1
0
mirror of https://github.com/vimagick/dockerfiles.git synced 2024-12-23 01:39:27 +02:00
dockerfiles/cowrie/data/etc/cowrie.cfg
2020-11-05 19:22:21 +08:00

1034 lines
33 KiB
INI

# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# cowrie.cfg
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
# ============================================================================
# General Cowrie Options
# ============================================================================
[honeypot]
# Sensor name is used to identify this Cowrie instance. Used by the database
# logging modules such as mysql.
#
# If not specified, the logging modules will instead use the IP address of the
# server as the sensor name.
#
# (default: not specified)
#sensor_name=myhostname
# Hostname for the honeypot. Displayed by the shell prompt of the virtual
# environment
#
# (default: svr04)
hostname = svr04
# Directory where to save log files in.
#
# (default: log)
log_path = var/log/cowrie
# Directory where to save downloaded artifacts in.
#
# (default: downloads)
download_path = ${honeypot:state_path}/downloads
# Directory for static data files
#
# (default: share/cowrie)
share_path = share/cowrie
# Directory for variable state files
#
# (default: var/lib/cowrie)
state_path = var/lib/cowrie
# Directory for config files
#
# (default: etc)
etc_path = etc
# Directory where virtual file contents are kept in.
#
# This is only used by commands like 'cat' to display the contents of files.
# Adding files here is not enough for them to appear in the honeypot - the
# actual virtual filesystem is kept in filesystem_file (see below)
#
# (default: honeyfs)
contents_path = honeyfs
# Directory for creating simple commands that only output text.
#
# The command must be placed under this directory with the proper path, such
# as:
# txtcmds/usr/bin/vi
# The contents of the file will be the output of the command when run inside
# the honeypot.
#
# In addition to this, the file must exist in the virtual filesystem
#
# (default: txtcmds)
txtcmds_path = txtcmds
# Maximum file size (in bytes) for downloaded files to be stored in 'download_path'.
# A value of 0 means no limit. If the file size is known to be too big from the start,
# the file will not be stored on disk at all.
#
# (default: 0)
#download_limit_size = 10485760
# TTY logging will log a transcript of the complete terminal interaction in UML
# compatible format.
# (default: true)
ttylog = true
# Default directory for TTY logs.
# (default: ttylog_path = %(state_path)s/tty)
ttylog_path = ${honeypot:state_path}/tty
# Interactive timeout determines when logged in sessions are
# terminated for being idle. In seconds.
# (default: 180)
interactive_timeout = 180
# Authentication Timeout
# The server disconnects after this time if the user has not successfully logged in. If the value is 0,
# there is no time limit. The default is 120 seconds.
authentication_timeout = 120
# EXPERIMENTAL: back-end to user for Cowrie, options: proxy or shell
# (default: shell)
backend = shell
# Timezone Cowrie uses for logging
# This can be any valid timezone for the TZ environment variable
# The special value `system` will let Cowrie use the system time zone
# `system` is not recommended because you will need to deal with daylight
# savings time and other special cases yourself when analysing the logs.
timezone = UTC
# Custom prompt
# By default, Cowrie creates a shell prompt like: root@svr03:~#
# If you want something totally custom, uncomment the option below and set your prompt
# Beware that the path won't be included in your prompt any longer
# prompt = hello>
# ============================================================================
# Network Specific Options
# ============================================================================
# IP address to bind to when opening outgoing connections. Used by wget and
# curl commands.
#
# (default: not specified)
#out_addr = 0.0.0.0
# Fake address displayed as the address of the incoming connection.
# This doesn't affect logging, and is only used by honeypot commands such as
# 'w' and 'last'
#
# If not specified, the actual IP address is displayed instead (default
# behaviour).
#
# (default: not specified)
#fake_addr = 192.168.66.254
# The IP address on which this machine is reachable on from the internet.
# Useful if you use portforwarding or other mechanisms. If empty, Cowrie
# will determine by itself. Used in 'netstat' output
#
#internet_facing_ip = 9.9.9.9
# Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1)
# IP address is obtained by querying http://myip.threatstream.com
#report_public_ip = true
# ============================================================================
# Authentication Specific Options
# ============================================================================
# Class that implements the checklogin() method.
#
# Class must be defined in cowrie/core/auth.py
# Default is the 'UserDB' class which uses the password database.
#
# Alternatively the 'AuthRandom' class can be used, which will let
# a user login after a random number of attempts.
# It will also cache username/password combinations that allow login.
#
auth_class = UserDB
# When AuthRandom is used also set the
# auth_class_parameters: <min try>, <max try>, <maxcache>
# for example: 2, 5, 10 = allows access after randint(2,5) attempts
# and cache 10 combinations.
#
#auth_class = AuthRandom
#auth_class_parameters = 2, 5, 10
# ============================================================================
# Historical SSH Specific Options
# historical options in [honeypot] that have not yet been moved to [ssh]
# ============================================================================
# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie)
#reported_ssh_port = 22
[backend_pool]
# ============================================================================
# Backend Pool Configurations
# only used on the cowrie instance that runs the pool
# ============================================================================
# enable this to solely run the pool, regardless of other configurations (disables SSH and Telnet)
pool_only = false
# time between full VM recycling (cleans older VMs and boots newer ones) - involves some downtime between cycles
# -1 to disable
recycle_period = 1500
# change interface below to allow connections from outside (e.g. remote pool)
listen_endpoints = tcp:6415:interface=127.0.0.1
# guest snapshots
save_snapshots = false
snapshot_path = ${honeypot:state_path}/snapshots
# pool xml configs
config_files_path = ${honeypot:share_path}/pool_configs
network_config = default_network.xml
nw_filter_config = default_filter.xml
# =====================================
# Guest details (for a generic x86-64 guest, like Ubuntu)
#
# Used to provide configuration details to save snapshots, identify
# running guests, and provide other details to Cowrie.
# - SSH and Telnet ports: which ports are listening for these services in the guest OS;
# if you're not using one of them omit the config or set to 0
# - Guest private key: used by the pool to control the guest's state via SSH; guest must
# have the corresponding pubkey in root's authorized_keys (not implemented)
# =====================================
guest_config = default_guest.xml
guest_privkey = ${honeypot:state_path}/ubuntu18.04-guest
guest_tag = ubuntu18.04
guest_ssh_port = 22
guest_telnet_port = 23
# Configs below are used on default XMLs provided.
# If you provide your own XML in guest_config you don't need these configs.
#
# Guest hypervisor can be qemu or kvm, for example. Recent hardware has KVM,
# which is more performant than the qemu software-based emulation. Guest arch
# must match your machine's. If it's older or you're unsure, set it to 'qemu'.
#
# Memory size is in MB.
#
# Advanced: guest_qemu_machine defines which machine Qemu emulates for your VM
# If you get a "unsupported machine type" exception when VMs are loading, change
# it to a compatible machine listed by the command: 'qemu-system-x86_64 -machine help'
guest_image_path = /home/cowrie/cowrie-imgs/ubuntu18.04-minimal.qcow2
guest_hypervisor = kvm
guest_memory = 512
guest_qemu_machine = pc-q35-bionic
# =====================================
# Guest details (for OpenWRT with ARM architecture)
#
# Used to provide configuration details to save snapshots, identify running guests,
# and provide other details to Cowrie.
# =====================================
#guest_config = wrt_arm_guest.xml
#guest_tag = wrt
#guest_ssh_port = 22
#guest_telnet_port = 23
