Cowrie

Combining an SSH honeypot with fail2ban in the name of research.

Long-time readers of my blog know that I have more than a passing fascination with fail2ban, the log parsing tool that can recognize bad actors and take action to mitigate their behavior on a target device. In my previous blog posts, I explored how to couple fail2ban with my 128T router, and wrote a custom action that would, upon detecting a bad actor, add its IP address to a "blacklist" tenant on my 128T. This blacklist tenant was sprinkled liberally among all of my public-facing services – my websites, my SSH pinhole for remote access, my VPN server, etc. Furthermore, it would ban that particular IP address network-wide, including all of the public services at all public-facing edge routers in my Authority. (Authority is the 128 Technology term used to define a collection of routers under one management domain.)

When I picked up a bunch of Raspberry Pi devices on Presidents' Day weekend, I had an inkling. What if I could turn the tables on some of these bad actors, and trap them in a honeypot? Then I could study them with relative safety(?) and use some of these learnings to further my research into network privacy and security. After a bit of searching, I found Cowrie, an SSH honeypot. I got it set up on one of the Pis (the fourth one down in my BrambleStack), using the factory default configuration.

So how does Cowrie dovetail into my fail2ban story? One of the things about honeypots is that misbehaving users know to look for them. If they realize they're in a honeypot, they move on. Well, with fail2ban, I will be dynamically jailing bad actors, moving them from a "gray list" tenant to a blacklist tenant. So the end user experience will be:

  1. SSH to my public IP address as a gray list user, get a login prompt, and present incorrect credentials (failed login attempt #1)
  2. Present incorrect credentials (failed login attempt #2)
  3. Present incorrect credentials (failed login attempt #3)
  4. sshd disconnects the user. fail2ban "jails" that user into the blacklist tenant on 128T.
  5. SSH to my public IP address again, this time as a blacklist user, get Cowrie's login prompt. Remarkably, your password works this time! (Every time.)
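To make the gray list to blacklist transition concrete, here is an added simulation of the jail logic described in the steps above. It is example code written for this post, not part of Cowrie or fail2ban; the tenant names, the `maxretry`/`findtime` values and the sample log lines are assumptions, and the real 128T action that moves an IP between tenants is not modelled.

```python
import re
from collections import defaultdict, deque

# fail2ban-style failregex for sshd password failures (assumed pattern, not
# copied from a fail2ban filter file).
FAILREGEX = re.compile(
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

class TenantJail:
    """Counts failed SSH logins per source IP inside a sliding window and
    moves repeat offenders from the gray-list tenant to the blacklist tenant."""
    def __init__(self, maxretry=3, findtime=600):
        self.maxretry = maxretry          # failures allowed before jailing
        self.findtime = findtime          # window (seconds) the failures must fall in
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blacklist = set()            # IPs moved to the blacklist tenant

    def observe(self, line, now):
        """Feed one sshd log line; return True if this line triggered a jail."""
        m = FAILREGEX.search(line)
        if not m:
            return False
        ip = m.group("ip")
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()              # drop failures older than findtime
        if len(window) >= self.maxretry and ip not in self.blacklist:
            self.blacklist.add(ip)
            return True
        return False

    def tenant(self, ip):
        return "blacklist" if ip in self.blacklist else "gray-list"

    def service_for(self, ip):
        # Which service the edge router hands the next SSH session to.
        return "cowrie" if ip in self.blacklist else "sshd"

# Constructed sample sshd lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = [
    (0, "sshd[1201]: Failed password for root from 203.0.113.5 port 50211 ssh2"),
    (2, "sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50212 ssh2"),
    (3, "sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 40100 ssh2"),
    (5, "sshd[1201]: Failed password for root from 203.0.113.5 port 50213 ssh2"),
]

def run_sample(log=SAMPLE_LOG):
    jail = TenantJail()
    for ts, line in log:
        jail.observe(line, ts)
    return jail
```

After the third failure the offending IP is in the blacklist tenant, so its next SSH session lands on Cowrie while the legitimate key-based login is untouched.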

Configuring Cowrie to present the same banner, prompt, cipher set, etc. as my CentOS-based edge device will help complete the ruse. The end user will initially be interacting with a legitimate device, but then transparently get redirected to a honeypot. This adds an extra layer of deception to the honeypot that isn't typically found in one natively.

The opportunity to do some network research while trapping flies in the honeypot is too tempting to resist. Science!