diff --git a/cowrie/arm/Dockerfile b/cowrie/arm/Dockerfile
deleted file mode 100644
index 158b06a..0000000
--- a/cowrie/arm/Dockerfile
+++ /dev/null
@@ -1,94 +0,0 @@
-# This Dockerfile contains two images, `builder` and `runtime`.
-# `builder` contains all necessary code to build
-# `runtime` is stripped down.
-
-FROM arm32v7/debian:buster-slim as builder
-LABEL maintainer="Michel Oosterhof "
-
-WORKDIR /
-
-ENV COWRIE_GROUP=cowrie \
- COWRIE_USER=cowrie \
- COWRIE_HOME=/cowrie
-
-# Set locale to UTF-8, otherwise upstream libraries have bytes/string conversion issues
-ENV LC_ALL=en_US.UTF-8 \
- LANG=en_US.UTF-8 \
- LANGUAGE=en_US.UTF-8
-
-RUN groupadd -r -g 1000 ${COWRIE_GROUP} && \
- useradd -r -u 1000 -d ${COWRIE_HOME} -m -g ${COWRIE_GROUP} ${COWRIE_USER}
-
-# Set up Debian prereqs
-RUN export DEBIAN_FRONTEND=noninteractive; \
- apt-get update && \
- apt-get install -y \
- -o APT::Install-Suggests=false \
- -o APT::Install-Recommends=false \
- python3-pip \
- libssl-dev \
- libffi-dev \
- python3-dev \
- python3-venv \
- python3 \
- gcc \
- git \
- build-essential \
- python3-virtualenv \
- libsnappy-dev \
- default-libmysqlclient-dev && \
- rm -rf /var/lib/apt/lists/*
-
-# Build a cowrie environment from github master HEAD.
-
-USER ${COWRIE_USER}
-
-RUN git clone --separate-git-dir=/tmp/cowrie.git https://github.com/cowrie/cowrie ${COWRIE_HOME}/cowrie-git && \
- cd ${COWRIE_HOME} && \
- python3 -m venv cowrie-env && \
- . 
cowrie-env/bin/activate && \
- pip install --no-cache-dir --upgrade pip && \
- pip install --no-cache-dir --upgrade cffi && \
- pip install --no-cache-dir --upgrade setuptools && \
- pip install --no-cache-dir --upgrade -r ${COWRIE_HOME}/cowrie-git/requirements.txt && \
- pip install --no-cache-dir --upgrade -r ${COWRIE_HOME}/cowrie-git/requirements-output.txt
-
-FROM arm32v7/debian:buster-slim AS runtime
-LABEL maintainer="Michel Oosterhof "
-
-ENV COWRIE_GROUP=cowrie \
- COWRIE_USER=cowrie \
- COWRIE_HOME=/cowrie
-
-RUN groupadd -r -g 1000 ${COWRIE_GROUP} && \
- useradd -r -u 1000 -d ${COWRIE_HOME} -m -g ${COWRIE_GROUP} ${COWRIE_USER}
-
-RUN export DEBIAN_FRONTEND=noninteractive; \
- apt-get update && \
- apt-get install -y \
- -o APT::Install-Suggests=false \
- -o APT::Install-Recommends=false \
- libssl1.1 \
- libffi6 \
- procps \
- python3 && \
- rm -rf /var/lib/apt/lists/* && \
- ln -s /usr/bin/python3 /usr/local/bin/python
-
-COPY --from=builder ${COWRIE_HOME} ${COWRIE_HOME}
-RUN chown -R ${COWRIE_USER}:${COWRIE_GROUP} ${COWRIE_HOME}
-
-ENV PATH=${COWRIE_HOME}/cowrie-git/bin:${PATH}
-ENV STDOUT=yes
-
-USER ${COWRIE_USER}
-WORKDIR ${COWRIE_HOME}/cowrie-git
-
-# preserve .dist file when etc/ volume is mounted
-RUN cp ${COWRIE_HOME}/cowrie-git/etc/cowrie.cfg.dist ${COWRIE_HOME}/cowrie-git
-VOLUME [ "/cowrie/cowrie-git/var", "/cowrie/cowrie-git/etc" ]
-RUN mv ${COWRIE_HOME}/cowrie-git/cowrie.cfg.dist ${COWRIE_HOME}/cowrie-git/etc
-
-ENTRYPOINT [ "cowrie" ]
-CMD [ "start", "-n" ]
-EXPOSE 2222 2223
diff --git a/cowrie/arm/docker-compose.yml b/cowrie/arm/docker-compose.yml
deleted file mode 100644
index 454b937..0000000
--- a/cowrie/arm/docker-compose.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-version: "3.8"
-
-services:
- cowrie:
- image: easypi/cowrie-arm
- ports:
- - "2222:2222"
- - "2223:2223"
- volumes:
- - cowrie-etc:/cowrie/cowrie-git/etc
- - cowrie-var:/cowrie/cowrie-git/var
- restart: unless-stopped
-
-volumes:
- cowrie-etc:
- cowrie-var: 
diff --git a/cowrie/data/etc/cowrie.cfg b/cowrie/data/etc/cowrie.cfg index 0026e34..c609d19 100644 --- a/cowrie/data/etc/cowrie.cfg +++ b/cowrie/data/etc/cowrie.cfg @@ -105,8 +105,8 @@ ttylog_path = ${honeypot:state_path}/tty interactive_timeout = 180 # Authentication Timeout -# The server disconnects after this time if the user has not successfully logged in. If the value is 0, -# there is no time limit. The default is 120 seconds. +# The server disconnects after this time if the user has not successfully logged in. +# The default is 120 seconds. authentication_timeout = 120 # EXPERIMENTAL: back-end to user for Cowrie, options: proxy or shell @@ -157,11 +157,6 @@ timezone = UTC #internet_facing_ip = 9.9.9.9 -# Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1) -# IP address is obtained by querying http://myip.threatstream.com -#report_public_ip = true - - # ============================================================================ # Authentication Specific Options @@ -188,15 +183,6 @@ auth_class = UserDB #auth_class_parameters = 2, 5, 10 -# ============================================================================ -# Historical SSH Specific Options -# historical options in [honeypot] that have not yet been moved to [ssh] -# ============================================================================ - -# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie) -#reported_ssh_port = 22 - - [backend_pool] # ============================================================================ # Backend Pool Configurations 
@@ -500,7 +486,13 @@ rsa_public_key = ${honeypot:state_path}/ssh_host_rsa_key.pub rsa_private_key = ${honeypot:state_path}/ssh_host_rsa_key dsa_public_key = ${honeypot:state_path}/ssh_host_dsa_key.pub dsa_private_key = ${honeypot:state_path}/ssh_host_dsa_key +ecdsa_public_key = ${honeypot:state_path}/ssh_host_ecdsa_key.pub +ecdsa_private_key = ${honeypot:state_path}/ssh_host_ecdsa_key +ed25519_public_key = ${honeypot:state_path}/ssh_host_ed25519_key.pub +ed25519_private_key = ${honeypot:state_path}/ssh_host_ed25519_key +# Public keys supported are: ssh-rsa, ssh-dss, ecdsa-sha2-nistp256, ssh-ed25519 +public_key_auth = ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 # SSH version string as present to the client. # @@ -566,7 +558,7 @@ ciphers = aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des # hmac-sha2-256 # hmac-sha1 # hmac-md5 -macs = hmac-sha2-512,hmac-sha2-384,hmac-sha2-56,hmac-sha1,hmac-md5 +macs = hmac-sha2-512,hmac-sha2-384,hmac-sha2-256,hmac-sha1,hmac-md5 # Compression Method to be used. @@ -705,12 +697,12 @@ listen_endpoints = tcp:2223:interface=0.0.0.0 # Output entries need to start with 'output_' and have the 'enabled' entry. # ============================================================================ -#[output_xmpp] -#enabled=true -#server = conference.cowrie.local -#user = cowrie@cowrie.local -#password = cowrie -#muc = hacker_room +[output_xmpp] +enabled=false +server = conference.cowrie.local +user = cowrie@cowrie.local +password = cowrie +muc = hacker_room # JSON based logging module # @@ -722,11 +714,11 @@ epoch_timestamp = false # Supports logging to Elasticsearch # This is a simple early release # -#[output_elasticsearch] -#enabled = false -#host = localhost -#port = 9200 -#index = cowrie +[output_elasticsearch] +enabled = false +host = localhost +port = 9200 +index = cowrie # type has been deprecated since ES 6.0.0 # use _doc which is the default type. See # https://stackoverflow.com/a/53688626 for 
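Review bot: In the `[output_xmpp]` hunk the section stops being a commented-out template and becomes live configuration, so `password = cowrie` is now the value the module will actually use; the same promotion of placeholder credentials happens in `[output_elasticsearch]` in the next hunk and, later in this file, in the dshield, mysql, splunk, hpfeeds3, virustotal, malshare, slack, csirtg, s3, misp, telegram, discord, threatjammer and datadog sections. With `enabled = false` nothing is sent, but a user who flips only the `enabled` line now transmits the dummy secret unchanged, and the committed cowrie.cfg carries strings that credential scanners will flag. Keeping the `enabled = false` line live while leaving the value lines commented, e.g. `#password = cowrie`, keeps the section discoverable without making the placeholder effective. The hmac typo fix in the `@@ -566` hunk is correct as committed.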
@@ -744,11 +736,11 @@ epoch_timestamp = false # # Credentials #username = elastic -#password = +#password = # -# TLS encryption. Communications between the client (cowrie) +# TLS encryption. Communications between the client (cowrie) # and the ES server should naturally be protected by encryption -# if requests are authenticated (to prevent from man-in-the-middle +# if requests are authenticated (to prevent from man-in-the-middle # attacks). The following options are then paramount # if username and password are provided. # @@ -764,13 +756,17 @@ epoch_timestamp = false # You must signup for an api key. # Once registered, find your details at: https://isc.sans.edu/myaccount.html # -#[output_dshield] -#userid = userid_here -#auth_key = auth_key_here -#batch_size = 100 -#enabled = false - - +[output_dshield] +enabled = false +userid = userid_here +auth_key = auth_key_here +batch_size = 100 +# +# Graylog logging module for GELF http input +[output_graylog] +enabled = false +url = http://graylog.example.com:122011/gelf +# # Local Syslog output module # # This sends log messages to the local syslog daemon. @@ -780,10 +776,10 @@ epoch_timestamp = false # Format can be: # text, cef # -#[output_localsyslog] -#enabled = false -#facility = USER -#format = text +[output_localsyslog] +enabled = false +facility = USER +format = text # Text output @@ -792,10 +788,10 @@ epoch_timestamp = false # Format can be: # text, cef # -#[output_textlog] -#enabled = false -#logfile = ${honeypot:log_path}/audit.log -#format = text +[output_textlog] +enabled = false +logfile = ${honeypot:log_path}/audit.log +format = text # MySQL logging module 
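Review bot: The new `[output_graylog]` section has an out-of-range port in `url = http://graylog.example.com:122011/gelf`; TCP ports end at 65535, so anyone who enables the module and only swaps the hostname gets a connection failure rather than log delivery. If the intent is the GELF HTTP default the line should read `url = http://graylog.example.com:12201/gelf`; in any case the placeholder should be a reachable port so the example is copy-safe. The new `# Graylog logging module for GELF http input` comment would also benefit from naming the required input type on the Graylog side, since the endpoint path alone does not say it.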
@@ -804,25 +800,25 @@ epoch_timestamp = false # MySQL logging requires extra software: sudo apt-get install libmysqlclient-dev # MySQL logging requires an extra Python module: pip install mysql-python # -#[output_mysql] -#enabled = false -#host = localhost -#database = cowrie -#username = cowrie -#password = secret -#port = 3306 -#debug = false +[output_mysql] +enabled = false +host = localhost +database = cowrie +username = cowrie +password = secret +port = 3306 +debug = false # Rethinkdb output module # Rethinkdb output module requires extra Python module: pip install rethinkdb -#[output_rethinkdblog] -#enabled = false -#host = 127.0.0.1 -#port = 28015 -#table = output -#password = -#db = cowrie +[output_rethinkdblog] +enabled = false +host = 127.0.0.1 +port = 28015 +table = output +password = +db = cowrie # SQLite3 logging module # @@ -830,18 +826,18 @@ epoch_timestamp = false # docs/sql/sqlite3.sql: # sqlite3 < docs/sql/sqlite3.sql # -#[output_sqlite] -#enabled = false -#db_file = cowrie.db +[output_sqlite] +enabled = false +db_file = cowrie.db # MongoDB logging module # # MongoDB logging requires an extra Python module: pip install pymongo # -#[output_mongodb] -#enabled = false -#connection_string = mongodb://username:password@host:port/database -#database = dbname +[output_mongodb] +enabled = false +connection_string = mongodb://username:password@host:port/database +database = dbname # Splunk HTTP Event Collector (HEC) output module 
@@ -850,103 +846,96 @@ epoch_timestamp = false # mandatory fields: url, token # optional fields: index, source, sourcetype, host # -#[output_splunk] -#enabled = false -#url = https://localhost:8088/services/collector/event -#token = 6A0EA6C6-8006-4E39-FC44-C35FF6E561A8 -#index = cowrie -#sourcetype = cowrie -#source = cowrie - - -# HPFeeds -# -#[output_hpfeeds3] -#enabled = false -#server = hpfeeds.mysite.org -#port = 10000 -#identifier = abc123 -#secret = secret -#debug = false +[output_splunk] +enabled = false +url = https://localhost:8088/services/collector/event +token = 6A0EA6C6-8006-4E39-FC44-C35FF6E561A8 +index = cowrie +sourcetype = cowrie +source = cowrie # HPFeeds3 # Python3 implementation of HPFeeds -#[output_hpfeeds3] -#enabled = false -#server = hpfeeds.mysite.org -#port = 10000 -#identifier = abc123 -#secret = secret -#debug=false +[output_hpfeeds3] +enabled = false +server = hpfeeds.mysite.org +port = 10000 +identifier = abc123 +secret = secret +debug=false # VirusTotal output module # You must signup for an api key. # -#[output_virustotal] -#enabled = false -#api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef -#upload = True -#debug = False -#scan_file = True -#scan_url = False +[output_virustotal] +enabled = false +api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef +upload = True +debug = False +scan_file = True +scan_url = False # Cuckoo output module -#[output_cuckoo] -#enabled = false +[output_cuckoo] +enabled = false # no slash at the end -#url_base = http://127.0.0.1:8090 -#user = user -#passwd = passwd +url_base = http://127.0.0.1:8090 +user = user +passwd = passwd # force will upload duplicated files to cuckoo -#force = 0 +force = 0 # upload to MalShare -#[output_malshare] -#enabled = false +# Register at https://malshare.com/register.php to get your API key +[output_malshare] +api_key = 130928309823098 +enabled = false # This will produce a _lot_ of messages - you have been warned.... 
-#[output_slack] -#enabled = false -#channel = channel_that_events_should_be_posted_in -#token = slack_token_for_your_bot -#debug = false +[output_slack] +enabled = false +channel = channel_that_events_should_be_posted_in +token = slack_token_for_your_bot +debug = false # https://csirtg.io # You must signup for an api key. # -#[output_csirtg] -#enabled = false -#username = wes -#feed = scanners -#description = random scanning activity -#token = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef +[output_csirtg] +enabled = false +username = wes +feed = scanners +description = random scanning activity +token = a1b2c3d4 +debug = false -#[output_socketlog] -#enabled = false -#address = 127.0.0.1:9000 -#timeout = 5 +[output_socketlog] +enabled = false +address = 127.0.0.1:9000 +timeout = 5 # Upload files that cowrie has captured to an S3 (or compatible bucket) # Files are stored with a name that is the SHA of their contents # -#[output_s3] +[output_s3] +enabled = false # # The AWS credentials to use. # Leave these blank to use botocore's credential discovery e.g .aws/config or ENV variables. # As per https://github.com/boto/botocore/blob/develop/botocore/credentials.py#L50-L65 -#access_key_id = AKIDEXAMPLE -#secret_access_key = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY +access_key_id = AKIDEXAMPLE +secret_access_key = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY # # The bucket to store the files in. The bucket must already exist. -#bucket = my-cowrie-bucket +bucket = my-cowrie-bucket # # The region the bucket is in -#region = eu-west-1 +region = eu-west-1 # # An alternate endpoint URL. If you self host a pithos instance you can set # this to its URL (e.g. https://s3.mydomain.com) - can otherwise be blank 
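Review bot: In `[output_s3]` the lines `access_key_id = AKIDEXAMPLE` and `secret_access_key = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY` are now uncommented while the comment directly above them still says to leave them blank to use botocore's credential discovery, so the section contradicts its own documentation. As written, enabling the module would presumably sign every upload with the AWS documentation's example key pair instead of the instance or profile credentials, which can only fail. Either restore the two lines as comments, `#access_key_id = AKIDEXAMPLE` / `#secret_access_key = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY`, or set them empty so discovery applies, and keep `enabled = false` live as the hunk already does. The `[output_s3]` section continues past the end of this hunk.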
@@ -957,12 +946,12 @@ epoch_timestamp = false # where you don't yet have real certificates. #verify = no -#[output_influx] -#enabled = false -#host = 127.0.0.1 -#port = 8086 -#database_name = cowrie -#retention_policy_duration = 12w +[output_influx] +enabled = false +host = 127.0.0.1 +port = 8086 +database_name = cowrie +retention_policy_duration = 12w [output_kafka] enabled = false 
@@ -971,47 +960,57 @@ port = 9092 topic = cowrie -#[output_redis] -#enabled = false -#host = 127.0.0.1 -#port = 6379 +[output_redis] +enabled = false +host = 127.0.0.1 +port = 6379 # DB of the redis server. Defaults to 0 -#db = 0 +db = 0 # Password of the redis server. Defaults to None -#password = secret +# password = secret # Name of the list to push to or the channel to publish to. Required -#keyname = cowrie +keyname = cowrie # Method to use when sending data to redis. # Can be one of [lpush, rpush, publish]. Defaults to lpush -#send_method = lpush +send_method = lpush # Perform Reverse DNS lookup -#[output_reversedns] -#enabled = true +[output_reversedns] +enabled = false # Timeout in seconds -#timeout = 3 +timeout = 3 -#[output_greynoise] -#enabled = true -#debug=False +[output_greynoise] +enabled = false +debug = false # Name of the tags separated by comma, for which the IP has to be scanned for. # Example "SHODAN,JBOSS_WORM,CPANEL_SCANNER_LOW" # If there isn't any specific tag then just leave it "all" -#tags = all +tags = all # It's optional to have API key, so if you don't want to but # API key then leave this option commented #api_key = 1234567890 # Upload all files to a MISP instance of your liking. # The API key can be found under Event Actions -> Automation -#[output_misp] -#enabled = true -#base_url = https://misp.somedomain.com -#api_key = secret_key -#verify_cert = true -#publish_event = true -#debug = false +[output_misp] +enabled = false +base_url = https://misp.somedomain.com +api_key = secret_key +verify_cert = true +publish_event = true +debug = false + +# Send message using Telegram bot +# 1. Create a bot following https://core.telegram.org/bots#6-botfather to get token. +# 2. Send message to your bot, then use https://api.telegram.org/bot{bot_token}/getUpdates to find chat_id. +# N.b. bot will only send messages on cowrie.login.success, cowrie.command.input/.failed, and +# cowrie.session.file_download, to prevent spam. 
+[output_telegram] +enabled = false +bot_token = 123456789:AbCDEfGhiJkLmnOpQRstUVWxYZ +chat_id = 987654321 # The crashreporter sends data on Python exceptions to api.cowrie.org # To disable set `enabled = false` in cowrie.cfg @@ -1021,8 +1020,8 @@ debug = false # Reports login attempts to AbuseIPDB. A short guide is in the original # pull request on GitHub: https://github.com/cowrie/cowrie/pull/1346 -#[output_abuseipdb] -#enabled = true +[output_abuseipdb] +enabled = false #api_key = #rereport_after = 24 #tolerance_window is in minutes @@ -1031,3 +1030,34 @@ debug = false # WARNING: A binary file is read from this directory on start-up. Do not # change unless you understand the security implications! #dump_path = ${honeypot:state_path}/abuseipdb + +# Report login and session tracking attempts via the ThreatJammer.com Report API. +# ThreatJammer.com is a risk assessment tool +# Read the docs for more information: https://cowrie.readthedocs.io/en/latest/threatjammer/README.html +[output_threatjammer] +enabled = false +bearer_token = THREATJAMMER_API_TOKEN +#api_url=https://dublin.report.threatjammer.com/v1/ip +#track_login = true +#track_session = false +#ttl = 86400 +#category = ABUSE +#tags = COWRIE,LOGIN,SESSION + +# Send output to a Discord webhook +[output_discord] +enabled = false +url = https://discord.com/api/webhooks/id/token + +# Datadog output module +# sends JSON directly to Datadog +# mandatory field: api_key +# optional fields (fallback configured in module): ddsource, ddtags, service +# For more information on fields https://docs.datadoghq.com/api/latest/logs/#send-logs +[output_datadog] +enabled = false +url = https://http-intake.logs.datadoghq.com/api/v2/logs +api_key = abcdef1234567890fedcba0987654321 +ddsource = cowrie +ddtags = env:dev +service = honeypot diff --git a/cowrie/data/etc/userdb.txt b/cowrie/data/etc/userdb.txt index 6586d48..6eb0499 100644 --- a/cowrie/data/etc/userdb.txt +++ b/cowrie/data/etc/userdb.txt 
@@ -8,7 +8,7 @@ # Field #1 contains the username # Field #2 is currently unused # Field #3 contains the password -# '*' for password allows any password +# '*' for any username or password # '!' at the start of a password will not grant this password access # '/' can be used to write a regular expression # @@ -18,3 +18,5 @@ root:x:!/honeypot/i root:x:* tomcat:x:* oracle:x:* +*:x:somepassword +*:x:*
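Review bot: The new catch-all `*:x:*` accepts every username/password pair, which makes the line added just above it, `*:x:somepassword`, redundant: any login that would match it also matches the catch-all. If entries are evaluated in file order with the first match deciding (the `!` deny rule `root:x:!/honeypot/i` being listed first suggests so, but that is inferred, not visible here), the deny rules still apply and only the ordering matters, so the file should say so explicitly, e.g. a comment above the last line: `# catch-all: every login not denied above succeeds; keep '!' rules before this line`. An accept-everything policy also changes what the honeypot's login events mean, since failed logins would presumably only come from the explicit deny rules; a one-line note on that in the header comment would help whoever reads the logs.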