How to send Cowrie output to kippo-graph

Kippo-Graph Prerequisites

  • Working Cowrie installation

  • LAMP stack (Linux, Apache, MySQL, PHP)

Kippo-Graph Installation

This covers a simple installation, with kippo-graph and Cowrie on the same server. Please see here for installation: https://github.com/ikoniaris/kippo-graph

MySQL configuration for Kippo-Graph

Configuring Cowrie requires setting up the SQL tables and then telling Cowrie to use them.

To install the tables and create the Cowrie user account enter the following commands:

$ mysql -u root -p
CREATE DATABASE cowrie;
GRANT ALL ON cowrie.* TO 'cowrie'@'localhost' IDENTIFIED BY 'PASSWORD HERE';
FLUSH PRIVILEGES;
exit

Next create the database schema:

$ cd /opt/cowrie/
$ mysql -u cowrie -p
USE cowrie;
source ./docs/sql/mysql.sql;
exit

disable MySQL strict mode:

$ vi /etc/mysql/conf.d/disable_strict_mode.cnf

[mysqld]
sql_mode=IGNORE_SPACE,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION

Cowrie Configuration for Kippo-Graph

Edit cowrie.cfg:

$ vi etc/cowrie.cfg

Activate output to mysql:

[output_mysql]
host = localhost
database = cowrie
username = cowrie
password = PASSWORD HERE
port = 3306
debug = false

Set read access to tty-files for group www-data (group maybe differ on other distributions):

$ sudo apt-get install acl
$ sudo setfacl -Rm g:www-data:rx /opt/cowrie/var/lib/cowrie/tty/

Kippo-Graph Configuration

Edit config file:

$ vi /var/www/html/kippo-graph/config.php

Change db settings:

define('DB_HOST', 'localhost');
define('DB_USER', 'cowrie');
define('DB_PASS', 'PASSWORD HERE');
define('DB_NAME', 'cowrie');
define('DB_PORT', '3306');

Apache2 configuration (optional)

To secure the installation

Create password database:

$ cd /etc/apache2/
$ htpasswd -c /etc/apache2/cowrie.passwd <username>
$ htpasswd /etc/apache2/cowrie.passwd <username> (second user)


$ vi /etc/apache2/sites-enabled/000-default.conf

Between the <VirtualHost> </VirtualHost> tags, add:

<Location />
    AuthBasicAuthoritative On
    AllowOverride AuthConfig

    AuthType Basic
    AuthName "cowrie honeypot"
    AuthUserFile /etc/apache2/cowrie.passwd
    Require valid-user
</Location>