Deploying Cowrie SSH Honeypots with Ansible
To be able to easily spin up honeypots across the globe, I need an automated way to mass deploy and configure pots, hurrah for Ansible!
Until now, I’ve never properly created my own Ansible playbooks before. I have had experience using Ansible Tower/AWX to run playbooks etc, but this opportunity to create my own was great fun.
The playbook I’ve created will install a Cowrie based SSH honeypot, configured to random mode, allowing attackers to SSH in after a random number of authentication attempts. In addition, the pot is deployed via docker container, because, well docker is pretty awesome. (And deploying raw cowrie is a pain :D)
To ship logs, the playbook also installs a filebeat docker and uses Jinja templating to generate a filebeat configuration based for defaults or Ansible environment variables.
Networking also needed to be considered here. I wanted to expose the honeypot on port 22, to make it as authentic as I can. So, I set the playbook to change the SSH port to TCP 2020 and NAT port TCP 22 to port TCP 2222. I then used Netfilter with IPTables to mark packets that originated from port TCP 2222 and then drop them, but still allow packets that originated from port TCP 22 that have been NAT to port TCP 2222
So in a nutshell, the playbook:
- Installs Pip, Docker and it’s dependencies
- Pulls and runs a Cowrie SSH Honeypot docker container
- Changes the ssh port from 22 to 2020
- NATs port TCP 22 to port TCP 2222 and blocks direct port TCP 2222 connections via iptables
- Pulls and starts a Filebeat docker, generating a config via Jinja templating.
- Mapps 2 volumes /etc/honeypotdb/docker/… for config files and /var/log/honeypotdb/… for logs.
I’m looking to build this Ansible playbook repository pot with various playbooks to install different honeypot types, and ‘link’ then up to HoneyPotDB, my global honeypot project. As a result, the layout of the playbooks is likely to change and have some HoneypotDB specific configs etc, but so for so good!