If You Have Something Online, You Will Be Targeted: Building an SSH Honeypot with Cowrie

It’s a simple truth of the internet in 2025: if you expose a service online, someone will try to break into it — probably within minutes. Whether you're running a professional server or just playing around with a Raspberry Pi at home, the scans and intrusion attempts will come.

Rather than remain in the dark about who is knocking on my digital door, I decided to set a trap. I installed a honeypot on my Raspberry Pi using Cowrie — a powerful tool that emulates an SSH environment and logs every move of the intruder. What I discovered was as fascinating as it was alarming.

What Is Cowrie?

Cowrie is a medium-interaction honeypot primarily designed to emulate SSH and Telnet services. Unlike simple low-interaction honeypots that merely log connection attempts, Cowrie goes several steps further: it simulates a full shell environment that is convincing enough to lure attackers into interacting with it — executing commands, attempting privilege escalation, or downloading malicious payloads.

Technically, Cowrie acts as a proxy layer between the attacker and a fake file system. When an unauthorized SSH connection is made to the Cowrie port (usually port 22), the attacker is presented with a standard-looking login prompt. Any combination of usernames and passwords can be accepted (or selectively rejected) based on configuration.

Once "logged in", the attacker is dropped into a simulated shell that mimics a typical Linux distribution (usually something like Debian or Ubuntu). This shell is not real — it does not execute actual system commands. Instead, it interprets the inputs and returns predefined outputs that appear real, pulled from templates or static outputs.

Key Features of Cowrie

• SSH & Telnet emulation: Supports both protocols for broader visibility into different attack vectors.
• Filesystem virtualization: Emulates a directory structure, complete with fake /etc/passwd, /bin/ls, /home, and more. The attacker can navigate, read files, and even attempt to write or modify files within the virtual environment.
• Command emulation: Implements a wide range of shell commands (ls, cat, cd, echo, wget, etc.) with realistic behavior and output.
• Session recording: Every command, every keystroke, and every file transfer is logged — including timestamps, source IPs, and terminal interaction.
• File upload/download traps: Cowrie can capture files uploaded via scp, wget, or curl. It stores these for later analysis, including potentially malicious payloads.
• User behavior logging: Tracks session metadata like login attempts, commands issued, timing between keystrokes, and more.
• Customizability: You can modify command responses, file structures, and banners to tailor the honeypot to simulate a particular type of device — such as a Raspberry Pi, router, or generic cloud VM.
• Integration with security tools: Logs can be forwarded to ELK stacks, Splunk, MQTT brokers, or integrated into threat intelligence workflows.

What Makes Cowrie Effective?

Attackers — especially bots — often rely on fingerprinting systems to determine whether they’re worth targeting. Cowrie defeats these attempts by:

• Mimicking real SSH banners and version strings.
• Including realistic-looking user accounts (like pi, admin, or www-data).
• Delaying responses to mimic human-typed latency.
• Offering limited but believable command success/failure behavior.

For advanced adversaries, Cowrie’s limitations eventually become visible — for example, compiled binaries won’t run, and system-level commands like uname -r return canned responses. But by then, you’ve already gathered valuable telemetry on the intrusion attempt.

In essence, Cowrie creates a sandboxed illusion of a vulnerable system — not to fight attackers directly, but to monitor, analyze, and learn from the evolving landscape of internet-based threats.

Why Run a Honeypot?

Before diving into the technical setup, it’s worth asking: why even bother setting up a honeypot?

After all, a honeypot won’t block intrusions or patch your system — its power lies elsewhere: in visibility, learning, and strategic deception.

1. Awareness: The Internet Is Not a Quiet Place

If you've ever assumed your device is safe just because it's small or obscure — think again. The moment you expose port 22 (or almost any common service) to the internet, automated scans will find it. Within minutes of forwarding SSH to my Raspberry Pi, I saw login attempts streaming in — hundreds per hour.

Running a honeypot is a visceral reminder that being online means being targeted. Whether it’s botnets trawling IP ranges or opportunistic attackers trying default credentials, the noise never stops. A honeypot makes this invisible activity visible.