# Configs below are used on default XMLs provided.
# If you provide your own XML in guest_config you don't need these configs.
#
# Guest hypervisor can be qemu or kvm, for example. Recent hardware has KVM,
# which is more performant than the qemu software-based emulation. Guest arch
# must match your machine's.
#
# Memory size is in MB.
#
# Advanced: guest_qemu_machine defines which machine Qemu emulates for your VM
# If you get a "unsupported machine type" exception when VMs are loading, change
# it to a compatible machine listed by the command: 'qemu-system-arm -machine help'
#guest_image_path = /home/cowrie/cowrie-imgs/root.qcow2
#guest_hypervisor = qemu
#guest_memory = 256
#guest_kernel_image = /home/cowrie/cowrie-imgs/zImage
#guest_qemu_machine = virt-2.9
# =====================================
# Other configs
# =====================================
# Use NAT (for remote pool)
#
# Guests exist in a local interface created by libvirt; NAT functionality creates a port in the host,
# exposed to a public interface, and forwards TCP data to and from the libvirt private interface.
# Cowrie's proxy receives the public information instead of the local IP of guests.
use_nat = true
nat_public_ip = 192.168.1.40
# ============================================================================
# Proxy Options
# ============================================================================
[proxy]
# type of backend:
# - simple: backend machine deployed by you (CAREFUL WITH SECURITY ASPECTS!!), specify hosts and ports below
# - pool: cowrie-managed pool of virtual machines, configure below
backend = pool
# =====================================
# Simple Backend Configuration
# =====================================
backend_ssh_host = localhost
backend_ssh_port = 2022
backend_telnet_host = localhost
backend_telnet_port = 2023
# =====================================
# Pool Backend Configuration
# =====================================
# generic pool configurable settings
pool_max_vms = 5
pool_vm_unused_timeout = 600
# allow sharing guests between different attackers if no new VMs are available
pool_share_guests = true
# Where to deploy the backend pool (only if backend = pool)
# - "local": same machine as the proxy
# - "remote": set host and port of the pool below
pool = local
# Remote pool configurations (used with pool=remote)
pool_host = 192.168.1.40
pool_port = 6415
# =====================================
# Proxy Configurations
# =====================================
# real credentials to log into backend
backend_user = root
backend_pass = root
# Telnet prompt detection
#
# To detect authentication prompts (and spoof auth details to the ones the backend accepts) we need to capture
# login and password prompts, and spoof data to the backend in order to successfully authenticate. If disabled,
# attackers can only use the real user credentials of the backend.
telnet_spoof_authentication = true
# These regex were made using Ubuntu 18.04; you have to adapt these for the prompts
# from your backend. You can enable raw logging above to analyse data passing through
# and identify the format of the prompts you need.
# You should generally include ".*" at the beginning and end of prompts, since Telnet messages can contain
# more data than the prompt.
# For login it is usually <hostname> login:
telnet_username_prompt_regex = (\n|^)ubuntu login: .*
# Password prompt is usually only the word Password
telnet_password_prompt_regex = .*Password: .*
# This data is sent by clients at the beginning of negotiation (before the password prompt), and contains the username
# that is trying to log in. We replace that username with the one in "backend_user" to allow the chance of a successful
# login after the first password prompt. We are only able to check if credentials are allowed after the password is
# inserted. If they are, then a correct username was already sent and authentication succeeds; if not, we send a fake
# password to force authentication to fail.
telnet_username_in_negotiation_regex = (.*\xff\xfa.*USER\x01)(.*?)(\xff.*)
# Other configs #
# log raw TCP packets in SSh and Telnet
log_raw = false
# ============================================================================
# Shell Options
# Options around Cowrie's Shell Emulation
# ============================================================================
[shell]
