
Deploying Cowrie SSH/Telnet Honeypot on Linux for Security Monitoring


By Noman Mohammad


If You Have Servers, You’re Already Being Scanned

It’s 3 a.m. You should be sleeping. Instead you’re on the sofa staring at an e-mail titled: “All files are encrypted. Pay 2.8 BTC in 72 hrs.”

I’ve been there. Twice.

The second time, the attackers owned every Dell box in our DMZ for 187 days. They just sat there copy-pasting Dropbox links to mega.nz. We never knew until the ransom screen.

Why Firewalls Aren’t Enough

Next-gen, AI-driven, whatever-the-dude-sold-us… still looks like ordinary traffic when (1) the bot tries root/12345 and (2) it works.
The SIEM says: “Someone logged in.”
Cool, thanks Splunk.

What you really need is a seat inside the attacker’s mind. That’s where Cowrie comes in.

What Is Cowrie (in Plain English)

Cowrie is a fake Linux box that keeps the back door wide open and records every nose that pokes its head in. Think of it as a GoPro strapped to a wasp nest — except the wasps are scripts, not insects.

Grab a VPS and Bright-Light the Hoodlums

Below is the exact recipe I use when friends at small start-ups ask,
“How do I learn who’s messing with my cloud boxes?”

  1. Spin Up a Clean VM
    Ubuntu 22.04 LTS, 1 vCPU, 1 GB RAM is plenty. I call mine cowrie1.
  2. Create the Cowrie User
    sudo adduser --system --group --home /home/cowrie --shell /bin/bash cowrie

    Never, ever run honeypot code as root.

  3. Basic Packages
    sudo apt update && sudo apt install -y python3 python3-venv python3-pip git
  4. Clone & Install
    sudo su - cowrie
    git clone https://github.com/cowrie/cowrie.git
    cd cowrie
    python3 -m venv cowrie-env
    source cowrie-env/bin/activate
    pip install --upgrade pip
    pip install -r requirements.txt
  5. Copy the Config
    cp etc/cowrie.cfg.dist etc/cowrie.cfg

    Open cowrie.cfg, turn SSH on, Telnet off, and switch logs to JSON.
    Double win: your *real* SSH keeps port 22; Cowrie grabs traffic on 2222.

  6. Route Real Traffic to Fake Port
    sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
    sudo apt install iptables-persistent
    sudo netfilter-persistent save

    Before you save this, move your own management sshd off port 22 (or exempt your admin IP from the REDIRECT): the PREROUTING rule catches every inbound connection to port 22, yours included.
    From that second on, every mis-typed ssh root@your-ip lands here.

  7. Fire It Up
    bin/cowrie start
    tail -f log/cowrie.log

What Happens Next Is Hilarious (and Sad)

Ignore it for twelve hours. Then peek at the logs:

  • Passwords tried: admin/admin, root/password123, postgres/postgres…
  • Fresh hashes wandered in. One bot sprayed 41 K logins before quitting.
  • My favorite: a Latvian IP spent seven minutes trying to apt install dstat, cobalt-strike, tmux. Cowrie replied: “Couldn’t lock admin lock file.” He rage-quit.

Zoom Out & Get Useful

Feed those juicy logs into your SIEM's rule set. Next time the same guy who brute-forced *root/spring2025* tries the **exact same cred on payroll-01**, you can auto-block him.

Not running a SIEM? No sweat. Pipe the JSON like this:

jq -r .src_ip log/cowrie.json | sort -u > attacker_ips.txt

Feed the list to Cloudflare or AWS WAF.
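One step past the jq one-liner, as an added example (not from this post or the Cowrie project): a short Python reader for Cowrie's JSON log that produces the same attacker IP list, a password tally like the one the homework asks for, and the "same credential from the same source" lookup behind the SIEM auto-block idea. The log lines are constructed for illustration; the field names (eventid, src_ip, username, password, input) follow Cowrie's JSON output.

```python
# Added example (not Cowrie's own code): summarize Cowrie's JSON log.
# Field names (eventid, src_ip, username, password, input) are Cowrie's;
# the log lines below are constructed for illustration.
import json
from collections import Counter, defaultdict

SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","src_port":50211,"dst_port":2222,"session":"a1b2c3d4e5f6","timestamp":"2025-03-01T03:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"spring2025","session":"a1b2c3d4e5f6","timestamp":"2025-03-01T03:00:02Z"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","username":"root","password":"12345","session":"a1b2c3d4e5f6","timestamp":"2025-03-01T03:00:03Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","input":"apt install dstat","session":"a1b2c3d4e5f6","timestamp":"2025-03-01T03:00:04Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","username":"admin","password":"admin","session":"0f0e0d0c0b0a","timestamp":"2025-03-01T03:10:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","username":"root","password":"spring2025","session":"0f0e0d0c0b0a","timestamp":"2025-03-01T03:10:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","username":"postgres","password":"postgres","session":"0f0e0d0c0b0a","timestamp":"2025-03-01T03:10:02Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","username":"root","pas
"""

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}

def parse_events(text):
    """Yield one dict per well-formed line; a half-written line from a live tail is skipped."""
    for line in text.splitlines():
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def summarize(text):
    """Attacker IPs (like the jq one-liner), password tally, creds per IP, commands run."""
    ips, passwords = set(), Counter()
    creds_by_ip = defaultdict(set)          # src_ip -> {(username, password)}
    commands = []                           # (src_ip, command typed in the fake shell)
    for ev in parse_events(text):
        ip = ev.get("src_ip")
        if ip:
            ips.add(ip)
        if ev.get("eventid") in LOGIN_EVENTS:
            passwords[ev["password"]] += 1
            creds_by_ip[ip].add((ev["username"], ev["password"]))
        elif ev.get("eventid") == "cowrie.command.input":
            commands.append((ip, ev["input"]))
    return {"ips": sorted(ips), "passwords": passwords,
            "creds_by_ip": creds_by_ip, "commands": commands}

def reused_cred_sources(summary, username, password):
    """IPs that tried this exact user/password pair: the 'same cred on payroll-01' rule."""
    return sorted(ip for ip, creds in summary["creds_by_ip"].items()
                  if (username, password) in creds)
```

On a live box, run summarize() over the contents of log/cowrie.json instead of SAMPLE_LOG; summary["ips"] is the same list the jq command writes to attacker_ips.txt.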

The Five-Minute Health Checklist

  1. See green [cowrie] Started in log/cowrie.log.
  2. Test from a phone: ssh root@you # should land in Cowrie.
  3. Rotate logs weekly: 0 0 * * 0 logrotate /home/cowrie/logrotate.conf.
  4. Update Cowrie monthly: git pull inside ~/cowrie.
  5. Check disk: under 1 GB per 100 K sessions.

Quick Reality Check

Legal? If you own the server and the network, definitely yes. Still read your local laws or hire counsel if you’re nervous.

Can bad guys spot it? Sophisticated groups can. But most attacks are spray-and-pray. Expect 99 % scripted noise, 1 % gold.

Resource hog? Nope. Mine idles at 2 % CPU, 192 MB RAM. I run it on a $3 / month VPS.

Your Next Coffee Break Homework

  1. Stand up your own Cowrie instance today.
  2. Send me the top three passwords it captures (anonymized, of course). I’ll bet you hunter2 and Pa$$w0rd still crack the top ten.
  3. Post the play-by-play to Slack. Your security team will laugh. They’ll also stop ignoring SSH logs.

Once the honeypot is purring, I’ll teach you how to tie it into FBI IC3 reports and Interpol’s threat feed next week.

Until then, happy hunting.
