@n0xa
Last active November 21, 2025 03:33
Deploying cowrie and dionaea honeypots to feed the cyber attack map

Cyber Attack map

If you want to run a Cowrie SSH/Telnet honeypot on your own system, this makes it fairly easy to set up. Attacks against your honeypots should show up on the map dashboard if you have it set up right.

Tested only on Debian derivatives like Ubuntu, Kali and RasPi OS. Should work on RPi 3, 4 or 5, as well as x86_64.

First install the prereqs:

sudo apt install docker.io docker-compose

Move your real SSH daemon to another port, like 2200 or 2222, by editing /etc/ssh/sshd_config and restarting it with "sudo systemctl restart sshd", so that port 22 is free for Cowrie.

This command should auto deploy Cowrie listening on port 23 (telnet) and port 22 (SSH):
mkdir ~/cowrie; cd ~/cowrie; sudo wget "https://mhn.h-i-r.net/api/script/?text=true&script_id=3" -O deploy.sh && sudo bash deploy.sh https://mhn.h-i-r.net AyBab7u && sudo docker-compose up -d

Deploy Dionaea as well, which emulates a number of frequently targeted services:
mkdir ~/dionaea; cd ~/dionaea; sudo wget "https://mhn.h-i-r.net/api/script/?text=true&script_id=4" -O deploy.sh && sudo bash deploy.sh https://mhn.h-i-r.net AyBab7u && sudo docker-compose up -d

Once running, you should be able to type "sudo docker-compose logs" in either the cowrie or dionaea directory to see that they are running.

If you're running it at home, you will probably need to use your home router's "NAT Forwarding" or "Port Forwarding" feature to expose the ports to the Internet. If you're deploying to AWS or GCP, you'll need to open the correct ports to the internet, and also allow the real SSH port from your home IP address at a minimum.

Cowrie ports: 22, 23
Dionaea ports: 21, 42, 135, 445, 1433, 1723, 1883, 3306, 5060, 11211, 27017

If you want to watch all of the honeypot attack details, usernames, passwords and commands in real time, you can use my Go HPFeeds client found in my project https://github.com/n0xa/golang-stuff -- the example command in the README.md will show you the running honeypot logs in real time.

Consider adding these iptables rules to your Raspberry Pi or VM on your LAN to help insulate your network segment from dipshits abusing your honeypot. It is not perfect and there are risks, but this will keep most of them at bay.

## Drop (Ignore) all outbound traffic by policy
iptables -P OUTPUT DROP

## Allow outbound traffic to any destination 
## if it's related to an inbound connection
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

## Allow outbound to the HoneyNet server
iptables -A OUTPUT -d 168.235.104.227 -j ACCEPT

## Explicitly Block all outbound traffic to RFC1918 NAT networks
iptables -A OUTPUT -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -d 10.0.0.0/8 -j REJECT

## Allow outbound ICMP/Ping and DNS
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

## HTTP rate limit outbound (this WILL make your apt updates insanely slow, disable these rules before updating)
iptables -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 1/min -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 1/min -j ACCEPT
iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 1/min -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j DROP
iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j DROP
iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW -j DROP
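Before exposing the box, it is worth confirming that the chain above gives the verdicts you expect in the order iptables evaluates it. The Python simulator below is an added example, not part of the gist: it parses the gist's own OUTPUT rules (embedded verbatim) and walks them first-match-wins the way the kernel does. `parse_rules` and `verdict` are names chosen here, and `-m limit` is modelled only as the default burst of 5 tokens with no refill, i.e. the first minute of traffic.

```python
import ipaddress
import shlex
# The gist's OUTPUT chain, copied verbatim as the constructed input for the simulator.
RULES = """
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d 168.235.104.227 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 1/min -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 1/min -j ACCEPT
iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 1/min -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j DROP
iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j DROP
iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW -j DROP
"""

def parse_rules(text):  # -> (chain policy, ordered list of rule dicts)
    policy, rules = "ACCEPT", []
    for t in map(shlex.split, text.strip().splitlines()):
        o = dict(zip(t, t[1:]))  # option -> following token; sufficient for this flag set
        if t[1] == "-P":
            policy = t[3]
            continue
        states = o.get("--state") or o.get("--ctstate")
        rules.append({
            "dst": ipaddress.ip_network(o["-d"], strict=False) if "-d" in o else None,
            "proto": o.get("-p"),
            "dport": int(o["--dport"]) if "--dport" in o else None,
            "states": set(states.split(",")) if states else None,
            # -m limit is modelled as the default --limit-burst of 5 tokens with no refill
            "burst": 5 if "--limit" in o else None,
            "target": o["-j"]})
    return policy, rules

def verdict(chain, dst, proto=None, dport=None, state="NEW"):
    """Walk the chain in order like the kernel: first matching rule decides, else policy."""
    policy, rules = chain
    for r in rules:
        hit = ((not r["dst"] or ipaddress.ip_address(dst) in r["dst"]) and r["proto"] in (None, proto)
               and r["dport"] in (None, dport) and (not r["states"] or state in r["states"]))
        if not hit or r["burst"] == 0:  # no match, or this rule's limit bucket is drained
            continue
        if r["burst"]:
            r["burst"] -= 1
        return r["target"]
    return policy
```

One thing it surfaces: once port 80 (or 443) has spent its own burst of five new connections, the catch-all tcp limit rule hands it a second bucket of five before the DROP rules take over.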