Skip to content

Cowrie Honeypot Setup

Set up host

sudo apt-get update
sudo apt-get install git python3-virtualenv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind

sudo adduser --disabled-password cowrie
sudo su - cowrie

Get cowrie

git clone

Set up cowrie

cd ./cowrie
virtualenv --python=python3 cowrie-env
source cowrie-env/bin/activate
(cowrie-env) $ pip install --upgrade pip
(cowrie-env) $ pip install --upgrade -r requirements.txt

Modify cowrie configs

cp ~/cowrie/etc/cowrie.cfg.dist ~/cowrie/etc/cowrie.cfg <-- Main cowrie config
cp ~/cowrie/etc/userdb.example ~/cowrie/etc/userdb.txt <-- Allowed users config

Changes to cowrie.cfg

hostname = PROD03
listen_endpoints = tcp:22:interface=
backend_ssh_port = 22222
* Change venv with
cowrie@modsecbox:~/cowrie$ source cowrie-env/bin/activate
(cowrie-env) cowrie@modsecbox:~/cowrie$

Set up SSH and modify configs to allow cowrie on port 22

(See note below)

apt install authbind
touch /etc/authbind/byport/22
chown cowrie:cowrie /etc/authbind/byport/22
chmod 770 /etc/authbind/byport/22

ufw allow 7331

vi /etc/ssh/sshd_config  # Change to a higher port
service ssh restart

  • NOTE: on Ubuntu 22.10 they did something dumb1 to sshd so now to get around that we change port here
    vi /lib/systemd/system/ssh.socket
    systemctl daemon-reload
    systemctl restart ssh
    netstat -tulpn


  1. Integration with VirusTotal (For malware scanning):
    • Go to and create a free account to get API key
    • Edit cowrie.cfg
    • Restart cowrie
      enabled = true
      api_key = <API KEY>
      upload = True
      debug = False
      scan_file = True
      scan_url = True
  2. Integration with ThreatJammer (For flagging suspicious IPs):
    • Go to and create free account to get API key
    • Edit cowrie.cfg
    • Restart cowrie
      enabled = true
      bearer_token = <API KEY>
      track_login = true
      track_session = false
      ttl = 86400
      category = ABUSE

Visualization (Splunk)

Splunk is better than Kippograph. Since Splunk has much better looking graphics, I'll use that this time

  1. Download Splunk Enterprise (free)
  2. Add data inputs
    • Settings -> Add Data
    • Create HTTP Event Collector (leave everything default)
  3. Get token and configure cowrie.cfg
  4. Create cowrie index
    • Settings -> Data -> Indexes
    • Create new index "cowrie"
  5. Point Data Input to HTTP Collector
    • Settings -> Data -> Data Inputs
    • Point Data Input at cowrie index
  6. Configure cowrie and restart
  7. Add Manuka Honeypot app for dashboards (Obtained from the Step by step guide below)
enabled = true
url = <-- Do NOT change the port for the collector
index = cowrie
sourcetype = cowrie
source = cowrie

Secure Splunk

Splunk will listen on all interfaces by default. To make it not look like as big a target, we want to only allow it to listen on and then we will use port forwarding to reach the Splunk UI:

  1. Set SPLUNK_BINDIP= in $splunk_home/etc/splunk-launch.conf so it will only bind to localhost.
  2. Connect via SSH port forwarding and open Splunk in a browser by going to
ssh -L 8000: -p 7331 root@serverIP


This guide is comprised of trials, errors and parts of other guides. Resources are listed below.

  1. sshd now uses socket-based activation Ubuntu 22.10 or later. Read more about this change being discussed here. It's a feature