HoneyTrap Lab: Deploying a Production-Grade SSH Honeypot to Catch Real Attackers

Category: Threat Intelligence / Blue Team

Tools: Cowrie, Ubuntu 24.04, iptables, Python 3.12, MITRE ATT&CK

GitHub: github.com/anveeksh/honeytrap-lab

Date: March 2026

Why I Built This

I've spent four years on the offensive side of cybersecurity — penetration testing, vulnerability assessments, red team exercises. I know how attackers think because I've had to think like them professionally.

But I realized I had a blind spot: I had never watched an attack unfold from the defender's perspective in real time. I'd read incident reports, analyzed log samples in coursework, and studied threat intelligence frameworks — but I'd never actually deployed a system designed to be attacked and watched what happened.

Honeypots solve exactly that problem. A honeypot is a decoy system deliberately designed to attract attackers. It has no legitimate traffic, no real users, no business purpose — so every single connection it receives is hostile. Zero false positives. Pure signal.

I built HoneyTrap Lab to close that gap in my understanding, generate real attacker data I could analyze, and produce a threat intelligence report I could be proud of.

What is Cowrie?

Cowrie is a medium-interaction SSH and Telnet honeypot used by security researchers worldwide. When an attacker connects, they are dropped into a convincing fake Linux shell — they can run commands, browse a simulated filesystem, and attempt to download malware — while Cowrie silently logs everything: credentials used, every command typed, SSH client fingerprints, and any files they attempt to retrieve.

All of this is written to structured JSON telemetry, making it trivially easy to ingest into a SIEM or analyze programmatically.

Architecture

Internet / Local Network
        │
        ▼
   Port 22 (visible to attackers)
        │
   iptables NAT PREROUTING
        │
        ▼
   Port 2222 — Cowrie Honeypot
        │
   ┌────┴──────────────────────┐
   │  Fake SSH Shell (Cowrie)  │
   │  Credential Logger        │
   │  TTY Session Recorder     │
   │  JSON Telemetry Engine    │
   └───────────────────────────┘
        │
        ▼
   var/log/cowrie/
   ├── cowrie.log    (human-readable)
   └── cowrie.json   (structured telemetry)

The key design decision is the iptables NAT rule that silently redirects all traffic arriving on port 22 (the standard SSH port attackers scan for) to port 2222 where Cowrie is listening. From the attacker's perspective, they are connecting to a normal SSH server. In reality, they are walking into a trap.

Deployment: Step by Step

Environment

• Ubuntu 24.04 LTS (ARM64)

• Python 3.12.3

• Cowrie v2.9.13

  
  

1. System Preparation

Created a dedicated unprivileged user for Cowrie as a security best practice — isolating the honeypot process from the rest of the system:

bash

sudo adduser --disabled-password --gecos "" cowrie
sudo apt install -y python3.12-venv git libssl-dev libffi-dev build-essential

2. Cowrie Installation

bash

sudo su - cowrie
git clone https://github.com/cowrie/cowrie
cd cowrie
python3 -m venv cowrie-env
source cowrie-env/bin/activate
pip install -r requirements.txt
pip install -e .
cp etc/cowrie.cfg.dist etc/cowrie.cfg

3. SSH Key Generation

bash

ssh-keygen -t rsa -b 2048 -f var/lib/cowrie/ssh_host_rsa_key -N ""
ssh-keygen -t dsa -b 1024 -f var/lib/cowrie/ssh_host_dsa_key -N ""

4. Launch

bash

twistd --umask=0022 --pidfile=var/run/cowrie.pid \
       --logfile=var/log/cowrie/cowrie.log cowrie

5. Port Redirection

bash

sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
sudo iptables -t nat -A OUTPUT -p tcp --dport 22 -o lo -j REDIRECT --to-port 2222
sudo apt install iptables-persistent -y && sudo netfilter-persistent save

What the Honeypot Captured

Within minutes of deployment, the honeypot recorded its first session. Here is the complete attack timeline:

A full TTY recording of the session was captured and is replayable using Cowrie's playlog utility — every keystroke, every output, exactly as the attacker saw it.

MITRE ATT&CK Analysis

Mapping the observed behavior to the MITRE ATT&CK framework reveals a textbook post-exploitation pattern consistent with automated botnet deployment:

The double wget attempt is particularly telling — automated scripts often retry downloads when no response is received, which is consistent with Mirai-variant botnet droppers that attempt to pull and execute a shell script for cryptocurrency mining or DDoS infrastructure enrollment.

Key Technical Findings

HASSH Fingerprinting: The attacker's SSH client was fingerprinted as aae6b9604f6f3356543709a376d7f657. HASSH is a network fingerprinting technique developed by Salesforce that hashes the SSH handshake parameters to produce a unique identifier for a given SSH client implementation. This fingerprint can be cross-referenced across multiple sessions and threat intel platforms to identify whether the same tooling has been used in attacks elsewhere.

Credential Intelligence: The use of root/password123 is consistent with the credential dictionaries used by Mirai and its derivatives, which scan the internet for SSH services and attempt thousands of default and weak credential pairs per minute.

Fake Filesystem: Cowrie presented a convincing fake Linux environment to the attacker — including a realistic /etc/passwd with fictional users, a home directory containing a fake user named phil, and simulated command outputs. The attacker had no indication they were inside a honeypot.

Defensive Recommendations

Based on the observed attack pattern, the following hardening measures would have prevented this intrusion on a real system:

1. Disable root SSH login — PermitRootLogin no in /etc/ssh/sshd_config

2. Enforce SSH key authentication — disable password auth entirely

3. Deploy fail2ban — auto-ban IPs after repeated failed attempts

4. Relocate SSH to non-standard port — reduces automated scanner noise significantly

5. Monitor HASSH fingerprints — enables attacker attribution across sessions

6. Integrate with threat intel feeds — cross-reference IPs against AbuseIPDB and Shodan in real time

What I Took Away From This

Building and running a honeypot is a fundamentally different experience from any other security exercise. There are no simulated scenarios, no lab instructions, no known answers. The attacker doesn't know you're watching, and you don't know what they'll do next.

What struck me most was how methodical and fast the reconnaissance phase was. Within 20 seconds of gaining access, the attacker had checked their privilege level, enumerated all local users, mapped the home directories, and fingerprinted the OS — all before attempting any payload delivery. This is not improvised behavior. It is a practiced, automated sequence optimized for speed.

That insight — watching the pattern rather than just reading about it — is what honeypots give you that no textbook can.

Project Repository

All logs, configuration files, and the full threat intelligence report are available on GitHub:

github.com/anveeksh/honeytrap-lab

Anveeksh Mahesh Rao is an MS Cybersecurity student at Northeastern University's Khoury College of Computer Sciences and co-founder of Cyber Tech Associates. He specializes in penetration testing, threat intelligence, and security automation.