mirror of
https://github.com/vimagick/dockerfiles
synced 2024-06-26 00:38:37 +00:00
1064 lines
35 KiB
INI
1064 lines
35 KiB
INI
# DO NOT EDIT THIS FILE!
|
|
# Changes to default files will be lost on update and are difficult to
|
|
# manage and support.
|
|
#
|
|
# Please make any changes to system defaults by overriding them in
|
|
# cowrie.cfg
|
|
#
|
|
# To override a specific setting, copy the name of the stanza and
|
|
# setting to the file where you wish to override it.
|
|
|
|
# ============================================================================
|
|
# General Cowrie Options
|
|
# ============================================================================
|
|
[honeypot]
|
|
|
|
# Sensor name is used to identify this Cowrie instance. Used by the database
|
|
# logging modules such as mysql.
|
|
#
|
|
# If not specified, the logging modules will instead use the IP address of the
|
|
# server as the sensor name.
|
|
#
|
|
# (default: not specified)
|
|
#sensor_name=myhostname
|
|
|
|
# Hostname for the honeypot. Displayed by the shell prompt of the virtual
|
|
# environment
|
|
#
|
|
# (default: svr04)
|
|
hostname = svr04
|
|
|
|
|
|
# Directory where to save log files in.
|
|
#
|
|
# (default: log)
|
|
log_path = var/log/cowrie
|
|
|
|
|
|
# Directory where to save downloaded artifacts in.
|
|
#
|
|
# (default: downloads)
|
|
download_path = ${honeypot:state_path}/downloads
|
|
|
|
|
|
# Directory for static data files
|
|
#
|
|
# (default: share/cowrie)
|
|
share_path = share/cowrie
|
|
|
|
|
|
# Directory for variable state files
|
|
#
|
|
# (default: var/lib/cowrie)
|
|
state_path = var/lib/cowrie
|
|
|
|
|
|
# Directory for config files
|
|
#
|
|
# (default: etc)
|
|
etc_path = etc
|
|
|
|
|
|
# Directory where virtual file contents are kept in.
|
|
#
|
|
# This is only used by commands like 'cat' to display the contents of files.
|
|
# Adding files here is not enough for them to appear in the honeypot - the
|
|
# actual virtual filesystem is kept in filesystem_file (see below)
|
|
#
|
|
# (default: honeyfs)
|
|
contents_path = honeyfs
|
|
|
|
|
|
# Directory for creating simple commands that only output text.
|
|
#
|
|
# The command must be placed under this directory with the proper path, such
|
|
# as:
|
|
# txtcmds/usr/bin/vi
|
|
# The contents of the file will be the output of the command when run inside
|
|
# the honeypot.
|
|
#
|
|
# In addition to this, the file must exist in the virtual filesystem
|
|
#
|
|
# (default: txtcmds)
|
|
txtcmds_path = txtcmds
|
|
|
|
|
|
# Maximum file size (in bytes) for downloaded files to be stored in 'download_path'.
|
|
# A value of 0 means no limit. If the file size is known to be too big from the start,
|
|
# the file will not be stored on disk at all.
|
|
#
|
|
# (default: 0)
|
|
#download_limit_size = 10485760
|
|
|
|
# TTY logging will log a transcript of the complete terminal interaction in UML
|
|
# compatible format.
|
|
# (default: true)
|
|
ttylog = true
|
|
|
|
# Default directory for TTY logs.
|
|
# (default: ttylog_path = %(state_path)s/tty)
|
|
ttylog_path = ${honeypot:state_path}/tty
|
|
|
|
# Interactive timeout determines when logged in sessions are
|
|
# terminated for being idle. In seconds.
|
|
# (default: 180)
|
|
interactive_timeout = 180
|
|
|
|
# Authentication Timeout
|
|
# The server disconnects after this time if the user has not successfully logged in.
|
|
# The default is 120 seconds.
|
|
authentication_timeout = 120
|
|
|
|
# EXPERIMENTAL: back-end to user for Cowrie, options: proxy or shell
|
|
# (default: shell)
|
|
backend = shell
|
|
|
|
# Timezone Cowrie uses for logging
|
|
# This can be any valid timezone for the TZ environment variable
|
|
# The special value `system` will let Cowrie use the system time zone
|
|
# `system` is not recommended because you will need to deal with daylight
|
|
# savings time and other special cases yourself when analysing the logs.
|
|
timezone = UTC
|
|
|
|
# Custom prompt
|
|
# By default, Cowrie creates a shell prompt like: root@svr03:~#
|
|
# If you want something totally custom, uncomment the option below and set your prompt
|
|
# Beware that the path won't be included in your prompt any longer
|
|
# prompt = hello>
|
|
|
|
|
|
# ============================================================================
|
|
# Network Specific Options
|
|
# ============================================================================
|
|
|
|
|
|
# IP address to bind to when opening outgoing connections. Used by wget and
|
|
# curl commands.
|
|
#
|
|
# (default: not specified)
|
|
#out_addr = 0.0.0.0
|
|
|
|
|
|
# Fake address displayed as the address of the incoming connection.
|
|
# This doesn't affect logging, and is only used by honeypot commands such as
|
|
# 'w' and 'last'
|
|
#
|
|
# If not specified, the actual IP address is displayed instead (default
|
|
# behaviour).
|
|
#
|
|
# (default: not specified)
|
|
#fake_addr = 192.168.66.254
|
|
|
|
|
|
# The IP address on which this machine is reachable on from the internet.
|
|
# Useful if you use portforwarding or other mechanisms. If empty, Cowrie
|
|
# will determine by itself. Used in 'netstat' output
|
|
#
|
|
#internet_facing_ip = 9.9.9.9
|
|
|
|
|
|
|
|
# ============================================================================
|
|
# Authentication Specific Options
|
|
# ============================================================================
|
|
|
|
|
|
# Class that implements the checklogin() method.
|
|
#
|
|
# Class must be defined in cowrie/core/auth.py
|
|
# Default is the 'UserDB' class which uses the password database.
|
|
#
|
|
# Alternatively the 'AuthRandom' class can be used, which will let
|
|
# a user login after a random number of attempts.
|
|
# It will also cache username/password combinations that allow login.
|
|
#
|
|
auth_class = UserDB
|
|
|
|
# When AuthRandom is used also set the
|
|
# auth_class_parameters: <min try>, <max try>, <maxcache>
|
|
# for example: 2, 5, 10 = allows access after randint(2,5) attempts
|
|
# and cache 10 combinations.
|
|
#
|
|
#auth_class = AuthRandom
|
|
#auth_class_parameters = 2, 5, 10
|
|
|
|
|
|
[backend_pool]
