aplura / Tango

Honeypot Intelligence with Splunk
GNU General Public License v2.0

Cowrie - listen on 22 #25

Closed mackwage closed 8 years ago

mackwage commented 8 years ago

In order to get Cowrie to listen on 22, I had to update the last line of the start.sh file to include "authbind --deep" at the beginning.

brianwarehime commented 8 years ago

What OS are you having issues with?

mackwage commented 8 years ago

Ubuntu 14.04.3 x64

brianwarehime commented 8 years ago

Hmm, not sure what the issue is. I pulled down a fresh copy of Ubuntu 14.04 x64 last night and tested everything to make sure it worked as it should. I didn't modify Cowrie at all, and it installed/started fine and was able to listen on 22, with no modifications. Did you use sensor.sh or uf_only.sh to get these deployed?

mackwage commented 8 years ago

Sensor.sh. It returned permission denied when trying to listen on 22 until I added that tidbit.

Found this post which recommended adding authbind to the cfg. https://sehque.wordpress.com/2015/07/23/how-to-configure-and-deploy-a-cowrie-ssh-honeypot-for-beginners/

brianwarehime commented 8 years ago

Interesting, I was actually talking with @sehque the other day when he was having issues, but, never mentioned this issue. I'm going to refer him to this issue and get his thoughts.

brianwarehime commented 8 years ago

Also, just to confirm, you pulled down the latest version which was updated about a day ago?

mackwage commented 8 years ago

Yes sir. Just installed from here a couple hours ago.

brianwarehime commented 8 years ago

Interesting. Alright, I'll see if @sehque has anything to add to this.

brianwarehime commented 8 years ago

I talked with @sehque and he said "Yeah, that tweak was for Cowrie straight out of the box. Nothing to do with Tango. This change is not needed when using the "Tango version" of Cowrie." and "My tests over the last few days did not include altering this line in that file...worked fine.". Based on this, and my personal testing on Ubuntu 14.04 x64 images, I'm not sure what the issue is, and it might be something on your end?

The only thing I can recommend at this time is to re-download a new copy of Ubuntu 14.04 x64, and follow the instruction steps in the README.md for Tango and see what happens? I'm going to record a video of the install process for future users setting this up, so, maybe I can try to do that this week and we can see if something went wrong on your end. Sorry for the issues!

mackwage commented 8 years ago

No worries. I actually just fired up a fresh Ubuntu 14.04 vps, fully patched it and ran the sensor.sh script. After, same issue. Permission denied when trying to start on port 22.

brianwarehime commented 8 years ago

Oh, wow. So, I misread this the whole time. It took me spinning it all up to figure out what you meant.

So....we aren't listening on 22 like we previously did with the Kippo version of Tango. When I did, we set up authbind to listen on 22. With Cowrie, I was having issues with Authbind, so I switched over to using iptables.

Currently, we set Cowrie to listen on port 2222 and forward any traffic to port 22 to port 2222 where Cowrie is listening. Is there any reason why you need it to listen on 22 and not just use iptables to have it forward from 2222?
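The port 22 to 2222 redirect described in the comment above, as an added example that is not part of the Tango repository or either commenter's own scripts. It prints the iptables NAT rule rather than applying it (so it runs without root), checks a constructed sample of `iptables -t nat -S PREROUTING` output to confirm the redirect is in place, and refuses the layout that caused the confusion in this thread: the honeypot port being the same port the real sshd listens on. The port numbers and the `SAMPLE_NAT` output are assumptions for illustration.

```shell
#!/bin/sh
# Added example: inbound TCP/22 -> Cowrie on 2222 via iptables REDIRECT.
# Not from the Tango repo. HONEYPOT_PORT and ADMIN_SSH_PORT are assumed values;
# the real sshd is assumed to have been moved to ADMIN_SSH_PORT already.

HONEYPOT_PORT=${HONEYPOT_PORT:-2222}
ADMIN_SSH_PORT=${ADMIN_SSH_PORT:-22222}

# Emit the NAT rule that sends traffic arriving on port 22 to the honeypot port.
# Printed, not executed: review the line, then pipe it to sh as root to apply.
redirect_rules() {
    printf 'iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port %s\n' "$1"
}

# Return success when the honeypot port and the admin sshd port collide
# (the situation in this issue: Cowrie and the real sshd both wanting 2222).
ports_conflict() {
    [ "$1" = "$2" ]
}

# Return success when the given `iptables -t nat -S PREROUTING` output already
# contains a 22 -> "$2" redirect. Note that -S prints --to-ports (plural).
has_redirect() {
    printf '%s\n' "$1" | grep -q -- "--dport 22 .*-j REDIRECT --to-ports $2\$"
}

# Constructed sample of `iptables -t nat -S PREROUTING` on a host where the
# redirect is active (not captured from a real system).
SAMPLE_NAT='-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222'

if ports_conflict "$HONEYPOT_PORT" "$ADMIN_SSH_PORT"; then
    echo "refusing: honeypot port $HONEYPOT_PORT is also the admin sshd port" >&2
else
    redirect_rules "$HONEYPOT_PORT"
fi

if has_redirect "$SAMPLE_NAT" "$HONEYPOT_PORT"; then
    echo "sample NAT table already redirects 22 -> $HONEYPOT_PORT"
fi
```

To verify on a live box, replace `SAMPLE_NAT` with the output of `iptables -t nat -S PREROUTING` (run as root); if the check fails after the rule was applied, the usual cause is the rule being lost on reboot because it was never persisted.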

mackwage commented 8 years ago

MY BAD. :)

I didn't review the installation script in as much detail as I should have. I didn't realize you were re-routing the traffic as such. I was using 2222 as my "real" ssh port on the VPS so changed the cowrie.cfg to listen on 22.

It all makes sense now. Thank you sir!

FYI I get an HTTP 500 error when the script tries to download the Splunk UF. I just manually did a wget to grab it. Unless I overlooked something there as well.

brianwarehime commented 8 years ago

Ah, glad we got that issue figured out though. :)

Re: the 500, hmm....not sure what the issue with that is either, I'll spin up the VM again and see what happens, but, when I tested it 30 minutes ago, it seemed like it successfully downloaded. Stand by...

mackwage commented 8 years ago

Update. Looks like it worked on my x64 VPS. It fails on my two x32 ones.

brianwarehime commented 8 years ago

Alrighty, I'll verify the link for the x32 version. Thanks for the update.