self-hosted/dockerfiles
1
0
Fork 0
mirror of https://github.com/vimagick/dockerfiles.git synced 2025-01-12 04:23:04 +02:00
Code Issues Releases Activity

update cowrie

Browse Source
This commit is contained in:
kevin 2023-07-18 17:33:21 +08:00
parent 5c34d1d9c2
commit 0f6c26aed7
4 changed files with 191 additions and 269 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

94
cowrie/arm/Dockerfile
View File

@ -1,94 +0,0 @@
# This Dockerfile contains two images, `builder` and `runtime`.
# `builder` contains all necessary code to build
# `runtime` is stripped down.
FROM arm32v7/debian:buster-slim as builder
LABEL maintainer="Michel Oosterhof <michel@oosterhof.net>"
WORKDIR /
ENV COWRIE_GROUP=cowrie \
COWRIE_USER=cowrie \
COWRIE_HOME=/cowrie
# Set locale to UTF-8, otherwise upstream libraries have bytes/string conversion issues
ENV LC_ALL=en_US.UTF-8 \
LANG=en_US.UTF-8 \
LANGUAGE=en_US.UTF-8
RUN groupadd -r -g 1000 ${COWRIE_GROUP} && \
useradd -r -u 1000 -d ${COWRIE_HOME} -m -g ${COWRIE_GROUP} ${COWRIE_USER}
# Set up Debian prereqs
RUN export DEBIAN_FRONTEND=noninteractive; \
apt-get update && \
apt-get install -y \
-o APT::Install-Suggests=false \
-o APT::Install-Recommends=false \
python3-pip \
libssl-dev \
libffi-dev \
python3-dev \
python3-venv \
python3 \
gcc \
git \
build-essential \
python3-virtualenv \
libsnappy-dev \
default-libmysqlclient-dev && \
rm -rf /var/lib/apt/lists/*
# Build a cowrie environment from github master HEAD.
USER ${COWRIE_USER}
RUN git clone --separate-git-dir=/tmp/cowrie.git https://github.com/cowrie/cowrie ${COWRIE_HOME}/cowrie-git && \
cd ${COWRIE_HOME} && \
python3 -m venv cowrie-env && \
. cowrie-env/bin/activate && \
pip install --no-cache-dir --upgrade pip && \
pip install --no-cache-dir --upgrade cffi && \
pip install --no-cache-dir --upgrade setuptools && \
pip install --no-cache-dir --upgrade -r ${COWRIE_HOME}/cowrie-git/requirements.txt && \
pip install --no-cache-dir --upgrade -r ${COWRIE_HOME}/cowrie-git/requirements-output.txt
FROM arm32v7/debian:buster-slim AS runtime
LABEL maintainer="Michel Oosterhof <michel@oosterhof.net>"
ENV COWRIE_GROUP=cowrie \
COWRIE_USER=cowrie \
COWRIE_HOME=/cowrie
RUN groupadd -r -g 1000 ${COWRIE_GROUP} && \
useradd -r -u 1000 -d ${COWRIE_HOME} -m -g ${COWRIE_GROUP} ${COWRIE_USER}
RUN export DEBIAN_FRONTEND=noninteractive; \
apt-get update && \
apt-get install -y \
-o APT::Install-Suggests=false \
-o APT::Install-Recommends=false \
libssl1.1 \
libffi6 \
procps \
python3 && \
rm -rf /var/lib/apt/lists/* && \
ln -s /usr/bin/python3 /usr/local/bin/python
COPY --from=builder ${COWRIE_HOME} ${COWRIE_HOME}
RUN chown -R ${COWRIE_USER}:${COWRIE_GROUP} ${COWRIE_HOME}
ENV PATH=${COWRIE_HOME}/cowrie-git/bin:${PATH}
ENV STDOUT=yes
USER ${COWRIE_USER}
WORKDIR ${COWRIE_HOME}/cowrie-git
# preserve .dist file when etc/ volume is mounted
RUN cp ${COWRIE_HOME}/cowrie-git/etc/cowrie.cfg.dist ${COWRIE_HOME}/cowrie-git
VOLUME [ "/cowrie/cowrie-git/var", "/cowrie/cowrie-git/etc" ]
RUN mv ${COWRIE_HOME}/cowrie-git/cowrie.cfg.dist ${COWRIE_HOME}/cowrie-git/etc
ENTRYPOINT [ "cowrie" ]
CMD [ "start", "-n" ]
EXPOSE 2222 2223