2. Education: Learn by Watching the Enemy

Reading about security in theory is one thing. Watching an attacker go through the motions — trying wget, poking for sudo access, trying to drop a cryptominer — that’s a different level of insight.

Honeypots like Cowrie allow you to: - Observe real-world intrusion attempts without endangering your system. - Understand attacker psychology, from scanning to escalation. - See how credential stuffing, privilege probing, and malware deployment actually play out.

This kind of learning is invaluable for students, sysadmins, or security researchers.

3. Research: Track Threat Trends Over Time

Cowrie logs everything — usernames, passwords, IPs, commands, file uploads — and stores them in structured formats. Over time, you build a local intelligence database: - What credentials are most commonly tried? - Which IPs are repeat offenders? - What malware is being distributed right now?

This data helps inform not only your own defenses, but can also be shared with community threat feeds or used to build detection rules.

4. Deception: Waste Their Time, Not Yours

A honeypot can be seen as a form of active deception. Instead of slamming the door shut, you open a decoy one — and let the attacker explore a fake world that’s safely isolated. While they “probe” your fake filesystem and “run” fake commands, you: - Log their behavior - Analyze their intent - Gain the upper hand

Every minute they waste in your trap is a minute they’re not exploiting a real system. That’s a net win for defenders.

In short: A honeypot is not a firewall. It’s not antivirus software. It won’t stop ransomware or close known vulnerabilities. What it will do is give you something far rarer: clarity.

It adds a powerful layer of intelligence to your security posture — letting you see what attackers try when they think no one is watching. It offers insight into the tools, commands, and behavior patterns that would otherwise stay hidden in the background noise of failed logins and dropped connections. And it introduces a form of tactical depth: by giving intruders a playground, you learn their tricks without exposing your real assets.

If you care about security — not just compliance, but actual, real-world adversary behavior — then a honeypot is an invaluable lens. There’s no better way to understand your enemies than by inviting them into a fake system, letting them act freely, and quietly recording every move they make.

It’s not about revenge. It’s about knowledge. And in cybersecurity, knowledge is leverage.

My Setup: Raspberry Pi as the Decoy

For this experiment, I repurposed a spare Raspberry Pi — small, silent, low-power, and perfect for running 24/7 in the background. The system runs a minimal Debian-based OS (Raspberry Pi OS Lite) with only the essentials installed. Here’s how I built the trap:

1. Real SSH was disabled on port 22. I didn’t want attackers hitting my actual SSH daemon by accident, so I moved it entirely.
2. A secure SSH server was reconfigured to another port, accessible only with ed25519 key-based authentication. Password login was completely disabled to eliminate brute-force risk.
3. Cowrie was installed and configured to bind to port 22, the default SSH port. It emulates a standard Linux SSH login prompt, complete with fake shell access, command responses, and even the illusion of a full filesystem.
4. The Pi was placed on an isolated VLAN, firewalled and monitored, with no outbound internet access except for Cowrie’s logging mechanisms. This ensures attackers can't pivot or access sensitive systems even if the honeypot is compromised.

From the outside, it looked like an undermaintained, exposed Linux box — a juicy, misconfigured SSH endpoint just waiting to be compromised.

But in reality, it was a tightly controlled sandbox designed to observe, log, and analyze every move.

What Did I Learn?

What surprised me most wasn’t that attacks came — it was how quickly they arrived. Within minutes of forwarding port 22 to the Raspberry Pi, Cowrie’s logs began to fill with intrusion attempts. The honeypot was effectively invisible in my home network — but wide open to the internet. And that was all it took.

Over just a few days, the data revealed some striking patterns:

Brute-Force Login Attempts

• Usernames: Attackers used every generic and default login imaginable — root, admin, user, test, guest, pi, oracle, ftp, and postgres were among the most common. But the list quickly exploded into the thousands, including random first names, system roles (support, monitor, backup), and nonsense strings. Clearly, automated dictionaries are behind most of it.
• Passwords: Unsurprisingly, the most frequently tried were 123456, admin, password, 1234, and variants like admin1234, rootroot, or qwerty. Many bots appended years (2023, 2024), or guessed based on the username (oracle/oracle, pi/raspberry).
• Volume: On average, hundreds of login attempts per day — often in bursts from specific IP ranges.

