├── README.md ├── Dockerfile ├── start-docker.sh ├── LICENSE └── cowrie.cfg /README.md: -------------------------------------------------------------------------------- 1 | # k0st/cowrie 2 | A Docker container for Cowrie - SSH honeypot based on kippo. Minimal image (102.2 MB). 3 | 4 | Image is based on the [gliderlabs/alpine](https://registry.hub.docker.com/u/gliderlabs/alpine/) base image. 5 | 6 | ## Docker usage 7 | 8 | ``` 9 | docker run k0st/cowrie 10 | ``` 11 | 12 | ## Examples 13 | 14 | ``` 15 | docker run --restart=on-failure:10 -p 2222:2222 k0st/cowrie 16 | ``` 17 | 18 | ``` 19 | docker run --restart=always -p 22:2222 k0st/cowrie 20 | ``` 21 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM gliderlabs/alpine 2 | MAINTAINER Vlatko Kosturjak kost@kost.im 3 | 4 | RUN apk --update add git python py-twisted py-zope-interface py-pip && rm -f /var/cache/apk/* 5 | RUN pip install pyasn1 6 | RUN adduser -D -s /bin/sh cowrie cowrie 7 | USER cowrie 8 | RUN git clone https://github.com/micheloosterhof/cowrie.git /home/cowrie/cowrie 9 | COPY cowrie.cfg /home/cowrie/cowrie/ 10 | COPY start-docker.sh /home/cowrie/cowrie/ 11 | USER root 12 | RUN chmod 755 /home/cowrie/cowrie/start-docker.sh 13 | USER cowrie 14 | EXPOSE 2222 15 | ENTRYPOINT ["/home/cowrie/cowrie/start-docker.sh"] 16 | -------------------------------------------------------------------------------- /start-docker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | cd $(dirname $0) 6 | 7 | if [ "$1" != "" ] 8 | then 9 | VENV="$1" 10 | 11 | if [ ! -d "$VENV" ] 12 | then 13 | echo "The specified virtualenv \"$VENV\" was not found!" 14 | exit 1 15 | fi 16 | 17 | if [ ! -f "$VENV/bin/activate" ] 18 | then 19 | echo "The specified virtualenv \"$VENV\" was not found!" 
20 | exit 2 21 | fi 22 | 23 | echo "Activating virtualenv \"$VENV\"" 24 | . $VENV/bin/activate 25 | fi 26 | 27 | echo "Starting cowrie..." 28 | twistd -n -y cowrie.tac -l log/cowrie.log --pidfile cowrie.pid 29 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2015 kost 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | 23 | -------------------------------------------------------------------------------- /cowrie.cfg: -------------------------------------------------------------------------------- 1 | # 2 | # Cowrie configuration file (cowrie.cfg) 3 | # 4 | 5 | [honeypot] 6 | 7 | # Sensor name use to identify this cowrie instance. Used by the database 8 | # logging modules such as mysql. 
9 | # 10 | # If not specified, the logging modules will instead use the IP address of the 11 | # connection as the sensor name. 12 | # 13 | # (default: not specified) 14 | #sensor_name=myhostname 15 | 16 | # IP addresses to listen on for incoming SSH connections. 17 | # 18 | # (default: 0.0.0.0) = any address 19 | #listen_addr = 0.0.0.0 20 | 21 | # Port to listen on for incoming SSH connections. 22 | # 23 | # (default: 2222) 24 | #listen_port = 2222 25 | 26 | # Hostname for the honeypot. Displayed by the shell prompt of the virtual 27 | # environment. 28 | # 29 | # (default: svr04) 30 | hostname = svr02 31 | 32 | # Directory in which to save log files. 33 | # 34 | # (default: log) 35 | log_path = log 36 | 37 | # Directory in which to save downloaded (malware) files. 38 | # 39 | # (default: dl) 40 | download_path = dl 41 | 42 | # Maximum file size (in bytes) for downloaded files to be stored in 'download_path'. 43 | # A value of 0 means no limit. If the file size is known to be too big from the start, 44 | # the file will not be stored on disk at all. 45 | # 46 | # (default: 0) 47 | #download_limit_size = 10485760 48 | 49 | # Directory in which virtual file contents are kept. 50 | # 51 | # This is only used by commands like 'cat' to display the contents of files. 52 | # Adding files here is not enough for them to appear in the honeypot - the 53 | # actual virtual filesystem is kept in filesystem_file (see below) 54 | # 55 | # (default: honeyfs) 56 | contents_path = honeyfs 57 | 58 | # File in the python pickle format containing the virtual filesystem. 59 | # 60 | # This includes the filenames, paths, permissions for the whole filesystem, 61 | # but not the file contents. This is created by the createfs.py utility from 62 | # a real template linux installation. Python unpickling can execute code, so only use a pickle file from a trusted source. 63 | # 64 | # (default: fs.pickle) 65 | filesystem_file = data/fs.pickle 66 | 67 | # Directory for miscellaneous data files, such as the password database.
