
You are reading Part 44 of the 57-part series: Harden and Secure Linux Servers. [Level 5]

This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article delves into a specific security practice, explaining its importance and providing step-by-step guidance for implementation.

To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.

A honeypot is a decoy system designed to attract and deceive attackers, allowing security teams to monitor, analyze, and learn from cyber threats without exposing production systems. Honeypots help:

✅ Detect unauthorized access attempts early.
✅ Gather intelligence on attack techniques and behavior.
✅ Divert attackers away from critical infrastructure.
✅ Enhance security defenses by studying real-world threats.

By deploying a honeypot, you can track and mitigate cyber threats before they cause real harm.

How to Set Up a Honeypot in Linux Using Cowrie

Cowrie is a popular SSH and Telnet honeypot that mimics a real Linux system, logging all attacker interactions.

1. Install Dependencies

Ensure your system is updated and install necessary packages:

sudo apt update && sudo apt upgrade -y
sudo apt install git python3-venv python3-dev libssl-dev libffi-dev -y

2. Clone and Set Up Cowrie

  1. Clone the Cowrie repository:

    git clone https://github.com/cowrie/cowrie.git /opt/cowrie
  2. Change to the Cowrie directory:

    cd /opt/cowrie
  3. Create a virtual Python environment:

    python3 -m venv cowrie-env
    source cowrie-env/bin/activate
  4. Install dependencies:

    pip install --upgrade pip
    pip install -r requirements.txt
  5. Copy and configure the default settings:

    cp cowrie.cfg.dist cowrie.cfg

3. Configure Cowrie as an SSH Honeypot

Edit the Cowrie configuration file:

sudo nano /opt/cowrie/cowrie.cfg

Modify the following settings:

[ssh]
# Enable the SSH honeypot
enabled = true
# Change to an unused port (not the real sshd port 22)
listen_port = 2222

[telnet]
# Disable Telnet unless required
enabled = false

[output_textlog]
# Log attacker activity to a plaintext file
enabled = true

[output_jsonlog]
# Save logs in JSON format (one event per line)
enabled = true

🔹 Tip: Ensure listen_port = 2222 to avoid interfering with the real SSH service on port 22.

4. Start and Enable Cowrie

  1. Start the honeypot manually:

    ./start.sh
  2. Enable Cowrie to start at boot:

    sudo cp bin/cowrie.service /etc/systemd/system/
    sudo systemctl daemon-reload
    sudo systemctl enable cowrie
    sudo systemctl start cowrie

5. Redirect SSH Traffic to the Honeypot

Since Cowrie listens on port 2222, redirect incoming SSH traffic to it:

sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

(This ensures attackers connecting to SSH port 22 are redirected to Cowrie. Because the rule catches all inbound port-22 traffic, the real sshd is no longer reachable on port 22 from other hosts, so move administrative SSH to a different port before applying it.)

6. Monitor Honeypot Activity

Cowrie logs attacker activity in:

  • Plaintext logs: /opt/cowrie/log/cowrie.log

    tail -f /opt/cowrie/log/cowrie.log
  • JSON logs (for security tools & SIEMs): /opt/cowrie/log/cowrie.json

    jq . /opt/cowrie/log/cowrie.json
  • Captured SSH sessions: /opt/cowrie/var/lib/cowrie/tty/

🔹 Use a SIEM tool like Splunk or Graylog to analyze Cowrie logs for patterns.
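To get value from the JSON log even before it reaches a SIEM, here is an added example (my own code, not part of the Cowrie project or this post) that parses cowrie.json events, counts connections per source and the credential pairs tried, and flags sessions where the fake login succeeded and commands were typed. The sample lines are constructed; the field names (eventid, src_ip, session, username, password, input) are the ones Cowrie writes.

```python
import json
from collections import Counter, defaultdict

# Constructed sample lines in Cowrie's cowrie.json format (not real captures); last line is truncated.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"a1b2c3","timestamp":"2024-01-01T10:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"a1b2c3","username":"root","password":"123456","timestamp":"2024-01-01T10:00:01Z"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","session":"a1b2c3","username":"root","password":"admin","timestamp":"2024-01-01T10:00:02Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"a1b2c3","input":"uname -a","timestamp":"2024-01-01T10:00:03Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"a1b2c3","input":"cat /proc/cpuinfo","timestamp":"2024-01-01T10:00:04Z"}
{"eventid":"cowrie.session.closed","src_ip":"198.51.100.7","session":"a1b2c3","timestamp":"2024-01-01T10:00:05Z"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.9","session":"d4e5f6","timestamp":"2024-01-01T11:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","session":"d4e5f6","username":"admin","password":"admin","timestamp":"2024-01-01T11:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","session":"d4e5f6","username":"root","password":"123456","timestamp":"2024-01-01T11:00:02Z"}
{"eventid":"cowrie.session.conn
"""

def parse_events(text):
    """Yield one dict per valid JSON line; skip blank or truncated lines (common when tailing a live log)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def summarize(text):
    """Aggregate Cowrie events by source IP, credential pair and session."""
    sources = Counter()            # connections per src_ip
    creds = Counter()              # (username, password) pairs tried
    commands = defaultdict(list)   # session id -> commands typed in the fake shell
    logged_in = set()              # sessions where Cowrie accepted a login
    for ev in parse_events(text):
        eid, sid = ev.get("eventid", ""), ev.get("session")
        if eid == "cowrie.session.connect":
            sources[ev.get("src_ip")] += 1
        elif eid in ("cowrie.login.failed", "cowrie.login.success"):
            creds[(ev.get("username"), ev.get("password"))] += 1
            if eid == "cowrie.login.success":
                logged_in.add(sid)
        elif eid == "cowrie.command.input":
            commands[sid].append(ev.get("input", ""))
    # A session that got past the fake login and ran commands deserves analyst attention first.
    interactive = sorted(s for s in logged_in if commands.get(s))
    return {"sources": sources, "top_creds": creds.most_common(3),
            "commands": dict(commands), "interactive_sessions": interactive}
```

Point summarize() at the contents of /opt/cowrie/log/cowrie.json to run it against a live honeypot.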

Alternative: Use Dionaea for Malware Trapping

Dionaea is a honeypot designed to capture malware samples from network-based attacks.

1. Install Dionaea

sudo apt install dionaea -y

2. Start Dionaea

sudo systemctl start dionaea
sudo systemctl enable dionaea

3. Monitor Captured Malware Samples

cat /var/dionaea/log/dionaea.log

7. Isolate the Honeypot in a Separate Network

Since honeypots intentionally attract attackers, never deploy them on a production network.

✅ Use a dedicated VLAN or subnet.
✅ Restrict outbound traffic from the honeypot.
✅ Monitor honeypot connections using Wireshark or Zeek.

8. Forward Honeypot Logs to a Security Monitoring System

To centralize honeypot data, send logs to a SIEM like Splunk, Graylog, or ELK.

Example: Forward logs to a remote log server using rsyslog

  1. Edit the rsyslog config file:

    sudo nano /etc/rsyslog.conf
  2. Add:

    *.* @remote-log-server:514
  3. Restart rsyslog:

    sudo systemctl restart rsyslog

Best Practices for Honeypot Deployment

✅ Deploy honeypots in an isolated network (avoid direct exposure to production systems).
✅ Regularly monitor and analyze logs for attack patterns.
✅ Limit outbound connections to prevent honeypot exploitation.
✅ Use multiple honeypots (SSH, HTTP, malware traps) for better insights.
✅ Report high-priority threats to security teams or threat intelligence platforms.

By implementing a honeypot, you gain valuable insights into attacker behavior, improve security defenses, and detect threats before they reach critical systems.