|
|
# ============================================================================
|
|
# Backend Pool Configurations
|
|
# only used on the cowrie instance that runs the pool
|
|
# ============================================================================
|
|
|
|
# enable this to solely run the pool, regardless of other configurations (disables SSH and Telnet)
|
|
pool_only = false
|
|
|
|
# time between full VM recycling (cleans older VMs and boots newer ones) - involves some downtime between cycles
|
|
# -1 to disable
|
|
recycle_period = 1500
|
|
|
|
# change interface below to allow connections from outside (e.g. remote pool)
|
|
listen_endpoints = tcp:6415:interface=127.0.0.1
|
|
|
|
# guest snapshots
|
|
save_snapshots = false
|
|
snapshot_path = ${honeypot:state_path}/snapshots
|
|
|
|
# pool xml configs
|
|
config_files_path = ${honeypot:share_path}/pool_configs
|
|
|
|
network_config = default_network.xml
|
|
nw_filter_config = default_filter.xml
|
|
|
|
# =====================================
|
|
# Guest details (for a generic x86-64 guest, like Ubuntu)
|
|
#
|
|
# Used to provide configuration details to save snapshots, identify
|
|
# running guests, and provide other details to Cowrie.
|
|
# - SSH and Telnet ports: which ports are listening for these services in the guest OS;
|
|
# if you're not using one of them omit the config or set to 0
|
|
# - Guest private key: used by the pool to control the guest's state via SSH; guest must
|
|
# have the corresponding pubkey in root's authorized_keys (not implemented)
|
|
# =====================================
|
|
guest_config = default_guest.xml
|
|
guest_privkey = ${honeypot:state_path}/ubuntu18.04-guest
|
|
guest_tag = ubuntu18.04
|
|
guest_ssh_port = 22
|
|
guest_telnet_port = 23
|
|
|
|
# Configs below are used on default XMLs provided.
|
|
# If you provide your own XML in guest_config you don't need these configs.
|
|
#
|
|
# Guest hypervisor can be qemu or kvm, for example. Recent hardware has KVM,
|
|
# which is more performant than the qemu software-based emulation. Guest arch
|
|
# must match your machine's. If it's older or you're unsure, set it to 'qemu'.
|
|
#
|
|
# Memory size is in MB.
|
|
#
|
|
# Advanced: guest_qemu_machine defines which machine Qemu emulates for your VM
|
|
# If you get a "unsupported machine type" exception when VMs are loading, change
|
|
# it to a compatible machine listed by the command: 'qemu-system-x86_64 -machine help'
|
|
guest_image_path = /home/cowrie/cowrie-imgs/ubuntu18.04-minimal.qcow2
|
|
guest_hypervisor = kvm
|
|
guest_memory = 512
|
|
guest_qemu_machine = pc-q35-bionic
|
|
|
|
# =====================================
|
|
# Guest details (for OpenWRT with ARM architecture)
|
|
#
|
|
# Used to provide configuration details to save snapshots, identify running guests,
|
|
# and provide other details to Cowrie.
|
|
# =====================================
|
|
#guest_config = wrt_arm_guest.xml
|
|
#guest_tag = wrt
|
|
#guest_ssh_port = 22
|
|
#guest_telnet_port = 23
|
|
|
|
# Configs below are used on default XMLs provided.
|
|
# If you provide your own XML in guest_config you don't need these configs.
|
|
#
|
|
# Guest hypervisor can be qemu or kvm, for example. Recent hardware has KVM,
|
|
# which is more performant than the qemu software-based emulation. Guest arch
|
|
# must match your machine's.
|
|
#
|
|
# Memory size is in MB.
|
|
#
|
|
# Advanced: guest_qemu_machine defines which machine Qemu emulates for your VM
|
|
# If you get a "unsupported machine type" exception when VMs are loading, change
|
|
# it to a compatible machine listed by the command: 'qemu-system-arm -machine help'
|
|
#guest_image_path = /home/cowrie/cowrie-imgs/root.qcow2
|
|
#guest_hypervisor = qemu
|
|
#guest_memory = 256
|
|
#guest_kernel_image = /home/cowrie/cowrie-imgs/zImage
|
|
#guest_qemu_machine = virt-2.9
|
|
|
|
# =====================================
|
|
# Other configs
|
|
# =====================================
|
|
# Use NAT (for remote pool)
|
|
#
|
|
# Guests exist in a local interface created by libvirt; NAT functionality creates a port in the host,
|
|
# exposed to a public interface, and forwards TCP data to and from the libvirt private interface.
|
|
# Cowrie's proxy receives the public information instead of the local IP of guests.
|
|
use_nat = true
|
|
nat_public_ip = 192.168.1.40
|
|
|
|
|
|
# ============================================================================
|
|
# Proxy Options
|
|
# ============================================================================
|
|
[proxy]
|
|
|
|
# type of backend:
|
|
# - simple: backend machine deployed by you (CAREFUL WITH SECURITY ASPECTS!!), specify hosts and ports below
|
|
# - pool: cowrie-managed pool of virtual machines, configure below
|
|
backend = pool
|
|
|
|
# =====================================
|
|
# Simple Backend Configuration
|
