feat(ssh-honeypot): implement Cowrie SSH honeypot deployment pipeline

[hariram4862]

Implement Cowrie SSH Honeypot Deployment Pipeline

Overview

This PR introduces the first functional honeypot deployment workflow for the Honeynet project and addresses Issue #4.

The implementation establishes an automated pipeline capable of provisioning cloud infrastructure and configuring an operational Cowrie SSH honeypot instance.

This work serves as the initial building block for the distributed Honeynet deployment framework described in the project objectives.

The deployment pipeline integrates:

• Terraform for infrastructure provisioning
• Ansible for automated configuration
• Cowrie for SSH honeypot emulation

The goal is to enable reproducible deployment of honeypot nodes in cloud environments.

---

Scope of This PR

This pull request introduces the initial automated deployment pipeline for a Cowrie SSH honeypot.

The implementation includes:

• Terraform infrastructure configuration for AWS EC2
• Ansible automation for honeypot installation
• Cowrie SSH honeypot deployment
• Automated deployment script to orchestrate the pipeline
• Repository structure for infrastructure and configuration management

Currently, the honeypot is configured to run on port 2222, which is exposed through the EC2 security group for attacker interaction.

The default SSH service on port 22 remains reserved for administrative access, and port redirection or multi-port honeypot deployment will be introduced in future improvements.

This PR establishes the first deployable honeypot node in the Honeynet project.

---

Alignment with Honeynet Project Objectives

This contribution directly supports the core objectives of the Honeynet project:

Automated Deployment

Infrastructure provisioning and configuration are fully automated using Terraform and Ansible.

Distributed Architecture Foundation

The deployment workflow is modular and designed to support future multi-region honeypot deployments.

Data Collection

Cowrie captures attacker interaction data including:

• commands executed
• login attempts
• credential usage
• session activity

Scalability

Terraform configuration allows future expansion to deploy multiple honeypot nodes across geographic regions.

---

System Architecture

The honeypot deployment pipeline integrates infrastructure provisioning with configuration management.

            +-------------------------+
            |        Developer        |
            |  deploy_honeypots.sh   |
            +-----------+-------------+
                        |
                        v
            +-----------+-------------+
            |        Terraform        |
            | Infrastructure Provision|
            +-----------+-------------+
                        |
                        v
            +-----------+-------------+
            |      Cloud Instance     |
            |       AWS EC2 Node      |
            +-----------+-------------+
                        |
                        v
            +-----------+-------------+
            |          Ansible        |
            | Configuration Automation|
            +-----------+-------------+
                        |
                        v
            +-----------+-------------+
            |     Cowrie Honeypot     |
            |   SSH Interaction Layer |
            +-----------+-------------+
                        |
                        v
            +-------------------------+
            |      Attack Logging     |
            | Commands & Credentials  |
            +-------------------------+

---

Network Interaction Model

The deployed instance emulates an SSH service using Cowrie.

                 Attacker
                   |
                   v
             Port 2222 SSH
                   |
                   v
                Cloud VM
                   |
                   v
           Cowrie SSH Honeypot
                   |
                   v
               Attack Logs

Cowrie captures attacker behavior and stores logs locally.

Example logs include:

• login attempts
• executed commands
• uploaded files
• interaction sessions

---

Repository Structure

The repository is organized to separate infrastructure provisioning, configuration automation, and documentation.

honeynet/
│
├── terraform/
│ ├── main.tf
│ ├── provider.tf
│ ├── variables.tf
│ └── terraform.tfvars
│
├── ansible/
│ ├── inventory.ini
│ └── playbooks/
│    └── install_honeypot.yml
│
├── scripts/
│ └── deploy_honeypots.sh
│
├── docs/
│ └── architecture.md
│
│── .gitignore
│
│── LICENSE
│
└── README.md

---

Deployment Methodology

The honeypot deployment process consists of three stages.

---

Stage 1 — Infrastructure Provisioning

Terraform provisions the cloud environment.

Resources created:

• AWS EC2 instance
• security group
• SSH key pair

Terraform configuration files:
terraform/main.tf
terraform/provider.tf
terraform/variables.tf
terraform/terraform.tfvars

Terraform initializes the infrastructure and provisions the honeypot host.

---

Stage 2 — Configuration Automation

After infrastructure provisioning, Ansible configures the honeypot node.

The playbook performs the following tasks:

1. Install system dependencies
2. Clone the Cowrie repository
3. Create a Python virtual environment
4. Install Cowrie dependencies
5. Configure Cowrie
6. Start the honeypot service

Ansible files:
ansible/inventory.ini
ansible/playbooks/install_honeypot.yml

---

Stage 3 — Honeypot Initialization

Once deployed, Cowrie runs as an SSH honeypot service.

Cowrie emulates a vulnerable SSH server and records attacker activity.

Captured information includes:

• attacker IP address
• login attempts
• executed commands
• file downloads/uploads
• session activity

This data provides insight into attacker behavior.