16
cowrie/arm/docker-compose.yml
View File

@ -1,16 +0,0 @@
version: "3.8"
services:
cowrie:
image: easypi/cowrie-arm
ports:
- "2222:2222"
- "2223:2223"
volumes:
- cowrie-etc:/cowrie/cowrie-git/etc
- cowrie-var:/cowrie/cowrie-git/var
restart: unless-stopped
volumes:
cowrie-etc:
cowrie-var:

346
cowrie/data/etc/cowrie.cfg
View File

@ -105,8 +105,8 @@ ttylog_path = ${honeypot:state_path}/tty
interactive_timeout = 180
# Authentication Timeout
# The server disconnects after this time if the user has not successfully logged in. If the value is 0,
# there is no time limit. The default is 120 seconds.
# The server disconnects after this time if the user has not successfully logged in.
# The default is 120 seconds.
authentication_timeout = 120
# EXPERIMENTAL: back-end to user for Cowrie, options: proxy or shell
@ -157,11 +157,6 @@ timezone = UTC
#internet_facing_ip = 9.9.9.9
# Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1)
# IP address is obtained by querying http://myip.threatstream.com
#report_public_ip = true
# ============================================================================
# Authentication Specific Options
@ -188,15 +183,6 @@ auth_class = UserDB
#auth_class_parameters = 2, 5, 10
# ============================================================================
# Historical SSH Specific Options
# historical options in [honeypot] that have not yet been moved to [ssh]
# ============================================================================
# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie)
#reported_ssh_port = 22
[backend_pool]
# ============================================================================
# Backend Pool Configurations
@ -500,7 +486,13 @@ rsa_public_key = ${honeypot:state_path}/ssh_host_rsa_key.pub
rsa_private_key = ${honeypot:state_path}/ssh_host_rsa_key
dsa_public_key = ${honeypot:state_path}/ssh_host_dsa_key.pub
dsa_private_key = ${honeypot:state_path}/ssh_host_dsa_key
ecdsa_public_key = ${honeypot:state_path}/ssh_host_ecdsa_key.pub
ecdsa_private_key = ${honeypot:state_path}/ssh_host_ecdsa_key
ed25519_public_key = ${honeypot:state_path}/ssh_host_ed25519_key.pub
ed25519_private_key = ${honeypot:state_path}/ssh_host_ed25519_key
# Public keys supported are: ssh-rsa, ssh-dss, ecdsa-sha2-nistp256, ssh-ed25519
public_key_auth = ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
# SSH version string as present to the client.
#
@ -566,7 +558,7 @@ ciphers = aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des
# hmac-sha2-256
# hmac-sha1
# hmac-md5
macs = hmac-sha2-512,hmac-sha2-384,hmac-sha2-56,hmac-sha1,hmac-md5
macs = hmac-sha2-512,hmac-sha2-384,hmac-sha2-256,hmac-sha1,hmac-md5
# Compression Method to be used.
@ -705,12 +697,12 @@ listen_endpoints = tcp:2223:interface=0.0.0.0
# Output entries need to start with 'output_' and have the 'enabled' entry.
# ============================================================================
#[output_xmpp]
#enabled=true
#server = conference.cowrie.local
#user = cowrie@cowrie.local
#password = cowrie
#muc = hacker_room
[output_xmpp]
enabled=false
server = conference.cowrie.local
user = cowrie@cowrie.local
password = cowrie
muc = hacker_room
# JSON based logging module
#
@ -722,11 +714,11 @@ epoch_timestamp = false
# Supports logging to Elasticsearch
# This is a simple early release
#
#[output_elasticsearch]
#enabled = false
#host = localhost
#port = 9200
#index = cowrie
[output_elasticsearch]
enabled = false
host = localhost
port = 9200
index = cowrie
# type has been deprecated since ES 6.0.0
# use _doc which is the default type. See
# https://stackoverflow.com/a/53688626 for
@ -744,11 +736,11 @@ epoch_timestamp = false
#
# Credentials
#username = elastic