# File in the Python pickle format containing the virtual filesystem.
#
# This includes the filenames, paths, permissions for the Cowrie filesystem,
# but not the file contents. This is created by the bin/createfs utility from
# a real template linux installation.
#
# (default: fs.pickle)
filesystem = ${honeypot:share_path}/fs.pickle
# File that contains output for the `ps` command.
#
# (default: share/cowrie/cmdoutput.json)
processes = share/cowrie/cmdoutput.json
# Fake architectures/OS
# When Cowrie receive a command like /bin/cat XXXX (where XXXX is an executable)
# it replies with the content of a dummy executable (located in data_path/arch)
# compiled for an architecture/OS/endian_mode
# arch can be a comma separated list. When there are multiple elements, a random
# is chosen at login time.
# (default: linux-x64-lsb)
arch = linux-x64-lsb
# Here the list of supported OS-ARCH-ENDIANESS executables
# bsd-aarch64-lsb: 64-bit LSB ARM aarch64 version 1 (SYSV)
# bsd-aarch64-msb: 64-bit MSB ARM aarch64 version 1 (SYSV)
# bsd-bfin-msb: 32-bit MSB Analog Devices Blackfin version 1 (SYSV)
# bsd-mips64-lsb: 64-bit LSB MIPS MIPS-III version 1 (SYSV)
# bsd-mips64-msb: 64-bit MSB MIPS MIPS-III version 1 (SYSV)
# bsd-mips-lsb: 32-bit LSB MIPS MIPS-I version 1 (FreeBSD)
# bsd-mips-msb: 32-bit MSB MIPS MIPS-I version 1 (FreeBSD)
# bsd-powepc64-lsb: 64-bit MSB 64-bit PowerPC or cisco 7500 version 1 (FreeBSD)
# bsd-powepc-msb: 32-bit MSB PowerPC or cisco 4500 version 1 (FreeBSD)
# bsd-riscv64-lsb: 64-bit LSB UCB RISC-V version 1 (SYSV)
# bsd-sparc64-msb: 64-bit MSB SPARC V9 relaxed memory ordering version 1 (FreeBSD)
# bsd-sparc-msb: 32-bit MSB SPARC version 1 (SYSV) statically
# bsd-x32-lsb: 32-bit LSB Intel 80386 version 1 (FreeBSD)
# bsd-x64-lsb: 64-bit LSB x86-64 version 1 (FreeBSD)
# linux-aarch64-lsb: 64-bit LSB ARM aarch64 version 1 (SYSV)
# linux-aarch64-msb: 64-bit MSB ARM aarch64 version 1 (SYSV)
# linux-alpha-lsb: 64-bit LSB Alpha (unofficial) version 1 (SYSV)
# linux-am33-lsb: 32-bit LSB Matsushita MN10300 version 1 (SYSV)
# linux-arc-lsb: 32-bit LSB ARC Cores Tangent-A5 version 1 (SYSV)
# linux-arc-msb: 32-bit MSB ARC Cores Tangent-A5 version 1 (SYSV)
# linux-arm-lsb: 32-bit LSB ARM EABI5 version 1 (SYSV)
# linux-arm-msb: 32-bit MSB ARM EABI5 version 1 (SYSV)
# linux-avr32-lsb: 32-bit LSB Atmel AVR 8-bit version 1 (SYSV)
# linux-bfin-lsb: 32-bit LSB Analog Devices Blackfin version 1 (SYSV)
# linux-c6x-lsb: 32-bit LSB TI TMS320C6000 DSP family version 1
# linux-c6x-msb: 32-bit MSB TI TMS320C6000 DSP family version 1
# linux-cris-lsb: 32-bit LSB Axis cris version 1 (SYSV)
# linux-frv-msb: 32-bit MSB Cygnus FRV (unofficial) version 1 (SYSV)
# linux-h8300-msb: 32-bit MSB Renesas H8/300 version 1 (SYSV)
# linux-hppa64-msb: 64-bit MSB PA-RISC 02.00.00 (LP64) version 1
# linux-hppa-msb: 32-bit MSB PA-RISC *unknown arch 0xf* version 1 (GNU/Linux)
# linux-ia64-lsb: 64-bit LSB IA-64 version 1 (SYSV)
# linux-m32r-msb: 32-bit MSB Renesas M32R version 1 (SYSV)
# linux-m68k-msb: 32-bit MSB Motorola m68k 68020 version 1 (SYSV)
# linux-microblaze-msb: 32-bit MSB Xilinx MicroBlaze 32-bit RISC version 1 (SYSV)
# linux-mips64-lsb: 64-bit LSB