Installing your own honeypot
We will look at honeypots in more detail later, when we cover the information-gathering aspect of honeypots. However, so you can see how a honeypot might be useful, we will talk you through installing two commonly used low-interaction honeypots, Cowrie and OpenCanary.
You will find a video in the next step to accompany these instructions.
Cowrie is the simpler of the two to install, as it is available as a Docker container. That means the first thing we do is start Docker by opening up a command prompt and running –
$ service docker start
Next we need to download and run the docker image with Cowrie in it, and this is done by typing at the command prompt –
$ docker run -p 2222:2222 cowrie/cowrie
This will pull down Cowrie and run it automatically, listening on port 2222. We can now log into the system as if it were a real machine by typing in –
$ ssh -p 2222 root@localhost
And we can now look around at what appears to be a complete Linux file system. If we look at the terminal we launched Cowrie from, we can see details of exactly what is being typed. The files are dummy files and in the default state do not contain any information, but Cowrie does let you add real files to the image so you can seed it with tempting targets (e.g. an /etc/shadow file full of fake passwords).
Cowrie is good if all you are interested in is SSH intercepts, but what if you want something more complex? This is where OpenCanary comes in. It is a more complex system that allows you to emulate a wide range of servers. Its installation is slightly more involved because of that, but it’s still relatively painless.
OpenCanary is Python based, so the first thing we need to do is install Python and the build tools it needs. To do this, open up the command prompt and type –
$ apt-get install python-dev python-pip python-virtualenv
$ apt-get install -y build-essential libssl-dev libffi-dev
$ virtualenv env/
$ . env/bin/activate
$ pip install rdpy
$ pip install opencanary
Note the full stop at the start of the fourth line – that isn’t a typo (it tells the shell to source the virtualenv activation script) and is meant to be there.
To run OpenCanary type in
$ opencanaryd --start
The first time it runs, it will give you instructions on how to copy the config file and how to alter it. Do so, and change the config file so it’s obvious that you are using your own version (changing the banner for the FTP or Telnet server is a good way of testing this, but don’t forget to enable the service in the config file – I’d recommend enabling http, ftp, and telnet initially to get a feel for the system). To see what’s going on, look at the log file in /var/tmp/opencanary.log. You can monitor this continually by opening up a command prompt and typing –
$ tail -f /var/tmp/opencanary.log
(In reality, you would want to send this information to a central logger such as the ELK stack.)
Finally, open up another command prompt and try to log in, or open up a web browser and try to log in through the web.
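Once you have generated some activity against both honeypots, the raw log lines are hard to read by eye. The script below is an added example, not part of the original course material and not code from the Cowrie or OpenCanary projects: it reads lines in the shape of Cowrie’s JSON log (cowrie.json) and OpenCanary’s /var/tmp/opencanary.log, normalises both into one event format, and summarises per source address how many login attempts were seen, which emulated services were touched, and what was typed after a successful SSH login (including any read of a seeded /etc/shadow). The sample log lines are constructed, and the field names (eventid, src_ip, input; logtype, src_host, logdata) and the OpenCanary logtype codes are assumptions based on what the two projects write, so compare them against your own log files before relying on the numbers.

```python
import json
from collections import defaultdict

# Constructed sample log lines (not real captures), one JSON object per line in the
# shape Cowrie's cowrie.json and OpenCanary's /var/tmp/opencanary.log use. The field
# names are assumed from the two projects; compare them against your own log files.
COWRIE_LINES = """\
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.5", "dst_port": 2222, "session": "a1b2c3d4"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "203.0.113.5", "session": "a1b2c3d4"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "password", "src_ip": "203.0.113.5", "session": "a1b2c3d4"}
{"eventid": "cowrie.login.success", "username": "root", "password": "toor", "src_ip": "203.0.113.5", "session": "a1b2c3d4"}
{"eventid": "cowrie.command.input", "input": "cat /etc/shadow", "src_ip": "203.0.113.5", "session": "a1b2c3d4"}
{"eventid": "cowrie.command.input", "input": "uname -a", "src_ip": "203.0.113.5", "session": "a1b2c3d4"}
{"eventid": "cowrie.login.failed", "username": "admin", "password": "admin", "src_ip": "198.51.100.7", "session": "0f0f0f0f"}
this line is not JSON and must be skipped rather than crash the parser
"""

OPENCANARY_LINES = """\
{"dst_port": 21, "logtype": 2000, "logdata": {"USERNAME": "admin", "PASSWORD": "admin"}, "src_host": "203.0.113.5", "node_id": "canary-1"}
{"dst_port": 23, "logtype": 6001, "logdata": {"USERNAME": "admin", "PASSWORD": "1234"}, "src_host": "203.0.113.5", "node_id": "canary-1"}
{"dst_port": 80, "logtype": 3000, "logdata": {"PATH": "/index.html", "USERAGENT": "curl/8.0"}, "src_host": "198.51.100.7", "node_id": "canary-1"}
{"dst_port": 80, "logtype": 3001, "logdata": {"USERNAME": "admin", "PASSWORD": "letmein", "PATH": "/index.html"}, "src_host": "198.51.100.7", "node_id": "canary-1"}
{"dst_port": 0, "logtype": 1000, "logdata": {"msg": "started"}, "src_host": "", "node_id": "canary-1"}
"""

# OpenCanary labels events with a numeric logtype (assumed values; check your version).
OPENCANARY_LOGTYPES = {
    2000: ("ftp", "login"),
    3000: ("http", "get"),
    3001: ("http", "login"),
    6001: ("telnet", "login"),
}

def _load(line):
    """Decode one log line; return None for blank or malformed lines instead of raising."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    return rec if isinstance(rec, dict) else None

def parse_cowrie(line):
    """Normalise one Cowrie record to {src, service, action, detail}, or None if not reported on."""
    rec = _load(line)
    if rec is None or not rec.get("src_ip"):
        return None
    eventid = rec.get("eventid", "")
    if eventid in ("cowrie.login.failed", "cowrie.login.success"):
        outcome = "ok" if eventid.endswith("success") else "failed"
        detail = f"{rec.get('username')}:{rec.get('password')} ({outcome})"
        return {"src": rec["src_ip"], "service": "ssh", "action": "login", "detail": detail}
    if eventid == "cowrie.command.input":
        return {"src": rec["src_ip"], "service": "ssh", "action": "command", "detail": rec.get("input", "")}
    return None  # connects, disconnects, TTY logs etc. are not needed for this summary

def parse_opencanary(line):
    """Normalise one OpenCanary record the same way; unknown logtypes are ignored."""
    rec = _load(line)
    kind = OPENCANARY_LOGTYPES.get(rec.get("logtype")) if rec else None
    if kind is None or not rec.get("src_host"):
        return None
    service, action = kind
    data = rec.get("logdata")
    data = data if isinstance(data, dict) else {}
    detail = f"{data.get('USERNAME')}:{data.get('PASSWORD')}" if action == "login" else data.get("PATH", "")
    return {"src": rec["src_host"], "service": service, "action": action, "detail": detail}

def parse_lines(lines, parser):
    """Run a parser over every line, dropping the ones it cannot or does not want to use."""
    return [ev for ev in (parser(line) for line in lines if line.strip()) if ev is not None]

def summarize(events):
    """Per source address: number of login attempts, services touched, commands typed."""
    summary = defaultdict(lambda: {"logins": 0, "services": set(), "commands": []})
    for ev in events:
        entry = summary[ev["src"]]
        entry["services"].add(ev["service"])
        if ev["action"] == "login":
            entry["logins"] += 1
        elif ev["action"] == "command":
            entry["commands"].append(ev["detail"])
    return dict(summary)

def noisy_sources(summary, min_logins=3):
    """Sources worth a closer look: repeated login attempts, or any command run inside the honeypot."""
    return sorted(ip for ip, e in summary.items() if e["logins"] >= min_logins or e["commands"])

def main():
    events = parse_lines(COWRIE_LINES.splitlines(), parse_cowrie)
    events += parse_lines(OPENCANARY_LINES.splitlines(), parse_opencanary)
    summary = summarize(events)
    for ip in sorted(summary):
        e = summary[ip]
        print(f"{ip}: {e['logins']} login attempt(s) via {sorted(e['services'])}, commands: {e['commands']}")
    print("worth a closer look:", noisy_sources(summary))

if __name__ == "__main__":
    main()
```

To run it against real files, replace the two constructed strings with the contents of cowrie.json and /var/tmp/opencanary.log; the parsers deliberately skip malformed lines and event types they do not know about, so a partially written line under tail -f or a new logtype in a later release will not stop the summary.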
© Coventry University. CC BY-NC 4.0