#password =
#password =
#
# TLS encryption. Communications between the client (cowrie)
# TLS encryption. Communications between the client (cowrie)
# and the ES server should naturally be protected by encryption
# if requests are authenticated (to prevent from man-in-the-middle
# if requests are authenticated (to prevent from man-in-the-middle
# attacks). The following options are then paramount
# if username and password are provided.
#
@ -764,13 +756,17 @@ epoch_timestamp = false
# You must signup for an api key.
# Once registered, find your details at: https://isc.sans.edu/myaccount.html
#
#[output_dshield]
#userid = userid_here
#auth_key = auth_key_here
#batch_size = 100
#enabled = false
[output_dshield]
enabled = false
userid = userid_here
auth_key = auth_key_here
batch_size = 100
#
# Graylog logging module for GELF http input
[output_graylog]
enabled = false
url = http://graylog.example.com:122011/gelf
#
# Local Syslog output module
#
# This sends log messages to the local syslog daemon.
@ -780,10 +776,10 @@ epoch_timestamp = false
# Format can be:
# text, cef
#
#[output_localsyslog]
#enabled = false
#facility = USER
#format = text
[output_localsyslog]
enabled = false
facility = USER
format = text
# Text output
@ -792,10 +788,10 @@ epoch_timestamp = false
# Format can be:
# text, cef
#
#[output_textlog]
#enabled = false
#logfile = ${honeypot:log_path}/audit.log
#format = text
[output_textlog]
enabled = false
logfile = ${honeypot:log_path}/audit.log
format = text
# MySQL logging module
@ -804,25 +800,25 @@ epoch_timestamp = false
# MySQL logging requires extra software: sudo apt-get install libmysqlclient-dev
# MySQL logging requires an extra Python module: pip install mysql-python
#
#[output_mysql]
#enabled = false
#host = localhost
#database = cowrie
#username = cowrie
#password = secret
#port = 3306
#debug = false
[output_mysql]
enabled = false
host = localhost
database = cowrie
username = cowrie
password = secret
port = 3306
debug = false
# Rethinkdb output module
# Rethinkdb output module requires extra Python module: pip install rethinkdb
#[output_rethinkdblog]
#enabled = false
#host = 127.0.0.1
#port = 28015
#table = output
#password =
#db = cowrie
[output_rethinkdblog]
enabled = false
host = 127.0.0.1
port = 28015
table = output
password =
db = cowrie
# SQLite3 logging module
#
@ -830,18 +826,18 @@ epoch_timestamp = false
# docs/sql/sqlite3.sql:
# sqlite3 <db_file> < docs/sql/sqlite3.sql
#
#[output_sqlite]
#enabled = false
#db_file = cowrie.db
[output_sqlite]
enabled = false
db_file = cowrie.db
# MongoDB logging module
#
# MongoDB logging requires an extra Python module: pip install pymongo
#
#[output_mongodb]
#enabled = false
#connection_string = mongodb://username:password@host:port/database
#database = dbname
[output_mongodb]
enabled = false
connection_string = mongodb://username:password@host:port/database
database = dbname
# Splunk HTTP Event Collector (HEC) output module
@ -850,103 +846,96 @@ epoch_timestamp = false
# mandatory fields: url, token
# optional fields: index, source, sourcetype, host
#
#[output_splunk]
#enabled = false
#url = https://localhost:8088/services/collector/event
#token = 6A0EA6C6-8006-4E39-FC44-C35FF6E561A8
#index = cowrie
#sourcetype = cowrie
#source = cowrie
# HPFeeds
#
#[output_hpfeeds3]
#enabled = false
#server = hpfeeds.mysite.org
#port = 10000
#identifier = abc123
#secret = secret
#debug = false
[output_splunk]
enabled = false
url = https://localhost:8088/services/collector/event
token = 6A0EA6C6-8006-4E39-FC44-C35FF6E561A8
index = cowrie
sourcetype = cowrie
source = cowrie
# HPFeeds3
# Python3 implementation of HPFeeds
#[output_hpfeeds3]
#enabled = false
