A honeypot is a mechanism to detect attempts at unauthorized use of systems.

Honeypots are sometimes used for research: i.e. to discover the techniques that would-be attackers would use. It’s a lot easier to defend against attacks when you can see the steps that someone’s taking to compromise your security. Honeypots that provide this sort of insight are typically be exposed to the web.

Honeypots are sometimes used as a ‘trip wire’ inside a private network. An intruder on the inside of a network might use a tool such as nmap for reconnaisance. A port scan that touches the honey pot will be logged. A would-be attacker can login, via SSH, and execute commands in an environment that appears to be a real server. The attackers IP, commands executed, SSH key fingerprint, etc. are quietly captured.

Since honeypots are designed to be attacked, they should not run on the same hardware as a production system. I installed the Cowrie honeypot on a $10 Pi Zero W. Cowrie is open source, written in very readable Python code, modular, and very popular.

In my case, honeypot activity is persisted to MySQL and published to a Slack channel. I should never see messages in my honeypot slack channel since that probably means a device or person is snooping around my private network.

To set this up, I first did some basic hardening on the Raspberry Pi, e.g. created a new user, disabled the pi user, require password for sudo, only allow users to log in with a key, enabled iptables, installed the unattended-upgrades package, etc. Cowrie itself runs as a non-root user inside a Python virtualenv.

The default settings for cowrie are stored in cowrie.cfg.dist. Any custom settings are added to cowrie.cfg. These were the custom settings I used:

[ssh]
listen_port = 22

[output_mysql]
host = deepthought
database = cowrie
username = cowrie
password = ********
port = 3306
debug = false

[output_slack]
channel = cowrie
token = xoxp-149613657155-150373697847-313422731957-{blah, blah, blah}
debug = false

It was necessary to create the user and tables in the MySQL database. See MySQL script.

I moved the real SSH port to another port by tweaking the ‘Port’ property of /etc/ssh/sshd_config.

In order for Cowrie’s fake SSH service to listen on port 22, it was necessary to use authbind:

apt-get install authbind
touch /etc/authbind/byport/22
chown cowrie:cowrie /etc/authbind/byport/22
chmod 770 /etc/authbind/byport/22

This is because SSH typically runs on port 22 which is a privileged port (i.e. < 1024) and can only be accessed by a superuser.

Cowrie on the Raspberry is a fun and educational security project. With a small investment of $10 and some time, it may be possible to discover an intruder early.