Kippos Cousin Cowrie
Last Updated: 2016-04-27 02:03:51 UTC
by Tom Webb (Version: 1)
We have mentioned Kippo a lot on the site, but a nice fork is a program called cowrie. (hxxps://github.com/micheloosterhof/cowrie). It has some nice new features including built-in support for Dshield! Since the install is the same as Kippo, I’ll skip that and point you to cowrie install guide for the basics (hxxps://github.com/micheloosterhof/cowrie/blob/master/INSTALL.md).
To setup Dshield logs on Ubuntu, you’ll need one additional python plugin installed.
>sudo apt-get install python-dateutil
Then we need to enable the Dshield portion. You need to remove ‘#’ from the part starting with the plugin name. You’ll also need your account info. Once logged into ISC, go to My Accounts -> My reports. Select Update info and you’ll see your auth_key.
userid = 0123456789
auth_key = mysuperawesomekeycode
batch_size = 100
Once you have this setup, switch to the cowrie user and restart the service.To troubleshoot setup issues, look in /home/cowrie/log/cowrie.log
>fgrep dshield /home/cowrie/cowrie.log
2016-04-27 00:46:26+0000 [-] Loaded output engine: dshield
To protect the OS, it's good to put some additional security controls around it. My honeypot is running on Ubuntu, so I chose apparmor. You can access my cowrie profile on my github at hxxps://goo.gl/6F5FdG. While I could lock it down a bit more, it seems to work well.
Once you downloaded the file, you need to copy it to the AppArmor folder. (NOTE: If you did not install cowrie in the /home/cowrie folder you must rename the profile to the appropriate folder.)
>sudo cp /home/user/download/home.cowrie.start.sh /etc/apparmor.d/
Now place the service into enforcement mode.
>sudo aa-enforce /etc/apparmor.d/home.cowrie.start.sh
Now restart the cowrie service. Then check to see if it's being protected.
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
To get a better understanding of what the actual profile is allowing check out hxxp://wiki.apparmor.net/index.php/QuickProfileLanguage.
I run my honeypots on very lean VMs (512mb RAM), so they will not run with MYSQL on them, but to get similar power cowrie has support for sqlite3!
db_file = /home/cowrie/cowrie.db
Once you have restarted the service, everything should be ready to go. If you are new to SQLite a few useful commands to get you started are below.
To access the database and get querying.
Query to see all connected sessions.
sqlite>select * from sessions;
To see what user/password combinations were used.
sqlite> select * from auth;
To see what commands the attacker ran at the command prompt.
sqlite> select * from input;
I’ve enjoyed using cowrie on my latest setup with sqlite3. Its been solid over the last week and have not ran into any issues.