#server = hpfeeds.mysite.org
#port = 10000
#identifier = abc123
#secret = secret
#debug=false
[output_hpfeeds3]
enabled = false
server = hpfeeds.mysite.org
port = 10000
identifier = abc123
secret = secret
debug=false
# VirusTotal output module
# You must signup for an api key.
#
#[output_virustotal]
#enabled = false
#api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
#upload = True
#debug = False
#scan_file = True
#scan_url = False
[output_virustotal]
enabled = false
api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
upload = True
debug = False
scan_file = True
scan_url = False
# Cuckoo output module
#[output_cuckoo]
#enabled = false
[output_cuckoo]
enabled = false
# no slash at the end
#url_base = http://127.0.0.1:8090
#user = user
#passwd = passwd
url_base = http://127.0.0.1:8090
user = user
passwd = passwd
# force will upload duplicated files to cuckoo
#force = 0
force = 0
# upload to MalShare
#[output_malshare]
#enabled = false
# Register at https://malshare.com/register.php to get your API key
[output_malshare]
api_key = 130928309823098
enabled = false
# This will produce a _lot_ of messages - you have been warned....
#[output_slack]
#enabled = false
#channel = channel_that_events_should_be_posted_in
#token = slack_token_for_your_bot
#debug = false
[output_slack]
enabled = false
channel = channel_that_events_should_be_posted_in
token = slack_token_for_your_bot
debug = false
# https://csirtg.io
# You must signup for an api key.
#
#[output_csirtg]
#enabled = false
#username = wes
#feed = scanners
#description = random scanning activity
#token = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
[output_csirtg]
enabled = false
username = wes
feed = scanners
description = random scanning activity
token = a1b2c3d4
debug = false
#[output_socketlog]
#enabled = false
#address = 127.0.0.1:9000
#timeout = 5
[output_socketlog]
enabled = false
address = 127.0.0.1:9000
timeout = 5
# Upload files that cowrie has captured to an S3 (or compatible bucket)
# Files are stored with a name that is the SHA of their contents
#
#[output_s3]
[output_s3]
enabled = false
#
# The AWS credentials to use.
# Leave these blank to use botocore's credential discovery e.g .aws/config or ENV variables.
# As per https://github.com/boto/botocore/blob/develop/botocore/credentials.py#L50-L65
#access_key_id = AKIDEXAMPLE
#secret_access_key = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY
access_key_id = AKIDEXAMPLE
secret_access_key = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY
#
# The bucket to store the files in. The bucket must already exist.
#bucket = my-cowrie-bucket
bucket = my-cowrie-bucket
#
# The region the bucket is in
#region = eu-west-1
region = eu-west-1
#
# An alternate endpoint URL. If you self host a pithos instance you can set
# this to its URL (e.g. https://s3.mydomain.com) - can otherwise be blank
@ -957,12 +946,12 @@ epoch_timestamp = false
# where you don't yet have real certificates.
#verify = no
#[output_influx]
#enabled = false
#host = 127.0.0.1
#port = 8086
#database_name = cowrie
#retention_policy_duration = 12w
[output_influx]
enabled = false
host = 127.0.0.1
port = 8086
database_name = cowrie
retention_policy_duration = 12w
[output_kafka]
enabled = false
@ -971,47 +960,57 @@ port = 9092
topic = cowrie
#[output_redis]
#enabled = false
#host = 127.0.0.1
#port = 6379
[output_redis]
enabled = false
host = 127.0.0.1
port = 6379
# DB of the redis server. Defaults to 0
#db = 0
db = 0
# Password of the redis server. Defaults to None
#password = secret
# password = secret
# Name of the list to push to or the channel to publish to. Required
#keyname = cowrie
keyname = cowrie
