add cowrie honeypot

2025-04-20 04:19:18 +00:00 · 2016-05-14 23:49:46 +02:00 · 2016-05-14 23:49:46 +02:00 · 18111ca978
commit 18111ca978
parent 2bc8a218a9
3 changed files with 140 additions and 0 deletions
--- a/cowrie/Dockerfile
+++ b/cowrie/Dockerfile
@ -0,0 +1,84 @@
+FROM alpine:3.3
+MAINTAINER Wonderfall <wonderfall@schrodinger.io>
+
+ARG MPFR_VERSION=3.1.4
+ARG MPC_VERSION=1.0.3
+
+ARG GPG_MPFR="07F3 DBBE CC1A 3960 5078  094D 980C 1976 98C3 739D"
+ARG GPG_MPC="AD17 A21E F8AE D8F1 CC02  DBD9 F7D5 C9BF 765C 61E3"
+ARG SHA1_MPC="b8be66396c726fdc36ebb0f692ed8a8cca3bcc66"
+
+ENV UID=1000 \
+    GID=1000 \
+    HOSTNAME=svr04 \
+    DL_LIMIT=10485760 \
+    FACING_IP=9.9.9.9 \
+    JSON_LOG=False
+
+RUN echo "@commuedge http://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
+ && BUILD_DEPS=" \
+    build-base \
+    libtool \
+    libffi-dev \
+    openssl-dev \
+    python-dev \
+    gmp-dev \
+    py-pip \
+    tar \
+    gnupg" \
+ && apk -U add \
+    ${BUILD_DEPS} \
+    libffi \
+    gmp \
+    openssl \
+    python \
+    tini@commuedge \
+    su-exec \
+ && cd /tmp \
+ && wget -q http://www.mpfr.org/mpfr-current/mpfr-${MPFR_VERSION}.tar.gz \
+ && echo "Verifying authenticity of mpfr-${MPFR_VERSION}.tar.gz..." \
+ && wget -q http://www.mpfr.org/mpfr-current/mpfr-${MPFR_VERSION}.tar.gz.asc \
+ && gpg --recv-keys 98C3739D \
+ && FINGERPRINT="$(LANG=C gpg --verify mpfr-${MPFR_VERSION}.tar.gz.asc mpfr-${MPFR_VERSION}.tar.gz 2>&1 \
+  | sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
+ && if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \
+ && if [ "${FINGERPRINT}" != "${GPG_MPFR}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
+ && echo "All seems good, now unpacking mpfr-${MPFR_VERSION}.tar.gz..." \
+ && tar xzf mpfr-${MPFR_VERSION}.tar.gz && cd mpfr-${MPFR_VERSION} \
+ && ./configure && make && make install \
+ && cd /tmp \
+ && wget -q ftp://ftp.gnu.org/gnu/mpc/mpc-${MPC_VERSION}.tar.gz \
+ && echo "Verifying both integrity and authenticity of mpc-${MPC_VERSION}.tar.gz..." \
+ && CHECKSUM=$(sha1sum mpc-${MPC_VERSION}.tar.gz | awk '{print $1}') \
+ && if [ "${CHECKSUM}" != "${SHA1_MPC}" ]; then echo "Warning! Checksum does not match!" && exit 1; fi \
+ && wget -q ftp://ftp.gnu.org/gnu/mpc/mpc-${MPC_VERSION}.tar.gz.sig \
+ && gpg --recv-keys 0xF7D5C9BF765C61E3 \
+ && FINGERPRINT="$(LANG=C gpg --verify mpc-${MPC_VERSION}.tar.gz.sig mpc-${MPC_VERSION}.tar.gz 2>&1 \
+  | sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
+ && if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \
+ && if [ "${FINGERPRINT}" != "${GPG_MPC}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
+ && echo "All seems good, now unpacking mpc-${MPC_VERSION}.tar.gz..." \
+ && tar xzf mpc-${MPC_VERSION}.tar.gz && cd mpc-${MPC_VERSION} \
+ && ./configure --with-mpfr-lib=/usr/local/lib --with-mpfr-include=/usr/local/include \
+ && make && make install \
+ && pip install --no-cache \
+    pyasn1 \
+    service_identity \
+    pyOpenSSL \
+    twisted \
+    pycrypto \
+    cryptography \
+    gmpy2 \
+ && mkdir /cowrie && cd /cowrie \
+ && wget -qO- https://github.com/micheloosterhof/cowrie/archive/master.tar.gz | tar xz --strip 1 \
+ && mv cowrie.cfg.dist cowrie.cfg \
+ && apk del ${BUILD_DEPS} \
+ && rm -rf /var/cache/apk/* /tmp/*
+
+COPY run.sh /usr/local/bin/run.sh
+
+RUN chmod +x /usr/local/bin/run.sh
+
+VOLUME /cowrie/log /cowrie/dl /cowrie/custom
+EXPOSE 2222
+CMD ["/sbin/tini","--","run.sh"]
--- a/cowrie/README.md
+++ b/cowrie/README.md
@ -0,0 +1,40 @@
+## wonderfall/cowrie
+
+#### What is this?
+Cowrie is a medium interaction SSH honeypot designed to log brute force attacks and the shell interaction performed by the attacker. Cowrie is based on Kippo.
+
+#### Build-time variables
+- **MPFR_VERSION** : GNU MPFR version.
+- **MPC_VERSION** : GNU MPC version.
+- **GPG_** : fingerprints of signing keys.
+- **SHA_** : fingerprints of tarballs
+
+#### Environment variables
+- **HOSTNAME** : the hostname displayed in the honeypot. 
+- **DL_LIMIT** : the maximum size (in bytes!) of a stored downloaded file (0 = no limit). 
+- **FACING_IP** : your IP (you have to set it manually because cowrie fails to detect it when running in Docker). 
+- **JSON_LOG** : disables json logging if set to False.
+
+#### Volumes
+- **/cowrie/dl** : where downloads are stored.
+- **/cowrie/log** : cowrie and tty sessions logs.
+- **/cowrie/custom** : feel free to customize cowrie structure.
+
+#### Docker compose (example)
+```
+cowrie:
+  image: wonderfall/cowrie
+  ports:
+    - "2222:2222"
+  volumes:
+    - /mnt/cowrie/dl:/dl
+    - /mnt/cowrie/log:/log
+  environment:
+    - HOSTNAME=foobar
+    - DL_LIMIT=2048
+    - FACING_IP=9.9.9.9
+    - JSON_LOG=False
+    - GID=1000
+    - UID=1000
+```
+
--- a/cowrie/run.sh
+++ b/cowrie/run.sh
@ -0,0 +1,16 @@
+#!/bin/sh
+cd /cowrie
+sed -i "s/hostname = svr04/hostname = $HOSTNAME/g" cowrie.cfg
+sed -i "s/#download_limit_size = 10485760/download_limit_size = $DL_LIMIT/g" cowrie.cfg
+sed -i "s/#internet_facing_ip = 9.9.9.9/internet_facing_ip = $FACING_IP/g" cowrie.cfg
+
+if [ "$JSON_LOG" == "False" ]; then
+    sed -i "s/\[output_jsonlog\]/#\[output_jsonlog\]/g" cowrie.cfg
+    sed -i "s|logfile = log/cowrie.json|#logfile = log/cowrie.json|g" cowrie.cfg
+fi
+
+mkdir -p /cowrie/log/tty
+mv -f /cowrie/custom/* /cowrie
+chown -R $UID:$GID /cowrie
+
+su-exec $UID:$GID twistd -n -l /cowrie/log/cowrie.log cowrie