A cloud-deployed, medium-interaction SSH/Telnet honeypot that attracts, detects, logs, and blocks real-world cyberattacks in real time.
Deployed on Microsoft Azure with automated intrusion prevention via Fail2ban, capturing attacker IPs, credentials, and commands for threat intelligence analysis.
Deploy a functional honeypot system that can:
| Capability | Description |
|---|---|
| Deploy | Run on a cloud VM accessible from the public internet |
| Attract | Emulate SSH/Telnet services to lure automated attacks and manual intrusions |
| Log | Capture source IPs, credentials attempted, and commands executed per session |
| Analyze | Identify trends, repeated patterns, and common attack vectors from log data |
| Block | Automatically ban persistent attackers via an Intrusion Prevention System (IPS) |
| Visualize | Map attacker geolocations using IP intelligence services |
```text
┌──────────────────┐
│     INTERNET     │
│   (Attackers)    │
└────────┬─────────┘
         │
┌────────▼─────────┐
│    Azure NSG     │
│  Firewall Rules  │
│  Port 2222/2223  │
└────────┬─────────┘
         │
┌────────▼────────────────────────┐
│        Azure VM (B1s)           │
│       Ubuntu 22.04 LTS          │
│                                 │
│  ┌──────────────────────┐       │
│  │   Cowrie Honeypot    │       │
│  │  SSH    → Port 2222  │       │
│  │  Telnet → Port 2223  │       │
│  │                      │       │
│  │  cowrie.log ─────────┼──┐    │
│  └──────────────────────┘  │    │
│                            │    │
│  ┌──────────────────────┐  │    │
│  │      Fail2ban        │◄─┘    │
│  │     IPS Engine       │       │
│  │  3 strikes → 1hr ban │       │
│  └──────────────────────┘       │
│                                 │
│  Port 22 → Admin SSH            │
│  (RSA key auth only)            │
└─────────────────────────────────┘
```
| Component | Technology | Version | Purpose |
|---|---|---|---|
| Cloud Platform | Microsoft Azure | n/a | VM hosting, public IP, Network Security Groups |
| Operating System | Ubuntu Server | 22.04 LTS | Stable, secure Linux distribution |
| Honeypot | Cowrie | Latest | Medium-interaction SSH/Telnet honeypot |
| IPS | Fail2ban | Latest | Log monitoring, automatic IP banning |
| Auth | RSA Key Pair | n/a | Secure admin access (password auth disabled) |
| Isolation | Python venv | n/a | Dependency isolation for Cowrie |
| Visualization | IP Geolocation | n/a | Attack origin mapping via ipinfo.io |
- Created Ubuntu 22.04 LTS VM (B1s size) on Microsoft Azure
- Configured secure admin access via RSA private key (password authentication disabled)
- Assigned public IP for internet-facing honeypot services
| Port | Protocol | Service | Purpose |
|---|---|---|---|
| 22/TCP | SSH | Admin Access | Secure management (RSA key only) |
| 2222/TCP | SSH | Cowrie Honeypot | SSH trap for attackers |
| 2223/TCP | Telnet | Cowrie Honeypot | Telnet trap for attackers |
```bash
# Create dedicated low-privilege user (principle of least privilege)
sudo adduser --disabled-password cowrie
# Work as the cowrie user so the checkout and the virtualenv are owned by it
sudo su - cowrie
# Clone and configure Cowrie
git clone https://github.com/cowrie/cowrie.git /home/cowrie/cowrie
cd /home/cowrie/cowrie
# Isolate dependencies in a virtual environment
python3 -m venv cowrie-env
source cowrie-env/bin/activate
pip install --upgrade pip
pip install -r requirements.txt
# Telnet is disabled in Cowrie's default config; enable it in the local override file
printf '[telnet]\nenabled = true\n' >> etc/cowrie.cfg
# Launch honeypot on ports 2222 (SSH) and 2223 (Telnet), Cowrie's default listen ports
bin/cowrie start
```

Custom filter, /etc/fail2ban/filter.d/cowrie.conf:

```ini
[Definition]
failregex = ^.*\[HoneyPotSSHTransport,.*,<HOST>\].*login attempt.*failed$
ignoreregex =
```

Custom jail, /etc/fail2ban/jail.local:

```ini
[cowrie]
enabled = true
port = 2222
filter = cowrie
logpath = /home/cowrie/cowrie/var/log/cowrie/cowrie.log
maxretry = 3
bantime = 3600
```

Policy: after 3 failed login attempts, the IP is banned for 1 hour via iptables.
The honeypot captured hundreds of automated attack attempts within hours of deployment. Analysis commands for the cowrie.log file:
```bash
# Top 10 attacker IPs: the address is the last comma-separated field of the bracketed log prefix
grep "login attempt" cowrie.log | sed -n 's/^[^]]*,\([0-9.]*\)\].*/\1/p' | sort | uniq -c | sort -nr | head -n 10
# Top 10 usernames: keep the text between "[b'" and the "/" separator
grep "login attempt" cowrie.log | sed 's/.*\[b//;s/\/.*//' | tr -d "'" | sort | uniq -c | sort -nr | head -n 10
# Top 10 passwords: keep the text between "/b'" and the closing "]"
grep "login attempt" cowrie.log | sed 's/.*\/b//;s/\].*//' | tr -d "'" | sort | uniq -c | sort -nr | head -n 10
```

| Pattern | Details |
|---|---|
| Credential Stuffing | Automated bots attempting root/admin/test with common passwords |
| Default Credentials | Attempts with factory defaults (admin:admin, root:123456) |
| Dictionary Attacks | Systematic wordlist-based password spraying |
| Persistence Attempts | Repeated connections from the same IP ranges |
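As an added example (not part of the project's code), the script below replays sample cowrie.log lines through the jail's policy (maxretry = 3, bantime = 3600, plus Fail2ban's default findtime of 10 minutes, which the jail.local above does not override) and reproduces the three grep pipelines as counters. The log lines are constructed with documentation-range addresses in the `[<transport>,<session>,<ip>]` layout the page's failregex assumes, and the Telnet transport name is an assumption; feeding real lines from your own cowrie.log to these functions is a quick way to confirm the regex matches your Cowrie version's output before relying on the ban.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Python port of the page's Fail2ban failregex; Fail2ban's <HOST> tag becomes a
# named IPv4 capture group.
FAILREGEX = re.compile(
    r"^.*\[HoneyPotSSHTransport,.*,(?P<host>\d{1,3}(?:\.\d{1,3}){3})\]"
    r".*login attempt.*failed$"
)

# Looser pattern for the summaries: any transport name, failed or succeeded.
ATTEMPT = re.compile(
    r"^(?P<ts>\S+) \[(?P<transport>[A-Za-z]+),\w+,(?P<host>[\d.]+)\] "
    r"login attempt \[b'(?P<user>[^']*)'/b'(?P<password>[^']*)'\] "
    r"(?P<result>failed|succeeded)$"
)

# Constructed sample lines (documentation-range IPs, not real captures). The
# Telnet transport name "CowrieTelnetTransport" is an assumption; the point is
# only that it differs from the SSH transport the filter keys on.
SAMPLE_LOG = """\
2024-05-01T10:00:01.000000Z [HoneyPotSSHTransport,1,203.0.113.10] login attempt [b'root'/b'123456'] failed
2024-05-01T10:00:05.000000Z [HoneyPotSSHTransport,2,203.0.113.10] login attempt [b'admin'/b'admin'] failed
2024-05-01T10:00:09.000000Z [HoneyPotSSHTransport,3,203.0.113.10] login attempt [b'root'/b'password'] failed
2024-05-01T10:00:12.000000Z [HoneyPotSSHTransport,4,203.0.113.10] login attempt [b'root'/b'root'] failed
2024-05-01T10:01:00.000000Z [HoneyPotSSHTransport,5,198.51.100.7] login attempt [b'test'/b'1234'] failed
2024-05-01T10:01:30.000000Z [HoneyPotSSHTransport,6,198.51.100.7] login attempt [b'root'/b'123456'] succeeded
2024-05-01T10:02:00.000000Z [CowrieTelnetTransport,7,192.0.2.44] login attempt [b'admin'/b'admin'] failed
2024-05-01T10:02:20.000000Z [CowrieTelnetTransport,8,192.0.2.44] login attempt [b'root'/b'123456'] failed
2024-05-01T10:02:40.000000Z [CowrieTelnetTransport,9,192.0.2.44] login attempt [b'admin'/b'1234'] failed
"""


def parse_attempts(text):
    """Yield one dict per login-attempt line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = ATTEMPT.match(line)
        if m:
            yield m.groupdict()


def top(text, field, n=10):
    """Counter equivalent of the grep | sort | uniq -c | sort -nr | head pipelines."""
    return Counter(a[field] for a in parse_attempts(text)).most_common(n)


def simulate_fail2ban(text, maxretry=3, findtime=600, bantime=3600):
    """Replay the log through the jail's policy and return {ip: ban_time}.

    A ban fires on the maxretry-th failure within findtime seconds. Lines from
    an already-banned IP inside bantime are ignored, which is what iptables
    would enforce on the live host.
    """
    strikes = {}  # ip -> timestamps of recent failures
    bans = {}
    for line in text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # succeeded logins and non-SSH transports never count
        ts = datetime.fromisoformat(line.split(" ", 1)[0].replace("Z", "+00:00"))
        ip = m.group("host")
        if ip in bans and ts < bans[ip] + timedelta(seconds=bantime):
            continue
        window = [t for t in strikes.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        strikes[ip] = window
        if len(window) >= maxretry:
            bans[ip] = ts
            strikes[ip] = []
    return bans


if __name__ == "__main__":
    for field in ("host", "user", "password"):
        print(f"top {field}s:", top(SAMPLE_LOG, field, 5))
    for ip, when in simulate_fail2ban(SAMPLE_LOG).items():
        print(f"ban {ip} at {when.isoformat()} (3 failures within findtime)")
```

Because the filter keys on `HoneyPotSSHTransport`, Telnet failures on port 2223 are never counted: the sample's three Telnet failures from 192.0.2.44 produce no ban, while 203.0.113.10 is banned on its third SSH failure and its fourth attempt is dropped. Covering Telnet needs a second failregex line for the Telnet transport name and 2223 added to the jail's port list.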
Attack origin mapping workflow:
- Extract unique attacker IPs from Cowrie logs
- Geolocate via ipinfo.io API โ latitude/longitude coordinates
- Plot on a world map using Google My Maps or Tableau Public
```bash
# Extract unique attacker IPs for geolocation (the IP is the last field of the bracketed log prefix)
grep "login attempt" cowrie.log | sed -n 's/^[^]]*,\([0-9.]*\)\].*/\1/p' | sort -u > attacker_ips.txt
# Geolocate via API, writing one JSON object per line
while read -r ip; do
  curl -s "https://ipinfo.io/$ip/json"
  echo
done < attacker_ips.txt > geo_data.json
```

| Metric | Observation |
|---|---|
| Attack Speed | Automated scans detected within minutes of deployment |
| Top Usernames | root, admin, test, user, ubuntu |
| Top Passwords | 123456, admin, password, root, 1234 |
| Attack Origins | China, Russia, Vietnam, India, Brazil (typical botnet sources) |
| Fail2ban Blocks | Effectively reduced repeated attacks from persistent IPs |
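The collection loop above writes one raw ipinfo.io response after another, so what lands in geo_data.json is a stream of JSON objects rather than a single JSON document. This added example (not part of the project) parses that stream whether or not the objects are newline-separated, drops responses without coordinates, and produces the lat/lon CSV that Google My Maps or Tableau Public import. The sample responses are constructed with documentation-range addresses; the field names (ip, loc, city, region, country, org) follow ipinfo.io's JSON response, and the `bogon` entry for a private address is an assumption about how ipinfo.io marks reserved ranges.

```python
import csv
import io
import json

# Constructed ipinfo.io-style responses (documentation-range IPs, invented
# locations). The third object mimics the lookup of a private address, which
# carries no "loc" field.
SAMPLE_GEO = """\
{"ip": "203.0.113.10", "city": "Example City", "region": "Example Region", "country": "XX", "loc": "12.3456,-65.4321", "org": "AS64496 Example Hosting"}
{"ip": "198.51.100.7", "city": "Sample Town", "country": "YY", "loc": "-33.8688,151.2093"}
{"ip": "10.0.0.5", "bogon": true}
"""

FIELDS = ["ip", "lat", "lon", "country", "city", "org"]


def iter_json_objects(text):
    """Yield each top-level JSON object from a concatenated stream.

    raw_decode returns where each object ends, so "}{" with no separator and
    newline-separated objects are handled the same way.
    """
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while pos < end:
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            break
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def geo_rows(text):
    """Turn geolocation responses into map-ready rows with float lat/lon."""
    rows = []
    for obj in iter_json_objects(text):
        loc = obj.get("loc")
        if obj.get("bogon") or not loc:
            continue  # reserved address or lookup without coordinates: nothing to plot
        lat, lon = (float(part) for part in loc.split(","))
        rows.append({
            "ip": obj["ip"],
            "lat": lat,
            "lon": lon,
            "country": obj.get("country", ""),
            "city": obj.get("city", ""),
            "org": obj.get("org", ""),
        })
    return rows


def rows_to_csv(rows):
    """Serialise rows as CSV text with a header, ready for My Maps / Tableau import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(rows_to_csv(geo_rows(SAMPLE_GEO)), end="")
```

Run it against the real file with `geo_rows(open("geo_data.json").read())` and write the CSV next to it; the column order in `FIELDS` puts lat and lon beside the IP, which is what the map tools look for when auto-detecting coordinates.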
| Enhancement | Description |
|---|---|
| Splunk/Wazuh | Centralized SIEM for real-time log analysis and dashboarding |
| ELK Stack | Elasticsearch + Logstash + Kibana for advanced visualization |
| Threat Intel Feeds | Correlate attacker IPs with known threat intelligence databases |
| High-Interaction | Upgrade to full OS emulation for deeper attacker behavior analysis |
| Automated Reporting | Python scripts for daily attack summary reports |
The full project report is available as a PDF in this repository:
ELEVATE_LABS_FINAL INTERNSHIP _PROJECT.pdf: Complete internship report with detailed analysis
Harsh Gupta (@cazy8) · LinkedIn
If you found this useful, consider giving it a ⭐