
Cowrie Honeypot

A deception environment that lures attackers and logs everything they do.

Build · 2025 · Cowrie / ELK

overview

A high-interaction honeypot built on Cowrie — a system deliberately set up to look like an easy, vulnerable target. It exposes fake SSH and Telnet services, and when an attacker takes the bait, every login attempt, command, and file interaction is recorded for analysis.

I hardened the real administration channel onto a non-standard port, stood Cowrie up in an isolated environment, and piped its logs into the ELK stack so attacker behaviour could be explored visually rather than grepped out of raw log files.

what it does
  • SSH & Telnet simulation

    Mimics real services to capture brute-force login attempts.

  • Full command logging

    Every command an attacker runs is recorded for later analysis.

  • Filesystem interaction

    Attackers can browse, download, and attempt exploits in a sandbox.

  • Real-time monitoring

    Sessions stream to the logs live as they happen.

  • ELK visualization

    Cowrie logs are ingested into Elasticsearch and explored in Kibana dashboards.

  • Isolated by design

    Runs off the production network so the bait can never become a foothold.
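
The per-session view the logging and monitoring features above make possible, as an added example that is not part of the original project. It assumes Cowrie's JSON log output (one event object per line with `eventid`, `session`, `src_ip`, `username`, `password` and `input` fields); the function names and the sample lines are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample shaped like Cowrie's JSON log; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "session": "a1", "src_ip": "203.0.113.7"}
{"eventid": "cowrie.login.failed", "session": "a1", "src_ip": "203.0.113.7", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.success", "session": "a1", "src_ip": "203.0.113.7", "username": "root", "password": "admin"}
{"eventid": "cowrie.command.input", "session": "a1", "src_ip": "203.0.113.7", "input": "uname -a"}
{"eventid": "cowrie.command.input", "session": "a1", "src_ip": "203.0.113.7", "input": "cat /proc/cpuinfo"}
{"eventid": "cowrie.session.connect", "session": "b2", "src_ip": "203.0.113.9"}
{"eventid": "cowrie.login.failed", "session": "b2", "src_ip": "203.0.113.9", "username": "admin", "password": "admin"}
{"eventid": "cowrie.login.failed", "session": "b2", "src_ip": "203.0.113.9", "username": "root", "password": "123456"}
{"eventid": "cowrie.command.input", "sess
"""

def summarise(lines):
    """Return (per-session summary, credential pair counts, unparseable line count)."""
    sessions, creds, skipped = {}, Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            sid = ev["session"]
        except (json.JSONDecodeError, KeyError, TypeError):
            skipped += 1  # truncated or non-event line: count it, do not crash
            continue
        s = sessions.setdefault(
            sid, {"src_ip": ev.get("src_ip"), "failed": 0, "logged_in": False, "commands": []})
        kind = ev.get("eventid")
        if kind in ("cowrie.login.failed", "cowrie.login.success"):
            creds[(ev.get("username"), ev.get("password"))] += 1
            if kind == "cowrie.login.success":
                s["logged_in"] = True
            else:
                s["failed"] += 1
        elif kind == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
    return sessions, creds, skipped

def interactive_sessions(sessions):
    """Sessions that got past the fake login and typed commands (not just brute force)."""
    return sorted(sid for sid, s in sessions.items() if s["logged_in"] and s["commands"])

if __name__ == "__main__":
    sessions, creds, skipped = summarise(SAMPLE_LOG.splitlines())
    print("interactive:", interactive_sessions(sessions))
    print("top credentials:", creds.most_common(3), "| skipped lines:", skipped)
```

Separating brute-force-only sessions from interactive ones is the same split a Kibana dashboard would draw from the `eventid` field; counting skipped lines keeps a log cut off mid-write from silently dropping data.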

in action
An attacker session captured in real time.
Attack trends visualised in a Kibana dashboard.
details
Built with: Cowrie · Python · Linux
Integrates: Elasticsearch · Logstash · Kibana
Platforms: Debian / Ubuntu Linux

Built for research and education. A honeypot should never be exposed on a production network.