SSH Honeypot with Cowrie
In a previous post I explained how to install the SSH honeypot Kippo on a virtual server. It has been running for a couple of days now. There have been exactly two successful login attempts. Both attackers issued the command “echo -n test” to see what the output was. You would expect it to be just “test” without a newline character, but in Kippo the output was “-n test” with a newline character. As soon as they read the output the attackers closed the connection immediately.
I was informed by @micheloosterhof that he was maintaining an improved version named Cowrie. Time to abandon Kippo and install Cowrie!
$ git clone https://github.com/micheloosterhof/cowrie.git
$ cd cowrie
$ cp cowrie.cfg.dist cowrie.cfg
If you have been setting up Kippo like I did before, the configuration file for Cowrie has not changed that much. Make sure you change the listen_port value to 22. Starting the Cowrie honeypot is also similar to the Kippo server.
$ ./start.sh
Starting cowrie in the background...
Cowrie does behave as you would expect on the “echo -n test” command. (Attackers used this command to determine whether the SSH daemon was real or fake.)
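The following is an added example, not code from Kippo, Cowrie or this post: a small fidelity check a honeypot operator could run against an emulated echo to catch the kind of mismatch described above before deploying. The function names and the probe list are constructed for illustration; `echo_naive` only reproduces the output reported for Kippo, and `echo_shell_like` follows bash's builtin echo for a subset of its options.

```python
import re
import shlex

def echo_naive(args):
    # Constructed stand-in for the behaviour the post saw in Kippo:
    # option words are printed as text and a newline is always added.
    return " ".join(args) + "\n"

_ESCAPES = {"n": "\n", "t": "\t", "\\": "\\"}  # subset of bash's -e escapes

def echo_shell_like(args):
    # Mimics bash's builtin echo: leading words made only of n/e/E flags
    # are options; anything else (e.g. -x) is ordinary text.
    args, newline, escapes = list(args), True, False
    while args and re.fullmatch(r"-[neE]+", args[0]):
        for flag in args.pop(0)[1:]:
            if flag == "n":
                newline = False
            else:
                escapes = (flag == "e")
    out = " ".join(args)
    if escapes:
        out = re.sub(r"\\([nt\\])", lambda m: _ESCAPES[m.group(1)], out)
    return out + ("\n" if newline else "")

# Constructed probes: command line -> output of a real bash session.
PROBES = [
    ("echo -n test", "test"),
    ("echo test", "test\n"),
    ("echo -n -n test", "test"),
    ("echo -x test", "-x test\n"),
    ("echo -e 'a\\tb'", "a\tb\n"),
]

def fidelity_report(emulator):
    """Return (command, expected, got) for every probe the emulator fails."""
    failures = []
    for cmdline, expected in PROBES:
        got = emulator(shlex.split(cmdline)[1:])
        if got != expected:
            failures.append((cmdline, expected, got))
    return failures

if __name__ == "__main__":
    for name, emu in (("naive", echo_naive), ("shell-like", echo_shell_like)):
        for cmd, want, got in fidelity_report(emu):
            print(f"{name}: {cmd!r} expected {want!r}, got {got!r}")
```

An empty report means the emulator matched every probe; each entry in a non-empty report is an output difference a visitor could use to tell the honeypot from a real shell.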
And now we wait. I expect some results in a couple of days and I will post them on this page.