Cowrie Honeypot Setup

Cowrie is an SSH/Telnet honeypot. It should be treated as hostile-facing software, not as a normal trusted application.

This note records a minimal deployment using a dedicated user, Python venv, and systemd.

Example values:

  • honeypot user: cowrie
  • internal Cowrie SSH port: 2222
  • public SSH trap port: 22 or 2222, depending on firewall/NAT design
  • fake hostname shown to attackers: backup-server

Install

Create a dedicated user:

sudo adduser --disabled-password --gecos "" cowrie
sudo -iu cowrie

Clone and install dependencies:

git clone https://github.com/cowrie/cowrie.git
cd cowrie
python3 -m venv cowrie-env     # use the system python3 explicitly; "python" may not exist on Debian/Ubuntu
source cowrie-env/bin/activate
pip install --upgrade pip
pip install -r requirements.txt

Configure

cp etc/cowrie.cfg.dist etc/cowrie.cfg
vim etc/cowrie.cfg

Minimal config:

[honeypot]
hostname = backup-server

[ssh]
listen_endpoints = tcp:2222:interface=0.0.0.0

Do not run Cowrie as root just to bind port 22. Keep Cowrie on a high port and forward traffic if needed.

systemd Unit

[Unit]
Description=Cowrie SSH Honeypot
After=network.target

[Service]
User=cowrie
Group=cowrie
WorkingDirectory=/home/cowrie/cowrie
ExecStart=/home/cowrie/cowrie/cowrie-env/bin/python /home/cowrie/cowrie/src/cowrie/start.py --nodaemon
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

Enable it:

sudo systemctl daemon-reload
sudo systemctl enable --now cowrie

Logs

journalctl -u cowrie -e --no-pager
sudo -iu cowrie tail -f ~/cowrie/var/log/cowrie/cowrie.json

The JSON log is usually the most useful file for later analysis.

Firewall Or Port Forwarding

If Cowrie listens on 2222, a simple redirect can expose it as port 22:

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        tcp dport 22 redirect to :2222
    }
}

Only do this after the real SSH service has been moved to another port, such as 22222; otherwise the redirect sends your own administrative SSH logins into the honeypot and locks you out of the host.

Notes

  • Do not reuse real hostnames, banners, usernames, or internal paths.
  • Logs can contain malicious payloads. Treat them as untrusted input.
  • Keep the honeypot isolated from important credentials and services.
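The JSON log mentioned under Logs is attacker-controlled data, as the note above says. As an added example (not part of this note or of the Cowrie project), here is a small Python summariser for cowrie.json that counts sessions, login attempts and commands per source, skips corrupt lines instead of crashing, and escapes non-printable characters before anything is printed so a captured command cannot smuggle terminal escape sequences into your terminal or report. The sample lines are constructed; the field names follow Cowrie's event schema.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of cowrie.json (one JSON object per line); field names
# follow Cowrie's event schema, values are made up, one line is deliberately corrupt.
SAMPLE_LOG = r'''
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","src_port":51234,"dst_port":2222,"session":"a1b2c3","protocol":"ssh","timestamp":"2024-01-01T00:00:01Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.7","session":"a1b2c3","timestamp":"2024-01-01T00:00:02Z"}
{"eventid":"cowrie.login.success","username":"root","password":"toor","src_ip":"198.51.100.7","session":"a1b2c3","timestamp":"2024-01-01T00:00:03Z"}
{"eventid":"cowrie.command.input","input":"uname -a; echo \u001b]0;pwned\u0007","src_ip":"198.51.100.7","session":"a1b2c3","timestamp":"2024-01-01T00:00:04Z"}
not json at all
{"eventid":"cowrie.session.closed","src_ip":"198.51.100.7","session":"a1b2c3","timestamp":"2024-01-01T00:00:09Z"}
'''

MAX_FIELD = 200  # cap attacker-controlled strings before they reach a terminal or report

def sanitize(value: object) -> str:
    """Render an attacker-controlled field so it cannot carry terminal escape sequences."""
    text = str(value)[:MAX_FIELD]
    return "".join(ch if ch.isprintable() else f"\\x{ord(ch):02x}" for ch in text)

def summarize(lines):
    """Per-source counters from cowrie.json lines; corrupt lines are counted, never trusted."""
    out = {"sessions": Counter(), "logins": Counter(),
           "commands": defaultdict(list), "malformed": 0}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
            eid = ev["eventid"]          # non-object JSON or a missing eventid is malformed too
        except (ValueError, KeyError, TypeError):
            out["malformed"] += 1
            continue
        src = sanitize(ev.get("src_ip", "?"))
        if eid == "cowrie.session.connect":
            out["sessions"][src] += 1
        elif eid in ("cowrie.login.failed", "cowrie.login.success"):
            cred = (sanitize(ev.get("username")), sanitize(ev.get("password")))
            out["logins"][(src, eid.rsplit(".", 1)[1], cred)] += 1   # key: (src, failed|success, (user, pass))
        elif eid == "cowrie.command.input":
            out["commands"][src].append(sanitize(ev.get("input", "")))
    return out

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for key, n in s["logins"].items():
        print("login", key, "x", n)
    print("commands:", dict(s["commands"]), "sessions:", dict(s["sessions"]), "malformed:", s["malformed"])
```

For a real deployment, feed it the file from the Logs section (open("/home/cowrie/cowrie/var/log/cowrie/cowrie.json")) instead of SAMPLE_LOG.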