Skip to content
/ honeypot-server Public

Ansible project to set up cowie, a ssh honeypot, and extract auth tries and established session information.

4 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

giwiro/honeypot-server

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
provisioning
provisioning
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
Vagrantfile
Vagrantfile
 
 
deploy_ansible_vagrant.sh
deploy_ansible_vagrant.sh
 
 

Repository files navigation

honeypot-server

 _                                        _   
| |                                      | |  
| |__   ___  _ __   ___ _   _ _ __   ___ | |_             __         .' '.
| '_ \ / _ \| '_ \ / _ \ | | | '_ \ / _ \| __|          _/__)        .   .       .
| | | | (_) | | | |  __/ |_| | |_) | (_) | |_          (8|)_}}- .      .        .
|_| |_|\___/|_| |_|\___|\__, | .__/ \___/ \__|          `\__)    '. . ' ' .  . '
                         __/ | |              
                        |___/|_|

Ansible project to set up cowie, a ssh honeypot, and extract auth tries and established session information.

Deploy in real server

In order to deploy this project in a real server, there are some requirements you need to take care:

  • Server's operating system: CentOS 7
  • Have ansible-playbook installed
  • Allow root ssh login in the server (It should be the default behaviour)

1. Create a file named production where you put the ip and port, this file should look alike the local file at the root of the project

# file: production
[honeypot]
192.168.1.69 ansible_ssh_port=22

NOTE: The cowrie mysql password is hardcoded on group_vars folder inside honeypot.yml file. Feel free to change the password, but I think it won't represent any actual thread since the mysql service is not listening on any public ip and it can only be accessed when you are already in the server.

...
# Cowrie
cowrie_user: cowrie

cowrie_mysql_name: cowrie
cowrie_mysql_user: cowrie
cowrie_mysql_password: wGEw?%44mTm.>6KW  # <---- This line
...

2. Proceed to run the playbook. It will ask you for the root password.

$ ansible-playbook -u root -i production site.yml --ask-pass

3. Create a user (apart from root and cowrie) to manage the access to the server and give sudo permissions

Just replace <username> by the actual username you want to use

$ adduser <username>
$ passwd <username>
$ usermod -aG wheel <username>

4. Remove root ssh login access

In this file /etc/ssh/sshd_config you will find this:

...
#PermitRootLogin yes
...

Please change it to this:

...
PermitRootLogin no
...

5. Enjoy

Extract the dataset

The data extraction is done by 2 files located in /opt/cowrie/scripts. Both files initialize the virtual environment automatically and place the results on /opt/cowrie/datasets.

  • extract_auth_entries.py: Extracts all unique combinations of username and password that have been tried on the honeypot.
  • extract_session_entries.py: Extracts all established sessions (when successfully log in) with their ip, country (geolocalized) and ttylog (if available) within a folder with the id as name.

About

Ansible project to set up cowie, a ssh honeypot, and extract auth tries and established session information.

Topics

ansible ansible-playbook honeypot dataset-generation cowrie

Resources

Readme
Activity

Stars

4 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages