🍯 Honeypots & deception
Cowrie
SSH and Telnet honeypot that records every keystroke from attackers.
Why use it
Cowrie pretends to be a vulnerable SSH or Telnet server, accepting any login and logging every command an attacker runs. It even captures uploaded malware samples. The single most fun and educational honeypot you can run.
What you get
- Full SSH and Telnet emulation
- Per-session command logs and file uploads
- Replay sessions like a movie
- Configurable fake filesystem
- JSON output for SIEM ingestion
System requirements
| Resource | Requirement |
|---|---|
| CPU | 1 core |
| RAM | 512 MB |
| Disk | 5 GB |
| OS | Linux |
| Docker | Yes |
Installation
Docker is fastest: `docker run -p 2222:2222 cowrie/cowrie`. For real attack data, NAT external port 22 to container port 2222, and move your real SSH off port 22 first. Logs land in `/cowrie/cowrie-git/var/log/cowrie/`.
Suggested configuration
Don't bind Cowrie to port 22 of your real management host; use NAT to keep them isolated. Set `auth_class = AuthRandom` for realistic accept-some-deny-some behaviour. Forward JSON logs to your SIEM and watch attackers try the same 50 default passwords nightly.
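To make the SIEM-forwarding suggestion concrete, here is an added example (not part of this page or of the Cowrie project) that summarises Cowrie's JSON log per session, counts the passwords tried, and picks out sessions that got past login and actually did something. The log lines are constructed in Cowrie's event format; the IPs, session ids, URL and hash are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample in Cowrie's JSON log format (one event per line);
# IPs, session ids, URL and shasum are placeholders, not real captures.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_port":51412,"dst_port":2222,"session":"a1b2c3d4e5f6","protocol":"ssh","timestamp":"2024-05-01T02:14:03.120000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2024-05-01T02:14:04.001000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2024-05-01T02:14:05.230000Z"}
{"eventid":"cowrie.login.success","username":"root","password":"password","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2024-05-01T02:14:06.410000Z"}
{"eventid":"cowrie.command.input","input":"uname -a","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2024-05-01T02:14:07.000000Z"}
{"eventid":"cowrie.session.file_download","url":"http://example.invalid/x.sh","outfile":"var/lib/cowrie/downloads/PLACEHOLDER","shasum":"PLACEHOLDER_SHA256","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2024-05-01T02:14:09.500000Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.9","src_port":40210,"dst_port":2222,"session":"f6e5d4c3b2a1","protocol":"ssh","timestamp":"2024-05-01T02:20:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","session":"f6e5d4c3b2a1","src_ip":"198.51.100.9","timestamp":"2024-05-01T02:20:01.000000Z"}
"""

def summarise_sessions(log_text):
    """Group events by Cowrie session id and collect what each attacker did."""
    sessions = defaultdict(lambda: {"src_ip": None, "creds": [], "success": None,
                                    "commands": [], "downloads": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        s = sessions[ev["session"]]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        kind = ev["eventid"]
        if kind == "cowrie.login.failed":
            s["creds"].append((ev["username"], ev["password"]))
        elif kind == "cowrie.login.success":
            s["creds"].append((ev["username"], ev["password"]))
            s["success"] = (ev["username"], ev["password"])
        elif kind == "cowrie.command.input":
            s["commands"].append(ev["input"])
        elif kind == "cowrie.session.file_download":
            s["downloads"].append((ev.get("url"), ev.get("shasum")))
    return dict(sessions)

def top_passwords(sessions, n=5):
    """Count passwords across all sessions; the 'same 50 defaults' show up here."""
    counts = defaultdict(int)
    for s in sessions.values():
        for _, pw in s["creds"]:
            counts[pw] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def interactive_sessions(sessions):
    """Sessions that got past login and ran a command or fetched a file: forward these first."""
    return [sid for sid, s in sessions.items()
            if s["success"] and (s["commands"] or s["downloads"])]
```

Point `summarise_sessions` at the contents of `cowrie.json` from the log directory above to run it over real data.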
Integration ideas
- Forward sessions to Wazuh / Elastic
- Submit captured malware to MalwareBazaar
- Push attacker IPs to a blocklist via CrowdSec
Alternatives
- T-Pot — Cowrie + 20 other honeypots in one stack.
- OpenCanary — Lighter, multi-protocol, no session replay.
Cyentrix verdict
Run it for a week and you will know exactly what credential-stuffing botnets do all night. Brilliant first honeypot.