---

Deployment Workflow

The honeypot deployment is orchestrated using the deployment script:

scripts/deploy_honeypots.sh

This script is executed from the developer's local machine and automates the full infrastructure provisioning and configuration workflow.

---

Deployment Pipeline

                 +----------------------+
                 |  deploy_honeypots   |
                 |       script        |
                 +----------+----------+
                            |
                            v
                 +----------+----------+
                 |      Terraform      |
                 |  Infrastructure IaC |
                 +----------+----------+
                            |
                            v
                 +----------+----------+
                 |     EC2 Instance    |
                 |    Ubuntu Server    |
                 +----------+----------+
                            |
                            v
                 +----------+----------+
                 |       Ansible       |
                 |  Configuration Mgmt |
                 +----------+----------+
                            |
                            v
                 +----------+----------+
                 |      Cowrie SSH     |
                 |       Honeypot      |
                 +----------------------+

---

Environment

Development and testing environment used for this implementation:

Component	Version
Operating System	Windows 11
WSL	Ubuntu
Terraform	v1.x
Ansible	v2.x
Python	3.x
Cloud Provider	AWS
EC2 Image	Ubuntu 22.04

---

Prerequisites

Before running the deployment, ensure the following tools are installed on the local development machine:

• Terraform
• Ansible
• AWS CLI
• SSH
• Git

---

AWS Configuration

Terraform uses AWS credentials configured locally.

Configure AWS CLI:

aws configure

Provide the following details:

AWS Access Key ID
AWS Secret Access Key
Default region name (example: us-east-1)
Default output format (json)

Terraform will automatically use these credentials during infrastructure provisioning.

---

Deployment Script (Local Machine)

From the root directory of the repository, run the deployment script.

Linux / macOS

chmod +x scripts/deploy_honeypots.sh
./scripts/deploy_honeypots.sh

Windows (WSL or Git Bash)

bash scripts/deploy_honeypots.sh

This script performs the following operations:

1. Initializes Terraform
2. Provisions AWS infrastructure
3. Creates EC2 instance
4. Creates security groups
5. Configures SSH access
6. Retrieves the instance public IP
7. Updates the Ansible inventory
8. Executes the Ansible playbook
9. Installs Cowrie honeypot
10. Starts the honeypot service

After completion, the EC2 instance will contain a fully configured Cowrie honeypot.

---

Verification

Once deployment is complete, the honeypot functionality can be verified using the following steps.

---

Step 1 — Test SSH Interaction (Local Machine)

Attempt to connect to the honeypot from your local machine:

ssh root@<instance-ip> -p 2222

The Cowrie honeypot presents a simulated SSH server environment designed to mimic a vulnerable system.

When prompted for credentials, you may enter any password.
Cowrie records the authentication attempt and simulates a shell session in order to capture attacker behavior.

All login attempts, commands, and session interactions are logged for analysis.

---

Step 2 — Verify Honeypot Service and Logs (EC2 Instance)

Connect to the EC2 instance:

ssh -i ~/.ssh/<key_pair_name> ubuntu@<instance-ip>  

Check Cowrie service status

sudo systemctl status cowrie

Verify Cowrie is listening on port 2222

ss -tulnp | grep 2222

Monitor Cowrie logs

tail -f ~/cowrie/var/log/cowrie/cowrie.log

These logs will display captured attacker interactions including:

• login attempts
• password guessing activity
• executed commands
• interactive sessions

---

Example Honeypot Activity

Typical captured events include:

• unauthorized SSH login attempts
• brute-force password attempts
• command execution by attackers
• simulated filesystem interaction

This confirms that the Cowrie honeypot is functioning correctly and capturing attacker behavior.

---

Resource Cleanup

To avoid leaving cloud resources running after testing, destroy the infrastructure using Terraform.

Navigate to the Terraform directory:

cd terraform

Then run:

terraform destroy -auto-approve

This will remove the EC2 instance and all associated infrastructure created during deployment.

---

Future Improvements

The current implementation establishes the first operational honeypot node and automated deployment pipeline.

Future enhancements will extend this work to support the broader Honeynet project objectives:

• SSH Port Redirection: Redirect port 22 traffic to the Cowrie honeypot to capture real-world SSH attacks.
• Distributed Deployment: Deploy honeypot nodes across multiple geographic regions using Terraform.
• Centralized Logging: Aggregate logs from multiple honeypots for analysis.
• Attack Visualization: Build dashboards to analyze attacker activity and patterns.
• Threat Intelligence Integration: Correlate captured data with external threat intelligence sources.

These improvements will move the system toward a scalable, distributed honeynet platform.

---

Summary

This PR introduces the first operational deployment pipeline for the Honeynet project, enabling automated provisioning and configuration of a Cowrie SSH honeypot node.

The implementation demonstrates how infrastructure provisioning and configuration management can be combined to build a scalable honeynet deployment framework.

This work establishes the foundation required to expand the system into a distributed honeynet architecture.

Closes #4