Home

Awesome

Honeypots

Packaging honeypots for small communities with joint Situational Awareness.

Kippo

Kippo is now obsolete in our use, see our old instructions.

Cowrie

Replaces old patched up Kippo in our use.

Running locally directly from the Docker Hub

A prebuild container image is available from the Docker Hub.

docker run -d -p 2222:2222 --name cowrie ouspg/cowrie

See e.g. the DigitalOcean example below on how to replace host ssh-service with the honeypot.

Building in a cloned repository

git clone https://github.com/ouspg/honeypots.git
cd honeypots/cowrie
docker build -t cowrie --rm .

Building directly from the GitHub

docker build -t cowrie --rm https://github.com/ouspg/honeypots.git#:cowrie

Publishing manually on the Docker Hub (stable)

Stable builds are published manually based on the Tag, push, and pull your image instructions.

docker images
docker tag <imageid> ouspg/cowrie:stable
docker login
docker push ouspg/cowrie

Publishing automatically on the Docker Hub (latest)

Latest builds are published automatically based on the Automated Builds on Docker Hub instructions.

Running locally based on self-built image

docker run -ti -p 2222:2222 --rm cowrie

See e.g. the DigitalOcean example below on how to replace host ssh-service with the honeypot.

Running on the DigitalOcean

# apt-get update
# apt-get upgrade
# cd /etc/ssh
# cp sshd_config sshd_config.orig
# nano sshd_config
# diff sshd_config.orig sshd_config
5c5
< Port 22
---
> Port 7799
# service ssh reload
# docker run -d -p 22:2222 --name cowrie ouspg/cowrie
# docker logs cowrie
Starting cowrie with extra arguments [--nodaemon] ...

Running on the Amazon Web Services (AWS)

TBD

Running on the Google Cloud Platform

TBD

(Kippo vs. Cowrie) vs. (Ubuntu vs. Alpine)

Cowrie honeypot is a fork of the Kippo honeypot with active development and at the time of this evaluation Cowrie had critical additional functionality such as SFTP/SCP/SSH-exec support and seemed to be less often automatically detected as a honeypot than Kippo.

Although Docker is not a perfect security sandbox it, if properly used, provides some additional isolation via namespaces and seccomp-policies. Furthermore Docker makes deploying small services such as this very easy compared to the more manual methods we used before.

Most popular Docker packaged versions of the Kippo and Cowrie have been made by DTAG Community Honeypot Project of Deutsche Telekom AG. They and majority of the other Kippo and Cowrie images in the Docker Hub are based on the Ubuntu image. Since we aimed for very light weight deployment we chose Alpine. Some comparison the most popular versions and the Alpine versions on the Docker Hub are given below based on situation at the end of June 2016. At this time there were 18 Kippo images and 9 Cowrie images in the Docker Hub. If we counted correct, only one of them used Alpine for the Kippo and only one for the Cowrie, before ours.

Docker Hub ImageBase ImagePullsImage Size
dtagdevsec/kippoubuntu:14.04.310k+461.9 MB
dariusbakunas/kippodebian:wheezy3.5k384.1 MB
vensder/alpine-kippoalpine2981.13 MB
dtagdevsec/cowrieubuntu:14.04.43.9k462.6 MB
ouspg/cowriealpine:latest496.21 MB
vimagick/cowriealpine52998.94 MB

Please dind some naive "build time" comparison, please note that only the real time matters since the build takes place in a remote Docker engine.

Standard disclaimer applies here, we are somewhat comparing apples and oranges due to lack of feature parity.

% time docker build --no-cache -t kippo https://github.com/thomasleveil/docker-kippo.git
...
Successfully built 699733b66151

real 3m10.624s
user 0m0.315s
sys 0m0.135s

% time docker build --no-cache -t cowrie https://github.com/dtag-dev-sec/cowrie.git
...
Successfully built adfbd5e129e9

real 3m28.518s
user 0m0.649s
sys 0m0.406s

% time docker build -t cowrie --rm https://github.com/ouspg/honeypots.git#:cowrie
...
Successfully built 7e63227201d4

real 2m32.697s
user 0m0.237s
sys 0m0.218s

Further Work

Additional References