Source IPs and Origin Patterns

• The IPs came from all over the world, but particularly from:
• Public cloud providers (AWS, DigitalOcean, Alibaba, OVH)
• Residential broadband IPs (likely compromised systems)
• Obscured via VPN or Tor exit nodes
• Some attackers used one IP per attempt, while others hit the server repeatedly until blocked.
• A few IPs showed signs of manual probing, suggesting a human behind the keyboard (e.g., trying ls, then ifconfig, then uploading a binary manually).

Behavior After “Login”

Once “logged in,” attackers dropped into Cowrie’s fake shell — and this is where it got fascinating.

• Reconnaissance: Commands like uname -a, whoami, id, ls /, cat /etc/passwd, and top were common.
• Persistence & Payloads:
• Attempts to fetch remote scripts with wget, curl, or tftp
• Usage of chmod +x followed by execution
• Obfuscated one-liners (e.g., sh -c "$(curl -fsSL <URL>)")
• Base64-encoded or hex-encoded payloads, often malware
• Failure Loops: Since Cowrie fakes the filesystem and blocks actual execution, many attackers got stuck in loops, trying to install or run things that didn’t work. Some even complained (“permission denied??”) — unironically.

Malware and Indicators of Compromise

Cowrie’s logging includes downloaded files, which revealed:

• DDoS botnets (Mirai variants)
• Crypto miners (for Monero/XMR, often hardcoded into bash scripts)
• Shell backdoors (.elf binaries for ARM/x86)
• Polymorphic scripts changing with each request (often hosted on compromised WordPress sites)

Every file was saved for offline analysis — safely quarantined in a directory full of digital nastiness, just waiting to be dissected. In theory, I’d reverse-engineer the payloads and trace their infrastructure. In practice? I barely have time to breathe — my day job grinds me to pieces in a way that would make even ransomware beg for mercy.

In short: even a simple SSH honeypot collects astonishing amounts of intelligence in very little time. It gives you a front-row seat to real-world attacks — and a dataset worth exploring for patterns, trends, and even malware taxonomy.

Ethical and Legal Considerations

Running a honeypot isn’t just a technical project — it has ethical dimensions:

• Observe, don’t retaliate: Honeypots are for study, not revenge.
• Don’t redirect traffic or trick attackers into harming others.
• Clearly isolate the honeypot from your real infrastructure.
• Use the data responsibly — for learning, teaching, and improving cybersecurity awareness.

As long as you follow these principles, Cowrie is an excellent tool for understanding the real risks that face internet-connected systems — and for getting a front-row seat to the never-ending parade of shady characters knocking on your digital door. You won’t stop them all — but at least you’ll see them coming.

Final Thoughts: Ignorance Is Not Security

If there’s one key takeaway from this project, it’s this: Security through obscurity is a myth.

It doesn’t matter if your system is small, remote, or seemingly uninteresting. Automated scanners don't discriminate — they sweep entire IP ranges, probing anything that responds. Whether it's a Raspberry Pi in a garden shed or a corporate server farm, if it’s connected to the internet, it will be found.

That’s not paranoia. That’s reality.

Running Cowrie was like flipping on a light in a dark room. Suddenly, I could see the constant probing, the brute-force attempts, the malware drops. What had seemed quiet was actually under persistent siege — just silently.

Tools like Cowrie don’t prevent attacks. They expose them. And in doing so, they offer something far more powerful than a false sense of safety: insight.

They remind us that the internet isn’t a peaceful cul-de-sac. It’s more like a 24/7 global bazaar — crowded, noisy, and occasionally dangerous. And while you can’t stop people from rattling your digital doorknob, you can install a peephole, take notes, and prepare.

Want to try it yourself? Visit Cowrie on GitHub and explore what attackers are really up to — from a safe distance.