68 | # 69 | # (default: data_path) 70 | data_path = data 71 | 72 | # Class that implements the checklogin() method. 73 | # 74 | # Class must be defined in cowrie/core/auth.py 75 | # Default is the 'UserDB' class which uses the password database. 76 | # 77 | # Alternatively the 'AuthRandom' class can be used, which will let 78 | # a user log in after a random number of attempts. 79 | # It will also cache username/password combinations that allow login. 80 | # 81 | auth_class = UserDB 82 | # When AuthRandom is used also set the 83 | # auth_class_parameters: <min attempts>, <max attempts>, <cache size> 84 | # for example: 2, 5, 10 = allows access after randint(2,5) attempts 85 | # and caches 10 combinations. 86 | # 87 | #auth_class = AuthRandom 88 | #auth_class_parameters = 2, 5, 10 89 | 90 | # Directory for creating simple commands that only output text. 91 | # 92 | # The command must be placed under this directory with the proper path, such 93 | # as: 94 | # txtcmds/usr/bin/vi 95 | # The contents of the file will be the output of the command when run inside 96 | # the honeypot. 97 | # 98 | # In addition to this, the file must exist in the virtual 99 | # filesystem {filesystem_file} 100 | # 101 | # (default: txtcmds) 102 | txtcmds_path = txtcmds 103 | 104 | # Public and private SSH key files. If these don't exist, they are created 105 | # automatically. 106 | rsa_public_key = data/ssh_host_rsa_key.pub 107 | rsa_private_key = data/ssh_host_rsa_key 108 | dsa_public_key = data/ssh_host_dsa_key.pub 109 | dsa_private_key = data/ssh_host_dsa_key 110 | 111 | # Enables passing commands using ssh execCommand 112 | # e.g. ssh root@localhost <command> 113 | # 114 | # (default: false) 115 | exec_enabled = true 116 | 117 | # sftp_enabled enables the sftp subsystem 118 | sftp_enabled = true 119 | 120 | # IP address to bind to when opening outgoing connections. Used by 121 | # the wget and curl commands.
122 | # 123 | # (default: not specified) 124 | #out_addr = 0.0.0.0 125 | 126 | # Fake address displayed as the address of the incoming connection. 127 | # This doesn't affect logging, and is only used by honeypot commands such as 128 | # 'w' and 'last' 129 | # 130 | # If not specified, the actual IP address is displayed instead (default 131 | # behaviour). 132 | # 133 | # (default: not specified) 134 | #fake_addr = 192.168.66.254 135 | 136 | # The IP address on which this machine is reachable from the internet. 137 | # Useful if you use port forwarding or other mechanisms. If empty, cowrie 138 | # will determine it by itself. Used in 'netstat' output 139 | # 140 | #internet_facing_ip = 9.9.9.9 141 | 142 | # SSH Version String 143 | # 144 | # Use this to disguise your honeypot from a simple SSH version scan 145 | # Frequent examples: (found experimentally by scanning ISPs) 146 | # SSH-2.0-OpenSSH_5.1p1 Debian-5 147 | # SSH-1.99-OpenSSH_4.3 148 | # SSH-1.99-OpenSSH_4.7 149 | # SSH-1.99-Sun_SSH_1.1 150 | # SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1 151 | # SSH-2.0-OpenSSH_4.3 152 | # SSH-2.0-OpenSSH_4.6 153 | # SSH-2.0-OpenSSH_5.1p1 Debian-5 154 | # SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901 155 | # SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5 156 | # SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6 157 | # SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7 158 | # SSH-2.0-OpenSSH_5.5p1 Debian-6 159 | # SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1 160 | # SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2 161 | # SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503 162 | # SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1 163 | # SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2 164 | # SSH-2.0-OpenSSH_5.9 165 | # 166 | # (default: "SSH-2.0-SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2") 167 | ssh_version_string = SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2 168 | 169 | # Banner file to be displayed before the first login attempt.
170 | # 171 | #banner_file = DEPRECATED; always '/etc/issue.net' in honeyfs 172 | 173 | # exit_jail tries to 'trick' the attacker with another shell. Set to true to create 174 | # another fake prompt after logout 175 | # 176 | # putty/sshlib/libssh clients will not get the exit jail 177 | # 178 | # (default: false) 179 | exit_jail = false 180 | 181 | # Session management interface. 182 | # 183 | # This is a telnet based service that can be used to interact with active 184 | # sessions. Disabled by default. 185 | # 186 | # (default: false) 187 | interact_enabled = false 188 | # (default: 5123) 189 | interact_port = 5123 190 | 191 | # MySQL logging module 192 | # 193 | # Database structure for this module is supplied in doc/sql/mysql.sql 194 | # 195 | # To enable this module, remove the comments below, including the 196 | # [database_mysql] line. 197 | 198 | #[database_mysql] 199 | #host = localhost 200 | #database = cowrie 201 | #username = cowrie 202 | #password = secret 203 | #port = 3306 204 | 205 | # XMPP Logging 206 | # 207 | # Log to an xmpp server. 208 | # For a detailed explanation on how this works, see: 209 | # 210 | # To enable this module, remove the comments below, including the 211 | # [database_xmpp] line. 212 | 213 | #[database_xmpp] 214 | #server = sensors.carnivore.it 215 | #user = anonymous@sensors.carnivore.it 216 | #password = anonymous 217 | #muc = dionaea.sensors.carnivore.it 218 | #signal_createsession = cowrie-events 219 | #signal_connectionlost = cowrie-events 220 | #signal_loginfailed = cowrie-events 221 | #signal_loginsucceeded = cowrie-events 222 | #signal_command = cowrie-events 223 | #signal_clientversion = cowrie-events 224 | #debug=true 225 | 226 | # Text based logging module 227 | # 228 | # While this is a database logging module, it actually just creates a simple 229 | # text based log. 
This may not have much purpose, if you're fine with the 230 | # default text based logs generated by cowrie in log/ 231 | # 232 | # To enable this module, remove the comments below, including the 233 | # [database_textlog] line. 234 | 235 | #[database_textlog] 236 | #logfile = log/cowrie-textlog.log 237 | 238 | # JSON output module 239 | [output_jsonlog] 240 | logfile = log/cowrie.json 241 | 242 | #[database_hpfeeds] 243 | #server = hpfeeds.mysite.org 244 | #port = 10000 245 | #identifier = abc123 246 | #secret = secret 247 | #debug=false 248 | --------------------------------------------------------------------------------