|
# =====================================
|
|
backend_ssh_host = localhost
|
|
backend_ssh_port = 2022
|
|
|
|
backend_telnet_host = localhost
|
|
backend_telnet_port = 2023
|
|
|
|
# =====================================
|
|
# Pool Backend Configuration
|
|
# =====================================
|
|
|
|
# generic pool configurable settings
|
|
pool_max_vms = 5
|
|
pool_vm_unused_timeout = 600
|
|
|
|
# allow sharing guests between different attackers if no new VMs are available
|
|
pool_share_guests = true
|
|
|
|
# Where to deploy the backend pool (only if backend = pool)
|
|
# - "local": same machine as the proxy
|
|
# - "remote": set host and port of the pool below
|
|
pool = local
|
|
|
|
# Remote pool configurations (used with pool=remote)
|
|
pool_host = 192.168.1.40
|
|
pool_port = 6415
|
|
|
|
# =====================================
|
|
# Proxy Configurations
|
|
# =====================================
|
|
|
|
# real credentials to log into backend
|
|
backend_user = root
|
|
backend_pass = root
|
|
|
|
# Telnet prompt detection
|
|
#
|
|
# To detect authentication prompts (and spoof auth details to the ones the backend accepts) we need to capture
|
|
# login and password prompts, and spoof data to the backend in order to successfully authenticate. If disabled,
|
|
# attackers can only use the real user credentials of the backend.
|
|
telnet_spoof_authentication = true
|
|
|
|
# These regex were made using Ubuntu 18.04; you have to adapt these for the prompts
|
|
# from your backend. You can enable raw logging above to analyse data passing through
|
|
# and identify the format of the prompts you need.
|
|
# You should generally include ".*" at the beginning and end of prompts, since Telnet messages can contain
|
|
# more data than the prompt.
|
|
|
|
# For login it is usually <hostname> login:
|
|
telnet_username_prompt_regex = (\n|^)ubuntu login: .*
|
|
|
|
# Password prompt is usually only the word Password
|
|
telnet_password_prompt_regex = .*Password: .*
|
|
|
|
# This data is sent by clients at the beginning of negotiation (before the password prompt), and contains the username
|
|
# that is trying to log in. We replace that username with the one in "backend_user" to allow the chance of a successful
|
|
# login after the first password prompt. We are only able to check if credentials are allowed after the password is
|
|
# inserted. If they are, then a correct username was already sent and authentication succeeds; if not, we send a fake
|
|
# password to force authentication to fail.
|
|
telnet_username_in_negotiation_regex = (.*\xff\xfa.*USER\x01)(.*?)(\xff.*)
|
|
|
|
# Other configs #
|
|
# log raw TCP packets in SSh and Telnet
|
|
log_raw = false
|
|
|
|
|
|
# ============================================================================
|
|
# Shell Options
|
|
# Options around Cowrie's Shell Emulation
|
|
# ============================================================================
|
|
|
|
[shell]
|
|
|
|
# File in the Python pickle format containing the virtual filesystem.
|
|
#
|
|
# This includes the filenames, paths, permissions for the Cowrie filesystem,
|
|
# but not the file contents. This is created by the bin/createfs utility from
|
|
# a real template linux installation.
|
|
#
|
|
# (default: fs.pickle)
|
|
filesystem = ${honeypot:share_path}/fs.pickle
|
|
|
|
|
|
# File that contains output for the `ps` command.
|
|
#
|
|
# (default: share/cowrie/cmdoutput.json)
|
|
processes = share/cowrie/cmdoutput.json
|
|
|
|
|
|
# Fake architectures/OS
|
|
# When Cowrie receive a command like /bin/cat XXXX (where XXXX is an executable)
|
|
# it replies with the content of a dummy executable (located in data_path/arch)
|
|
# compiled for an architecture/OS/endian_mode
|
|
# arch can be a comma separated list. When there are multiple elements, a random
|
|
# is chosen at login time.
|
|
# (default: linux-x64-lsb)
|
|
|
|
arch = linux-x64-lsb
|
|
|
|
# Here the list of supported OS-ARCH-ENDIANESS executables
|
|
# bsd-aarch64-lsb: 64-bit LSB ARM aarch64 version 1 (SYSV)
|
|
# bsd-aarch64-msb: 64-bit MSB ARM aarch64 version 1 (SYSV)
|
|
# bsd-bfin-msb: 32-bit MSB Analog Devices Blackfin version 1 (SYSV)
|
|
# bsd-mips64-lsb: 64-bit LSB MIPS MIPS-III version 1 (SYSV)
|
|
# bsd-mips64-msb: 64-bit MSB MIPS MIPS-III version 1 (SYSV)
|
|
# bsd-mips-lsb: 32-bit LSB MIPS MIPS-I version 1 (FreeBSD)
|
|
# bsd-mips-msb: 32-bit MSB MIPS MIPS-I version 1 (FreeBSD)
|
|
# bsd-powepc64-lsb: 64-bit MSB 64-bit PowerPC or cisco 7500 version 1 (FreeBSD)
|
|
# bsd-powepc-msb: 32-bit MSB PowerPC or cisco 4500 version 1 (FreeBSD)
|
|
# bsd-riscv64-lsb: 64-bit LSB UCB RISC-V version 1 (SYSV)
|
|
# bsd-sparc64-msb: 64-bit MSB SPARC V9 relaxed memory ordering version 1 (FreeBSD)
|
|
# bsd-sparc-msb: 32-bit MSB SPARC version 1 (SYSV) statically
|
|
# bsd-x32-lsb: 32-bit LSB Intel 80386 version 1 (FreeBSD)
|
