D PREROUTING 3
Make changes to iptables persistent by issuing:
sudo iptables-save > /etc/iptables/rules.v4
Change to Cowrie user, enter cowrie dir and start cowrie:
sudo su - cowrie
From there, you're pretty much good to go with a default config. Here are some interesting files/folders to note:
dl - this folder has copies of files that "hackers" download during their session.
utils/playlog.py - plays back user sessions in an asciinema style presentation.
I also setup mysql integration using this site as a guide:
First, do a
./stop.sh (in same dir as start.sh) to stop Cowrie.
Next, do a
mysql -u root -p to get connected to mysql, then:
CREATE DATABASE cowrie;
GRANT ALL ON cowrie.* TO [email protected] IDENTIFIED BY 'some-awesome-password-you-pick';
Then connect as the cowrie user from the cowrie folder and import the .sql file:
mysql -u cowrie -p
Provide your awesome password when prompted
Now open cowrie.cfg and update the blurb on mysql info. Be sure to uncomment this chunk of lines or stuff doesn't work :-)
Finally, switch to Cowrie user, go to cowrie dir and fire it up!
sudo su - cowrie