MIPS MIPS-III version 1 (SYSV)
# linux-mips64-msb: 64-bit MSB MIPS MIPS-III version 1 (SYSV)
# linux-mips-lsb: 32-bit LSB MIPS MIPS-I version 1 (SYSV)
# linux-mips-msb: 32-bit MSB MIPS MIPS-I version 1 (SYSV)
# linux-mn10300-lsb: 32-bit LSB Matsushita MN10300 version 1 (SYSV)
# linux-nios-lsb: 32-bit LSB Altera Nios II version 1 (SYSV)
# linux-nios-msb: 32-bit MSB Altera Nios II version 1 (SYSV)
# linux-powerpc64-lsb: 64-bit LSB 64-bit PowerPC or cisco 7500 version 1 (SYSV)
# linux-powerpc64-msb: 64-bit MSB 64-bit PowerPC or cisco 7500 version 1 (SYSV)
# linux-powerpc-lsb: 32-bit LSB PowerPC or cisco 4500 version 1 (SYSV)
# linux-powerpc-msb: 32-bit MSB PowerPC or cisco 4500 version 1 (SYSV)
# linux-riscv64-lsb: 64-bit LSB UCB RISC-V version 1 (SYSV)
# linux-s390x-msb: 64-bit MSB IBM S/390 version 1 (SYSV)
# linux-sh-lsb: 32-bit LSB Renesas SH version 1 (SYSV)
# linux-sh-msb: 32-bit MSB Renesas SH version 1 (SYSV)
# linux-sparc64-msb: 64-bit MSB SPARC V9 relaxed memory ordering version 1 (SYSV)
# linux-sparc-msb: 32-bit MSB SPARC version 1 (SYSV)
# linux-tilegx64-lsb: 64-bit LSB Tilera TILE-Gx version 1 (SYSV)
# linux-tilegx64-msb: 64-bit MSB Tilera TILE-Gx version 1 (SYSV)
# linux-tilegx-lsb: 32-bit LSB Tilera TILE-Gx version 1 (SYSV)
# linux-tilegx-msb: 32-bit MSB Tilera TILE-Gx version 1 (SYSV)
# linux-x64-lsb: 64-bit LSB x86-64 version 1 (SYSV)
# linux-x86-lsb: 32-bit LSB Intel 80386 version 1 (SYSV)
# linux-xtensa-msb: 32-bit MSB Tensilica Xtensa version 1 (SYSV)
# osx-x32-lsb: 32-bit LSB Intel 80386
# osx-x64-lsb: 64-bit LSB x86-64
# arch = bsd-aarch64-lsb, bsd-aarch64-msb, bsd-bfin-msb, bsd-mips-lsb, bsd-mips-msb, bsd-mips64-lsb, bsd-mips64-msb, bsd-powepc-msb, bsd-powepc64-lsb, bsd-riscv64-lsb, bsd-sparc-msb, bsd-sparc64-msb, bsd-x32-lsb, bsd-x64-lsb, linux-aarch64-lsb, linux-aarch64-msb, linux-alpha-lsb, linux-am33-lsb, linux-arc-lsb, linux-arc-msb, linux-arm-lsb, linux-arm-msb, linux-avr32-lsb, linux-bfin-lsb, linux-c6x-lsb, linux-c6x-msb, linux-cris-lsb, linux-frv-msb, linux-h8300-msb, linux-hppa-msb, linux-hppa64-msb, linux-ia64-lsb, linux-m32r-msb, linux-m68k-msb, linux-microblaze-msb, linux-mips-lsb, linux-mips-msb, linux-mips64-lsb, linux-mips64-msb, linux-mn10300-lsb, linux-nios-lsb, linux-nios-msb, linux-powerpc-lsb, linux-powerpc-msb, linux-powerpc64-lsb, linux-powerpc64-msb, linux-riscv64-lsb, linux-s390x-msb, linux-sh-lsb, linux-sh-msb, linux-sparc-msb, linux-sparc64-msb, linux-tilegx-lsb, linux-tilegx-msb, linux-tilegx64-lsb, linux-tilegx64-msb, linux-x64-lsb, linux-x86-lsb, linux-xtensa-msb, osx-x32-lsb, osx-x64-lsb
# Modify the response of '/bin/uname'
# Default (uname -a): Linux <hostname> <kernel_version> <kernel_build_string> <hardware_platform> <operating system>
kernel_version = 3.2.0-4-amd64
kernel_build_string = #1 SMP Debian 3.2.68-1+deb7u1
hardware_platform = x86_64
operating_system = GNU/Linux
# SSH Version as printed by "ssh -V" in shell emulation
ssh_version = OpenSSH_7.9p1, OpenSSL 1.1.1a 20 Nov 2018
# ============================================================================
# SSH Specific Options
# ============================================================================
[ssh]