|
# bsd-x64-lsb: 64-bit LSB x86-64 version 1 (FreeBSD)
|
|
# linux-aarch64-lsb: 64-bit LSB ARM aarch64 version 1 (SYSV)
|
|
# linux-aarch64-msb: 64-bit MSB ARM aarch64 version 1 (SYSV)
|
|
# linux-alpha-lsb: 64-bit LSB Alpha (unofficial) version 1 (SYSV)
|
|
# linux-am33-lsb: 32-bit LSB Matsushita MN10300 version 1 (SYSV)
|
|
# linux-arc-lsb: 32-bit LSB ARC Cores Tangent-A5 version 1 (SYSV)
|
|
# linux-arc-msb: 32-bit MSB ARC Cores Tangent-A5 version 1 (SYSV)
|
|
# linux-arm-lsb: 32-bit LSB ARM EABI5 version 1 (SYSV)
|
|
# linux-arm-msb: 32-bit MSB ARM EABI5 version 1 (SYSV)
|
|
# linux-avr32-lsb: 32-bit LSB Atmel AVR 8-bit version 1 (SYSV)
|
|
# linux-bfin-lsb: 32-bit LSB Analog Devices Blackfin version 1 (SYSV)
|
|
# linux-c6x-lsb: 32-bit LSB TI TMS320C6000 DSP family version 1
|
|
# linux-c6x-msb: 32-bit MSB TI TMS320C6000 DSP family version 1
|
|
# linux-cris-lsb: 32-bit LSB Axis cris version 1 (SYSV)
|
|
# linux-frv-msb: 32-bit MSB Cygnus FRV (unofficial) version 1 (SYSV)
|
|
# linux-h8300-msb: 32-bit MSB Renesas H8/300 version 1 (SYSV)
|
|
# linux-hppa64-msb: 64-bit MSB PA-RISC 02.00.00 (LP64) version 1
|
|
# linux-hppa-msb: 32-bit MSB PA-RISC *unknown arch 0xf* version 1 (GNU/Linux)
|
|
# linux-ia64-lsb: 64-bit LSB IA-64 version 1 (SYSV)
|
|
# linux-m32r-msb: 32-bit MSB Renesas M32R version 1 (SYSV)
|
|
# linux-m68k-msb: 32-bit MSB Motorola m68k 68020 version 1 (SYSV)
|
|
# linux-microblaze-msb: 32-bit MSB Xilinx MicroBlaze 32-bit RISC version 1 (SYSV)
|
|
# linux-mips64-lsb: 64-bit LSB MIPS MIPS-III version 1 (SYSV)
|
|
# linux-mips64-msb: 64-bit MSB MIPS MIPS-III version 1 (SYSV)
|
|
# linux-mips-lsb: 32-bit LSB MIPS MIPS-I version 1 (SYSV)
|
|
# linux-mips-msb: 32-bit MSB MIPS MIPS-I version 1 (SYSV)
|
|
# linux-mn10300-lsb: 32-bit LSB Matsushita MN10300 version 1 (SYSV)
|
|
# linux-nios-lsb: 32-bit LSB Altera Nios II version 1 (SYSV)
|
|
# linux-nios-msb: 32-bit MSB Altera Nios II version 1 (SYSV)
|
|
# linux-powerpc64-lsb: 64-bit LSB 64-bit PowerPC or cisco 7500 version 1 (SYSV)
|
|
# linux-powerpc64-msb: 64-bit MSB 64-bit PowerPC or cisco 7500 version 1 (SYSV)
|
|
# linux-powerpc-lsb: 32-bit LSB PowerPC or cisco 4500 version 1 (SYSV)
|
|
# linux-powerpc-msb: 32-bit MSB PowerPC or cisco 4500 version 1 (SYSV)
|
|
# linux-riscv64-lsb: 64-bit LSB UCB RISC-V version 1 (SYSV)
|
|
# linux-s390x-msb: 64-bit MSB IBM S/390 version 1 (SYSV)
|
|
# linux-sh-lsb: 32-bit LSB Renesas SH version 1 (SYSV)
|
|
# linux-sh-msb: 32-bit MSB Renesas SH version 1 (SYSV)
|
|
# linux-sparc64-msb: 64-bit MSB SPARC V9 relaxed memory ordering version 1 (SYSV)
|
|
# linux-sparc-msb: 32-bit MSB SPARC version 1 (SYSV)
|
|
# linux-tilegx64-lsb: 64-bit LSB Tilera TILE-Gx version 1 (SYSV)
|
|
# linux-tilegx64-msb: 64-bit MSB Tilera TILE-Gx version 1 (SYSV)
|
|
# linux-tilegx-lsb: 32-bit LSB Tilera TILE-Gx version 1 (SYSV)
|
|
# linux-tilegx-msb: 32-bit MSB Tilera TILE-Gx version 1 (SYSV)
|
|
# linux-x64-lsb: 64-bit LSB x86-64 version 1 (SYSV)
|
|
# linux-x86-lsb: 32-bit LSB Intel 80386 version 1 (SYSV)
|
|
# linux-xtensa-msb: 32-bit MSB Tensilica Xtensa version 1 (SYSV)
|
|
# osx-x32-lsb: 32-bit LSB Intel 80386
|
|
# osx-x64-lsb: 64-bit LSB x86-64
|
|
|
|
# arch = bsd-aarch64-lsb, bsd-aarch64-msb, bsd-bfin-msb, bsd-mips-lsb, bsd-mips-msb, bsd-mips64-lsb, bsd-mips64-msb, bsd-powepc-msb, bsd-powepc64-lsb, bsd-riscv64-lsb, bsd-sparc-msb, bsd-sparc64-msb, bsd-x32-lsb, bsd-x64-lsb, linux-aarch64-lsb, linux-aarch64-msb, linux-alpha-lsb, linux-am33-lsb, linux-arc-lsb, linux-arc-msb, linux-arm-lsb, linux-arm-msb, linux-avr32-lsb, linux-bfin-lsb, linux-c6x-lsb, linux-c6x-msb, linux-cris-lsb, linux-frv-msb, linux-h8300-msb, linux-hppa-msb, linux-hppa64-msb, linux-ia64-lsb, linux-m32r-msb, linux-m68k-msb, linux-microblaze-msb, linux-mips-lsb, linux-mips-msb, linux-mips64-lsb, linux-mips64-msb, linux-mn10300-lsb, linux-nios-lsb, linux-nios-msb, linux-powerpc-lsb, linux-powerpc-msb, linux-powerpc64-lsb, linux-powerpc64-msb, linux-riscv64-lsb, linux-s390x-msb, linux-sh-lsb, linux-sh-msb, linux-sparc-msb, linux-sparc64-msb, linux-tilegx-lsb, linux-tilegx-msb, linux-tilegx64-lsb, linux-tilegx64-msb, linux-x64-lsb, linux-x86-lsb, linux-xtensa-msb, osx-x32-lsb, osx-x64-lsb
|
|
|
|
# Modify the response of '/bin/uname'
|
|
# Default (uname -a): Linux <hostname> <kernel_version> <kernel_build_string> <hardware_platform> <operating system>
|
|
kernel_version = 3.2.0-4-amd64
|
|
kernel_build_string = #1 SMP Debian 3.2.68-1+deb7u1
|
|
hardware_platform = x86_64
|
|
operating_system = GNU/Linux
|
|
|
|
# SSH Version as printed by "ssh -V" in shell emulation
|
|
ssh_version = OpenSSH_7.9p1, OpenSSL 1.1.1a 20 Nov 2018
|
|
|
|
|
|
# ============================================================================
|
|
# SSH Specific Options
|
|
# ============================================================================
|
|
[ssh]
