SSH Honeypot with Cowrie

Alex, December 11, 2015 08:51
In a previous post I explained how to install the SSH honeypot Kippo on a virtual server. It has been running for a couple of days now, and there have been exactly two successful login attempts. Both attackers issued the command “echo -n test” to see what the output was. You would expect it to be just “test” without a newline character, but in Kippo the output was “-n test” with a newline character. As soon as they read the output, the attackers closed the connection.
I was informed by @micheloosterhof that he was maintaining an improved version named Cowrie. Time to abandon Kippo and install Cowrie!

Installing Cowrie

$ git clone https://github.com/micheloosterhof/cowrie.git
$ cd cowrie
$ cp cowrie.cfg.dist cowrie.cfg
If you have set up Kippo like I did before, you will find that the configuration file for Cowrie has not changed that much. Make sure you change the listen_port value to 22. Starting the Cowrie honeypot is also similar to starting the Kippo server.
$ ./start.sh
Starting cowrie in the background...
Cowrie does behave like you would expect on the “echo -n test” command. (Attackers used this command to determine if the SSH daemon was real or fake.)
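To make the difference concrete, here is an added example (not code from Kippo, Cowrie or the original post) of an emulated echo handler in its naive form, which reproduces the “-n test” output described above, beside a version that parses options the way bash's builtin echo does. It goes a little beyond the single probe in the post by also covering -e and combined flags; all function names and the probe list are assumptions made for illustration.

```python
# Added example: emulated `echo` for a honeypot shell, naive vs. bash-like.
# Function names are hypothetical; this is not Kippo or Cowrie code.

ESCAPES = {"n": "\n", "t": "\t", "\\": "\\"}  # small subset of bash's -e escapes


def echo_naive(args):
    """Reproduces the behaviour the post saw in Kippo: options are echoed back."""
    return " ".join(args) + "\n"


def is_option(arg):
    # bash treats an argument as options only if it is '-' plus letters from n, e, E
    return len(arg) > 1 and arg[0] == "-" and all(c in "neE" for c in arg[1:])


def unescape(text):
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] in ESCAPES:
            out.append(ESCAPES[text[i + 1]])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def echo_bash_like(args):
    """Consumes leading option arguments, then joins the remaining operands."""
    newline, escapes, i = True, False, 0
    while i < len(args) and is_option(args[i]):
        for flag in args[i][1:]:
            if flag == "n":
                newline = False
            else:
                escapes = flag == "e"  # -e turns escapes on, -E turns them off
        i += 1
    body = " ".join(args[i:])
    return (unescape(body) if escapes else body) + ("\n" if newline else "")


def fidelity_gaps(emulated, reference, probes):
    """Returns the probes whose emulated output differs from the reference."""
    return [p for p in probes if emulated(p) != reference(p)]


# Constructed probe set; the first entry is the command from the post.
PROBES = [["-n", "test"], ["test"], ["-ne", "a\\tb"], ["-x", "test"], ["-n"]]
```

Running fidelity_gaps(echo_naive, echo_bash_like, PROBES) lists every probe where the naive handler would give the honeypot away, which makes it usable as a regression check when adding emulated commands.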
And now we wait. I expect some results in a couple of days and I will post them on this page.