In an age where cyber threats are more prevalent than ever, setting up a honeypot can be a proactive measure to enhance your cybersecurity posture. Honeypots act as decoys or traps for malicious actors, allowing organizations to monitor, analyze, and learn from malicious activities. In this guide, we will walk you through the process of setting up a Linux server honeypot.

What You’ll Need

  • A Linux server (Ubuntu, Debian, CentOS, etc.)

  • Basic knowledge of Linux command-line tools

  • An internet connection

  • Root access to your server

Step 1: Installing Dependencies

Before we start, it’s crucial to update your package list and install the necessary dependencies. Open your terminal and run the following commands:

sudo apt update && sudo apt upgrade -y  # For Ubuntu/Debian

# OR

sudo yum update -y                     # For CentOS

Now, install the dependencies:

# For Ubuntu/Debian

sudo apt install git python3 python3-pip -y



# For CentOS

sudo yum install git python3 python3-pip -y

Step 2: Choose a Honeypot Framework

While there are multiple honeypot frameworks available, Cowrie is a popular SSH and Telnet honeypot designed to log brute force attacks and the shell interaction with the attacker.
To install Cowrie, we will clone the repository from GitHub.

git clone https://github.com/cowrie/cowrie.git

cd cowrie

Step 3: Setting Up Cowrie

Before setting up Cowrie, you need to create a new user for it.

sudo adduser cowrie

sudo chown -R cowrie:cowrie /path/to/cowrie

Now switch to the Cowrie user and install the required Python packages:

sudo -u cowrie -H pip3 install --upgrade pip setuptools

sudo -u cowrie -H pip3 install -r requirements.txt

Step 4: Configure Cowrie

Cowrie’s main configuration file is located in the cowrie.cfg file. You can customize this file to suit your needs, including specifying the port number, SSH keys, and other settings.

Open the config file with your preferred text editor:

cd cowrie

nano cowrie.cfg

Make the necessary changes. For basic setups, you might want to keep the default settings and just change the host and port fields.

Step 5: Set Up Logging and Monitoring

Honeypots can generate a lot of data, so it is important to set up an organized logging system. Cowrie automatically logs its data into a SQLite database, but you may want to centralize logs or send alerts.

To View Cowrie logs:

cd cowrie/log

tail -f cowrie.log

For enhanced monitoring, consider installing ELK Stack (Elasticsearch, Logstash, Kibana) or similar tools to visualize the activity on your honeypot.

Step 6: Run Cowrie

Now that everything is set up, you can run Cowrie. Ensure you are still in the Cowrie directory and execute the start script:

sudo -u cowrie -H twistd -ny cowrie.tac

Cowrie should now be successfully running, capturing unauthorized access attempts!

Step 7: Keep Your Honeypot Secure

Even though your honeypot is designed to attract attackers, securing it is vital. Here are some quick tips to enhance security:

  1. Firewall Rules: Limit access to your honeypot. For instance, use ufw to allow only specific IP addresses:

    sudo ufw allow from <your_ip_address> to any port 22

  2. Keep It Updated: Regularly update both your OS and Cowrie to protect against known vulnerabilities.

  3. Network Isolation: If possible, run your honeypot on an isolated network to reduce risks to your other systems.

  4. Monitor Logs Regularly: Assess the logs on a consistent basis for any signs of suspicious activities.

Conclusion

Setting up a Linux honeypot such as Cowrie can significantly benefit your understanding of cyber threats and improve your overall defensive strategies. Not only does it serve to lure attackers away from your primary systems, but it actively helps you monitor their tactics and exploit methods.

Stay vigilant and continuously update your honeypot setup to keep pace with advancements in cyber threats. Happy hunting!

Additional Resources

Feel free to adapt this guide to your own preferences or add visual aids to help your readers follow the setup process effectively!