|
|
|
|
# Enable SSH support
|
|
# (default: true)
|
|
enabled = true
|
|
|
|
|
|
# Public and private SSH key files. If these don't exist, they are created
|
|
# automatically.
|
|
rsa_public_key = ${honeypot:state_path}/ssh_host_rsa_key.pub
|
|
rsa_private_key = ${honeypot:state_path}/ssh_host_rsa_key
|
|
dsa_public_key = ${honeypot:state_path}/ssh_host_dsa_key.pub
|
|
dsa_private_key = ${honeypot:state_path}/ssh_host_dsa_key
|
|
ecdsa_public_key = ${honeypot:state_path}/ssh_host_ecdsa_key.pub
|
|
ecdsa_private_key = ${honeypot:state_path}/ssh_host_ecdsa_key
|
|
ed25519_public_key = ${honeypot:state_path}/ssh_host_ed25519_key.pub
|
|
ed25519_private_key = ${honeypot:state_path}/ssh_host_ed25519_key
|
|
|
|
# Public keys supported are: ssh-rsa, ssh-dss, ecdsa-sha2-nistp256, ssh-ed25519
|
|
public_key_auth = ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
|
|
|
|
# SSH version string as present to the client.
|
|
#
|
|
# Version string MUST start with SSH-2.0- or SSH-1.99-
|
|
#
|
|
# Use these to disguise your honeypot from a simple SSH version scan
|
|
# Examples:
|
|
# SSH-2.0-OpenSSH_5.1p1 Debian-5
|
|
# SSH-1.99-OpenSSH_4.3
|
|
# SSH-1.99-OpenSSH_4.7
|
|
# SSH-1.99-Sun_SSH_1.1
|
|
# SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1
|
|
# SSH-2.0-OpenSSH_4.3
|
|
# SSH-2.0-OpenSSH_4.6
|
|
# SSH-2.0-OpenSSH_5.1p1 Debian-5
|
|
# SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
|
|
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
|
|
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
|
|
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
|
|
# SSH-2.0-OpenSSH_5.5p1 Debian-6
|
|
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1
|
|
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
|
|
# SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
|
|
# SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
|
|
# SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
|
|
# SSH-2.0-OpenSSH_5.9
|
|
#
|
|
# (default: "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2")
|
|
version = SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
|
|
|
|
# Cipher encryption algorithms to be used.
|
|
#
|
|
# MUST be supplied as a comma-separated string without
|
|
# any spaces or newlines.
|
|
#
|
|
# Use ciphers to limit to more secure algorithms only
|
|
# any spaces.
|
|
# Supported ciphers:
|
|
#
|
|
# aes128-ctr
|
|
# aes192-ctr
|
|
# aes256-ctr
|
|
# aes256-cbc
|
|
# aes192-cbc
|
|
# aes128-cbc
|
|
# 3des-cbc
|
|
# blowfish-cbc
|
|
# cast128-cbc
|
|
ciphers = aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc
|
|
|
|
|
|
# MAC Algorithm to be used.
|
|
#
|
|
# MUST be supplied as a comma-separated string without
|
|
# any spaces or newlines.
|
|
#
|
|
# hmac-sha1 and hmac-md5 are considered insecure now, and
|
|
# instead MACs with higher number of bits should be used.
|
|
#
|
|
# Supported HMACs:
|
|
# hmac-sha2-512
|
|
# hmac-sha2-384
|
|
# hmac-sha2-256
|
|
# hmac-sha1
|
|
# hmac-md5
|
|
macs = hmac-sha2-512,hmac-sha2-384,hmac-sha2-256,hmac-sha1,hmac-md5
|
|
|
|
|
|
# Compression Method to be used.
|
|
#
|
|
# MUST be supplied as a comma-separated string without
|
|
# any spaces or newlines.
|
|
#
|
|
# Supported Compression Methods:
|
|
# zlib@openssh.com
|
|
# zlib
|
|
# none
|
|
compression = zlib@openssh.com,zlib,none
|
|
|
|
# Endpoint to listen on for incoming SSH connections.
|
|
# See https://twistedmatrix.com/documents/current/core/howto/endpoints.html#servers
|
|
# (default: listen_endpoints = tcp:2222:interface=0.0.0.0)
|
|
# (use systemd: endpoint for systemd activation)
|
|
# listen_endpoints = systemd:domain=INET:index=0
|
|
# For both IPv4 and IPv6: listen_endpoints = tcp6:2222:interface=\:\:
|
|
# Listening on multiple endpoints is supported with a single space seperator
|
|
# e.g listen_endpoints = "tcp:2222:interface=0.0.0.0 tcp:1022:interface=0.0.0.0" will result listening both on ports 2222 and 1022
|
|
# use authbind for port numbers under 1024
|
|
|
|
listen_endpoints = tcp:2222:interface=0.0.0.0
|
|
|
|
# Enable the SFTP subsystem
|
|
# (default: true)
|
|
sftp_enabled = true
|
|
|
|
|
|
# Enable SSH direct-tcpip forwarding
|
|
# (default: true)
|
|