# Enable SSH support
# (default: true)
enabled = true
# Public and private SSH key files. If these don't exist, they are created
# automatically.
rsa_public_key = ${honeypot:state_path}/ssh_host_rsa_key.pub
rsa_private_key = ${honeypot:state_path}/ssh_host_rsa_key
dsa_public_key = ${honeypot:state_path}/ssh_host_dsa_key.pub
dsa_private_key = ${honeypot:state_path}/ssh_host_dsa_key
# SSH version string as present to the client.
#
# Version string MUST start with SSH-2.0- or SSH-1.99-
#
# Use these to disguise your honeypot from a simple SSH version scan
# Examples:
# SSH-2.0-OpenSSH_5.1p1 Debian-5
# SSH-1.99-OpenSSH_4.3
# SSH-1.99-OpenSSH_4.7
# SSH-1.99-Sun_SSH_1.1
# SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1
# SSH-2.0-OpenSSH_4.3
# SSH-2.0-OpenSSH_4.6
# SSH-2.0-OpenSSH_5.1p1 Debian-5
# SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
# SSH-2.0-OpenSSH_5.5p1 Debian-6
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
# SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
# SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
# SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
# SSH-2.0-OpenSSH_5.9
#
# (default: "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2")
version = SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
# Cipher encryption algorithms to be used.
#
# MUST be supplied as a comma-separated string without
# any spaces or newlines.
#
# Use ciphers to limit to more secure algorithms only
# any spaces.
# Supported ciphers:
#
# aes128-ctr
# aes192-ctr
# aes256-ctr
# aes256-cbc
# aes192-cbc
# aes128-cbc
# 3des-cbc
# blowfish-cbc
# cast128-cbc
ciphers = aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc
# MAC Algorithm to be used.
#
# MUST be supplied as a comma-separated string without
# any spaces or newlines.
#
# hmac-sha1 and hmac-md5 are considered insecure now, and
# instead MACs with higher number of bits should be used.
#
# Supported HMACs:
# hmac-sha2-512
# hmac-sha2-384
# hmac-sha2-256
# hmac-sha1
# hmac-md5
macs = hmac-sha2-512,hmac-sha2-384,hmac-sha2-56,hmac-sha1,hmac-md5
# Compression Method to be used.
#
# MUST be supplied as a comma-separated string without
# any spaces or newlines.
#
# Supported Compression Methods:
# zlib@openssh.com
# zlib
# none
compression = zlib@openssh.com,zlib,none
# Endpoint to listen on for incoming SSH connections.
# See https://twistedmatrix.com/documents/current/core/howto/endpoints.html#servers
# (default: listen_endpoints = tcp:2222:interface=0.0.0.0)
# (use systemd: endpoint for systemd activation)
# listen_endpoints = systemd:domain=INET:index=0
# For both IPv4 and IPv6: listen_endpoints = tcp6:2222:interface=\:\:
# Listening on multiple endpoints is supported with a single space seperator
# e.g listen_endpoints = "tcp:2222:interface=0.0.0.0 tcp:1022:interface=0.0.0.0" will result listening both on ports 2222 and 1022
# use authbind for port numbers under 1024
listen_endpoints = tcp:2222:interface=0.0.0.0
# Enable the SFTP subsystem
# (default: true)
sftp_enabled = true
# Enable SSH direct-tcpip forwarding
# (default: true)
forwarding = true
# This enables redirecting forwarding requests to another address
# Useful for forwarding protocols to other honeypots
# (default: false)
forward_redirect = false
# Configure where to forward the data to.
# forward_redirect_<portnumber> = <redirect ip>:<redirect port>
# Redirect http/https
# forward_redirect_80 = 127.0.0.1:8000
# forward_redirect_443 = 127.0.0.1:8443
# To record SMTP traffic, install an SMTP honeypoint.
# (e.g https://github.com/awhitehatter/mailoney), run
# python mailoney.py -s yahoo.com -t schizo_open_relay -p 12525
# forward_redirect_25 = 127.0.0.1:12525
# forward_redirect_587 = 127.0.0.1:12525
# This enables tunneling forwarding requests to another address
# Useful for forwarding protocols to a proxy like Squid
# (default: false)
forward_tunnel = false
# Configure where to tunnel the data to.
# forward_tunnel_<portnumber> = <tunnel ip>:<tunnel port>
# Tunnel http/https
# forward_tunnel_80 = 127.0.0.1:3128
# forward_tunnel_443 = 127.0.0.1:3128
# No authentication checking at all
# enabling 'auth_none' will enable the ssh2 'auth_none' authentication method
# this allows the requested user in without any verification at all
#
# (default: false)
#auth_none_enabled = false
# Configure keyboard-interactive login
auth_keyboard_interactive_enabled = false
# ============================================================================
# Telnet Specific Options
# ============================================================================
[telnet]
# Enable Telnet support, disabled by default
enabled = false
# Endpoint to listen on for incoming Telnet connections.
# See https://twistedmatrix.com/documents/current/core/howto/endpoints.html#servers
# (default: listen_endpoints = tcp:2223:interface=0.0.0.0)
# (use systemd: endpoint for systemd activation)
# listen_endpoints = systemd:domain=INET:index=0
# For IPv4 and IPv6: listen_endpoints = tcp6:2223:interface=\:\: tcp:2223:interface=0.0.0.0
# Listening on multiple endpoints is supported with a single space seperator
# e.g "listen_endpoints = tcp:2223:interface=0.0.0.0 tcp:2323:interface=0.0.0.0" will result listening both on ports 2223 and 2323
# use authbind for port numbers under 1024
listen_endpoints = tcp:2223:interface=0.0.0.0
# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie)
#reported_port = 23
# ============================================================================
# Database logging Specific Options
# ============================================================================
# XMPP Logging
# Log to an xmpp server.
#
#[database_xmpp]
#server = sensors.carnivore.it
#user = anonymous@sensors.carnivore.it
#password = anonymous
#muc = dionaea.sensors.carnivore.it
#signal_createsession = cowrie-events
#signal_connectionlost = cowrie-events
#signal_loginfailed = cowrie-events
#signal_loginsucceeded = cowrie-events
#signal_command = cowrie-events
#signal_clientversion = cowrie-events
#debug=true
# ============================================================================
# Output Plugins
# These provide an extensible mechanism to send audit log entries to third
# parties. The audit entries contain information on clients connecting to
# the honeypot.
#
# Output entries need to start with 'output_' and have the 'enabled' entry.
# ============================================================================
#[output_xmpp]
#enabled=true
#server = conference.cowrie.local
#user = cowrie@cowrie.local
#password = cowrie
#muc = hacker_room
# JSON based logging module
#
[output_jsonlog]
enabled = true
logfile = ${honeypot:log_path}/cowrie.json
epoch_timestamp = false
# Supports logging to Elasticsearch
# This is a simple early release
#
#[output_elasticsearch]
#enabled = false
#host = localhost
#port = 9200
#index = cowrie
# type has been deprecated since ES 6.0.0
# use _doc which is the default type. See
# https://stackoverflow.com/a/53688626 for
# more information
#type = _doc
# set pipeline = geoip to map src_ip to
# geo location data. You can use a custom
# pipeline but you must ensure it exists
# in elasticsearch.
#pipeline = geoip
#
# Authentication. When x-pack.security is enabled
# in ES, default users have been created and requests
# must be authenticated.
#
# Credentials
#username = elastic
#password =
#
# TLS encryption. Communications between the client (cowrie)
# and the ES server should naturally be protected by encryption
# if requests are authenticated (to prevent from man-in-the-middle
# attacks). The following options are then paramount
# if username and password are provided.
#
# use ssl/tls
#ssl = true
# Path to trusted CA certs on disk
#ca_certs = /cowrie/cowrie-git/etc/elastic_ca.crt
# verify SSL certificates
#verify_certs = true
# Send login attemp information to SANS DShield
# See https://isc.sans.edu/ssh.html
# You must signup for an api key.
# Once registered, find your details at: https://isc.sans.edu/myaccount.html
#
#[output_dshield]
#userid = userid_here
#auth_key = auth_key_here
#batch_size = 100
#enabled = false
# Local Syslog output module
#
# This sends log messages to the local syslog daemon.
# Facility can be:
# KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, SYSLOG and LOCAL0 to LOCAL7.
#
# Format can be:
# text, cef
#
#[output_localsyslog]
#enabled = false
#facility = USER
#format = text
# Text output
# This writes audit log entries to a text file
#
# Format can be:
# text, cef
#
#[output_textlog]
#enabled = false
#logfile = ${honeypot:log_path}/audit.log
#format = text
# MySQL logging module
# Database structure for this module is supplied in docs/sql/mysql.sql
#
# MySQL logging requires extra software: sudo apt-get install libmysqlclient-dev
# MySQL logging requires an extra Python module: pip install mysql-python
#
#[output_mysql]
#enabled = false
#host = localhost
#database = cowrie
#username = cowrie
#password = secret
#port = 3306
#debug = false
# Rethinkdb output module
# Rethinkdb output module requires extra Python module: pip install rethinkdb
#[output_rethinkdblog]
#enabled = false
#host = 127.0.0.1
#port = 28015
#table = output
#password =
#db = cowrie
# SQLite3 logging module
#
# Logging to SQLite3 database. To init the database, use the script
# docs/sql/sqlite3.sql:
# sqlite3 <db_file> < docs/sql/sqlite3.sql
#
#[output_sqlite]
#enabled = false
#db_file = cowrie.db
# MongoDB logging module
#
# MongoDB logging requires an extra Python module: pip install pymongo
#
#[output_mongodb]
#enabled = false
#connection_string = mongodb://username:password@host:port/database
#database = dbname
# Splunk HTTP Event Collector (HEC) output module
# sends JSON directly to Splunk over HTTP or HTTPS
# Use 'https' if your HEC is encrypted, else 'http'
# mandatory fields: url, token
# optional fields: index, source, sourcetype, host
#
#[output_splunk]
#enabled = false
#url = https://localhost:8088/services/collector/event
#token = 6A0EA6C6-8006-4E39-FC44-C35FF6E561A8
#index = cowrie
#sourcetype = cowrie
#source = cowrie
# HPFeeds
#
#[output_hpfeeds3]
#enabled = false
#server = hpfeeds.mysite.org
#port = 10000
#identifier = abc123
#secret = secret
#debug = false
# HPFeeds3
# Python3 implementation of HPFeeds
#[output_hpfeeds3]