# Method to use when sending data to redis.
# Can be one of [lpush, rpush, publish]. Defaults to lpush
#send_method = lpush
send_method = lpush
# Perform Reverse DNS lookup
#[output_reversedns]
#enabled = true
[output_reversedns]
enabled = false
# Timeout in seconds
#timeout = 3
timeout = 3
#[output_greynoise]
#enabled = true
#debug=False
[output_greynoise]
enabled = false
debug = false
# Name of the tags separated by comma, for which the IP has to be scanned for.
# Example "SHODAN,JBOSS_WORM,CPANEL_SCANNER_LOW"
# If there isn't any specific tag then just leave it "all"
#tags = all
tags = all
# It's optional to have API key, so if you don't want to but
# API key then leave this option commented
#api_key = 1234567890
# Upload all files to a MISP instance of your liking.
# The API key can be found under Event Actions -> Automation
#[output_misp]
#enabled = true
#base_url = https://misp.somedomain.com
#api_key = secret_key
#verify_cert = true
#publish_event = true
#debug = false
[output_misp]
enabled = false
base_url = https://misp.somedomain.com
api_key = secret_key
verify_cert = true
publish_event = true
debug = false
# Send message using Telegram bot
# 1. Create a bot following https://core.telegram.org/bots#6-botfather to get token.
# 2. Send message to your bot, then use https://api.telegram.org/bot{bot_token}/getUpdates to find chat_id.
# N.b. bot will only send messages on cowrie.login.success, cowrie.command.input/.failed, and
# cowrie.session.file_download, to prevent spam.
[output_telegram]
enabled = false
bot_token = 123456789:AbCDEfGhiJkLmnOpQRstUVWxYZ
chat_id = 987654321
# The crashreporter sends data on Python exceptions to api.cowrie.org
# To disable set `enabled = false` in cowrie.cfg
@ -1021,8 +1020,8 @@ debug = false
# Reports login attempts to AbuseIPDB. A short guide is in the original
# pull request on GitHub: https://github.com/cowrie/cowrie/pull/1346
#[output_abuseipdb]
#enabled = true
[output_abuseipdb]
enabled = false
#api_key =
#rereport_after = 24
#tolerance_window is in minutes
@ -1031,3 +1030,34 @@ debug = false
# WARNING: A binary file is read from this directory on start-up. Do not
# change unless you understand the security implications!
#dump_path = ${honeypot:state_path}/abuseipdb
# Report login and session tracking attempts via the ThreatJammer.com Report API.
# ThreatJammer.com is a risk assessment tool <https://threatjammer.com>
# Read the docs for more information: https://cowrie.readthedocs.io/en/latest/threatjammer/README.html
[output_threatjammer]
enabled = false
bearer_token = THREATJAMMER_API_TOKEN
#api_url=https://dublin.report.threatjammer.com/v1/ip
#track_login = true
#track_session = false
#ttl = 86400
#category = ABUSE
#tags = COWRIE,LOGIN,SESSION
# Send output to a Discord webhook
[output_discord]
enabled = false
url = https://discord.com/api/webhooks/id/token
# Datadog output module
# sends JSON directly to Datadog
# mandatory field: api_key
# optional fields (fallback configured in module): ddsource, ddtags, service
# For more information on fields https://docs.datadoghq.com/api/latest/logs/#send-logs
[output_datadog]
enabled = false
url = https://http-intake.logs.datadoghq.com/api/v2/logs
api_key = abcdef1234567890fedcba0987654321
ddsource = cowrie
ddtags = env:dev
service = honeypot

4
cowrie/data/etc/userdb.txt
View File

@ -8,7 +8,7 @@
# Field #1 contains the username
# Field #2 is currently unused
# Field #3 contains the password
# '*' for password allows any password
# '*' for any username or password
# '!' at the start of a password will not grant this password access
# '/' can be used to write a regular expression
#
@ -18,3 +18,5 @@ root:x:!/honeypot/i
root:x:*
tomcat:x:*
oracle:x:*
*:x:somepassword
*:x:*