forwarding = true
|
|
|
|
|
|
# This enables redirecting forwarding requests to another address
|
|
# Useful for forwarding protocols to other honeypots
|
|
# (default: false)
|
|
forward_redirect = false
|
|
|
|
|
|
# Configure where to forward the data to.
|
|
# forward_redirect_<portnumber> = <redirect ip>:<redirect port>
|
|
|
|
# Redirect http/https
|
|
# forward_redirect_80 = 127.0.0.1:8000
|
|
# forward_redirect_443 = 127.0.0.1:8443
|
|
|
|
# To record SMTP traffic, install an SMTP honeypoint.
|
|
# (e.g https://github.com/awhitehatter/mailoney), run
|
|
# python mailoney.py -s yahoo.com -t schizo_open_relay -p 12525
|
|
# forward_redirect_25 = 127.0.0.1:12525
|
|
# forward_redirect_587 = 127.0.0.1:12525
|
|
|
|
|
|
# This enables tunneling forwarding requests to another address
|
|
# Useful for forwarding protocols to a proxy like Squid
|
|
# (default: false)
|
|
forward_tunnel = false
|
|
|
|
|
|
# Configure where to tunnel the data to.
|
|
# forward_tunnel_<portnumber> = <tunnel ip>:<tunnel port>
|
|
|
|
# Tunnel http/https
|
|
# forward_tunnel_80 = 127.0.0.1:3128
|
|
# forward_tunnel_443 = 127.0.0.1:3128
|
|
|
|
|
|
# No authentication checking at all
|
|
# enabling 'auth_none' will enable the ssh2 'auth_none' authentication method
|
|
# this allows the requested user in without any verification at all
|
|
#
|
|
# (default: false)
|
|
#auth_none_enabled = false
|
|
|
|
|
|
# Configure keyboard-interactive login
|
|
auth_keyboard_interactive_enabled = false
|
|
|
|
# ============================================================================
|
|
# Telnet Specific Options
|
|
# ============================================================================
|
|
[telnet]
|
|
|
|
# Enable Telnet support, disabled by default
|
|
enabled = true
|
|
|
|
# Endpoint to listen on for incoming Telnet connections.
|
|
# See https://twistedmatrix.com/documents/current/core/howto/endpoints.html#servers
|
|
# (default: listen_endpoints = tcp:2223:interface=0.0.0.0)
|
|
# (use systemd: endpoint for systemd activation)
|
|
# listen_endpoints = systemd:domain=INET:index=0
|
|
# For IPv4 and IPv6: listen_endpoints = tcp6:2223:interface=\:\: tcp:2223:interface=0.0.0.0
|
|
# Listening on multiple endpoints is supported with a single space seperator
|
|
# e.g "listen_endpoints = tcp:2223:interface=0.0.0.0 tcp:2323:interface=0.0.0.0" will result listening both on ports 2223 and 2323
|
|
# use authbind for port numbers under 1024
|
|
|
|
listen_endpoints = tcp:2223:interface=0.0.0.0
|
|
|
|
|
|
# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie)
|
|
#reported_port = 23
|
|
|
|
|
|
|
|
# ============================================================================
|
|
# Database logging Specific Options
|
|
# ============================================================================
|
|
|
|
# XMPP Logging
|
|
# Log to an xmpp server.
|
|
#
|
|
#[database_xmpp]
|
|
#server = sensors.carnivore.it
|
|
#user = anonymous@sensors.carnivore.it
|
|
#password = anonymous
|
|
#muc = dionaea.sensors.carnivore.it
|
|
#signal_createsession = cowrie-events
|
|
#signal_connectionlost = cowrie-events
|
|
#signal_loginfailed = cowrie-events
|
|
#signal_loginsucceeded = cowrie-events
|
|
#signal_command = cowrie-events
|
|
#signal_clientversion = cowrie-events
|
|
#debug=true
|
|
|
|
|
|
|
|
|
|
# ============================================================================
|
|
# Output Plugins
|
|
# These provide an extensible mechanism to send audit log entries to third
|
|
# parties. The audit entries contain information on clients connecting to
|
|
# the honeypot.
|
|
#
|
|
# Output entries need to start with 'output_' and have the 'enabled' entry.
|
|
# ============================================================================
|
|
|
|
[output_xmpp]
|
|
enabled=false
|
|
server = conference.cowrie.local
|
|
user = cowrie@cowrie.local
|
|
password = cowrie
|
|
muc = hacker_room
|
|
|
|
# JSON based logging module
|
|
#
|
|
[output_jsonlog]
|
|
enabled = true
|
|
logfile = ${honeypot:log_path}/cowrie.json
|
|
epoch_timestamp = false
|
|
|
|
# Supports logging to Elasticsearch
|
|
# This is a simple early release
|
|
#
|
|
[output_elasticsearch]
