Introduction
What is a Honeypot?
A honeypot is a deception security mechanism that mimics real systems to attract and analyze cyber threats. Threat actors interact with the honeypot, allowing security professionals to study their behavior.
This guide will show you how to deploy a Cowrie SSH honeypot for logging attacker activity. You can choose to:
- Run it on a VPS from any cloud provider (AWS, DigitalOcean, Linode, etc.).
- Set up a home server on any machine for centralized control.
In this case, I’ll be using a refurbished HP ProDesk running Ubuntu Server as the dedicated honeypot machine. However, the steps will also work on a VPS.
1️⃣ Hardware Requirements
Option 1: HP ProDesk (or Similar Home Server)
x86_64-based system with at least:
CPU: Dual-core or better
RAM: 4GB+ (8GB recommended)
Storage: 20GB+ SSD/HDD
Ethernet connection for stable logging
Option 2: VPS from Any Cloud Provider
Any VPS running Ubuntu Server 22.04+
- Providers: AWS, Linode, DigitalOcean, Hetzner, etc.
Minimum recommended specs: 1 vCPU, 2GB RAM, 20GB SSD
A public IP address to allow remote access
Configurations
- Open port 2222 for honeypot SSH
2️⃣ Software Requirements
Ubuntu Server 22.04 LTS (or newer)
Download from: Ubuntu Server Download
Installed with SSH access enabled
Set up with a non-root user (sudo enabled)
Basic Linux & Networking Knowledge
Familiarity with SSH, systemctl, and firewalls
Installation
Before setting up Cowrie, you need to install Ubuntu Server on your machine. You can install it in two ways:
1️⃣ On a physical machine using a bootable USB (e.g., HP ProDesk).
2️⃣ Inside a virtual machine using VirtualBox (which we’ll use in this guide)
Option 1: Install Ubuntu Server with a Bootable USB
If you’re installing on a physical machine (like HP ProDesk), follow this guide
Steps:
- Download Ubuntu Server LTS from Ubuntu Server Download.
- Create a bootable USB using Rufus (Windows) or balenaEtcher (Mac/Linux).
- Boot from the USB and follow the installation steps.
🎥 Watch this video tutorial for creating a bootable USB & installing Ubuntu Server
Option 2: Install Ubuntu Server on a Virtual Machine (VirtualBox)
In this guide, I’ll be installing Ubuntu Server on a Virtual Machine (VM) using VirtualBox.
Step 1: Download & Install VirtualBox
Download VirtualBox from: https://www.virtualbox.org/
Install VirtualBox for your OS.
Step 2: Create a New Virtual Machine
1️⃣ Open VirtualBox and click "New".
2️⃣ Set the name as Ubuntu_Honeypot.
3️⃣ Select Type: Linux, Version: Ubuntu.
4️⃣ Allocate at least 2048MB (2GB) RAM (4GB recommended).
5️⃣ Create a 20GB (or more) virtual hard disk
6️⃣ Click "Create" to finish setting up the VM.
Step 3: Configure VM Settings
Before starting the VM, tweak a few settings for better performance:
1️⃣ Go to "Settings" → "System" → "Processor" → Set at least 2 CPUs.
2️⃣ Enable Network Bridging:
Go to "Settings" → "Network" → change "Attached to" to "Bridged Adapter" (this makes the VM accessible on your local network).
Deploying Cowrie Using Docker
Cowrie can be easily deployed using a Docker container, making setup and management much simpler. Below is how you can quickly get Cowrie running inside Docker.
1️⃣ Install Docker (If Not Installed)
First, install Docker on your system:
sudo apt update && sudo apt install -y docker.io
Enable and start the Docker service:
sudo systemctl enable --now docker
Check that Docker is installed (this prints the version):
docker --version
2️⃣ Run Cowrie with Docker
To quickly start Cowrie using a pre-built Docker image, run:
sudo docker run -p 2222:2222 cowrie/cowrie:latest
-p 2222:2222 → Exposes port 2222 on the host and forwards it to port 2222 in the container.
3️⃣ Connect to the Cowrie Honeypot
Once the container is running, you can test SSH access:
nmap -p 2222 -sV <server-ip>
ssh -p 2222 root@localhost
If using another machine on the same network, replace localhost with the server’s IP:
ssh -p 2222 root@<server-ip>
Exposing Cowrie Running in Docker to the Internet
In this section we will be doing the following:
✅ Expose Cowrie (running in Docker) to the internet so real attackers can interact with it.
1️⃣ Expose Cowrie to the Internet
By default, Docker containers run in an isolated network. To make Cowrie publicly accessible, we need to:
- Ensure the correct port is mapped
- Forward the port from your router
- Allow traffic through the firewall (UFW)
Step 1: Run Cowrie with Port Mapping
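If your container is already running, stop and remove it first. A container started without --name (as in the earlier command) gets a random name, so check the list of running containers for its actual name or ID and use that in place of cowrie:
sudo docker stop cowrie && sudo docker rm cowrie
Now, restart Cowrie in the background with a fixed name and the port mapping:
sudo docker run -d --name cowrie -p 2222:2222 cowrie/cowrie:latest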
Now, test SSH access from another computer:
ssh root@your-server-ip -p 2222
If this works, move to the next step.
Step 2: Allow SSH Traffic in UFW (Firewall)
Make sure your firewall allows incoming SSH connections:
sudo ufw allow 2222/tcp
sudo ufw reload
sudo ufw status numbered
Now, your server should allow SSH traffic on port 2222.
Step 3: Set Up Port Forwarding on Your Router (For Public Access)
To make your honeypot publicly accessible, you need to forward port 2222 on your router.
- Log into your router settings (usually at 192.168.1.1).
- Find Port Forwarding / NAT Settings.
- Add a rule:
  - External Port: 2222
  - Internal Port: 2222
  - Protocol: TCP
  - Destination IP: Your server’s local IP (e.g., 192.168.1.100).
- Save the changes and restart your router.
Playing Around with the Honeypot
After running the previous Docker command to start Cowrie, our server is now actively accepting SSH connections.
Interacting with the Fake SSH Server
Let’s test the honeypot by logging in from another machine:
Once connected, you’ll notice that Cowrie presents a fully interactive fake filesystem designed to mimic a real Linux server.
Cowrie tricks attackers by allowing them to execute commands, navigate directories, and even try to download malicious tools.
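To review what the honeypot recorded, the login attempts and typed commands can be summarized from Cowrie's JSON event log. The script below is an added example, not part of the original post; it assumes Cowrie's JSON output is enabled and relies on its event IDs (cowrie.login.failed, cowrie.login.success, cowrie.command.input), and the sample log lines are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of Cowrie's JSON event log; not captured traffic.
# IPs are from documentation ranges. The last line simulates a truncated write.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"a1","timestamp":"2025-01-01T10:00:00Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.7","session":"a1","timestamp":"2025-01-01T10:00:02Z"}
{"eventid":"cowrie.login.success","username":"root","password":"admin","src_ip":"203.0.113.7","session":"a1","timestamp":"2025-01-01T10:00:05Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"203.0.113.7","session":"a1","timestamp":"2025-01-01T10:00:09Z"}
{"eventid":"cowrie.command.input","input":"cat /etc/passwd","src_ip":"203.0.113.7","session":"a1","timestamp":"2025-01-01T10:00:12Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"198.51.100.23","session":"b2","timestamp":"2025-01-01T10:05:00Z"}
{"eventid":"cowrie.login.fai
"""


def summarize(lines):
    """Aggregate credential attempts and per-session commands from Cowrie events."""
    attempts = Counter()          # (username, password) -> times tried
    logins_by_ip = Counter()      # src_ip -> number of login attempts
    successes = []                # (src_ip, username, password) the honeypot accepted
    commands = defaultdict(list)  # session id -> commands typed, in order
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            eventid = ev.get("eventid", "")
        except (json.JSONDecodeError, AttributeError):
            skipped += 1          # partial line or non-object JSON; count it, keep going
            continue
        if eventid in ("cowrie.login.failed", "cowrie.login.success"):
            cred = (ev.get("username"), ev.get("password"))
            attempts[cred] += 1
            logins_by_ip[ev.get("src_ip")] += 1
            if eventid == "cowrie.login.success":
                successes.append((ev.get("src_ip"),) + cred)
        elif eventid == "cowrie.command.input":
            commands[ev.get("session")].append(ev.get("input"))
    return {"attempts": attempts, "logins_by_ip": logins_by_ip,
            "successes": successes, "commands": dict(commands), "skipped": skipped}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(key, "=>", value)
```

To run it against a real log, pass the open log file to summarize() in place of the sample lines.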