Installing the Cowrie honeypot with Docker and sending alerts through WeCom (企业微信)

I. Introduction to Cowrie

Cowrie is an open-source honeypot built around the SSH and Telnet protocols. It emulates SSH and Telnet services to attract attackers and record their behaviour, including the full SSH login sequence (username and password entry), so that potential attackers can be tracked. Cowrie provides logging, event notification and archiving, which makes it useful for studying the techniques and patterns of network attacks.

II. Preparation

1. To keep the honeypot's data persistent and to hand the relevant parameters (the configuration) to the container, create the following directories in advance:

mkdir cowrie/log/ -p  # Cowrie text log output directory, used for text-based analysis
mkdir cowrie/etc -p  # Cowrie configuration file directory

2. In the cowrie/etc directory create the Cowrie configuration file cowrie.cfg and copy the configuration below into it. The same content can be taken from the official cowrie.cfg.dist; if you do that, you must manually change the Telnet enabled setting to true and the text-log output (output_textlog) enabled setting to true. Source: https://github.com/cowrie/cowrie/blob/master/etc/cowrie.cfg.dist
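The two preparation steps above (the directory layout and the two "enabled" changes) as a single helper script. This is an added example written for this article; it is not part of Cowrie and not the original post's code. The function names, the constructed excerpt of cowrie.cfg.dist embedded in it (so it runs offline), and the optional second argument pointing at a downloaded cowrie.cfg.dist are all assumptions of this example. The point of the section-aware awk is that "enabled = false" occurs in more than twenty stanzas of cowrie.cfg.dist, so a global search-and-replace would also switch on output plugins such as MySQL or Splunk that ship with placeholder credentials; the script changes only the [telnet] and [output_textlog] stanzas and then lists which output plugins actually ended up enabled.

```shell
#!/bin/sh
# Added example for this article (not part of Cowrie or the original post).
# Creates the host directories for the Docker bind mounts and flips "enabled"
# only inside the [telnet] and [output_textlog] stanzas of cowrie.cfg.
set -eu

# Step 1: host-side directories that will be mounted into the container.
prepare_dirs() {
    mkdir -p "$1/log" "$1/etc"
}

# Print the active (uncommented) value of KEY inside [SECTION]; prints nothing if unset.
# Usage: get_section_key FILE SECTION KEY
get_section_key() {
    awk -v s="$2" -v k="$3" '
        /^[ \t]*\[/ { in_s = ($0 == ("[" s "]")); next }
        in_s && $0 ~ ("^[ \t]*" k "[ \t]*=") {
            sub("^[ \t]*" k "[ \t]*=[ \t]*", ""); print; exit
        }' "$1"
}

# Rewrite "KEY = VALUE" inside [SECTION] only, leaving comments and every other
# stanza untouched. Returns 1 if the key is not present in that section.
# Usage: set_section_key FILE SECTION KEY VALUE
set_section_key() {
    file="$1"; section="$2"; key="$3"; value="$4"
    tmp="$file.tmp.$$"
    if awk -v s="$section" -v k="$key" -v v="$value" '
        /^[ \t]*\[/ { in_s = ($0 == ("[" s "]")) }
        in_s && $0 ~ ("^[ \t]*" k "[ \t]*=") { print k " = " v; hit = 1; next }
        { print }
        END { if (!hit) exit 2 }' "$file" > "$tmp"; then
        mv "$tmp" "$file"
    else
        rm -f "$tmp"
        echo "set_section_key: [$section] $key not found in $file" >&2
        return 1
    fi
}

# List the [output_*] stanzas whose "enabled" is true, one name per line.
list_enabled_outputs() {
    awk '
        /^[ \t]*\[output_/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        /^[ \t]*\[/ { sec = ""; next }
        sec != "" && /^[ \t]*enabled[ \t]*=/ {
            val = $0; sub(/^[ \t]*enabled[ \t]*=[ \t]*/, "", val)
            if (val == "true") print sec
        }' "$1"
}

# Step 2: write cowrie.cfg. If a path to a downloaded cowrie.cfg.dist is given it
# is copied in; otherwise a constructed excerpt of that file is written so the
# script runs offline. Then apply the two changes the post requires.
# Usage: prepare_cowrie BASE_DIR [PATH_TO_cowrie.cfg.dist]
prepare_cowrie() {
    base="$1"
    prepare_dirs "$base"
    cfg="$base/etc/cowrie.cfg"
    if [ -n "${2:-}" ]; then
        cp "$2" "$cfg"
    else
        # Constructed excerpt (assumption of this example), not the full upstream file.
        cat > "$cfg" <<'EOF'
[honeypot]
hostname = svr04
log_path = var/log/cowrie

[ssh]
enabled = true
listen_endpoints = tcp:2222:interface=0.0.0.0

[telnet]
enabled = false
listen_endpoints = tcp:2223:interface=0.0.0.0

[output_jsonlog]
enabled = true
logfile = ${honeypot:log_path}/cowrie.json

[output_textlog]
enabled = false
logfile = ${honeypot:log_path}/audit.log
format = text

[output_xmpp]
enabled=false
EOF
    fi
    set_section_key "$cfg" telnet enabled true
    set_section_key "$cfg" output_textlog enabled true
}

main() {
    base="${1:-$(mktemp -d)/cowrie}"
    prepare_cowrie "$base" "${2:-}"
    echo "prepared $base"
    echo "telnet enabled: $(get_section_key "$base/etc/cowrie.cfg" telnet enabled)"
    echo "enabled output plugins:"
    list_enabled_outputs "$base/etc/cowrie.cfg"
}

main "$@"
```

Run it as "sh prepare_cowrie.sh ./cowrie ./cowrie.cfg.dist" after downloading the upstream file, or with no arguments to see it work on the embedded excerpt in a temporary directory. Before starting the container it is worth running list_enabled_outputs on the final cowrie.cfg: with the configuration pasted in this post only output_jsonlog and output_textlog should be listed.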

# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# cowrie.cfg
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.

# ============================================================================
# General Cowrie Options
# ============================================================================
[honeypot]

# Sensor name is used to identify this Cowrie instance. Used by the database
# logging modules such as mysql.
#
# If not specified, the logging modules will instead use the IP address of the
# server as the sensor name.
#
# (default: not specified)
#sensor_name=myhostname

# Hostname for the honeypot. Displayed by the shell prompt of the virtual
# environment
#
# (default: svr04)
hostname = svr04


# Directory where to save log files in.
#
# (default: log)
log_path = var/log/cowrie


# Directory where to save downloaded artifacts in.
#
# (default: downloads)
download_path = ${honeypot:state_path}/downloads


# Directory for static data files
#
# (default: share/cowrie)
share_path = share/cowrie


# Directory for variable state files
#
# (default: var/lib/cowrie)
state_path = var/lib/cowrie


# Directory for config files
#
# (default: etc)
etc_path = etc


# Directory where virtual file contents are kept in.
#
# This is only used by commands like 'cat' to display the contents of files.
# Adding files here is not enough for them to appear in the honeypot - the
# actual virtual filesystem is kept in filesystem_file (see below)
#
# (default: honeyfs)
contents_path = honeyfs


# Directory for creating simple commands that only output text.
#
# The command must be placed under this directory with the proper path, such
# as:
#   txtcmds/usr/bin/vi
# The contents of the file will be the output of the command when run inside
# the honeypot.
#
# In addition to this, the file must exist in the virtual filesystem
#
# (default: txtcmds)
txtcmds_path = txtcmds


# Maximum file size (in bytes) for downloaded files to be stored in 'download_path'.
# A value of 0 means no limit. If the file size is known to be too big from the start,
# the file will not be stored on disk at all.
#
# (default: 0)
#download_limit_size = 10485760

# TTY logging will log a transcript of the complete terminal interaction in UML
# compatible format.
# (default: true)
ttylog = true

# Default directory for TTY logs.
# (default: ttylog_path = %(state_path)s/tty)
ttylog_path = ${honeypot:state_path}/tty

# Interactive timeout determines when logged in sessions are
# terminated for being idle. In seconds.
# (default: 180)
interactive_timeout = 180

# Authentication Timeout
# The server disconnects after this time if the user has not successfully logged in. 
# The default is 120 seconds.
authentication_timeout = 120

# EXPERIMENTAL: back-end to use for Cowrie, options: proxy or shell
# (default: shell)
backend = shell

# Timezone Cowrie uses for logging
# This can be any valid timezone for the TZ environment variable
# The special value `system` will let Cowrie use the system time zone
# `system` is not recommended because you will need to deal with daylight
# savings time and other special cases yourself when analysing the logs.
timezone = UTC

# Custom prompt
# By default, Cowrie creates a shell prompt like: root@svr03:~#
# If you want something totally custom, uncomment the option below and set your prompt
# Beware that the path won't be included in your prompt any longer
# prompt = hello>


# ============================================================================
# Network Specific Options
# ============================================================================


# IP address to bind to when opening outgoing connections. Used by wget and
# curl commands.
#
# (default: not specified)
#out_addr = 0.0.0.0


# Fake address displayed as the address of the incoming connection.
# This doesn't affect logging, and is only used by honeypot commands such as
# 'w' and 'last'
#
# If not specified, the actual IP address is displayed instead (default
# behaviour).
#
# (default: not specified)
#fake_addr = 192.168.66.254


# The IP address on which this machine is reachable on from the internet.
# Useful if you use portforwarding or other mechanisms. If empty, Cowrie
# will determine by itself. Used in 'netstat' output
#
#internet_facing_ip = 9.9.9.9



# ============================================================================
# Authentication Specific Options
# ============================================================================


# Class that implements the checklogin() method.
#
# Class must be defined in cowrie/core/auth.py
# Default is the 'UserDB' class which uses the password database.
#
# Alternatively the 'AuthRandom' class can be used, which will let
# a user login after a random number of attempts.
# It will also cache username/password combinations that allow login.
#
auth_class = UserDB

# When AuthRandom is used also set the
#  auth_class_parameters: <min try>, <max try>, <maxcache>
#  for example: 2, 5, 10 = allows access after randint(2,5) attempts
#  and cache 10 combinations.
#
#auth_class = AuthRandom
#auth_class_parameters = 2, 5, 10


[backend_pool]
# ============================================================================
# Backend Pool Configurations
# only used on the cowrie instance that runs the pool
# ============================================================================

# enable this to solely run the pool, regardless of other configurations (disables SSH and Telnet)
pool_only = false

# time between full VM recycling (cleans older VMs and boots newer ones) - involves some downtime between cycles
# -1 to disable
recycle_period = 1500

# change interface below to allow connections from outside (e.g. remote pool)
listen_endpoints = tcp:6415:interface=127.0.0.1

# guest snapshots
save_snapshots = false
snapshot_path = ${honeypot:state_path}/snapshots

# pool xml configs
config_files_path = ${honeypot:share_path}/pool_configs

network_config = default_network.xml
nw_filter_config = default_filter.xml

# libvirt URI, common settings are qemu:///system or qemu:///session
libvirt_uri = qemu:///system
# Use this syntax to directly connect to the UNIX socket
# libvirt_uri = qemu+unix:///session?socket=/home/cowrie/.cache/libvirt/libvirt-sock

# =====================================
# Guest details (for a generic x86-64 guest, like Ubuntu)
#
# Used to provide configuration details to save snapshots, identify
# running guests, and provide other details to Cowrie.
#   - SSH and Telnet ports: which ports are listening for these services in the guest OS;
#     if you're not using one of them omit the config or set to 0
#   - Guest private key: used by the pool to control the guest's state via SSH; guest must
#     have the corresponding pubkey in root's authorized_keys (not implemented)
# =====================================
guest_config = default_guest.xml
guest_privkey = ${honeypot:state_path}/ubuntu18.04-guest
guest_tag = ubuntu18.04
guest_ssh_port = 22
guest_telnet_port = 23

# Configs below are used on default XMLs provided.
# If you provide your own XML in guest_config you don't need these configs.
#
# Guest hypervisor can be qemu or kvm, for example. Recent hardware has KVM,
# which is more performant than the qemu software-based emulation. Guest arch
# must match your machine's. If it's older or you're unsure, set it to 'qemu'.
#
# Memory size is in MB.
#
# Advanced: guest_qemu_machine defines which machine Qemu emulates for your VM
# If you get a "unsupported machine type" exception when VMs are loading, change
# it to a compatible machine listed by the command: 'qemu-system-x86_64 -machine help'
guest_image_path = /home/cowrie/cowrie-imgs/ubuntu18.04-minimal.qcow2
guest_hypervisor = kvm
guest_memory = 512
guest_qemu_machine = pc-q35-bionic

# =====================================
# Guest details (for OpenWRT with ARM architecture)
#
# Used to provide configuration details to save snapshots, identify running guests,
# and provide other details to Cowrie.
# =====================================
#guest_config = wrt_arm_guest.xml
#guest_tag = wrt
#guest_ssh_port = 22
#guest_telnet_port = 23

# Configs below are used on default XMLs provided.
# If you provide your own XML in guest_config you don't need these configs.
#
# Guest hypervisor can be qemu or kvm, for example. Recent hardware has KVM,
# which is more performant than the qemu software-based emulation. Guest arch
# must match your machine's.
#
# Memory size is in MB.
#
# Advanced: guest_qemu_machine defines which machine Qemu emulates for your VM
# If you get a "unsupported machine type" exception when VMs are loading, change
# it to a compatible machine listed by the command: 'qemu-system-arm -machine help'
#guest_image_path = /home/cowrie/cowrie-imgs/root.qcow2
#guest_hypervisor = qemu
#guest_memory = 256
#guest_kernel_image = /home/cowrie/cowrie-imgs/zImage
#guest_qemu_machine = virt-2.9

# =====================================
# Other configs
# =====================================
# Use NAT (for remote pool)
#
# Guests exist in a local interface created by libvirt; NAT functionality creates a port in the host,
# exposed to a public interface, and forwards TCP data to and from the libvirt private interface.
# Cowrie's proxy receives the public information instead of the local IP of guests.
use_nat = true
nat_public_ip = 192.168.1.40


# ============================================================================
# Proxy Options
# ============================================================================
[proxy]

# type of backend:
#   - simple: backend machine deployed by you (CAREFUL WITH SECURITY ASPECTS!!), specify hosts and ports below
#   - pool: cowrie-managed pool of virtual machines, configure below
backend = pool

# =====================================
# Simple Backend Configuration
# =====================================
backend_ssh_host = localhost
backend_ssh_port = 2022

backend_telnet_host = localhost
backend_telnet_port = 2023

# =====================================
# Pool Backend Configuration
# =====================================

# generic pool configurable settings
pool_max_vms = 5
pool_vm_unused_timeout = 600

# allow sharing guests between different attackers if no new VMs are available
pool_share_guests = true

# Where to deploy the backend pool (only if backend = pool)
#   - "local": same machine as the proxy
#   - "remote": set host and port of the pool below
pool = local

# Remote pool configurations (used with pool=remote)
pool_host = 192.168.1.40
pool_port = 6415

# =====================================
# Proxy Configurations
# =====================================

# real credentials to log into backend
backend_user = root
backend_pass = root

# Telnet prompt detection
#
# To detect authentication prompts (and spoof auth details to the ones the backend accepts) we need to capture
# login and password prompts, and spoof data to the backend in order to successfully authenticate. If disabled,
# attackers can only use the real user credentials of the backend.
telnet_spoof_authentication = true

# These regex were made using Ubuntu 18.04; you have to adapt these for the prompts
# from your backend. You can enable raw logging above to analyse data passing through
# and identify the format of the prompts you need.
# You should generally include ".*" at the beginning and end of prompts, since Telnet messages can contain
# more data than the prompt.

# For login it is usually <hostname> login:
telnet_username_prompt_regex = (\n|^)ubuntu login: .*

# Password prompt is usually only the word Password
telnet_password_prompt_regex = .*Password: .*

# This data is sent by clients at the beginning of negotiation (before the password prompt), and contains the username
# that is trying to log in. We replace that username with the one in "backend_user" to allow the chance of a successful
# login after the first password prompt. We are only able to check if credentials are allowed after the password is
# inserted. If they are, then a correct username was already sent and authentication succeeds; if not, we send a fake
# password to force authentication to fail.
telnet_username_in_negotiation_regex = (.*\xff\xfa.*USER\x01)(.*?)(\xff.*)

# Other configs #
# log raw TCP packets in SSh and Telnet
log_raw = false


# ============================================================================
# Shell Options
# Options around Cowrie's Shell Emulation
# ============================================================================

[shell]

# File in the Python pickle format containing the virtual filesystem.
#
# This includes the filenames, paths, permissions for the Cowrie filesystem,
# but not the file contents. This is created by the bin/createfs utility from
# a real template linux installation.
#
# (default: fs.pickle)
filesystem = ${honeypot:share_path}/fs.pickle


# File that contains output for the `ps` command.
#
# (default: share/cowrie/cmdoutput.json)
processes = share/cowrie/cmdoutput.json


# Fake architectures/OS
# When Cowrie receives a command like /bin/cat XXXX (where XXXX is an executable)
# it replies with the content of a dummy executable (located in data_path/arch)
# compiled for an architecture/OS/endian_mode
# arch can be a comma separated list. When there are multiple elements, a random
# is chosen at login time.
# (default: linux-x64-lsb)

arch = linux-x64-lsb

# Here is the list of supported OS-ARCH-ENDIANNESS executables
# bsd-aarch64-lsb:	    64-bit	LSB	ARM aarch64 version 1 (SYSV)
# bsd-aarch64-msb:	    64-bit	MSB	ARM aarch64 version 1 (SYSV)
# bsd-bfin-msb:		    32-bit	MSB	Analog Devices Blackfin	version	1 (SYSV)
# bsd-mips64-lsb:		64-bit	LSB	MIPS MIPS-III version 1	(SYSV)
# bsd-mips64-msb:		64-bit	MSB	MIPS MIPS-III version 1	(SYSV)
# bsd-mips-lsb:		    32-bit	LSB	MIPS MIPS-I version 1 (FreeBSD)
# bsd-mips-msb:		    32-bit	MSB	MIPS MIPS-I version 1 (FreeBSD)
# bsd-powepc64-lsb:	    64-bit	MSB	64-bit PowerPC or cisco	7500 version 1 (FreeBSD)
# bsd-powepc-msb:		32-bit	MSB	PowerPC	or cisco 4500 version 1	(FreeBSD)
# bsd-riscv64-lsb:	    64-bit	LSB	UCB RISC-V version 1 (SYSV)
# bsd-sparc64-msb:	    64-bit	MSB	SPARC V9 relaxed memory	ordering version 1 (FreeBSD)
# bsd-sparc-msb:		32-bit	MSB	SPARC version 1	(SYSV) statically
# bsd-x32-lsb:		    32-bit	LSB	Intel 80386 version 1 (FreeBSD)
# bsd-x64-lsb:		    64-bit	LSB	x86-64 version 1 (FreeBSD)
# linux-aarch64-lsb:	64-bit	LSB	ARM aarch64 version 1 (SYSV)
# linux-aarch64-msb:	64-bit	MSB	ARM aarch64 version 1 (SYSV)
# linux-alpha-lsb:	    64-bit	LSB	Alpha (unofficial) version 1 (SYSV)
# linux-am33-lsb:		32-bit	LSB	Matsushita MN10300 version 1 (SYSV)
# linux-arc-lsb:		32-bit	LSB	ARC Cores Tangent-A5 version 1 (SYSV)
# linux-arc-msb:		32-bit	MSB	ARC Cores Tangent-A5 version 1 (SYSV)
# linux-arm-lsb:		32-bit	LSB	ARM EABI5 version 1 (SYSV)
# linux-arm-msb:		32-bit	MSB	ARM EABI5 version 1 (SYSV)
# linux-avr32-lsb:	    32-bit	LSB	Atmel AVR 8-bit	version 1 (SYSV)
# linux-bfin-lsb:		32-bit	LSB	Analog Devices Blackfin version	1 (SYSV)
# linux-c6x-lsb:		32-bit	LSB	TI TMS320C6000 DSP family version 1
# linux-c6x-msb:		32-bit	MSB	TI TMS320C6000 DSP family version 1
# linux-cris-lsb:		32-bit	LSB	Axis cris version 1 (SYSV)
# linux-frv-msb:		32-bit	MSB	Cygnus FRV (unofficial) version	1 (SYSV)
# linux-h8300-msb:	    32-bit	MSB	Renesas	H8/300 version 1 (SYSV)
# linux-hppa64-msb:	    64-bit	MSB	PA-RISC	02.00.00 (LP64) version	1
# linux-hppa-msb:		32-bit	MSB	PA-RISC	*unknown arch 0xf* version 1 (GNU/Linux)
# linux-ia64-lsb:		64-bit	LSB	IA-64 version 1	(SYSV)
# linux-m32r-msb:		32-bit	MSB	Renesas	M32R version 1 (SYSV)
# linux-m68k-msb:		32-bit	MSB	Motorola m68k 68020 version 1 (SYSV)
# linux-microblaze-msb:	32-bit	MSB	Xilinx MicroBlaze 32-bit RISC version 1	(SYSV)
# linux-mips64-lsb:	    64-bit	LSB	MIPS MIPS-III version 1	(SYSV)
# linux-mips64-msb:	    64-bit	MSB	MIPS MIPS-III version 1	(SYSV)
# linux-mips-lsb:		32-bit	LSB	MIPS MIPS-I version 1 (SYSV)
# linux-mips-msb:		32-bit	MSB	MIPS MIPS-I version 1 (SYSV)
# linux-mn10300-lsb:	32-bit	LSB	Matsushita MN10300 version 1 (SYSV)
# linux-nios-lsb:		32-bit	LSB	Altera Nios II version 1 (SYSV)
# linux-nios-msb:		32-bit	MSB	Altera Nios II version 1 (SYSV)
# linux-powerpc64-lsb:	64-bit	LSB	64-bit PowerPC or cisco	7500 version 1 (SYSV)
# linux-powerpc64-msb:	64-bit	MSB	64-bit PowerPC or cisco	7500 version 1 (SYSV)
# linux-powerpc-lsb:	32-bit	LSB	PowerPC	or cisco 4500 version 1 (SYSV)
# linux-powerpc-msb:	32-bit	MSB	PowerPC	or cisco 4500 version 1 (SYSV)
# linux-riscv64-lsb:  	64-bit	LSB	UCB RISC-V version 1 (SYSV)
# linux-s390x-msb:    	64-bit	MSB	IBM S/390 version 1 (SYSV)
# linux-sh-lsb:	    	32-bit	LSB	Renesas	SH version 1 (SYSV)
# linux-sh-msb:	    	32-bit	MSB	Renesas	SH version 1 (SYSV)
# linux-sparc64-msb:  	64-bit	MSB	SPARC V9 relaxed memory	ordering version 1 (SYSV)
# linux-sparc-msb:    	32-bit	MSB	SPARC version 1	(SYSV)
# linux-tilegx64-lsb:	64-bit	LSB	Tilera TILE-Gx version 1 (SYSV)
# linux-tilegx64-msb: 	64-bit	MSB	Tilera TILE-Gx version 1 (SYSV)
# linux-tilegx-lsb:   	32-bit	LSB	Tilera TILE-Gx version 1 (SYSV)
# linux-tilegx-msb:   	32-bit	MSB	Tilera TILE-Gx version 1 (SYSV)
# linux-x64-lsb:	    64-bit	LSB	x86-64 version 1 (SYSV)
# linux-x86-lsb:	    32-bit	LSB	Intel 80386 version 1 (SYSV)
# linux-xtensa-msb:   	32-bit	MSB	Tensilica Xtensa version 1 (SYSV)
# osx-x32-lsb:	    	32-bit	LSB Intel 80386
# osx-x64-lsb:	    	64-bit	LSB	x86-64

# arch = bsd-aarch64-lsb, bsd-aarch64-msb, bsd-bfin-msb, bsd-mips-lsb, bsd-mips-msb, bsd-mips64-lsb, bsd-mips64-msb, bsd-powepc-msb, bsd-powepc64-lsb, bsd-riscv64-lsb, bsd-sparc-msb, bsd-sparc64-msb, bsd-x32-lsb, bsd-x64-lsb, linux-aarch64-lsb, linux-aarch64-msb, linux-alpha-lsb, linux-am33-lsb, linux-arc-lsb, linux-arc-msb, linux-arm-lsb, linux-arm-msb, linux-avr32-lsb, linux-bfin-lsb, linux-c6x-lsb, linux-c6x-msb, linux-cris-lsb, linux-frv-msb, linux-h8300-msb, linux-hppa-msb, linux-hppa64-msb, linux-ia64-lsb, linux-m32r-msb, linux-m68k-msb, linux-microblaze-msb, linux-mips-lsb, linux-mips-msb, linux-mips64-lsb, linux-mips64-msb, linux-mn10300-lsb, linux-nios-lsb, linux-nios-msb, linux-powerpc-lsb, linux-powerpc-msb, linux-powerpc64-lsb, linux-powerpc64-msb, linux-riscv64-lsb, linux-s390x-msb, linux-sh-lsb, linux-sh-msb, linux-sparc-msb, linux-sparc64-msb, linux-tilegx-lsb, linux-tilegx-msb, linux-tilegx64-lsb, linux-tilegx64-msb, linux-x64-lsb, linux-x86-lsb, linux-xtensa-msb, osx-x32-lsb, osx-x64-lsb

# Modify the response of '/bin/uname'
# Default (uname -a): Linux <hostname> <kernel_version> <kernel_build_string> <hardware_platform> <operating system>
kernel_version = 3.2.0-4-amd64
kernel_build_string = #1 SMP Debian 3.2.68-1+deb7u1
hardware_platform = x86_64
operating_system = GNU/Linux

# SSH Version as printed by "ssh -V" in shell emulation
ssh_version = OpenSSH_7.9p1, OpenSSL 1.1.1a  20 Nov 2018


# ============================================================================
# SSH Specific Options
# ============================================================================
[ssh]

# Enable SSH support
# (default: true)
enabled = true


# Public and private SSH key files. If these don't exist, they are created
# automatically.
rsa_public_key = ${honeypot:state_path}/ssh_host_rsa_key.pub
rsa_private_key = ${honeypot:state_path}/ssh_host_rsa_key
dsa_public_key = ${honeypot:state_path}/ssh_host_dsa_key.pub
dsa_private_key = ${honeypot:state_path}/ssh_host_dsa_key
ecdsa_public_key = ${honeypot:state_path}/ssh_host_ecdsa_key.pub
ecdsa_private_key = ${honeypot:state_path}/ssh_host_ecdsa_key
ed25519_public_key = ${honeypot:state_path}/ssh_host_ed25519_key.pub
ed25519_private_key = ${honeypot:state_path}/ssh_host_ed25519_key

# Public keys supported are: ssh-rsa, ssh-dss, ecdsa-sha2-nistp256, ssh-ed25519
public_key_auth = ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519

# SSH version string as present to the client.
#
# Version string MUST start with SSH-2.0- or SSH-1.99-
#
# Use these to disguise your honeypot from a simple SSH version scan
# Examples:
# SSH-2.0-OpenSSH_5.1p1 Debian-5
# SSH-1.99-OpenSSH_4.3
# SSH-1.99-OpenSSH_4.7
# SSH-1.99-Sun_SSH_1.1
# SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1
# SSH-2.0-OpenSSH_4.3
# SSH-2.0-OpenSSH_4.6
# SSH-2.0-OpenSSH_5.1p1 Debian-5
# SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
# SSH-2.0-OpenSSH_5.5p1 Debian-6
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
# SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
# SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
# SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
# SSH-2.0-OpenSSH_5.9
#
# (default: "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2")
version = SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2

# Cipher encryption algorithms to be used.
#
# MUST be supplied as a comma-separated string without
# any spaces or newlines.
#
# Use ciphers to limit to more secure algorithms only.
# Supported ciphers:
#
# aes128-ctr
# aes192-ctr
# aes256-ctr
# aes256-cbc
# aes192-cbc
# aes128-cbc
# 3des-cbc
# blowfish-cbc
# cast128-cbc
ciphers = aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc


# MAC Algorithm to be used.
#
# MUST be supplied as a comma-separated string without
# any spaces or newlines.
#
# hmac-sha1 and hmac-md5 are considered insecure now, and
# instead MACs with higher number of bits should be used.
#
# Supported HMACs:
# hmac-sha2-512
# hmac-sha2-384
# hmac-sha2-256
# hmac-sha1
# hmac-md5
macs = hmac-sha2-512,hmac-sha2-384,hmac-sha2-256,hmac-sha1,hmac-md5


# Compression Method to be used.
#
# MUST be supplied as a comma-separated string without
# any spaces or newlines.
#
# Supported Compression Methods:
# zlib@openssh.com
# zlib
# none
compression = zlib@openssh.com,zlib,none

# Endpoint to listen on for incoming SSH connections.
# See https://twistedmatrix.com/documents/current/core/howto/endpoints.html#servers
# (default: listen_endpoints = tcp:2222:interface=0.0.0.0)
# (use systemd: endpoint for systemd activation)
# listen_endpoints = systemd:domain=INET:index=0
# For both IPv4 and IPv6: listen_endpoints = tcp6:2222:interface=\:\:
# Listening on multiple endpoints is supported with a single space separator
# e.g. listen_endpoints = "tcp:2222:interface=0.0.0.0 tcp:1022:interface=0.0.0.0" will result in listening on both ports 2222 and 1022
# use authbind for port numbers under 1024

listen_endpoints = tcp:2222:interface=0.0.0.0

# Enable the SFTP subsystem
# (default: true)
sftp_enabled = true


# Enable SSH direct-tcpip forwarding
# (default: true)
forwarding = true


# This enables redirecting forwarding requests to another address
# Useful for forwarding protocols to other honeypots
# (default: false)
forward_redirect = false


# Configure where to forward the data to.
# forward_redirect_<portnumber> = <redirect ip>:<redirect port>

# Redirect http/https
# forward_redirect_80 = 127.0.0.1:8000
# forward_redirect_443 = 127.0.0.1:8443

# To record SMTP traffic, install an SMTP honeypot.
# (e.g https://github.com/awhitehatter/mailoney), run
# python mailoney.py -s yahoo.com -t schizo_open_relay -p 12525
# forward_redirect_25 = 127.0.0.1:12525
# forward_redirect_587 = 127.0.0.1:12525


# This enables tunneling forwarding requests to another address
# Useful for forwarding protocols to a proxy like Squid
# (default: false)
forward_tunnel = false


# Configure where to tunnel the data to.
# forward_tunnel_<portnumber> = <tunnel ip>:<tunnel port>

# Tunnel http/https
# forward_tunnel_80 = 127.0.0.1:3128
# forward_tunnel_443 = 127.0.0.1:3128


# No authentication checking at all
# enabling 'auth_none' will enable the ssh2 'auth_none' authentication method
# this allows the requested user in without any verification at all
#
# (default: false)
#auth_none_enabled = false


# Configure keyboard-interactive login
auth_keyboard_interactive_enabled = false

# ============================================================================
# Telnet Specific Options
# ============================================================================
[telnet]

# Enable Telnet support, disabled by default
enabled = true

# Endpoint to listen on for incoming Telnet connections.
# See https://twistedmatrix.com/documents/current/core/howto/endpoints.html#servers
# (default: listen_endpoints = tcp:2223:interface=0.0.0.0)
# (use systemd: endpoint for systemd activation)
# listen_endpoints = systemd:domain=INET:index=0
# For IPv4 and IPv6: listen_endpoints = tcp6:2223:interface=\:\: tcp:2223:interface=0.0.0.0
# Listening on multiple endpoints is supported with a single space separator
# e.g. "listen_endpoints = tcp:2223:interface=0.0.0.0 tcp:2323:interface=0.0.0.0" will result in listening on both ports 2223 and 2323
# use authbind for port numbers under 1024

listen_endpoints = tcp:2223:interface=0.0.0.0


# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie)
#reported_port = 23



# ============================================================================
# Database logging Specific Options
# ============================================================================

# XMPP Logging
# Log to an xmpp server.
#
#[database_xmpp]
#server = sensors.carnivore.it
#user = anonymous@sensors.carnivore.it
#password = anonymous
#muc = dionaea.sensors.carnivore.it
#signal_createsession = cowrie-events
#signal_connectionlost = cowrie-events
#signal_loginfailed = cowrie-events
#signal_loginsucceeded = cowrie-events
#signal_command = cowrie-events
#signal_clientversion = cowrie-events
#debug=true




# ============================================================================
# Output Plugins
# These provide an extensible mechanism to send audit log entries to third
# parties. The audit entries contain information on clients connecting to
# the honeypot.
#
# Output entries need to start with 'output_' and have the 'enabled' entry.
# ============================================================================

[output_xmpp]
enabled=false
server = conference.cowrie.local
user = cowrie@cowrie.local
password = cowrie
muc = hacker_room

# JSON based logging module
#
[output_jsonlog]
enabled = true
logfile = ${honeypot:log_path}/cowrie.json
epoch_timestamp = false

# Supports logging to Elasticsearch
# This is a simple early release
#
[output_elasticsearch]
enabled = false
host = localhost
port = 9200
index = cowrie
# type has been deprecated since ES 6.0.0
# use _doc which is the default type. See
# https://stackoverflow.com/a/53688626 for
# more information
#type = _doc
# set pipeline = geoip to map src_ip to
# geo location data. You can use a custom
# pipeline but you must ensure it exists
# in elasticsearch.
#pipeline = geoip
#
# Authentication. When x-pack.security is enabled
# in ES, default users have been created and requests
# must be authenticated.
#
# Credentials
#username = elastic
#password =
#
# TLS encryption. Communications between the client (cowrie)
# and the ES server should naturally be protected by encryption
# if requests are authenticated (to prevent from man-in-the-middle
# attacks). The following options are then paramount
# if username and password are provided.
#
# use ssl/tls
#ssl = true
# Path to trusted CA certs on disk
#ca_certs = /cowrie/cowrie-git/etc/elastic_ca.crt
# verify SSL certificates
#verify_certs = true

# Send login attempt information to SANS DShield
# See https://isc.sans.edu/ssh.html
# You must signup for an api key.
# Once registered, find your details at: https://isc.sans.edu/myaccount.html
#
[output_dshield]
enabled = false
userid = userid_here
auth_key = auth_key_here
batch_size = 100
#
# Graylog logging module for GELF http input
[output_graylog]
enabled = false
url = http://graylog.example.com:122011/gelf
#
# Local Syslog output module
#
# This sends log messages to the local syslog daemon.
# Facility can be:
# KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, SYSLOG and LOCAL0 to LOCAL7.
#
# Format can be:
# text, cef
#
[output_localsyslog]
enabled = false
facility = USER
format = text


# Text output
# This writes audit log entries to a text file
#
# Format can be:
# text, cef
#
[output_textlog]
enabled = true
logfile = ${honeypot:log_path}/audit.log
format = text


# MySQL logging module
# Database structure for this module is supplied in docs/sql/mysql.sql
#
# MySQL logging requires extra software: sudo apt-get install libmysqlclient-dev
# MySQL logging requires an extra Python module: pip install mysql-python
#
[output_mysql]
enabled = false
host = localhost
database = cowrie
username = cowrie
password = secret
port = 3306
debug = false

# Rethinkdb output module
# Rethinkdb output module requires extra Python module: pip install rethinkdb

[output_rethinkdblog]
enabled = false
host = 127.0.0.1
port = 28015
table = output
password =
db = cowrie

# SQLite3 logging module
#
# Logging to SQLite3 database. To init the database, use the script
# docs/sql/sqlite3.sql:
#     sqlite3 <db_file> < docs/sql/sqlite3.sql
#
[output_sqlite]
enabled = false
db_file = cowrie.db

# MongoDB logging module
#
# MongoDB logging requires an extra Python module: pip install pymongo
#
[output_mongodb]
enabled = false
connection_string = mongodb://username:password@host:port/database
database = dbname


# Splunk HTTP Event Collector (HEC) output module
# sends JSON directly to Splunk over HTTP or HTTPS
# Use 'https' if your HEC is encrypted, else 'http'
# mandatory fields: url, token
# optional fields: index, source, sourcetype, host
#
[output_splunk]
enabled = false
url = https://localhost:8088/services/collector/event
token = 6A0EA6C6-8006-4E39-FC44-C35FF6E561A8
index = cowrie
sourcetype = cowrie
source = cowrie


# HPFeeds3
# Python3 implementation of HPFeeds
[output_hpfeeds3]
enabled = false
server = hpfeeds.mysite.org
port = 10000
identifier = abc123
secret = secret
debug=false


# VirusTotal output module
# You must signup for an api key.
#
[output_virustotal]
enabled = false
api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
upload = True
debug = False
scan_file = True
scan_url = False


# Cuckoo output module
[output_cuckoo]
enabled = false
# no slash at the end
url_base = http://127.0.0.1:8090
user = user
passwd = passwd
# force will upload duplicated files to cuckoo
force = 0

# upload to MalShare
# Register at https://malshare.com/register.php to get your API key
[output_malshare]
api_key = 130928309823098
enabled = false

# This will produce a _lot_ of messages - you have been warned....
[output_slack]
enabled = false
channel = channel_that_events_should_be_posted_in
token = slack_token_for_your_bot
debug = false


# https://csirtg.io
# You must signup for an api key.
#
[output_csirtg]
enabled = false
username = wes
feed = scanners
description = random scanning activity
token = a1b2c3d4
debug = false


[output_socketlog]
enabled = false
address = 127.0.0.1:9000
timeout = 5

# Upload files that cowrie has captured to an S3 (or compatible bucket)
# Files are stored with a name that is the SHA of their contents
#
[output_s3]
enabled = false
#
# The AWS credentials to use.
# Leave these blank to use botocore's credential discovery e.g .aws/config or ENV variables.
# As per https://github.com/boto/botocore/blob/develop/botocore/credentials.py#L50-L65
access_key_id = AKIDEXAMPLE
secret_access_key = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY
#
# The bucket to store the files in. The bucket must already exist.
bucket = my-cowrie-bucket
#
# The region the bucket is in
region = eu-west-1
#
# An alternate endpoint URL. If you self host a pithos instance you can set
# this to its URL (e.g. https://s3.mydomain.com) - can otherwise be blank
#endpoint =
#
# Whether or not to validate the S3 certificate. Set this to 'no' to turn this
# off. Do not do this for real AWS. It's only needed for self-hosted S3 clone
# where you don't yet have real certificates.
#verify = no

[output_influx]
enabled = false
host = 127.0.0.1
port = 8086
database_name = cowrie
retention_policy_duration = 12w

[output_kafka]
enabled = false
host = 127.0.0.1
port = 9092
topic = cowrie


[output_redis]
enabled = false
host = 127.0.0.1
port = 6379
# DB of the redis server. Defaults to 0
db = 0
# Password of the redis server. Defaults to None
# password = secret
# Name of the list to push to or the channel to publish to. Required
keyname = cowrie
# Method to use when sending data to redis.
# Can be one of [lpush, rpush, publish]. Defaults to lpush
send_method = lpush


# Perform Reverse DNS lookup
[output_reversedns]
enabled = false
# Timeout in seconds
timeout = 3

[output_greynoise]
enabled = false
debug = false
# Name of the tags separated by comma, for which the IP has to be scanned for.
# Example "SHODAN,JBOSS_WORM,CPANEL_SCANNER_LOW"
# If there isn't any specific tag then just leave it "all"
tags = all
# An API key is optional; if you do not want to use one, leave this option
# commented out.
#api_key = 1234567890

# Upload all files to a MISP instance of your liking.
# The API key can be found under Event Actions -> Automation
[output_misp]
enabled = false
base_url = https://misp.somedomain.com
api_key = secret_key
verify_cert = true
publish_event = true
debug = false

# Send message using Telegram bot
# 1. Create a bot following https://core.telegram.org/bots#6-botfather to get token.
# 2. Send message to your bot, then use https://api.telegram.org/bot{bot_token}/getUpdates to find chat_id.
# N.b. bot will only send messages on cowrie.login.success, cowrie.command.input/.failed, and
# cowrie.session.file_download, to prevent spam. 
[output_telegram]
enabled = false
bot_token = 123456789:AbCDEfGhiJkLmnOpQRstUVWxYZ
chat_id = 987654321

# The crashreporter sends data on Python exceptions to api.cowrie.org
# To disable set `enabled = false` in cowrie.cfg
[output_crashreporter]
enabled = false
debug = false

# Reports login attempts to AbuseIPDB. A short guide is in the original
# pull request on GitHub: https://github.com/cowrie/cowrie/pull/1346
[output_abuseipdb]
enabled = false
#api_key =
#rereport_after = 24
#tolerance_window is in minutes
#tolerance_window = 120
#tolerance_attempts = 10
# WARNING: A binary file is read from this directory on start-up. Do not
# change unless you understand the security implications!
#dump_path = ${honeypot:state_path}/abuseipdb

# Report login and session tracking attempts via the ThreatJammer.com Report API.
# ThreatJammer.com is a risk assessment tool <https://threatjammer.com>
# Read the docs for more information: https://cowrie.readthedocs.io/en/latest/threatjammer/README.html
[output_threatjammer]
enabled = false
bearer_token = THREATJAMMER_API_TOKEN
#api_url=https://dublin.report.threatjammer.com/v1/ip
#track_login = true
#track_session = false
#ttl = 86400
#category = ABUSE
#tags = COWRIE,LOGIN,SESSION

# Send output to a Discord webhook
[output_discord]
enabled = false
url = https://discord.com/api/webhooks/id/token

# Datadog output module
# sends JSON directly to Datadog
# mandatory field: api_key
# optional fields (fallback configured in module): ddsource, ddtags, service
# For more information on fields https://docs.datadoghq.com/api/latest/logs/#send-logs
[output_datadog]
enabled = false
url = https://http-intake.logs.datadoghq.com/api/v2/logs
api_key = abcdef1234567890fedcba0987654321
ddsource = cowrie
ddtags = env:dev
service = honeypot

# Oracle Cloud custom logs output module
# sends JSON directly to Oracle Cloud custom logs
# mandatory field: authtype, log_ocid
# optional fields (to be set if user_principals is selected as authtype): user_ocid, fingerprint, tenancy_ocid, region, keyfile
# For more information on Oracle Cloud custom logs: https://docs.oracle.com/en-us/iaas/Content/Logging/Concepts/custom_logs.htm
# For more information on Oracle Cloud user principal authentication method: https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm#five
# For more information on Oracle Cloud instance principal authentication method: https://blogs.oracle.com/developers/post/accessing-the-oracle-cloud-infrastructure-api-using-instance-principals
[output_oraclecloud]
enabled = false
# authtype must be set either to user_principals or to instance_principals
authtype = instance_principals
# following parameters must be set in case user_principals is used. keyfile is the absolute path to your API pem key file.
#log_ocid = ocid1.log.oc1.eu-stockholm-1.xxx
#user_ocid = ocid1.user.oc1..xxx
#fingerprint = 77:9c:4xxxxx
#tenancy_ocid = ocid1.tenancy.oc1..xxx
#region = eu-stockholm-1
#keyfile = /home/xx/key.pem

3. In the cowrie/log directory create the log files and set their ownership and permissions, so the container can write Cowrie's output into them

cd cowrie/log
touch audit.log cowrie.json
# The image runs Cowrie as an unprivileged user, so these files must be writable by that uid/gid.
# polkitd:input is simply the host name that the container's uid/gid resolved to on the author's
# machine (the official image's cowrie user is uid 1000); run ls -ln after the first start and
# chown to the numeric ids you actually see.
chown polkitd:input audit.log cowrie.json
# 755 as in the original; the execute bit does nothing for a log file, 664 is sufficient.
chmod 755 audit.log
chmod 755 cowrie.json

4. Move the host's own sshd off port 22 so the honeypot can take it; use another port such as 3222

vim /etc/ssh/sshd_config    # change "Port 22" to "Port 3222"
systemctl restart sshd.service   # restart sshd to apply; keep your current session open until you have confirmed you can log in on 3222
# If sshd refuses to start on the new port, SELinux is the usual cause. setenforce 0 is only a temporary
# workaround that leaves the whole host unconfined; the proper fix is to label the new port:
semanage port -a -t ssh_port_t -p tcp 3222

5. Notes

(1) If iptables is enabled, remember to allow port 3222 (the new sshd port) before restarting sshd, or you lock yourself out.
(2) Do not stop the firewall (firewalld) while Docker is running: doing so flushes the iptables chains Docker created. The symptom is that the mapped container ports are reachable from the host but not from other machines. The fix is to restart Docker so it recreates its rules.
(3) On the author's setup it was not possible to enter the container with docker exec -it; the reason is unknown.

III. Pull and run the Cowrie image with Docker

# Step 1 only created log/ and etc/. Create the downloads directory yourself: if Docker has to create a
# missing bind-mount source it does so as root, and the container's unprivileged user then cannot store
# captured files in it. Give it the same owner as the log files.
mkdir -p /home/webapp/Honeypot/cowrie/downloads

# Host ports 22 and 23 are forwarded to Cowrie's default SSH and Telnet listeners, 2222 and 2223, inside
# the container. The host etc directory replaces the image's etc, which is why step 2 copied the complete
# cowrie.cfg.dist into cowrie.cfg rather than only overriding individual settings.
docker run -d --name cowrie01 -p 22:2222 -p 23:2223 \
  -v /home/webapp/Honeypot/cowrie/etc:/cowrie/cowrie-git/etc \
  -v /home/webapp/Honeypot/cowrie/downloads:/cowrie/cowrie-git/var/lib/cowrie/downloads \
  -v /home/webapp/Honeypot/cowrie/log:/cowrie/cowrie-git/var/log/cowrie \
  cowrie/cowrie

IV. Linking Cowrie alerts to WeChat Work

Note!!! First make sure you can already call the WeChat Work API successfully; for how to set it up and test it, see my other article: how to send alert messages to WeChat Work from Linux.

The script has two parts: the first part analyses the log, the second part sends the alert message through the WeChat Work API.

Note: the analysis script I wrote is simple. A cron job triggers it, it counts how many SSH logins were recorded the previous day, and sends the figure to WeChat Work. You can of course change what is analysed and what is sent.

#!/bin/bash
# Runs from cron, so work with absolute paths rather than whatever the current directory is.
# Keep this file readable only by the account that runs it (chmod 600): it holds the app secret.
set -euo pipefail
LOGDIR=/home/webapp/Honeypot/cowrie/log
cd "$LOGDIR"

# Part 1: alert data
# yesterday's date
yesterday=$(date -d yesterday +%Y-%m-%d)
# Rotate the log: copy it aside, then truncate it in place. Do not mv or rm it: the container keeps
# the file open and would carry on writing to the old inode.
cp ./audit.log "./audit.log.${yesterday}.log"
: > ./audit.log
# Count yesterday's successful logins. Cowrie logs "login attempt [user/pass] succeeded" and
# "login attempt [user/pass] failed"; the original pattern "login" matched both, so every password
# guess was reported as a login. grep -c exits 1 when the count is 0, hence the || true.
tologin=$(grep "${yesterday}" "audit.log.${yesterday}.log" | grep -c "login attempt.*succeeded" || true)
failed=$(grep "${yesterday}" "audit.log.${yesterday}.log" | grep -c "login attempt.*failed" || true)


# Part 2: WeChat Work integration
# WeChat Work settings
# Every enterprise has a unique corpid. In the admin console, "My Company" -> "Company Info" shows the "Company ID" (admin rights required).
corpid="xxxxx"

# The secret is the key that protects an application's data; every application has its own and it must never leak.
# To find it: admin console -> "Application Management" -> "Applications" -> "Self-built", open the application.
corpsecret="xxxxx"

# Every application has a unique agentid, shown on the same application page.
agentid="xxxxx"

# Every department has a unique id: admin console -> "Contacts" -> "Organization", click the dots next to a department.
# Left empty here (the API ignores an empty toparty); fill it in to notify a whole department.
toparty=""

# Every member has a unique userid (the "account"): admin console -> "Contacts" -> open a member's detail page.
userids="xxxxx|xxxxx"

# URL for fetching the access_token
url="https://qyapi.weixin.qq.com/cgi-bin/gettoken"

# The access_token is the ticket with which your backend talks to WeChat Work. It is derived from corpid and
# secret, and every API call must carry it. jq can be installed with yum install jq.
access_token=$(curl -s -G "$url" --data-urlencode "corpid=$corpid" --data-urlencode "corpsecret=$corpsecret" | jq -r .access_token)
if [ -z "$access_token" ] || [ "$access_token" = "null" ]; then
    echo "failed to obtain access_token, check corpid/corpsecret" >&2
    exit 1
fi

# The message to send
message="{\"touser\" : \"$userids\", \"toparty\" : \"$toparty\", \"msgtype\" : \"text\", \"agentid\" : \"$agentid\", \"text\" : {\"content\" : \"Honeypot SSH report for $yesterday: $tologin successful logins, $failed failed attempts. Please review.\"}}"

curl -s -X POST -H "Content-Type: application/json" "https://qyapi.weixin.qq.com/cgi-bin/message/send?access_token=$access_token" -d "$message"
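The shell script above counts logins by grepping the text log. The container also writes cowrie.json, the structured log that step 3 created but the script never reads; every event there carries an eventid, which makes counting far less fragile than pattern-matching message text. The following is an added example, not code from this article or from the Cowrie project: it summarises one day of cowrie.json by eventid (connections, successful and failed logins, commands, downloads, distinct source IPs, most-tried credential pairs), tolerates a truncated line left by a rotation, and builds the same message/send payload. LOG_PATH, the constructed sample lines and the WECOM_* environment variables are assumptions; the variables were chosen so the app secret does not have to live in the log directory that is bind-mounted into the honeypot container.

```python
#!/usr/bin/env python3
"""Daily Cowrie summary from cowrie.json, ready to post to WeChat Work.

Added example for this article, not code from the article or from Cowrie.
Assumed, not from the article: LOG_PATH; credentials come from the environment
variables WECOM_CORPID, WECOM_SECRET, WECOM_AGENTID and WECOM_TOUSER.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
from collections import Counter
from datetime import date, timedelta

LOG_PATH = "/home/webapp/Honeypot/cowrie/log/cowrie.json"  # assumed; matches the article's -v mount

# Constructed sample lines in Cowrie's JSON log format (used by --demo and by the test).
# The last line is deliberately truncated, as happens when the file is rotated mid-write.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"a1","timestamp":"2024-05-01T23:58:01.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.7","session":"a1","timestamp":"2024-05-01T23:58:03.000000Z"}
{"eventid":"cowrie.login.success","username":"root","password":"admin","src_ip":"198.51.100.7","session":"a1","timestamp":"2024-05-01T23:58:05.000000Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"198.51.100.7","session":"a1","timestamp":"2024-05-01T23:58:09.000000Z"}
{"eventid":"cowrie.session.file_download","url":"http://203.0.113.9/x86","shasum":"e3b0c442","src_ip":"198.51.100.7","session":"a1","timestamp":"2024-05-01T23:58:20.000000Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"203.0.113.44","session":"b2","timestamp":"2024-05-02T00:00:30.000000Z"}
{"eventid":"cowrie.session.closed","src_ip":"203.0.113.44",
"""

# eventid -> counter name
EVENT_KEYS = {
    "cowrie.session.connect": "connections",
    "cowrie.login.success": "login_success",
    "cowrie.login.failed": "login_failed",
    "cowrie.command.input": "commands",
    "cowrie.session.file_download": "downloads",
}


def summarise(lines, day):
    """Count Cowrie events whose timestamp starts with `day` (YYYY-MM-DD)."""
    counts, creds, ips = Counter(), Counter(), set()
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            if raw.strip():  # a bad line is counted and skipped, never allowed to abort the report
                counts["malformed"] += 1
            continue
        if not str(ev.get("timestamp", "")).startswith(day):
            continue
        if "src_ip" in ev:
            ips.add(ev["src_ip"])
        eid = ev.get("eventid", "")
        counts[EVENT_KEYS.get(eid, "other")] += 1
        if eid.startswith("cowrie.login."):
            creds[f"{ev.get('username')}/{ev.get('password')}"] += 1
    result = {k: counts[k] for k in EVENT_KEYS.values()}
    result.update(unique_ips=len(ips), top_credentials=creds.most_common(3), malformed=counts["malformed"])
    return result


def build_payload(summary, day, agentid, touser):
    """Body for message/send. Only counts and the top credential pairs go to chat; attacker-supplied
    commands and URLs stay in the log."""
    text = [
        f"Cowrie honeypot report for {day}",
        f"connections: {summary['connections']} from {summary['unique_ips']} source IPs",
        f"logins: {summary['login_success']} successful, {summary['login_failed']} failed",
        f"commands run: {summary['commands']}, files downloaded: {summary['downloads']}",
    ]
    if summary["top_credentials"]:
        text.append("top credentials: " + ", ".join(f"{c} x{n}" for c, n in summary["top_credentials"]))
    if summary["malformed"]:
        text.append(f"warning: {summary['malformed']} unparseable log line(s) skipped")
    return {"touser": touser, "msgtype": "text", "agentid": agentid, "text": {"content": "\n".join(text)}}


def send_wecom(payload, corpid, secret):
    """gettoken followed by message/send, the two calls the article's shell script makes."""
    q = urllib.parse.urlencode({"corpid": corpid, "corpsecret": secret})
    with urllib.request.urlopen(f"https://qyapi.weixin.qq.com/cgi-bin/gettoken?{q}", timeout=10) as r:
        tok = json.load(r)
    if tok.get("errcode", 0) != 0 or not tok.get("access_token"):
        raise RuntimeError(f"gettoken failed: {tok}")
    req = urllib.request.Request(
        "https://qyapi.weixin.qq.com/cgi-bin/message/send?access_token=" + urllib.parse.quote(tok["access_token"]),
        data=json.dumps(payload, ensure_ascii=False).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as r:
        return json.load(r)


if __name__ == "__main__":
    day = (date.today() - timedelta(days=1)).isoformat()
    if "--demo" in sys.argv:
        lines, day = SAMPLE_LOG.splitlines(), "2024-05-01"
    else:
        with open(LOG_PATH, encoding="utf-8", errors="replace") as f:
            lines = f.readlines()
    payload = build_payload(summarise(lines, day), day,
                            os.environ.get("WECOM_AGENTID", ""), os.environ.get("WECOM_TOUSER", ""))
    print(payload["text"]["content"])
    if "--send" in sys.argv:
        print(send_wecom(payload, os.environ["WECOM_CORPID"], os.environ["WECOM_SECRET"]))
```

Run it with --demo to print the summary for the constructed sample (one connection, one successful and one failed login, one truncated line reported as skipped; the 2024-05-02 line is excluded by the date filter), and with --send to post the real previous-day summary. Because the filter is on the timestamp field rather than on which file the line came from, the script does not need the copy-and-truncate rotation from the shell version; Cowrie's own JSON log can be left to grow and rotated by logrotate with copytruncate.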

V. Create the cron job

Create a cron job that runs at 00:00 every day and sends the previous day's SSH login summary to WeChat Work. The script derives "yesterday" from the time at which it runs, so it must run just after midnight, not before.

crontab -e
00 00 * * *     /home/webapp/Honeypot/cowrie/log/analyze.sh

Caveat: this path puts analyze.sh, and the corpsecret written into it, inside the directory that is bind-mounted into the container as var/log/cowrie, so anything running as the honeypot user inside the container can read the secret. Store the script outside the mounted tree, make it readable only by the cron user (chmod 600), and update the crontab entry accordingly.
