Deploy SSH Honeypot Cowrie in Azure Portal

Gather Adversarial Data using SSH-Honeypot

This article shows how to build a honeypot using Azure Portal. If you would like to learn more about honeypots before building one, read this sister article I wrote: Honeypots Explained: In the Wild and in SecOps.

Start by building a resource group. This will manage all of the resources related to this honeypot as a singular group. My resource group is named “SSHHoneypot001” so that I can tell this resource group contains resources related to SSHHoneypot001. I’ll be deleting all of the resources at once in 30 days so I’ll be putting them all in here together. Use a resource group to hold resources that share the same asset life cycle.

If you’ve never created a resource group before, you can create one from the Azure dashboard very quickly.

Great, now there is a resource group to hold the honeypot-related virtual resources. Next, add an Ubuntu 14.04 LTS box to our resource group. While still inside of your resource group, click the + Add button. From here, use the search bar to search for an Ubuntu instance. Keep the defaults and press create.

Next, configure the Ubuntu server by first setting the Virtual Machine Name, Region, and Size. Note that setting the virtual machine name also sets the hostname. I’d advise against naming it anything that might suggest the VM is a honeypot, so try to make up a name that might follow a naming convention.

Select the region you are most interested in gathering data from. If you’re just experimenting then pick an area you’re curious about, perhaps the region closest to you.

Next, choose an appropriate size. There are a few things we want to consider: (1) real production servers have sizeable resources dedicated to them; (2) renting large VMs costs $$$$. For these examples, smaller sized VMs were used to save money.

I went with the smallest sized VM because I didn’t want to break the bank and this SSH server does not require many vCPUs or RAM. It’s listed above at $9.30 per month but on average over the course of a year my typical cost was between $3.50 and $5 a month give or take.

At this point you’ll be prompted to use a password for SSH or use an SSH key. If you know how to use a key, I’d highly recommend using an SSH key (or learning how to use one) to connect to your honeypot. However, if you must use a username and password, use an unusual username and password, with the password being a complex passphrase of 16 characters or longer, to avoid losing access to the box.

You’ll need to open up some ports to the internet, at a minimum SSH (22). SSH should be open so that people from around the world will be able to connect and log in. You can navigate to these options via the Networking tab.

Once you’ve finalized your choices, click on the Review + Create button. If everything works, you’ll pass validation and be able to create the virtual machine. Once creation of the machine has begun, navigate over to Virtual Machines from the left navigation panel.

Once the status has changed from Creating to Running, click on the checkbox next to your VM’s Name, then select the menu icon on the far right of the page represented by three dots. Clicking the menu icon will trigger an action drop-down selection; select Connect to connect to our instance.

Sign in using SSH and the administrator username and password you configured a few minutes ago. If you’re not sure where to SSH from, consider SSH-ing in from the Cloud Shell located at the top menu bar.

Log in via SSH by copying the Login using VM local account field. After logging in, you should see a screen a lot like the one shown below.

Just like any other installation, one of the first things we want to do here is update our package repositories with sudo apt-get update.

Before installing the SSH Honeypot software, move the real SSH service to a port other than 22 (because port 22 will be used for the fake SSH honeypot service). To do this, use a text editor to edit the sshd_config file: sudo vim /etc/ssh/sshd_config. Change the port number under “#What ports, IPs, and protocols we listen for” to something greater than 1024.

Once you save your changes, restart the SSH service so that it is using the new configurations: sudo service ssh restart

We can check to make sure that our real SSH server is now listening for connections on port 3134 with the netstat -tan command.

Now we’re ready to install and configure our SSH Honeypot, Cowrie. 🧙 First we must install Cowrie’s dependencies:

Add a new user to your machine named cowrie so that the service runs under a dedicated non-root user ID. When prompted with “Enter the new value, or press ENTER for the default”, leave the fields empty.

Become the new cowrie user and navigate to the cowrie home directory.

From the cowrie home directory, check out the cowrie git repo using git:

Now create a new python3 env for cowrie:

Activate the virtual environment and install the necessary packages:
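
The steps above, from moving the real SSH service through installing Cowrie's Python packages, collected into one script. This is an added example, not the article's original commands: the function names are made up for illustration, and the package list and repository URL follow Cowrie's own install guide.

```shell
#!/usr/bin/env bash
# Added example (not the article's own commands). Defining these functions
# changes nothing; call them on the VM in the order shown at the bottom.

# Put "Port PORT" at the top of CONFIG and drop every other active Port line,
# so sshd stops listening on 22. The old file is kept as CONFIG.bak.
set_sshd_port() {
  local port="$1" config="${2:-/etc/ssh/sshd_config}"
  case "$port" in ''|*[!0-9]*) echo "port must be a number" >&2; return 1 ;; esac
  if [ "$port" -le 1024 ] || [ "$port" -gt 65535 ]; then
    echo "choose a port from 1025 to 65535" >&2; return 1
  fi
  cp -p "$config" "$config.bak" || return 1
  { printf 'Port %s\n' "$port"
    grep -Eiv '^[[:space:]]*Port[[:space:]=]' "$config.bak" || true
  } > "$config"
}

# Reads `netstat -tan` output on stdin; succeeds if a socket LISTENs on PORT.
listening_on() {
  awk -v re=":$1\$" '$6 == "LISTEN" && $4 ~ re { ok = 1 } END { exit !ok }'
}

# As root: move the real sshd, syntax-check the file, restart, confirm.
move_real_ssh() {
  set_sshd_port "$1" || return 1
  if ! sshd -t; then   # bad config: restore the backup instead of restarting
    cp -p /etc/ssh/sshd_config.bak /etc/ssh/sshd_config; return 1
  fi
  service ssh restart && netstat -tan | listening_on "$1"
}

# As root: Cowrie's build dependencies and the dedicated non-root account.
# Package names are taken from Cowrie's install guide (assumption for your release).
install_cowrie_deps() {
  apt-get update && apt-get install -y git python3-venv libssl-dev libffi-dev \
    build-essential libpython3-dev python3-minimal authbind
  adduser --disabled-password cowrie
}

# As the cowrie user: clone the repo and build its Python 3 virtual environment.
setup_cowrie() {
  cd "$HOME" && git clone https://github.com/cowrie/cowrie && cd cowrie || return 1
  python3 -m venv cowrie-env && . cowrie-env/bin/activate || return 1
  python -m pip install --upgrade pip
  python -m pip install --upgrade -r requirements.txt
}

# Order on the VM: move_real_ssh 3134; install_cowrie_deps; then as cowrie: setup_cowrie
```

Keep your current session open until a second login on the new port succeeds, and make sure that port is also allowed inbound on the Networking tab.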

View the Logs from Azure

Keep an eye on your VM using logs within Azure. For example, I was regularly alerted to what Microsoft identified as ‘unrecommended IP addresses’.

Have fun honeypotting and collecting logs!

I write about DFIR, GRC, and defensive security topics.