|
|
enabled = false
|
|
host = localhost
|
|
port = 9200
|
|
index = cowrie
|
|
# type has been deprecated since ES 6.0.0
|
|
# use _doc which is the default type. See
|
|
# https://stackoverflow.com/a/53688626 for
|
|
# more information
|
|
#type = _doc
|
|
# set pipeline = geoip to map src_ip to
|
|
# geo location data. You can use a custom
|
|
# pipeline but you must ensure it exists
|
|
# in elasticsearch.
|
|
#pipeline = geoip
|
|
#
|
|
# Authentication. When x-pack.security is enabled
|
|
# in ES, default users have been created and requests
|
|
# must be authenticated.
|
|
#
|
|
# Credentials
|
|
#username = elastic
|
|
#password =
|
|
#
|
|
# TLS encryption. Communications between the client (cowrie)
|
|
# and the ES server should naturally be protected by encryption
|
|
# if requests are authenticated (to prevent from man-in-the-middle
|
|
# attacks). The following options are then paramount
|
|
# if username and password are provided.
|
|
#
|
|
# use ssl/tls
|
|
#ssl = true
|
|
# Path to trusted CA certs on disk
|
|
#ca_certs = /cowrie/cowrie-git/etc/elastic_ca.crt
|
|
# verify SSL certificates
|
|
#verify_certs = true
|
|
|
|
# Send login attemp information to SANS DShield
|
|
# See https://isc.sans.edu/ssh.html
|
|
# You must signup for an api key.
|
|
# Once registered, find your details at: https://isc.sans.edu/myaccount.html
|
|
#
|
|
[output_dshield]
|
|
enabled = false
|
|
userid = userid_here
|
|
auth_key = auth_key_here
|
|
batch_size = 100
|
|
#
|
|
# Graylog logging module for GELF http input
|
|
[output_graylog]
|
|
enabled = false
|
|
url = http://graylog.example.com:122011/gelf
|
|
#
|
|
# Local Syslog output module
|
|
#
|
|
# This sends log messages to the local syslog daemon.
|
|
# Facility can be:
|
|
# KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, SYSLOG and LOCAL0 to LOCAL7.
|
|
#
|
|
# Format can be:
|
|
# text, cef
|
|
#
|
|
[output_localsyslog]
|
|
enabled = false
|
|
facility = USER
|
|
format = text
|
|
|
|
|
|
# Text output
|
|
# This writes audit log entries to a text file
|
|
#
|
|
# Format can be:
|
|
# text, cef
|
|
#
|
|
[output_textlog]
|
|
enabled = false
|
|
logfile = ${honeypot:log_path}/audit.log
|
|
format = text
|
|
|
|
|
|
# MySQL logging module
|
|
# Database structure for this module is supplied in docs/sql/mysql.sql
|
|
#
|
|
# MySQL logging requires extra software: sudo apt-get install libmysqlclient-dev
|
|
# MySQL logging requires an extra Python module: pip install mysql-python
|
|
#
|
|
[output_mysql]
|
|
enabled = false
|
|
host = localhost
|
|
database = cowrie
|
|
username = cowrie
|
|
password = secret
|
|
port = 3306
|
|
debug = false
|
|
|
|
# Rethinkdb output module
|
|
# Rethinkdb output module requires extra Python module: pip install rethinkdb
|
|
|
|
[output_rethinkdblog]
|
|
enabled = false
|
|
host = 127.0.0.1
|
|
port = 28015
|
|
table = output
|
|
password =
|
|
db = cowrie
|
|
|
|
# SQLite3 logging module
|
|
#
|
|
# Logging to SQLite3 database. To init the database, use the script
|
|
# docs/sql/sqlite3.sql:
|
|
# sqlite3 <db_file> < docs/sql/sqlite3.sql
|
|
#
|
|
[output_sqlite]
|
|
enabled = false
|
|
db_file = cowrie.db
|
|
|
|
# MongoDB logging module
|
|
#
|
|
# MongoDB logging requires an extra Python module: pip install pymongo
|
|
#
|
|
[output_mongodb]
|
|
enabled = false
|
|
connection_string = mongodb://username:password@host:port/database
|
|
database = dbname
|
|
|
|
|
|
# Splunk HTTP Event Collector (HEC) output module
|
|
# sends JSON directly to Splunk over HTTP or HTTPS
|
|
# Use 'https' if your HEC is encrypted, else 'http'
|
|
# mandatory fields: url, token
|
|
# optional fields: index, source, sourcetype, host
|
|
#
|
|
[output_splunk]
|
|
enabled = false
|
|
url = https://localhost:8088/services/collector/event
|
|
token = 6A0EA6C6-8006-4E39-FC44-C35FF6E561A8
|
|
index = cowrie
|
|
sourcetype = cowrie
|
|
source = cowrie
|
|
|
|
|
|
# HPFeeds3
|
|
# Python3 implementation of HPFeeds
|
|
[output_hpfeeds3]
|
|
enabled = false
|
|
server = hpfeeds.mysite.org
|
|
port = 10000
|
|
identifier = abc123
|
|
secret = secret
|
|
debug=false
|
|
|
|
|
|
# VirusTotal output module
|
|
# You must signup for an api key.
|
|
#
|
|
[output_virustotal]
|
|
enabled = false
|
|
api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
|
|
upload = True
|
|
debug = False
|
|
scan_file = True
|
|
scan_url = False
|
|
|
|
|
|
# Cuckoo output module
|
|
[output_cuckoo]
|
|
enabled = false
|
|
# no slash at the end
|
|
url_base = http://127.0.0.1:8090
|
|
user = user
|
|
passwd = passwd
|
|
# force will upload duplicated files to cuckoo
|
|
force = 0
|
|
|
|
# upload to MalShare
|
|
# Register at https://malshare.com/register.php to get your API key
|
|
[output_malshare]
|
|
api_key = 130928309823098
|
|
enabled = false
|
|
|
|
# This will produce a _lot_ of messages - you have been warned....
|
|
[output_slack]
|
|
enabled = false
|
|
channel = channel_that_events_should_be_posted_in
|
|
token = slack_token_for_your_bot
|
|
debug = false
|
|
|
|
|
|
# https://csirtg.io
|
|
# You must signup for an api key.
|
|
#
|
|
[output_csirtg]
|
|
enabled = false
|
|
username = wes
|
|
feed = scanners
|
|
description = random scanning activity
|
|
token = a1b2c3d4
|
|
debug = false
|
|
|
|
|
|
[output_socketlog]
|
|
enabled = false
|
|
address = 127.0.0.1:9000
|
|
timeout = 5
|
|
|
|
# Upload files that cowrie has captured to an S3 (or compatible bucket)
|
|
# Files are stored with a name that is the SHA of their contents
|
|
#
|
|
[output_s3]
