diff --git a/cowrie/Dockerfile b/cowrie/Dockerfile
deleted file mode 100644
index a66f32e..0000000
--- a/cowrie/Dockerfile
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# Dockerfile for cowrie
-#
-
-FROM alpine
-MAINTAINER kev
-
-RUN apk add -U bash \
- build-base \
- ca-certificates \
- libffi \
- libffi-dev \
- openssl \
- openssl-dev \
- python \
- python-dev \
- tar \
- && wget -qO- https://bootstrap.pypa.io/get-pip.py | python \
- && adduser -D cowrie \
- && cd /home/cowrie \
- && wget -qO- https://github.com/micheloosterhof/cowrie/archive/master.tar.gz | tar xz --strip 1 \
- && pip install -r requirements.txt \
- && sed '/Enable Telnet/{n;s/\(enabled\).*/\1 = true/}' cowrie.cfg.dist > cowrie.cfg \
- && sed -i 's/^\(VIRTUALENV_ENABLED\).*/\1=no/' bin/cowrie \
- && chown -R cowrie:cowrie . \
- && apk del build-base \
- libffi-dev \
- openssl-dev \
- python-dev \
- tar \
- && rm -rf /var/cache/apk/*
-
-EXPOSE 2222 2223
-
-USER cowrie
-WORKDIR /home/cowrie
-
-CMD ["bin/cowrie", "start", "-n"]
diff --git a/cowrie/README.md b/cowrie/README.md
index 5ec95c1..4c1ae9d 100644
--- a/cowrie/README.md
+++ b/cowrie/README.md
@@ -11,31 +11,35 @@ Cowrie is directly based on [Kippo][2] by Upi Tamminen (desaster).
 ## docker-compose.yml
 
 ```yaml
-cowrie:
- image: vimagick/cowrie
- ports:
- - "2222:2222"
- - "2223:2223"
- volumes:
- - ./data/dl:/home/cowrie/dl
- - ./data/log:/home/cowrie/log
- restart: always
+version: "3.8"
+
+services:
+ cowrie:
+ image: cowrie/cowrie
+ ports:
+ - "2222:2222"
+ - "2223:2223"
+ volumes:
+ - cowrie-etc:/cowrie/cowrie-git/etc
+ - cowrie-var:/cowrie/cowrie-git/var
+ restart: unless-stopped
+
+volumes:
+ cowrie-etc:
+ cowrie-var:
 ```
 
 ## server
 
 ```bash
-$ cd ~/fig/cowrie
-$ mkdir -p data/dl data/log/tty
-$ chmod -R 777 data
-$ tree -F
-.
-├── docker-compose.yml
-├── dl/
-└── log/
- └── tty/
 $ docker-compose up -d
-$ tail -f log/cowrie.log
+$ docker volume ls
+$ docker volume inspect cowrie_cowrie-var
+$ cd /var/lib/docker/volumes/cowrie_cowrie-etc/_data
+$ cp cowrie.cfg.dist cowrie.cfg
+$ cp userdb.example userdb.txt
+$ cd /var/lib/docker/volumes/cowrie_cowrie-var/_data
+$ tail -f log/cowrie/cowrie.json
 ```
 
 ## client
diff --git a/cowrie/arm/Dockerfile b/cowrie/arm/Dockerfile
index 050a608..1b6dcbb 100644
--- a/cowrie/arm/Dockerfile
+++ b/cowrie/arm/Dockerfile
@@ -2,7 +2,7 @@
 # Dockerfile for cowrie-arm
 #
 
-FROM easypi/alpine-arm
+FROM arm32v7/alpine:3
 MAINTAINER EasyPi Software Foundation
 
 RUN apk add -U bash \
diff --git a/cowrie/arm/docker-compose.yml b/cowrie/arm/docker-compose.yml
index 1e376be..d4c3a09 100644
--- a/cowrie/arm/docker-compose.yml
+++ b/cowrie/arm/docker-compose.yml
@@ -1,9 +1,11 @@
-cowrie:
- image: easypi/cowrie-arm
- ports:
- - "2222:2222"
- - "2223:2223"
- volumes:
- - ./data/dl:/home/cowrie/dl
- - ./data/log:/home/cowrie/log
- restart: always
+version: "3.8"
+services:
+ cowrie:
+ image: easypi/cowrie-arm
+ ports:
+ - "2222:2222"
+ - "2223:2223"
+ volumes:
+ - ./data/dl:/home/cowrie/dl
+ - ./data/log:/home/cowrie/log
+ restart: unless-stopped
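Review bot: The new base tag in `FROM arm32v7/alpine:3` is major-only, so it floats across every 3.x release and two builds of this file can yield different package sets and CVE exposure; pin a minor release or, better, a digest, e.g. `FROM arm32v7/alpine:3.<minor>@sha256:<digest>`, and bump it deliberately. The `RUN apk add -U bash \` kept as context is only the first line of the build step and the rest runs outside the hunk; the x86 Dockerfile deleted in this same commit fetched cowrie from an unpinned `master.tar.gz` with no checksum, and if the ARM recipe does the same that step is equally unreproducible — worth confirming. The `MAINTAINER` line is deprecated and would be better expressed as `LABEL org.opencontainers.image.authors="EasyPi Software Foundation"`, though that is pre-existing.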
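Review bot: The bind mounts `./data/dl:/home/cowrie/dl` and `./data/log:/home/cowrie/log` are carried over unchanged, but the only setup that made them usable — the README's `mkdir -p data/dl data/log/tty` and `chmod -R 777 data` — is removed in this same commit while the x86 service moves to named volumes, so an ARM deployer following the updated README has no instruction for creating these directories writable by the in-container user (the deleted x86 Dockerfile ran as `USER cowrie`; I assume the ARM image does too). Either switch this file to named volumes like the x86 service, or document the setup and prefer a `chown` to the container's cowrie UID over a world-writable `chmod 777`; a comment above `volumes:` such as `# host dirs must exist and be writable by the container's cowrie user (not 777)` would carry that. `ports:` publishes 2222/2223 on all host interfaces, which is expected for a honeypot but worth a one-line comment so nobody later "fixes" it with a loopback bind.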
diff --git a/cowrie/data/etc/cowrie.cfg b/cowrie/data/etc/cowrie.cfg
new file mode 100644
index 0000000..0026e34
--- /dev/null
+++ b/cowrie/data/etc/cowrie.cfg
@@ -0,0 +1,1033 @@ +# DO NOT EDIT THIS FILE! +# Changes to default files will be lost on update and are difficult to +# manage and support. +# +# Please make any changes to system defaults by overriding them in +# cowrie.cfg +# +# To override a specific setting, copy the name of the stanza and +# setting to the file where you wish to override it. + +# ============================================================================ +# General Cowrie Options +# ============================================================================ +[honeypot] + +# Sensor name is used to identify this Cowrie instance. Used by the database +# logging modules such as mysql. +# +# If not specified, the logging modules will instead use the IP address of the +# server as the sensor name. +# +# (default: not specified) +#sensor_name=myhostname + +# Hostname for the honeypot. Displayed by the shell prompt of the virtual +# environment +# +# (default: svr04) +hostname = svr04 + + +# Directory where to save log files in. +# +# (default: log) +log_path = var/log/cowrie + + +# Directory where to save downloaded artifacts in. +# +# (default: downloads) +download_path = ${honeypot:state_path}/downloads + + +# Directory for static data files +# +# (default: share/cowrie) +share_path = share/cowrie + + +# Directory for variable state files +# +# (default: var/lib/cowrie) +state_path = var/lib/cowrie + + +# Directory for config files +# +# (default: etc) +etc_path = etc + + +# Directory where virtual file contents are kept in. +# +# This is only used by commands like 'cat' to display the contents of files. +# Adding files here is not enough for them to appear in the honeypot - the +# actual virtual filesystem is kept in filesystem_file (see below) +# +# (default: honeyfs) +contents_path = honeyfs + + +# Directory for creating simple commands that only output text. 
+# +# The command must be placed under this directory with the proper path, such +# as: +# txtcmds/usr/bin/vi +# The contents of the file will be the output of the command when run inside +# the honeypot. +# +# In addition to this, the file must exist in the virtual filesystem +# +# (default: txtcmds) +txtcmds_path = txtcmds + + +# Maximum file size (in bytes) for downloaded files to be stored in 'download_path'. +# A value of 0 means no limit. If the file size is known to be too big from the start, +# the file will not be stored on disk at all. +# +# (default: 0) +#download_limit_size = 10485760 + +# TTY logging will log a transcript of the complete terminal interaction in UML +# compatible format. +# (default: true) +ttylog = true + +# Default directory for TTY logs. +# (default: ttylog_path = %(state_path)s/tty) +ttylog_path = ${honeypot:state_path}/tty + +# Interactive timeout determines when logged in sessions are +# terminated for being idle. In seconds. +# (default: 180) +interactive_timeout = 180 + +# Authentication Timeout +# The server disconnects after this time if the user has not successfully logged in. If the value is 0, +# there is no time limit. The default is 120 seconds. +authentication_timeout = 120 + +# EXPERIMENTAL: back-end to user for Cowrie, options: proxy or shell +# (default: shell) +backend = shell + +# Timezone Cowrie uses for logging +# This can be any valid timezone for the TZ environment variable +# The special value `system` will let Cowrie use the system time zone +# `system` is not recommended because you will need to deal with daylight +# savings time and other special cases yourself when analysing the logs. 
+timezone = UTC + +# Custom prompt +# By default, Cowrie creates a shell prompt like: root@svr03:~# +# If you want something totally custom, uncomment the option below and set your prompt +# Beware that the path won't be included in your prompt any longer +# prompt = hello> + + +# ============================================================================ +# Network Specific Options +# ============================================================================ + + +# IP address to bind to when opening outgoing connections. Used by wget and +# curl commands. +# +# (default: not specified) +#out_addr = 0.0.0.0 + + +# Fake address displayed as the address of the incoming connection. +# This doesn't affect logging, and is only used by honeypot commands such as +# 'w' and 'last' +# +# If not specified, the actual IP address is displayed instead (default +# behaviour). +# +# (default: not specified) +#fake_addr = 192.168.66.254 + + +# The IP address on which this machine is reachable on from the internet. +# Useful if you use portforwarding or other mechanisms. If empty, Cowrie +# will determine by itself. Used in 'netstat' output +# +#internet_facing_ip = 9.9.9.9 + + +# Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1) +# IP address is obtained by querying http://myip.threatstream.com +#report_public_ip = true + + + +# ============================================================================ +# Authentication Specific Options +# ============================================================================ + + +# Class that implements the checklogin() method. +# +# Class must be defined in cowrie/core/auth.py +# Default is the 'UserDB' class which uses the password database. +# +# Alternatively the 'AuthRandom' class can be used, which will let +# a user login after a random number of attempts. +# It will also cache username/password combinations that allow login. 
+# +auth_class = UserDB + +# When AuthRandom is used also set the +# auth_class_parameters: , , +# for example: 2, 5, 10 = allows access after randint(2,5) attempts +# and cache 10 combinations. +# +#auth_class = AuthRandom +#auth_class_parameters = 2, 5, 10 + + +# ============================================================================ +# Historical SSH Specific Options +# historical options in [honeypot] that have not yet been moved to [ssh] +# ============================================================================ + +# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie) +#reported_ssh_port = 22 + + +[backend_pool] +# ============================================================================ +# Backend Pool Configurations +# only used on the cowrie instance that runs the pool +# ============================================================================ + +# enable this to solely run the pool, regardless of other configurations (disables SSH and Telnet) +pool_only = false + +# time between full VM recycling (cleans older VMs and boots newer ones) - involves some downtime between cycles +# -1 to disable +recycle_period = 1500 + +# change interface below to allow connections from outside (e.g. remote pool) +listen_endpoints = tcp:6415:interface=127.0.0.1 + +# guest snapshots +save_snapshots = false +snapshot_path = ${honeypot:state_path}/snapshots + +# pool xml configs +config_files_path = ${honeypot:share_path}/pool_configs + +network_config = default_network.xml +nw_filter_config = default_filter.xml + +# ===================================== +# Guest details (for a generic x86-64 guest, like Ubuntu) +# +# Used to provide configuration details to save snapshots, identify +# running guests, and provide other details to Cowrie. 
+# - SSH and Telnet ports: which ports are listening for these services in the guest OS; +# if you're not using one of them omit the config or set to 0 +# - Guest private key: used by the pool to control the guest's state via SSH; guest must +# have the corresponding pubkey in root's authorized_keys (not implemented) +# ===================================== +guest_config = default_guest.xml +guest_privkey = ${honeypot:state_path}/ubuntu18.04-guest +guest_tag = ubuntu18.04 +guest_ssh_port = 22 +guest_telnet_port = 23 + +# Configs below are used on default XMLs provided. +# If you provide your own XML in guest_config you don't need these configs. +# +# Guest hypervisor can be qemu or kvm, for example. Recent hardware has KVM, +# which is more performant than the qemu software-based emulation. Guest arch +# must match your machine's. If it's older or you're unsure, set it to 'qemu'. +# +# Memory size is in MB. +# +# Advanced: guest_qemu_machine defines which machine Qemu emulates for your VM +# If you get a "unsupported machine type" exception when VMs are loading, change +# it to a compatible machine listed by the command: 'qemu-system-x86_64 -machine help' +guest_image_path = /home/cowrie/cowrie-imgs/ubuntu18.04-minimal.qcow2 +guest_hypervisor = kvm +guest_memory = 512 +guest_qemu_machine = pc-q35-bionic + +# ===================================== +# Guest details (for OpenWRT with ARM architecture) +# +# Used to provide configuration details to save snapshots, identify running guests, +# and provide other details to Cowrie. +# ===================================== +#guest_config = wrt_arm_guest.xml +#guest_tag = wrt +#guest_ssh_port = 22 +#guest_telnet_port = 23 + +# Configs below are used on default XMLs provided. +# If you provide your own XML in guest_config you don't need these configs. +# +# Guest hypervisor can be qemu or kvm, for example. Recent hardware has KVM, +# which is more performant than the qemu software-based emulation. 
Guest arch +# must match your machine's. +# +# Memory size is in MB. +# +# Advanced: guest_qemu_machine defines which machine Qemu emulates for your VM +# If you get a "unsupported machine type" exception when VMs are loading, change +# it to a compatible machine listed by the command: 'qemu-system-arm -machine help' +#guest_image_path = /home/cowrie/cowrie-imgs/root.qcow2 +#guest_hypervisor = qemu +#guest_memory = 256 +#guest_kernel_image = /home/cowrie/cowrie-imgs/zImage +#guest_qemu_machine = virt-2.9 + +# ===================================== +# Other configs +# ===================================== +# Use NAT (for remote pool) +# +# Guests exist in a local interface created by libvirt; NAT functionality creates a port in the host, +# exposed to a public interface, and forwards TCP data to and from the libvirt private interface. +# Cowrie's proxy receives the public information instead of the local IP of guests. +use_nat = true +nat_public_ip = 192.168.1.40 + + +# ============================================================================ +# Proxy Options +# ============================================================================ +[proxy] + +# type of backend: +# - simple: backend machine deployed by you (CAREFUL WITH SECURITY ASPECTS!!), specify hosts and ports below +# - pool: cowrie-managed pool of virtual machines, configure below +backend = pool + +# ===================================== +# Simple Backend Configuration +# ===================================== +backend_ssh_host = localhost +backend_ssh_port = 2022 + +backend_telnet_host = localhost +backend_telnet_port = 2023 + +# ===================================== +# Pool Backend Configuration +# ===================================== + +# generic pool configurable settings +pool_max_vms = 5 +pool_vm_unused_timeout = 600 + +# allow sharing guests between different attackers if no new VMs are available +pool_share_guests = true + +# Where to deploy the backend pool (only if backend = pool) +# - 
"local": same machine as the proxy +# - "remote": set host and port of the pool below +pool = local + +# Remote pool configurations (used with pool=remote) +pool_host = 192.168.1.40 +pool_port = 6415 + +# ===================================== +# Proxy Configurations +# ===================================== + +# real credentials to log into backend +backend_user = root +backend_pass = root + +# Telnet prompt detection +# +# To detect authentication prompts (and spoof auth details to the ones the backend accepts) we need to capture +# login and password prompts, and spoof data to the backend in order to successfully authenticate. If disabled, +# attackers can only use the real user credentials of the backend. +telnet_spoof_authentication = true + +# These regex were made using Ubuntu 18.04; you have to adapt these for the prompts +# from your backend. You can enable raw logging above to analyse data passing through +# and identify the format of the prompts you need. +# You should generally include ".*" at the beginning and end of prompts, since Telnet messages can contain +# more data than the prompt. + +# For login it is usually login: +telnet_username_prompt_regex = (\n|^)ubuntu login: .* + +# Password prompt is usually only the word Password +telnet_password_prompt_regex = .*Password: .* + +# This data is sent by clients at the beginning of negotiation (before the password prompt), and contains the username +# that is trying to log in. We replace that username with the one in "backend_user" to allow the chance of a successful +# login after the first password prompt. We are only able to check if credentials are allowed after the password is +# inserted. If they are, then a correct username was already sent and authentication succeeds; if not, we send a fake +# password to force authentication to fail. 
+telnet_username_in_negotiation_regex = (.*\xff\xfa.*USER\x01)(.*?)(\xff.*) + +# Other configs # +# log raw TCP packets in SSh and Telnet +log_raw = false + + +# ============================================================================ +# Shell Options +# Options around Cowrie's Shell Emulation +# ============================================================================ + +[shell] + +# File in the Python pickle format containing the virtual filesystem. +# +# This includes the filenames, paths, permissions for the Cowrie filesystem, +# but not the file contents. This is created by the bin/createfs utility from +# a real template linux installation. +# +# (default: fs.pickle) +filesystem = ${honeypot:share_path}/fs.pickle + + +# File that contains output for the `ps` command. +# +# (default: share/cowrie/cmdoutput.json) +processes = share/cowrie/cmdoutput.json + + +# Fake architectures/OS +# When Cowrie receive a command like /bin/cat XXXX (where XXXX is an executable) +# it replies with the content of a dummy executable (located in data_path/arch) +# compiled for an architecture/OS/endian_mode +# arch can be a comma separated list. When there are multiple elements, a random +# is chosen at login time. 
+# (default: linux-x64-lsb) + +arch = linux-x64-lsb + +# Here the list of supported OS-ARCH-ENDIANESS executables +# bsd-aarch64-lsb: 64-bit LSB ARM aarch64 version 1 (SYSV) +# bsd-aarch64-msb: 64-bit MSB ARM aarch64 version 1 (SYSV) +# bsd-bfin-msb: 32-bit MSB Analog Devices Blackfin version 1 (SYSV) +# bsd-mips64-lsb: 64-bit LSB MIPS MIPS-III version 1 (SYSV) +# bsd-mips64-msb: 64-bit MSB MIPS MIPS-III version 1 (SYSV) +# bsd-mips-lsb: 32-bit LSB MIPS MIPS-I version 1 (FreeBSD) +# bsd-mips-msb: 32-bit MSB MIPS MIPS-I version 1 (FreeBSD) +# bsd-powepc64-lsb: 64-bit MSB 64-bit PowerPC or cisco 7500 version 1 (FreeBSD) +# bsd-powepc-msb: 32-bit MSB PowerPC or cisco 4500 version 1 (FreeBSD) +# bsd-riscv64-lsb: 64-bit LSB UCB RISC-V version 1 (SYSV) +# bsd-sparc64-msb: 64-bit MSB SPARC V9 relaxed memory ordering version 1 (FreeBSD) +# bsd-sparc-msb: 32-bit MSB SPARC version 1 (SYSV) statically +# bsd-x32-lsb: 32-bit LSB Intel 80386 version 1 (FreeBSD) +# bsd-x64-lsb: 64-bit LSB x86-64 version 1 (FreeBSD) +# linux-aarch64-lsb: 64-bit LSB ARM aarch64 version 1 (SYSV) +# linux-aarch64-msb: 64-bit MSB ARM aarch64 version 1 (SYSV) +# linux-alpha-lsb: 64-bit LSB Alpha (unofficial) version 1 (SYSV) +# linux-am33-lsb: 32-bit LSB Matsushita MN10300 version 1 (SYSV) +# linux-arc-lsb: 32-bit LSB ARC Cores Tangent-A5 version 1 (SYSV) +# linux-arc-msb: 32-bit MSB ARC Cores Tangent-A5 version 1 (SYSV) +# linux-arm-lsb: 32-bit LSB ARM EABI5 version 1 (SYSV) +# linux-arm-msb: 32-bit MSB ARM EABI5 version 1 (SYSV) +# linux-avr32-lsb: 32-bit LSB Atmel AVR 8-bit version 1 (SYSV) +# linux-bfin-lsb: 32-bit LSB Analog Devices Blackfin version 1 (SYSV) +# linux-c6x-lsb: 32-bit LSB TI TMS320C6000 DSP family version 1 +# linux-c6x-msb: 32-bit MSB TI TMS320C6000 DSP family version 1 +# linux-cris-lsb: 32-bit LSB Axis cris version 1 (SYSV) +# linux-frv-msb: 32-bit MSB Cygnus FRV (unofficial) version 1 (SYSV) +# linux-h8300-msb: 32-bit MSB Renesas H8/300 version 1 (SYSV) +# linux-hppa64-msb: 
64-bit MSB PA-RISC 02.00.00 (LP64) version 1 +# linux-hppa-msb: 32-bit MSB PA-RISC *unknown arch 0xf* version 1 (GNU/Linux) +# linux-ia64-lsb: 64-bit LSB IA-64 version 1 (SYSV) +# linux-m32r-msb: 32-bit MSB Renesas M32R version 1 (SYSV) +# linux-m68k-msb: 32-bit MSB Motorola m68k 68020 version 1 (SYSV) +# linux-microblaze-msb: 32-bit MSB Xilinx MicroBlaze 32-bit RISC version 1 (SYSV) +# linux-mips64-lsb: 64-bit LSB MIPS MIPS-III version 1 (SYSV) +# linux-mips64-msb: 64-bit MSB MIPS MIPS-III version 1 (SYSV) +# linux-mips-lsb: 32-bit LSB MIPS MIPS-I version 1 (SYSV) +# linux-mips-msb: 32-bit MSB MIPS MIPS-I version 1 (SYSV) +# linux-mn10300-lsb: 32-bit LSB Matsushita MN10300 version 1 (SYSV) +# linux-nios-lsb: 32-bit LSB Altera Nios II version 1 (SYSV) +# linux-nios-msb: 32-bit MSB Altera Nios II version 1 (SYSV) +# linux-powerpc64-lsb: 64-bit LSB 64-bit PowerPC or cisco 7500 version 1 (SYSV) +# linux-powerpc64-msb: 64-bit MSB 64-bit PowerPC or cisco 7500 version 1 (SYSV) +# linux-powerpc-lsb: 32-bit LSB PowerPC or cisco 4500 version 1 (SYSV) +# linux-powerpc-msb: 32-bit MSB PowerPC or cisco 4500 version 1 (SYSV) +# linux-riscv64-lsb: 64-bit LSB UCB RISC-V version 1 (SYSV) +# linux-s390x-msb: 64-bit MSB IBM S/390 version 1 (SYSV) +# linux-sh-lsb: 32-bit LSB Renesas SH version 1 (SYSV) +# linux-sh-msb: 32-bit MSB Renesas SH version 1 (SYSV) +# linux-sparc64-msb: 64-bit MSB SPARC V9 relaxed memory ordering version 1 (SYSV) +# linux-sparc-msb: 32-bit MSB SPARC version 1 (SYSV) +# linux-tilegx64-lsb: 64-bit LSB Tilera TILE-Gx version 1 (SYSV) +# linux-tilegx64-msb: 64-bit MSB Tilera TILE-Gx version 1 (SYSV) +# linux-tilegx-lsb: 32-bit LSB Tilera TILE-Gx version 1 (SYSV) +# linux-tilegx-msb: 32-bit MSB Tilera TILE-Gx version 1 (SYSV) +# linux-x64-lsb: 64-bit LSB x86-64 version 1 (SYSV) +# linux-x86-lsb: 32-bit LSB Intel 80386 version 1 (SYSV) +# linux-xtensa-msb: 32-bit MSB Tensilica Xtensa version 1 (SYSV) +# osx-x32-lsb: 32-bit LSB Intel 80386 +# osx-x64-lsb: 64-bit 
LSB x86-64 + +# arch = bsd-aarch64-lsb, bsd-aarch64-msb, bsd-bfin-msb, bsd-mips-lsb, bsd-mips-msb, bsd-mips64-lsb, bsd-mips64-msb, bsd-powepc-msb, bsd-powepc64-lsb, bsd-riscv64-lsb, bsd-sparc-msb, bsd-sparc64-msb, bsd-x32-lsb, bsd-x64-lsb, linux-aarch64-lsb, linux-aarch64-msb, linux-alpha-lsb, linux-am33-lsb, linux-arc-lsb, linux-arc-msb, linux-arm-lsb, linux-arm-msb, linux-avr32-lsb, linux-bfin-lsb, linux-c6x-lsb, linux-c6x-msb, linux-cris-lsb, linux-frv-msb, linux-h8300-msb, linux-hppa-msb, linux-hppa64-msb, linux-ia64-lsb, linux-m32r-msb, linux-m68k-msb, linux-microblaze-msb, linux-mips-lsb, linux-mips-msb, linux-mips64-lsb, linux-mips64-msb, linux-mn10300-lsb, linux-nios-lsb, linux-nios-msb, linux-powerpc-lsb, linux-powerpc-msb, linux-powerpc64-lsb, linux-powerpc64-msb, linux-riscv64-lsb, linux-s390x-msb, linux-sh-lsb, linux-sh-msb, linux-sparc-msb, linux-sparc64-msb, linux-tilegx-lsb, linux-tilegx-msb, linux-tilegx64-lsb, linux-tilegx64-msb, linux-x64-lsb, linux-x86-lsb, linux-xtensa-msb, osx-x32-lsb, osx-x64-lsb + +# Modify the response of '/bin/uname' +# Default (uname -a): Linux +kernel_version = 3.2.0-4-amd64 +kernel_build_string = #1 SMP Debian 3.2.68-1+deb7u1 +hardware_platform = x86_64 +operating_system = GNU/Linux + +# SSH Version as printed by "ssh -V" in shell emulation +ssh_version = OpenSSH_7.9p1, OpenSSL 1.1.1a 20 Nov 2018 + + +# ============================================================================ +# SSH Specific Options +# ============================================================================ +[ssh] + +# Enable SSH support +# (default: true) +enabled = true + + +# Public and private SSH key files. If these don't exist, they are created +# automatically. 
+rsa_public_key = ${honeypot:state_path}/ssh_host_rsa_key.pub +rsa_private_key = ${honeypot:state_path}/ssh_host_rsa_key +dsa_public_key = ${honeypot:state_path}/ssh_host_dsa_key.pub +dsa_private_key = ${honeypot:state_path}/ssh_host_dsa_key + + +# SSH version string as present to the client. +# +# Version string MUST start with SSH-2.0- or SSH-1.99- +# +# Use these to disguise your honeypot from a simple SSH version scan +# Examples: +# SSH-2.0-OpenSSH_5.1p1 Debian-5 +# SSH-1.99-OpenSSH_4.3 +# SSH-1.99-OpenSSH_4.7 +# SSH-1.99-Sun_SSH_1.1 +# SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1 +# SSH-2.0-OpenSSH_4.3 +# SSH-2.0-OpenSSH_4.6 +# SSH-2.0-OpenSSH_5.1p1 Debian-5 +# SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901 +# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5 +# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6 +# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7 +# SSH-2.0-OpenSSH_5.5p1 Debian-6 +# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1 +# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2 +# SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503 +# SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1 +# SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2 +# SSH-2.0-OpenSSH_5.9 +# +# (default: "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2") +version = SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2 + +# Cipher encryption algorithms to be used. +# +# MUST be supplied as a comma-separated string without +# any spaces or newlines. +# +# Use ciphers to limit to more secure algorithms only +# any spaces. +# Supported ciphers: +# +# aes128-ctr +# aes192-ctr +# aes256-ctr +# aes256-cbc +# aes192-cbc +# aes128-cbc +# 3des-cbc +# blowfish-cbc +# cast128-cbc +ciphers = aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc + + +# MAC Algorithm to be used. +# +# MUST be supplied as a comma-separated string without +# any spaces or newlines. +# +# hmac-sha1 and hmac-md5 are considered insecure now, and +# instead MACs with higher number of bits should be used. 
+# +# Supported HMACs: +# hmac-sha2-512 +# hmac-sha2-384 +# hmac-sha2-256 +# hmac-sha1 +# hmac-md5 +macs = hmac-sha2-512,hmac-sha2-384,hmac-sha2-56,hmac-sha1,hmac-md5 + + +# Compression Method to be used. +# +# MUST be supplied as a comma-separated string without +# any spaces or newlines. +# +# Supported Compression Methods: +# zlib@openssh.com +# zlib +# none +compression = zlib@openssh.com,zlib,none + +# Endpoint to listen on for incoming SSH connections. +# See https://twistedmatrix.com/documents/current/core/howto/endpoints.html#servers +# (default: listen_endpoints = tcp:2222:interface=0.0.0.0) +# (use systemd: endpoint for systemd activation) +# listen_endpoints = systemd:domain=INET:index=0 +# For both IPv4 and IPv6: listen_endpoints = tcp6:2222:interface=\:\: +# Listening on multiple endpoints is supported with a single space seperator +# e.g listen_endpoints = "tcp:2222:interface=0.0.0.0 tcp:1022:interface=0.0.0.0" will result listening both on ports 2222 and 1022 +# use authbind for port numbers under 1024 + +listen_endpoints = tcp:2222:interface=0.0.0.0 + +# Enable the SFTP subsystem +# (default: true) +sftp_enabled = true + + +# Enable SSH direct-tcpip forwarding +# (default: true) +forwarding = true + + +# This enables redirecting forwarding requests to another address +# Useful for forwarding protocols to other honeypots +# (default: false) +forward_redirect = false + + +# Configure where to forward the data to. +# forward_redirect_ = : + +# Redirect http/https +# forward_redirect_80 = 127.0.0.1:8000 +# forward_redirect_443 = 127.0.0.1:8443 + +# To record SMTP traffic, install an SMTP honeypoint. 
+# (e.g https://github.com/awhitehatter/mailoney), run +# python mailoney.py -s yahoo.com -t schizo_open_relay -p 12525 +# forward_redirect_25 = 127.0.0.1:12525 +# forward_redirect_587 = 127.0.0.1:12525 + + +# This enables tunneling forwarding requests to another address +# Useful for forwarding protocols to a proxy like Squid +# (default: false) +forward_tunnel = false + + +# Configure where to tunnel the data to. +# forward_tunnel_ = : + +# Tunnel http/https +# forward_tunnel_80 = 127.0.0.1:3128 +# forward_tunnel_443 = 127.0.0.1:3128 + + +# No authentication checking at all +# enabling 'auth_none' will enable the ssh2 'auth_none' authentication method +# this allows the requested user in without any verification at all +# +# (default: false) +#auth_none_enabled = false + + +# Configure keyboard-interactive login +auth_keyboard_interactive_enabled = false + +# ============================================================================ +# Telnet Specific Options +# ============================================================================ +[telnet] + +# Enable Telnet support, disabled by default +enabled = false + +# Endpoint to listen on for incoming Telnet connections. 
+# See https://twistedmatrix.com/documents/current/core/howto/endpoints.html#servers +# (default: listen_endpoints = tcp:2223:interface=0.0.0.0) +# (use systemd: endpoint for systemd activation) +# listen_endpoints = systemd:domain=INET:index=0 +# For IPv4 and IPv6: listen_endpoints = tcp6:2223:interface=\:\: tcp:2223:interface=0.0.0.0 +# Listening on multiple endpoints is supported with a single space seperator +# e.g "listen_endpoints = tcp:2223:interface=0.0.0.0 tcp:2323:interface=0.0.0.0" will result listening both on ports 2223 and 2323 +# use authbind for port numbers under 1024 + +listen_endpoints = tcp:2223:interface=0.0.0.0 + + +# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie) +#reported_port = 23 + + + +# ============================================================================ +# Database logging Specific Options +# ============================================================================ + +# XMPP Logging +# Log to an xmpp server. +# +#[database_xmpp] +#server = sensors.carnivore.it +#user = anonymous@sensors.carnivore.it +#password = anonymous +#muc = dionaea.sensors.carnivore.it +#signal_createsession = cowrie-events +#signal_connectionlost = cowrie-events +#signal_loginfailed = cowrie-events +#signal_loginsucceeded = cowrie-events +#signal_command = cowrie-events +#signal_clientversion = cowrie-events +#debug=true + + + + +# ============================================================================ +# Output Plugins +# These provide an extensible mechanism to send audit log entries to third +# parties. The audit entries contain information on clients connecting to +# the honeypot. +# +# Output entries need to start with 'output_' and have the 'enabled' entry. 
+# ============================================================================ + +#[output_xmpp] +#enabled=true +#server = conference.cowrie.local +#user = cowrie@cowrie.local +#password = cowrie +#muc = hacker_room + +# JSON based logging module +# +[output_jsonlog] +enabled = true +logfile = ${honeypot:log_path}/cowrie.json +epoch_timestamp = false + +# Supports logging to Elasticsearch +# This is a simple early release +# +#[output_elasticsearch] +#enabled = false +#host = localhost +#port = 9200 +#index = cowrie +# type has been deprecated since ES 6.0.0 +# use _doc which is the default type. See +# https://stackoverflow.com/a/53688626 for +# more information +#type = _doc +# set pipeline = geoip to map src_ip to +# geo location data. You can use a custom +# pipeline but you must ensure it exists +# in elasticsearch. +#pipeline = geoip +# +# Authentication. When x-pack.security is enabled +# in ES, default users have been created and requests +# must be authenticated. +# +# Credentials +#username = elastic +#password = +# +# TLS encryption. Communications between the client (cowrie) +# and the ES server should naturally be protected by encryption +# if requests are authenticated (to prevent from man-in-the-middle +# attacks). The following options are then paramount +# if username and password are provided. +# +# use ssl/tls +#ssl = true +# Path to trusted CA certs on disk +#ca_certs = /cowrie/cowrie-git/etc/elastic_ca.crt +# verify SSL certificates +#verify_certs = true + +# Send login attemp information to SANS DShield +# See https://isc.sans.edu/ssh.html +# You must signup for an api key. +# Once registered, find your details at: https://isc.sans.edu/myaccount.html +# +#[output_dshield] +#userid = userid_here +#auth_key = auth_key_here +#batch_size = 100 +#enabled = false + + +# Local Syslog output module +# +# This sends log messages to the local syslog daemon. 
+# Facility can be:
+# KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, SYSLOG and LOCAL0 to LOCAL7.
+#
+# Format can be:
+# text, cef
+#
+#[output_localsyslog]
+#enabled = false
+#facility = USER
+#format = text
+
+
+# Text output
+# This writes audit log entries to a text file
+#
+# Format can be:
+# text, cef
+#
+#[output_textlog]
+#enabled = false
+#logfile = ${honeypot:log_path}/audit.log
+#format = text
+
+
+# MySQL logging module
+# Database structure for this module is supplied in docs/sql/mysql.sql
+#
+# MySQL logging requires extra software: sudo apt-get install libmysqlclient-dev
+# MySQL logging requires an extra Python module: pip install mysql-python
+#
+#[output_mysql]
+#enabled = false
+#host = localhost
+#database = cowrie
+#username = cowrie
+#password = secret
+#port = 3306
+#debug = false
+
+# Rethinkdb output module
+# Rethinkdb output module requires extra Python module: pip install rethinkdb
+
+#[output_rethinkdblog]
+#enabled = false
+#host = 127.0.0.1
+#port = 28015
+#table = output
+#password =
+#db = cowrie
+
+# SQLite3 logging module
+#
+# Logging to SQLite3 database. To init the database, use the script
+# docs/sql/sqlite3.sql:
+# sqlite3 < docs/sql/sqlite3.sql
+#
+#[output_sqlite]
+#enabled = false
+#db_file = cowrie.db
+
+# MongoDB logging module
+#
+# MongoDB logging requires an extra Python module: pip install pymongo
+#
+#[output_mongodb]
+#enabled = false
+#connection_string = mongodb://username:password@host:port/database
+#database = dbname
+
+
+# Splunk HTTP Event Collector (HEC) output module
+# sends JSON directly to Splunk over HTTP or HTTPS
+# Use 'https' if your HEC is encrypted, else 'http'
+# mandatory fields: url, token
+# optional fields: index, source, sourcetype, host
+#
+#[output_splunk]
+#enabled = false
+#url = https://localhost:8088/services/collector/event
+#token = 6A0EA6C6-8006-4E39-FC44-C35FF6E561A8
+#index = cowrie
+#sourcetype = cowrie
+#source = cowrie
+
+
+# HPFeeds
+#
+#[output_hpfeeds3]
+#enabled = false
+#server = hpfeeds.mysite.org
+#port = 10000
+#identifier = abc123
+#secret = secret
+#debug = false
+
+
+# HPFeeds3
+# Python3 implementation of HPFeeds
+#[output_hpfeeds3]
+#enabled = false
+#server = hpfeeds.mysite.org
+#port = 10000
+#identifier = abc123
+#secret = secret
+#debug=false
+
+
+# VirusTotal output module
+# You must signup for an api key.
+#
+#[output_virustotal]
+#enabled = false
+#api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+#upload = True
+#debug = False
+#scan_file = True
+#scan_url = False
+
+
+# Cuckoo output module
+#[output_cuckoo]
+#enabled = false
+# no slash at the end
+#url_base = http://127.0.0.1:8090
+#user = user
+#passwd = passwd
+# force will upload duplicated files to cuckoo
+#force = 0
+
+# upload to MalShare
+#[output_malshare]
+#enabled = false
+
+# This will produce a _lot_ of messages - you have been warned....
+#[output_slack]
+#enabled = false
+#channel = channel_that_events_should_be_posted_in
+#token = slack_token_for_your_bot
+#debug = false
+
+
+# https://csirtg.io
+# You must signup for an api key.
+#
+#[output_csirtg]
+#enabled = false
+#username = wes
+#feed = scanners
+#description = random scanning activity
+#token = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+
+
+#[output_socketlog]
+#enabled = false
+#address = 127.0.0.1:9000
+#timeout = 5
+
+# Upload files that cowrie has captured to an S3 (or compatible bucket)
+# Files are stored with a name that is the SHA of their contents
+#
+#[output_s3]
+#
+# The AWS credentials to use.
+# Leave these blank to use botocore's credential discovery e.g .aws/config or ENV variables.
+# As per https://github.com/boto/botocore/blob/develop/botocore/credentials.py#L50-L65
+#access_key_id = AKIDEXAMPLE
+#secret_access_key = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY
+#
+# The bucket to store the files in. The bucket must already exist.
+#bucket = my-cowrie-bucket
+#
+# The region the bucket is in
+#region = eu-west-1
+#
+# An alternate endpoint URL. If you self host a pithos instance you can set
+# this to its URL (e.g. https://s3.mydomain.com) - can otherwise be blank
+#endpoint =
+#
+# Whether or not to validate the S3 certificate. Set this to 'no' to turn this
+# off. Do not do this for real AWS. It's only needed for self-hosted S3 clone
+# where you don't yet have real certificates.
+#verify = no
+
+#[output_influx]
+#enabled = false
+#host = 127.0.0.1
+#port = 8086
+#database_name = cowrie
+#retention_policy_duration = 12w
+
+[output_kafka]
+enabled = false
+host = 127.0.0.1
+port = 9092
+topic = cowrie
+
+
+#[output_redis]
+#enabled = false
+#host = 127.0.0.1
+#port = 6379
+# DB of the redis server. Defaults to 0
+#db = 0
+# Password of the redis server. Defaults to None
+#password = secret
+# Name of the list to push to or the channel to publish to. Required
+#keyname = cowrie
+# Method to use when sending data to redis.
+# Can be one of [lpush, rpush, publish]. Defaults to lpush
+#send_method = lpush
+
+
+# Perform Reverse DNS lookup
+#[output_reversedns]
+#enabled = true
+# Timeout in seconds
+#timeout = 3
+
+#[output_greynoise]
+#enabled = true
+#debug=False
+# Name of the tags separated by comma, for which the IP has to be scanned for.
+# Example "SHODAN,JBOSS_WORM,CPANEL_SCANNER_LOW"
+# If there isn't any specific tag then just leave it "all"
+#tags = all
+# It's optional to have API key, so if you don't want to but
+# API key then leave this option commented
+#api_key = 1234567890
+
+# Upload all files to a MISP instance of your liking.
+# The API key can be found under Event Actions -> Automation
+#[output_misp]
+#enabled = true
+#base_url = https://misp.somedomain.com
+#api_key = secret_key
+#verify_cert = true
+#publish_event = true
+#debug = false
+
+# The crashreporter sends data on Python exceptions to api.cowrie.org
+# To disable set `enabled = false` in cowrie.cfg
+[output_crashreporter]
+enabled = false
+debug = false
+
+# Reports login attempts to AbuseIPDB. A short guide is in the original
+# pull request on GitHub: https://github.com/cowrie/cowrie/pull/1346
+#[output_abuseipdb]
+#enabled = true
+#api_key =
+#rereport_after = 24
+#tolerance_window is in minutes
+#tolerance_window = 120
+#tolerance_attempts = 10
+# WARNING: A binary file is read from this directory on start-up. Do not
+# change unless you understand the security implications!
+#dump_path = ${honeypot:state_path}/abuseipdb
diff --git a/cowrie/data/etc/userdb.txt b/cowrie/data/etc/userdb.txt
new file mode 100644
index 0000000..6586d48
--- /dev/null
+++ b/cowrie/data/etc/userdb.txt
@@ -0,0 +1,20 @@
+# Example userdb.txt
+# This file may be copied to etc/userdb.txt.
+# If etc/userdb.txt is not present, built-in defaults will be used.
+#
+# ':' separated fields, file is processed line for line
+# processing will stop on first match
+#
+# Field #1 contains the username
+# Field #2 is currently unused
+# Field #3 contains the password
+# '*' for password allows any password
+# '!' at the start of a password will not grant this password access
+# '/' can be used to write a regular expression
+#
+root:x:!root
+root:x:!123456
+root:x:!/honeypot/i
+root:x:*
+tomcat:x:*
+oracle:x:*
diff --git a/cowrie/docker-compose.yml b/cowrie/docker-compose.yml
index c33519d..4ec6602 100644
--- a/cowrie/docker-compose.yml
+++ b/cowrie/docker-compose.yml
@@ -1,9 +1,16 @@
-cowrie:
-  image: vimagick/cowrie
-  ports:
-    - "2222:2222"
-    - "2223:2223"
-  volumes:
-    - ./data/dl:/home/cowrie/dl
-    - ./data/log:/home/cowrie/log
-  restart: always
+version: "3.8"
+
+services:
+  cowrie:
+    image: cowrie/cowrie
+    ports:
+      - "2222:2222"
+      - "2223:2223"
+    volumes:
+      - cowrie-etc:/cowrie/cowrie-git/etc
+      - cowrie-var:/cowrie/cowrie-git/var
+    restart: unless-stopped
+
+volumes:
+  cowrie-etc:
+  cowrie-var:
diff --git a/prestosql/presto-server.service b/prestosql/presto-server.service
new file mode 100644
index 0000000..11b6912
--- /dev/null
+++ b/prestosql/presto-server.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Presto Standalone Server
+After=network.target
+
+[Service]
+Type=forking
+User=presto
+Group=presto
+ExecStart=/opt/presto-server/bin/launcher start
+PIDFile=/opt/presto-server/data/var/run/launcher.pid
+LimitNOFILE=65536
+Restart=on-failure
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target
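Review bot: The new `volumes:` entries mount the named volumes `cowrie-etc` and `cowrie-var`, so the `cowrie/data/etc/userdb.txt` this commit adds (and, presumably, the `cowrie.cfg` hunk above, whose file header lies outside this view) is never seen by the container unless an operator copies it into the volume by hand. Either bind-mount the directory, `- ./data/etc:/cowrie/cowrie-git/etc`, or put a comment next to the volume stating that the files under `data/etc` are templates to be copied into `cowrie-etc`. `image: cowrie/cowrie` is also untagged and therefore resolves to `:latest`, so the honeypot image can change under a restart; pin it, e.g. `image: cowrie/cowrie:<PINNED_TAG>`.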
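Review bot: The `[Service]` section drops to `User=presto` but applies no sandboxing, so a compromise of the server process keeps the user's full view of the filesystem and a writable shared `/tmp`; add `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` after `Group=presto`. `ProtectSystem=full` leaves `/opt` writable, so the `PIDFile` under `/opt/presto-server/data` is unaffected, but confirm the launcher writes nothing under `/usr`, `/boot` or `/etc` before enabling it. `After=network.target` only orders against network setup, not against addresses being configured; if the server must bind a specific interface at boot, use `After=network-online.target` together with `Wants=network-online.target`.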