#enabled = false
#server = hpfeeds.mysite.org
#port = 10000
#identifier = abc123
#secret = secret
#debug=false
# VirusTotal output module
# You must signup for an api key.
#
#[output_virustotal]
#enabled = false
#api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
#upload = True
#debug = False
#scan_file = True
#scan_url = False
# Cuckoo output module
#[output_cuckoo]
#enabled = false
# no slash at the end
#url_base = http://127.0.0.1:8090
#user = user
#passwd = passwd
# force will upload duplicated files to cuckoo
#force = 0
# upload to MalShare
#[output_malshare]
#enabled = false
# This will produce a _lot_ of messages - you have been warned....
#[output_slack]
#enabled = false
#channel = channel_that_events_should_be_posted_in
#token = slack_token_for_your_bot
#debug = false
# https://csirtg.io
# You must signup for an api key.
#
#[output_csirtg]
#enabled = false
#username = wes
#feed = scanners
#description = random scanning activity
#token = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
#[output_socketlog]
#enabled = false
#address = 127.0.0.1:9000
#timeout = 5
# Upload files that cowrie has captured to an S3 (or compatible bucket)
# Files are stored with a name that is the SHA of their contents
#
#[output_s3]
#
# The AWS credentials to use.
# Leave these blank to use botocore's credential discovery e.g .aws/config or ENV variables.
# As per https://github.com/boto/botocore/blob/develop/botocore/credentials.py#L50-L65
#access_key_id = AKIDEXAMPLE
#secret_access_key = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY
#
# The bucket to store the files in. The bucket must already exist.
#bucket = my-cowrie-bucket
#
# The region the bucket is in
#region = eu-west-1
#
# An alternate endpoint URL. If you self host a pithos instance you can set
# this to its URL (e.g. https://s3.mydomain.com) - can otherwise be blank
#endpoint =
#
# Whether or not to validate the S3 certificate. Set this to 'no' to turn this
# off. Do not do this for real AWS. It's only needed for self-hosted S3 clone
# where you don't yet have real certificates.
#verify = no
#[output_influx]
#enabled = false
#host = 127.0.0.1
#port = 8086
#database_name = cowrie
#retention_policy_duration = 12w
[output_kafka]
enabled = false
host = 127.0.0.1
port = 9092
topic = cowrie
#[output_redis]
#enabled = false
#host = 127.0.0.1
#port = 6379
# DB of the redis server. Defaults to 0
#db = 0
# Password of the redis server. Defaults to None
#password = secret
# Name of the list to push to or the channel to publish to. Required
#keyname = cowrie
# Method to use when sending data to redis.
# Can be one of [lpush, rpush, publish]. Defaults to lpush
#send_method = lpush
# Perform Reverse DNS lookup
#[output_reversedns]
#enabled = true
# Timeout in seconds
#timeout = 3
#[output_greynoise]
#enabled = true
#debug=False
# Name of the tags separated by comma, for which the IP has to be scanned for.
# Example "SHODAN,JBOSS_WORM,CPANEL_SCANNER_LOW"
# If there isn't any specific tag then just leave it "all"
#tags = all
# It's optional to have API key, so if you don't want to but
# API key then leave this option commented
#api_key = 1234567890
# Upload all files to a MISP instance of your liking.
# The API key can be found under Event Actions -> Automation
#[output_misp]
#enabled = true
#base_url = https://misp.somedomain.com
#api_key = secret_key
#verify_cert = true
#publish_event = true
#debug = false
# The crashreporter sends data on Python exceptions to api.cowrie.org
# To disable set `enabled = false` in cowrie.cfg
[output_crashreporter]
enabled = false
debug = false
# Reports login attempts to AbuseIPDB. A short guide is in the original
# pull request on GitHub: https://github.com/cowrie/cowrie/pull/1346
#[output_abuseipdb]
#enabled = true
#api_key =
#rereport_after = 24
#tolerance_window is in minutes
#tolerance_window = 120
#tolerance_attempts = 10
# WARNING: A binary file is read from this directory on start-up. Do not
# change unless you understand the security implications!
#dump_path = ${honeypot:state_path}/abuseipdb