{"id":49,"date":"2023-07-22T10:24:00","date_gmt":"2023-07-22T17:24:00","guid":{"rendered":"https:\/\/francisco.x10.bz\/blog\/?p=49"},"modified":"2025-01-13T09:43:01","modified_gmt":"2025-01-13T17:43:01","slug":"installing-and-configuring-a-honeypot","status":"publish","type":"post","link":"https:\/\/defrancisco.us\/blog\/index.php\/2023\/07\/22\/installing-and-configuring-a-honeypot\/","title":{"rendered":"Laying Out the Honey: Installing and Configuring a Honeypot"},"content":{"rendered":"

Cybersecurity \u2014 the body of knowledge and practices to defend internet-connected devices and products from malicious attacks by hackers, spammers, and cybercriminals \u2014 is very important to me. I conduct research into patterns of behavior, tactics, techniques, and procedures used in attacks.<\/p>\n

I run honeypots to understand how hackers evolve their attack practices. A honeypot is a controlled and safe network-connected system \u2014 typically, but not always, a computer \u2014 that is set up as a decoy to lure cyberattackers. In other words, a honeypot is a deception device designed to look like a targetable system for the purpose of attracting attackers. Attack activity against the honeypot is recorded and later analyzed by researchers.<\/p>\n

I use Cowrie<\/a>, a fantastic open-source honeypot capable of collecting attack information over the SSH and Telnet protocols. Cowrie provides an emulation of a Debian-like Linux system. It excels at logging brute-force attacks and interactions performed by attackers on the remote shell.<\/p>\n

As, unfortunately, attacks on connected devices are all but ubiquitous, Cowrie generates large amounts of data. I use Splunk Free<\/a>, the free (albeit limited) version of Splunk Enterprise to host a local copy of the data. I process and analyze the collected data using homegrown tools developed in Go, Python and the Bash scripting language. As part of the data crunching, I augment the attack data collected by Cowrie with malware information from VirusTotal<\/a> and IP address information from MaxMind GeoLite2<\/a>. Both services offer free tiers with reasonable limits on API consumption, so the whole analysis can be performed very cost-effectively.<\/p>\n

Once a day, I report\u2009the IP addresses from where unwanted traffic originated to AbusePIDB, a project that aims to make the internet safer by helping systems administrators and webmasters check and report IP addresses involved in malicious activities. My AbuseIPDB contributions can be found here<\/a>.<\/p>\n

This is a simplified diagram of my setup:<\/p>\n

\"Simplified<\/a><\/p>\n

Installing and configuring a Cowrie and Splunk-based honeypot environment is pretty straightforward. Below you can find the steps I took, in case you find the information useful:<\/p>\n

[Skip table of contents<\/a>]<\/p>\n

    \n
  1. The Honeypot<\/a>\n
      \n
    1. Choose the honeypot host<\/a><\/li>\n
    2. Install the system dependencies<\/a><\/li>\n
    3. Create a user account<\/a><\/li>\n
    4. Get the Cowrie code<\/a><\/li>\n
    5. Set up a Python virtual environment<\/a><\/li>\n
    6. Configure Cowrie<\/a><\/li>\n
    7. Customize Cowrie<\/a><\/li>\n
    8. Forward listening ports<\/a><\/li>\n
    9. Start Cowrie<\/a><\/li>\n<\/ol>\n<\/li>\n
    10. The Data Repository<\/a>\n
        \n
      1. Install Splunk<\/a><\/li>\n
      2. Switch from Splunk Enterprise to Splunk Free<\/a><\/li>\n
      3. Create a Splunk HTTP event collector (HEC)<\/a><\/li>\n
      4. Create a Splunk event collector token<\/a><\/li>\n
      5. Configure Cowrie to use the Splunk event collector<\/a><\/li>\n
      6. Verify that everything works<\/a><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n