|
|
enabled = false
|
|
#
|
|
# The AWS credentials to use.
|
|
# Leave these blank to use botocore's credential discovery e.g .aws/config or ENV variables.
|
|
# As per https://github.com/boto/botocore/blob/develop/botocore/credentials.py#L50-L65
|
|
access_key_id = AKIDEXAMPLE
|
|
secret_access_key = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY
|
|
#
|
|
# The bucket to store the files in. The bucket must already exist.
|
|
bucket = my-cowrie-bucket
|
|
#
|
|
# The region the bucket is in
|
|
region = eu-west-1
|
|
#
|
|
# An alternate endpoint URL. If you self host a pithos instance you can set
|
|
# this to its URL (e.g. https://s3.mydomain.com) - can otherwise be blank
|
|
#endpoint =
|
|
#
|
|
# Whether or not to validate the S3 certificate. Set this to 'no' to turn this
|
|
# off. Do not do this for real AWS. It's only needed for self-hosted S3 clone
|
|
# where you don't yet have real certificates.
|
|
#verify = no
|
|
|
|
[output_influx]
|
|
enabled = false
|
|
host = 127.0.0.1
|
|
port = 8086
|
|
database_name = cowrie
|
|
retention_policy_duration = 12w
|
|
|
|
[output_kafka]
|
|
enabled = false
|
|
host = 127.0.0.1
|
|
port = 9092
|
|
topic = cowrie
|
|
|
|
|
|
[output_redis]
|
|
enabled = false
|
|
host = 127.0.0.1
|
|
port = 6379
|
|
# DB of the redis server. Defaults to 0
|
|
db = 0
|
|
# Password of the redis server. Defaults to None
|
|
# password = secret
|
|
# Name of the list to push to or the channel to publish to. Required
|
|
keyname = cowrie
|
|
# Method to use when sending data to redis.
|
|
# Can be one of [lpush, rpush, publish]. Defaults to lpush
|
|
send_method = lpush
|
|
|
|
|
|
# Perform Reverse DNS lookup
|
|
[output_reversedns]
|
|
enabled = false
|
|
# Timeout in seconds
|
|
timeout = 3
|
|
|
|
[output_greynoise]
|
|
enabled = false
|
|
debug = false
|
|
# Name of the tags separated by comma, for which the IP has to be scanned for.
|
|
# Example "SHODAN,JBOSS_WORM,CPANEL_SCANNER_LOW"
|
|
# If there isn't any specific tag then just leave it "all"
|
|
tags = all
|
|
# It's optional to have API key, so if you don't want to but
|
|
# API key then leave this option commented
|
|
#api_key = 1234567890
|
|
|
|
# Upload all files to a MISP instance of your liking.
|
|
# The API key can be found under Event Actions -> Automation
|
|
[output_misp]
|
|
enabled = false
|
|
base_url = https://misp.somedomain.com
|
|
api_key = secret_key
|
|
verify_cert = true
|
|
publish_event = true
|
|
debug = false
|
|
|
|
# Send message using Telegram bot
|
|
# 1. Create a bot following https://core.telegram.org/bots#6-botfather to get token.
|
|
# 2. Send message to your bot, then use https://api.telegram.org/bot{bot_token}/getUpdates to find chat_id.
|
|
# N.b. bot will only send messages on cowrie.login.success, cowrie.command.input/.failed, and
|
|
# cowrie.session.file_download, to prevent spam.
|
|
[output_telegram]
|
|
enabled = false
|
|
bot_token = 123456789:AbCDEfGhiJkLmnOpQRstUVWxYZ
|
|
chat_id = 987654321
|
|
|
|
# The crashreporter sends data on Python exceptions to api.cowrie.org
|
|
# To disable set `enabled = false` in cowrie.cfg
|
|
[output_crashreporter]
|
|
enabled = false
|
|
debug = false
|
|
|
|
# Reports login attempts to AbuseIPDB. A short guide is in the original
|
|
# pull request on GitHub: https://github.com/cowrie/cowrie/pull/1346
|
|
[output_abuseipdb]
|
|
enabled = false
|
|
#api_key =
|
|
#rereport_after = 24
|
|
#tolerance_window is in minutes
|
|
#tolerance_window = 120
|
|
#tolerance_attempts = 10
|
|
# WARNING: A binary file is read from this directory on start-up. Do not
|
|
# change unless you understand the security implications!
|
|
#dump_path = ${honeypot:state_path}/abuseipdb
|
|
|
|
# Report login and session tracking attempts via the ThreatJammer.com Report API.
|
|
# ThreatJammer.com is a risk assessment tool <https://threatjammer.com>
|
|
# Read the docs for more information: https://cowrie.readthedocs.io/en/latest/threatjammer/README.html
|
|
[output_threatjammer]
|
|
enabled = false
|
|
bearer_token = THREATJAMMER_API_TOKEN
|
|
#api_url=https://dublin.report.threatjammer.com/v1/ip
|
|
#track_login = true
|
|
#track_session = false
|
|
#ttl = 86400
|
|
#category = ABUSE
|
|
#tags = COWRIE,LOGIN,SESSION
|
|
|
|
# Send output to a Discord webhook
|
|
[output_discord]
|
|
enabled = false
|
|
url = https://discord.com/api/webhooks/id/token
|
|
|
|
# Datadog output module
|
|
# sends JSON directly to Datadog
|
|
# mandatory field: api_key
|
|
# optional fields (fallback configured in module): ddsource, ddtags, service
|
|
# For more information on fields https://docs.datadoghq.com/api/latest/logs/#send-logs
|
|
[output_datadog]
|
|
enabled = false
|
|
url = https://http-intake.logs.datadoghq.com/api/v2/logs
|
|
api_key = abcdef1234567890fedcba0987654321
|
|
ddsource = cowrie
|
|
ddtags = env:dev
|
|
service = honeypot
|