Cs

Cowrie SSH/Telnet Honeypot on Ubuntu 24.04

Azure Security

Cowrie, the open source SSH and Telnet honeypot, lures attackers into a fully emulated shell and records every login, command and download they attempt.

Base
Hardened build
minimal ports, security patches applied at build time
Access
Unique credentials
generated on first boot, readable only by root
Verified
Boots working
services pass a health gate before release
Support
24/7, 365 days
by email and live chat, 24 hour response SLA

Overview

Cowrie is a widely deployed open source SSH and Telnet honeypot. It presents an emulated, intentionally inviting shell to attackers, then records everything they do: the usernames and passwords they try, every command they run, and every file they attempt to fetch, writing it all to a structured event log and a full session replay. Because the environment is a sandbox with no access to the real system, it delivers rich, safe visibility into who is probing your infrastructure and how, for threat intelligence, attacker technique research and early breach detection.

It suits security teams, researchers and operators who want to study real world attack traffic on infrastructure they run and own inside their own cloud account rather than relying on a hosted service.

Why the cloudimg image

cloudimg delivers Cowrie fully installed and running as a managed systemd service under an unprivileged, dedicated user, never as root. Security is designed in and the two planes are kept cleanly separate: the emulated honeypot listens on dedicated high ports while the operating system's own SSH stays key only for real administration, with no image baked password and no shared bootstrap credential. On each instance's first boot the appliance generates fresh, unique honeypot host keys, so no two deployments share a fingerprint and the image gives nothing away about its origin. Every attacker session is written to a structured JSON event log and a full replay capture, ready to forward to your log pipeline, and every deployment carries a paired deployment guide and 24/7 support.

Common uses

  • Capture real world SSH and Telnet attack traffic for threat intelligence
  • Study attacker credentials, commands and malware in a safe sandbox
  • Run a self hosted honeypot inside your own cloud account for early breach detection