        Part 1: The Honeypot<\/a><\/h2>\n

        I chose Cowrie as the key component of my unwanted traffic detection infrastructure. Cowrie is a superb medium\/high interaction honeypot designed to log brute-force attempts and shell interactions launched by attackers over both SSH and Telnet. Cowrie is very popular among both researchers and enthusiasts due to an optimal combination of rich capabilities and ease of use. It is open-source and is backed by an active community led by Michel Oosterhof<\/a>, the project\u2019s maintainer, creator, and main developer.<\/p>\n

        1. Choose the honeypot host<\/a><\/h3>\n

        You need to start by choosing a Linux system where to install the honeypot. Since Cowrie is very efficient in its resource consumption, I opted for a tiny Raspberry Pi 400<\/a> computer as the Cowrie host.<\/p>\n

        2. Install the system dependencies<\/a><\/h3>\n

        Install the system dependencies on the Cowrie host:<\/p>\n

         $ sudo apt-get install git python3-virtualenv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind virtualenv \n<\/code><\/pre>\n
        3. Create a user account<\/a><\/h3>\n
        Installing a user without a password is not an absolute requirement, but it is recommended by the Cowrie authors:<\/p>\n
        $ sudo adduser --disabled-password cowrie\nAdding user 'cowrie' ...\nAdding new group 'cowrie' (1002) ...\nAdding new user 'cowrie' (1002) with group 'cowrie' ... \nChanging the user information for cowrie\nEnter the new value, or press ENTER for the default\nFull Name []:\nRoom Number []:\nWork Phone []:\nHome Phone []:\nOther []:\nIs the information correct? [Y\/n]\n\n$ sudo su - cowrie\n<\/code><\/pre>\n
        4. Get the Cowrie code<\/a><\/h3>\n
        Clone the cowrie<\/code> project from GitHub:<\/p>\n
        $ git clone http:\/\/github.com\/cowrie\/cowrie\nCloning into 'cowrie'...\nremote: Counting objects: 2965, done.\nremote: Compressing objects: 100% (1025\/1025), done.\nremote: Total 2965 (delta 1908), reused 2962 (delta 1905), pack-reused 0 \nReceiving objects: 100% (2965\/2965), 3.41 MiB | 2.57 MiB\/s, done.\nResolving deltas: 100% (1908\/1908), done.\nChecking connectivity... done.\n\n$ cd cowrie\n<\/code><\/pre>\n
        5. Set up a Python virtual environment<\/a><\/h3>\n
        Technically speaking, this step is not needed, but it is highly recommended to ensure that package updates on the Cowrie host system will not cause incompatibilities with the honeypot operation:<\/p>\n
        $ pwd\n\/home\/cowrie\/cowrie\n\n$ python -m venv cowrie-env\nNew python executable in .\/cowrie\/cowrie-env\/bin\/python \nInstalling setuptools, pip, wheel...done.\n<\/code><\/pre>\n
        After you install the virtual environment, activate it and install required packages:<\/p>\n
        $ source cowrie-env\/bin\/activate\n(cowrie-env) $ python -m pip install --upgrade pip\n(cowrie-env) $ python -m pip install --upgrade -r requirements.txt \n<\/code><\/pre>\n
        6. Configure Cowrie<\/a><\/h3>\n
        The Cowrie configuration is stored in the cowrie\/etc\/cowrie.cfg file<\/code>. To run the honeypot with a standard configuration, there is no need to change anything. By default, Cowrie accepts traffic over SSH. I wanted the honeypot to also accept traffic over Telnet, send the data to Splunk (more on this later), and change the default ports 22 and 23, so I modified the configuration file as follows:<\/p>\n
        [telnet]\nenabled = true\n...\n[output_splunk]\nenabled = true\n...\n[proxy]\nbackend_ssh_port = 2022\nbackend_telnet_port = 2023 \n<\/code><\/pre>\n
        I also wanted to change the default user configurations and the list of credentials accepted to login to the remote shell. These changes are made by modifing the cowrie\/etc\/userdb.txt file. Each line in the file consists of three fields separated by the : character, where:<\/p>\n