Your First Honeypot with Cowrie and Wazuh – A Beginner-Friendly Setup Guide
Thinking of setting up your first honeypot? Whether you're experimenting in a homelab or building something more elaborate, this quick-start guide will walk you through a basic yet powerful setup using Cowrie and Wazuh.
Step 1: Wazuh All-in-One Install (VM Setup)
Before running a honeypot, you need something watching over it. Enter Wazuh, the open-source SIEM. We'll start with a standalone Wazuh Manager.
VM Requirements:
- 2–3 vCPUs
- 8 GB RAM minimum
- 250+ GB storage (logs grow fast!)
- Ubuntu 24.04 LTS (recommended)
Install Wazuh All-in-One:
curl -sO https://packages.wazuh.com/4.12/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
This installs the Wazuh manager, dashboard, and Filebeat, all ready to start ingesting logs!
Step 2: Network Isolation with OPNsense
To keep your honeypot separate from your actual network, place it on a dedicated VLAN using OPNsense. (For more detailed OPNsense configurations, check the DOCS site. If you are NOT using OPNsense, consult your firewall's documentation for the correct steps to create an isolated VLAN.)
Basic VLAN Setup on OPNsense:
- Navigate to Interfaces > Assignments and add a new VLAN (e.g., VLAN 99 for honeypots)
- Set up an interface for it (e.g., OPT2) and enable it
- Assign a static IP range (e.g., 10.99.99.1/24)
- Configure Firewall Rules to allow traffic from VLAN 99 to the Wazuh VM only
- Block all other outbound traffic to make the honeypot as isolated as possible (except where needed)
Now you’ve got a walled garden to safely run your trap!
Don’t forget to allow Wazuh agent traffic!
Add a firewall rule in OPNsense to allow traffic from VLAN 99 (honeypot network) to the Wazuh Manager’s IP on TCP port 1514 (for agent communication) and 1515 (for agent registration).
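To confirm the rules from Step 2 behave as intended, the following added example (not part of the original guide) can be run from any host on VLAN 99. It checks that TCP 1514 and 1515 on the Wazuh Manager are reachable and that other destinations are not. The IP addresses and the list of ports that should be blocked are placeholder assumptions to replace with your own.

```python
import socket

# Placeholder addresses (assumptions, not from the guide): replace with your own.
WAZUH_MANAGER = "192.0.2.10"   # Wazuh manager VM
LAN_HOST = "192.0.2.20"        # any live host on your main LAN
MUST_ALLOW = [(WAZUH_MANAGER, 1514), (WAZUH_MANAGER, 1515)]  # agent comms, registration
MUST_BLOCK = [(WAZUH_MANAGER, 443),  # dashboard: the pass rule should be port-scoped
              (LAN_HOST, 22), (LAN_HOST, 445)]


def probe(host, port, timeout=3.0):
    """Return 'open', 'refused' (something answered with RST) or 'filtered' (no answer)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, no route, unreachable
        return "filtered"
    finally:
        sock.close()


def audit(must_allow, must_block, probe_fn=probe):
    """Compare observed reachability with the intended firewall policy."""
    findings = []
    for host, port in must_allow:
        state = probe_fn(host, port)
        if state != "open":
            findings.append((host, port, state, "required agent port is not reachable"))
    for host, port in must_block:
        state = probe_fn(host, port)
        if state == "open":
            findings.append((host, port, state, "honeypot VLAN can reach this service"))
        elif state == "refused":
            # A drop ("Block") rule gives no answer; an RST means a Reject rule
            # or a packet that passed the firewall and hit a closed port.
            findings.append((host, port, state, "answered with RST; check the rule action"))
    return findings


if __name__ == "__main__":
    for host, port, state, note in audit(MUST_ALLOW, MUST_BLOCK):
        print(f"FINDING {host}:{port} is {state}: {note}")
```

No output means the observed reachability matches the policy; rerun it after every firewall rule change.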
Step 3: Deploy Cowrie Honeypot (2 Options)
Option A: Raspberry Pi - Ideal for low-cost, dedicated honeypot hardware
- Install Raspberry Pi OS Lite
- Follow Cowrie install steps from: https://github.com/cowrie/cowrie
Option B: Virtual Machine
- Install Debian or Ubuntu server minimal ISO
- Follow the same install instructions as above
Either option gives you a solid SSH honeypot that logs brute-force attempts and attacker behavior.
Step 4: Install Wazuh Agent on Cowrie Host
On your Cowrie machine, follow the agent install instructions here: