initial commit

cowrie/Dockerfile

@@ -0,0 +1,47 @@
+FROM alpine:3.3
+MAINTAINER Wonderfall <wonderfall@mondedie.fr>
+
+ENV HOSTNAME=svr04 DL_LIMIT=10485760 FACING_IP=9.9.9.9 JSON_LOG=False CUSTOM=False GID=1000 UID=1000
+
+RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
+ && echo "@commuedge http://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
+ && apk -U add \
+    build-base \
+    libffi \
+    libffi-dev \
+    openssl \
+    openssl-dev \
+    python \
+    python-dev \
+    py-pip \
+    tar \
+    tini@commuedge \
+    gosu@testing \
+ && pip install --no-cache \
+    pyasn1 \
+    service_identity \
+    pyOpenSSL \
+    twisted==15.4.0 \
+    pycrypto \
+    cryptography \
+ && apk del \
+    build-base \
+    libffi-dev \
+    openssl-dev \
+    python-dev \
+    py-pip \
+ && rm -f /var/cache/apk/*
+
+RUN mkdir /cowrie && cd /cowrie \
+ && wget -qO- https://github.com/micheloosterhof/cowrie/archive/master.tar.gz \
+  | tar xz --strip 1 \
+ && mv cowrie.cfg.dist cowrie.cfg \
+ && sed -i "s|download_path = dl|download_path = /dl|g" cowrie.cfg \
+ && sed -i "s|log_path = log|log_path = /log|g" cowrie.cfg
+
+COPY run.sh /usr/local/bin/run.sh
+RUN chmod +x /usr/local/bin/run.sh
+
+VOLUME /dl /log /honeyfs /data /txtcmds /utils
+EXPOSE 2222
+CMD ["tini","--","run.sh"]

cowrie/README.md

@@ -0,0 +1,50 @@
+## wonderfall/cowrie
+[![](https://badge.imagelayers.io/wonderfall/cowrie:latest.svg)](https://imagelayers.io/?images=wonderfall/cowrie:latest 'Get your own badge on imagelayers.io')
+
+![](https://i.goopics.net/lO.jpg)
+
+#### What is this?
+Cowrie is a medium interaction SSH honeypot designed to log brute force attacks and the shell interaction performed by the attacker. Cowrie is based on Kippo.
+
+#### Environment variables
+- **HOSTNAME** is the hostname displayed in the honeypot. 
+- **DL_LIMIT** is the maximum size (in bytes!) of a stored downloaded file (0 = no limit). 
+- **FACING_IP** is your IP (you have to set it manually because cowrie fails to detect it when running in Docker). 
+- **JSON_LOG** equals False by default, so json logging is disabled. If you want this feature enabled, set `$JSON_LOG` to True (or anything else...).
+
+#### Volumes
+- **/dl** : where downloads are stored.
+- **/log** : cowrie and tty sessions logs.
+
+#### Custom mode
+`$CUSTOM` can be interpreted as a custom mode. You have access, if set to True, to :
+- **honeyfs dir** (/honeyfs) : file contents for the fake filesystem, feel free to copy a real system here
+- **data dir** (/data) : fake filesystem + users database
+- **txtcmds dir** (/txtcmds) : modify, or add new text commands (if new, must be added to the fake fs)
+- **utils dir** (/utils) : useful for fake fs creation
+
+You have to know that, once these directories are polluted by the run.sh script, nothing will be done for you. You'll have to update manually (except utils) and things may break in the future. Always backup your changes. If you just want to run the honeypot without any customisation, do not enable this mode.
+
+#### Docker compose (example)
+```
+cowrie:
+  image: wonderfall/cowrie
+  ports:
+    - "2222:2222"
+  volumes:
+    - /mnt/cowrie/dl:/dl
+    - /mnt/cowrie/log:/log
+    ### IF CUSTOM MODE
+    #- /mnt/cowrie/honeyfs:/honeyfs
+    #- /mnt/cowrie/data:/data
+    #- /mnt/cowrie/txtcmds:/txtcmds
+    #- /mnt/cowrie/utils:/utils
+  environment:
+    - HOSTNAME=foobar
+    - DL_LIMIT=2048
+    - FACING_IP=9.9.9.9
+    - JSON_LOG=False
+    - CUSTOM=False
+    - GID=1000
+    - UID=1000
+```

cowrie/run.sh

@@ -0,0 +1,41 @@
+#!/bin/sh
+cd /cowrie
+sed -i "s/hostname = svr04/hostname = $HOSTNAME/g" cowrie.cfg
+sed -i "s/#download_limit_size = 10485760/download_limit_size = $DL_LIMIT/g" cowrie.cfg
+sed -i "s/#internet_facing_ip = 9.9.9.9/internet_facing_ip = $FACING_IP/g" cowrie.cfg
+
+if [ "$JSON_LOG" == "False" ]; then
+    sed -i "s/\[output_jsonlog\]/#\[output_jsonlog\]/g" cowrie.cfg
+    sed -i "s|logfile = log/cowrie.json|#logfile = log/cowrie.json|g" cowrie.cfg
+fi
+    
+if [ "$CUSTOM" == "True"]; then
+    sed -i "s|contents_path = honeyfs|contents_path = /honeyfs|g" cowrie.cfg
+    sed -i "s|data_path = data|data_path = /data|g" cowrie.cfg
+    sed -i "s|txtcmds_path = txtcmds|txtcmds_path = /txtcmds|g" cowrie.cfg
+    
+    if [ -d honeyfs ] && [ ! -d /honeyfs/etc ]; then
+        mv honeyfs/* /honeyfs
+    fi
+    
+    if [ -d data ] && [ ! -f /data/userdb.txt ]; then
+        mv data/* /data
+    fi
+    
+    if [ -d txtcmds ] && [ ! -d /txtcmds/bin ]; then
+        mv txtcmds/* /txtcmds
+    fi
+    
+    if [ -d utils ]; then
+        rm -rf /utils/*
+        mv utils/* /utils
+    fi
+
+    rm -rf honeyfs data txtcmds utils
+    ln -s /data data #fix
+    chown -R $UID:$GID /honeyfs /data /txtcmds /utils
+fi
+
+mkdir /log/tty
+chown -R $UID:$GID /cowrie /dl /log
+gosu $UID:$GID twistd -n -l /log/cowrie.log cowrie