
wonderfall/cowrie

What is this?

Cowrie is a medium interaction SSH honeypot designed to log brute force attacks and the shell interaction performed by the attacker. Cowrie is based on Kippo.

Environment variables

  • HOSTNAME is the hostname displayed in the honeypot.
  • DL_LIMIT is the maximum size (in bytes!) of a stored downloaded file (0 = no limit).
  • FACING_IP is your IP (you have to set it manually because cowrie fails to detect it when running in Docker).
  • JSON_LOG defaults to False, so JSON logging is disabled. To enable it, set JSON_LOG to True (or any other value).

Volumes

  • /dl : where downloads are stored.
  • /log : cowrie and tty session logs.
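
With JSON_LOG enabled, the log written under /log can be summarized per source IP. The script below is an added example, not part of this image or of Cowrie; it assumes Cowrie's JSON event fields (eventid, src_ip, username, password) and the cowrie.login.failed / cowrie.login.success event ids, uses a hypothetical threshold of 3 failures, and runs on constructed sample lines.

```python
import json
from collections import Counter

# Constructed sample lines (not real captures). Field names assume Cowrie's
# JSON event format: eventid, src_ip, username, password.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.10", "session": "a1"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "username": "root", "password": "admin"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "username": "admin", "password": "admin"}
{"eventid": "cowrie.login.success", "src_ip": "192.0.2.10", "username": "root", "password": "root"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.1
"""


def summarize(lines, threshold=3):
    """Summarize login events; flag IPs with >= threshold failed logins."""
    failed, creds, accepted, skipped = Counter(), Counter(), {}, 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            eid, ip = ev.get("eventid"), ev.get("src_ip")
        except (json.JSONDecodeError, AttributeError):
            skipped += 1  # truncated line (e.g. still being written) or non-object
            continue
        if eid not in ("cowrie.login.failed", "cowrie.login.success") or not ip:
            continue  # other event types are ignored here
        pair = (ev.get("username"), ev.get("password"))
        creds[pair] += 1
        if eid == "cowrie.login.failed":
            failed[ip] += 1
        else:
            # Credentials the honeypot accepted for this source
            accepted.setdefault(ip, []).append(pair)
    return {
        "failed": dict(failed),
        "brute_force_ips": sorted(ip for ip, n in failed.items() if n >= threshold),
        "accepted": accepted,
        "top_credentials": creds.most_common(3),
        "skipped": skipped,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG.splitlines()), indent=2))
```

To run it against real data, pass an open file object for the JSON log in the mounted /log volume to summarize() instead of the sample lines.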

Custom mode

Setting CUSTOM to True enables a custom mode, which gives you access to:

  • honeyfs dir (/honeyfs) : file contents for the fake filesystem, feel free to copy a real system here
  • data dir (/data) : fake filesystem + users database
  • txtcmds dir (/txtcmds) : modify, or add new text commands (if new, must be added to the fake fs)
  • utils dir (/utils) : useful for fake fs creation

Be aware that once these directories have been populated by the run.sh script, nothing more will be done for you. You'll have to update them manually (except utils), and things may break in the future. Always back up your changes. If you just want to run the honeypot without any customisation, do not enable this mode.

Docker compose (example)

cowrie:
  image: wonderfall/cowrie
  ports:
    - "2222:2222"
  volumes:
    - /mnt/cowrie/dl:/dl
    - /mnt/cowrie/log:/log
    ### IF CUSTOM MODE
    #- /mnt/cowrie/honeyfs:/honeyfs
    #- /mnt/cowrie/data:/data
    #- /mnt/cowrie/txtcmds:/txtcmds
    #- /mnt/cowrie/utils:/utils
  environment:
    - HOSTNAME=foobar
    - DL_LIMIT=2048
    - FACING_IP=9.9.9.9
    - JSON_LOG=False
    - CUSTOM=False
    - GID=1000
    - UID=1000