From b3567b03b67a931b2fb9d03a5d58d1e73020ed97 Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Wed, 29 Mar 2017 14:57:43 +0200
Subject: [PATCH] add kippo-graph and update cowrie doc
---
 cowrie/Dockerfile | 3 +
 cowrie/README.md | 20 ++++++-
 kippo-graph/Dockerfile | 47 ++++++++++++++++
 kippo-graph/README.md | 27 +++++++++
 kippo-graph/nginx.conf | 89 ++++++++++++++++++++++++++++++
 kippo-graph/php-fpm.conf | 11 ++++
 kippo-graph/run.sh | 3 +
 kippo-graph/s6.d/.s6-svscan/finish | 3 +
 kippo-graph/s6.d/nginx/run | 2 +
 kippo-graph/s6.d/php/run | 2 +
 10 files changed, 206 insertions(+), 1 deletion(-)
 create mode 100644 kippo-graph/Dockerfile
 create mode 100644 kippo-graph/README.md
 create mode 100644 kippo-graph/nginx.conf
 create mode 100644 kippo-graph/php-fpm.conf
 create mode 100644 kippo-graph/run.sh
 create mode 100644 kippo-graph/s6.d/.s6-svscan/finish
 create mode 100644 kippo-graph/s6.d/nginx/run
 create mode 100644 kippo-graph/s6.d/php/run
diff --git a/cowrie/Dockerfile b/cowrie/Dockerfile
index ed52fdb..16964ee 100644
--- a/cowrie/Dockerfile
+++ b/cowrie/Dockerfile
@@ -16,6 +16,7 @@ RUN BUILD_DEPS=" \
 libressl-dev \
 python-dev \
 gmp-dev \
+ mariadb-dev \
 py2-pip \
 tar \
 gnupg" \
@@ -27,6 +28,7 @@ RUN BUILD_DEPS=" \
 python \
 py-setuptools \
 openssh-client \
+ mariadb-client-libs \
 tini \
 su-exec \
 && cd /tmp && wget -q http://www.mpfr.org/mpfr-current/mpfr-${MPFR_VERSION}.tar.gz \
@@ -57,6 +59,7 @@ RUN BUILD_DEPS=" \
 && mkdir /cowrie && cd /cowrie \
 && wget -qO- https://github.com/micheloosterhof/cowrie/archive/master.tar.gz | tar xz --strip 1 \
 && pip install --no-cache -r requirements.txt \
+ && pip install --no-cache mysql-python \
 && mv cowrie.cfg.dist cowrie.cfg \
 && apk del ${BUILD_DEPS} \
 && rm -rf /var/cache/apk/* /tmp/* /root/.gnupg
diff --git a/cowrie/README.md b/cowrie/README.md
index de3210d..e595d47 100644
--- a/cowrie/README.md
+++ b/cowrie/README.md
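Review bot: The added `+ && pip install --no-cache mysql-python \` in the third hunk is unpinned, so a rebuild can pull a different release than the one exercised against the `mariadb-client-libs` runtime package added in the second hunk, and the resulting image cannot be reproduced or audited; pin it, e.g. `&& pip install --no-cache mysql-python==<version-placeholder> \`. The cowrie tarball fetched from `master.tar.gz` on the preceding context line has the same property but is pre-existing. The RUN instruction these hunks belong to begins and ends outside the hunks.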
@@ -1,4 +1,4 @@
-x## wonderfall/cowrie
+### wonderfall/cowrie
 #### What is this?
 Cowrie is a medium interaction SSH honeypot designed to log brute force attacks and the shell interaction performed by the attacker. Cowrie is based on Kippo.
@@ -27,6 +27,8 @@ You can mount this single file to your Docker container.
 ```
 cowrie:
 image: wonderfall/cowrie
+ links: ### MySQL output
+ - cowrie-db:cowrie-db ### MySQL output
 ports:
 - "2222:2222"
 volumes:
@@ -37,5 +39,21 @@ cowrie:
 environment:
 - GID=1000
 - UID=1000
+
+### MySQL output
+# First, you'll have to initialise tables with a .sql file
+# wget https://github.com/micheloosterhof/cowrie/blob/master/doc/sql/mysql.sql -P /mnt/cowrie/schema.sql
+# It needs also to be configured in the cowrie.cfg file
+
+cowrie-db:
+ image: mariadb:10
+ volumes:
+ - /mnt/cowrie/db:/var/lib/mysql
+ - /mnt/cowrie/schema.sql:/docker-entrypoint-initdb.d
+ environment:
+ - MYSQL_ROOT_PASSWORD=supersecretpassword
+ - MYSQL_DATABASE=nextcloud
+ - MYSQL_USER=nextcloud
+ - MYSQL_PASSWORD=supersecretpassword
 ```
diff --git a/kippo-graph/Dockerfile b/kippo-graph/Dockerfile
new file mode 100644
index 0000000..70443d0
--- /dev/null
+++ b/kippo-graph/Dockerfile
@@ -0,0 +1,47 @@
+FROM alpine:edge
+
+ENV GID=991 UID=991
+
+RUN echo "@testing https://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
+ && BUILD_DEPS="tar libressl ca-certificates" \
+ && apk -U upgrade && apk add \
+ $BUILD_DEPS \
+ nginx \
+ s6 \
+ su-exec \
+ coreutils \
+ bind-tools \
+ php7-fpm@testing \
+ php7-mysqlnd@testing \
+ php7-pdo@testing \
+ php7-pdo_mysql@testing \
+ php7-openssl@testing \
+ php7-gd@testing \
+ php7-curl@testing \
+ php7-phar@testing \
+ php7-dom@testing \
+ && mkdir kippo-graph && cd kippo-graph \
+ && wget -qO- https://github.com/ikoniaris/kippo-graph/archive/master.tar.gz | tar xz --strip 1 \
+ && chmod 777 generated-graphs \
+ && mv config.php.dist config.php \
+ && rm /kippo-graph/include/maxmind/GeoLite2-City.mmdb /kippo-graph/include/maxmind/geoip2.phar \
+ && wget -q https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz -P /kippo-graph/include/maxmind \
+ && gzip -d /kippo-graph/include/maxmind/GeoLite2-City.mmdb.gz \
+ && wget -q https://github.com/maxmind/GeoIP2-php/releases/download/v2.4.5/geoip2.phar -P /kippo-graph/include/maxmind \
+ && apk del $BUILD_DEPS \
+ && rm -f /var/cache/apk/*
+
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY php-fpm.conf /etc/php7/php-fpm.conf
+COPY run.sh /usr/local/bin/run.sh
+COPY s6.d /etc/s6.d
+
+RUN chmod +x /usr/local/bin/run.sh /etc/s6.d/*/* /etc/s6.d/.s6-svscan/*
+
+VOLUME /kippo-graph/generated-graphs
+
+EXPOSE 8888
+
+LABEL maintainer="Wonderfall "
+
+CMD ["run.sh"]
diff --git a/kippo-graph/README.md b/kippo-graph/README.md
new file mode 100644
index 0000000..cb7dfcd
--- /dev/null
+++ b/kippo-graph/README.md
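Review bot: The three artifacts fetched in the RUN instruction — the unpinned kippo-graph `master.tar.gz`, the GeoLite2 database and the `geoip2.phar` archive that PHP will load as code — are written into the image without any integrity check, so the build is neither reproducible nor auditable; pin the tarball to a release tag and verify each download against a known digest, e.g. `&& echo "<sha256-placeholder>  /kippo-graph/include/maxmind/geoip2.phar" | sha256sum -c - \`. `chmod 777 generated-graphs` makes the directory world-writable, which looks unnecessary because run.sh already chowns `/kippo-graph` to the service UID/GID before nginx and php-fpm start; `chmod 770 generated-graphs` should suffice. `FROM alpine:edge` combined with `apk -U upgrade` and unpinned `@testing` packages means every rebuild yields a different image, so a tagged Alpine release would be the safer base. Note also that `ca-certificates` is part of `BUILD_DEPS` and is removed by `apk del`, which presumably leaves php7-curl/php7-openssl without a CA bundle at runtime — confirm that this is intended.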
@@ -0,0 +1,27 @@
+### wonderfall/cowrie
+
+#### What is this?
+Kippo-Graph is a full featured script to visualize statistics for a Kippo based SSH honeypot.
+
+#### Environment variables
+- **UID** *(default : 991)*
+- **GID** *(default : 991)*
+
+#### How to configure
+You should provide your own configuration file from this base : https://github.com/ikoniaris/kippo-graph/blob/master/config.php.dist
+You can mount this single file to your Docker container.
+
+#### Docker compose (example)
+```
+kippo-graph:
+ image: wonderfall/kippo-graph
+ links:
+ - cowrie-db:cowrie-db
+ volumes:
+ - /mnt/kippo-graph/config.php:/kippo-graph/config.php
+ - /mnt/cowrie/log:/opt/cowrie/log
+ environment:
+ - GID=991
+ - UID=991
+```
+
diff --git a/kippo-graph/nginx.conf b/kippo-graph/nginx.conf
new file mode 100644
index 0000000..8c18d58
--- /dev/null
+++ b/kippo-graph/nginx.conf
@@ -0,0 +1,89 @@
+worker_processes auto;
+pid /tmp/nginx.pid;
+daemon off;
+
+events {
+ worker_connections 1024;
+ use epoll;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log off;
+ error_log /tmp/ngx_error.log error;
+
+ sendfile on;
+ keepalive_timeout 15;
+ keepalive_disable msie6;
+ keepalive_requests 100;
+ tcp_nopush on;
+ tcp_nodelay on;
+ server_tokens off;
+
+ fastcgi_temp_path /tmp/fastcgi 1 2;
+ client_body_temp_path /tmp/client_body 1 2;
+ proxy_temp_path /tmp/proxy 1 2;
+ uwsgi_temp_path /tmp/uwsgi 1 2;
+ scgi_temp_path /tmp/scgi 1 2;
+
+ gzip on;
+ gzip_comp_level 5;
+ gzip_min_length 512;
+ gzip_buffers 4 8k;
+ gzip_proxied any;
+ gzip_vary on;
+ gzip_disable "msie6";
+ gzip_types
+ text/css
+ text/javascript
+ text/xml
+ text/plain
+ text/x-component
+ application/javascript
+ application/x-javascript
+ application/json
+ application/xml
+ application/rss+xml
+ application/vnd.ms-fontobject
+ font/truetype
+ font/opentype
+ image/svg+xml;
+
+ server {
+ listen 8888;
+ root /kippo-graph;
+ index index.php index.html;
+
+ location ~* \.(jpg|jpeg|gif|css|png|js|map|woff|woff2|ttf|svg|eot)$ {
+ expires 30d;
+ access_log off;
+ }
+
+ location ~ ^/(data|cfg|tmp) {
+ deny all;
+ }
+
+ location ~* /(.*)\.(?:markdown|md|twig|yaml|yml|ht|htaccess|ini)$ {
+ deny all;
+ }
+
+ location ~ /\. {
+ deny all;
+ }
+
+ location / {
+ try_files $uri $uri/ /index.php;
+ }
+
+ location ~ \.php$ {
+ fastcgi_index index.php;
+ fastcgi_pass unix:/tmp/php-fpm.sock;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include /etc/nginx/fastcgi_params;
+ }
+
+ }
+
+}
diff --git a/kippo-graph/php-fpm.conf b/kippo-graph/php-fpm.conf
new file mode 100644
index 0000000..f636044
--- /dev/null
+++ b/kippo-graph/php-fpm.conf
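Review bot: The `location ~ \.php$` block hands every URI ending in `.php` to php-fpm with `SCRIPT_FILENAME $document_root$fastcgi_script_name` without first checking that the script exists on disk, so non-existent or path-info style requests are resolved by PHP's own path handling instead of being refused by nginx; add `try_files $uri =404;` as the first directive of that block so only real files under `/kippo-graph` reach the FastCGI socket. The `access_log off;` inside the static-assets location is redundant because access logging is already disabled globally in the `http` block.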
@@ -0,0 +1,11 @@
+[global]
+daemonize = no
+
+[www]
+listen = /tmp/php-fpm.sock
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+chdir = /
diff --git a/kippo-graph/run.sh b/kippo-graph/run.sh
new file mode 100644
index 0000000..e875cc8
--- /dev/null
+++ b/kippo-graph/run.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+chown -R $UID:$GID /kippo-graph /etc/nginx /etc/php5 /var/log /var/lib/nginx /tmp /etc/s6.d
+exec su-exec $UID:$GID /bin/s6-svscan /etc/s6.d
diff --git a/kippo-graph/s6.d/.s6-svscan/finish b/kippo-graph/s6.d/.s6-svscan/finish
new file mode 100644
index 0000000..c52d3c2
--- /dev/null
+++ b/kippo-graph/s6.d/.s6-svscan/finish
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exit 0
diff --git a/kippo-graph/s6.d/nginx/run b/kippo-graph/s6.d/nginx/run
new file mode 100644
index 0000000..eaf8049
--- /dev/null
+++ b/kippo-graph/s6.d/nginx/run
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec nginx
diff --git a/kippo-graph/s6.d/php/run b/kippo-graph/s6.d/php/run
new file mode 100644
index 0000000..e238021
--- /dev/null
+++ b/kippo-graph/s6.d/php/run
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec php-fpm7
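Review bot: run.sh chowns `/etc/php5`, but the image installs PHP 7 and the Dockerfile copies its config to `/etc/php7/php-fpm.conf`, so that `chown -R` argument refers to a path that does not exist; with no `set -e` the error is printed and ignored on every start, and `/etc/php7` keeps its root ownership. Change the line to `chown -R "$UID:$GID" /kippo-graph /etc/nginx /etc/php7 /var/log /var/lib/nginx /tmp /etc/s6.d`, quoting the expansion as well. Giving the service user ownership of `/etc/nginx` and `/etc/php7` also lets a compromised worker rewrite its own configuration; both daemons only need read access to those files, so presumably the chown can be limited to the paths they actually write (`/tmp`, `/var/lib/nginx`, `/var/log`, `/kippo-graph/generated-graphs`) — confirm against what nginx and php-fpm7 create at startup.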