# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# cowrie.cfg
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
# ============================================================================
# General Cowrie Options
# ============================================================================
[honeypot]
# NOTE(review): values in this file use ${section:key} references, which is
# configparser ExtendedInterpolation syntax; a literal $ in a value would need
# to be written $$ — confirm against the loader in cowrie if you add one.
#
# Sensor name is used to identify this Cowrie instance. Used by the database
# logging modules such as mysql.
#
# If not specified, the logging modules will instead use the IP address of the
# server as the sensor name.
#
# (default: not specified)
#sensor_name=myhostname
# Hostname for the honeypot. Displayed by the shell prompt of the virtual
# environment
#
# (default: svr04)
hostname = svr04
# Directory where to save log files in.
#
# (default: log)
log_path = var/log/cowrie
# Directory where to save downloaded artifacts in.
#
# (default: downloads)
download_path = ${honeypot:state_path}/downloads
# Directory for static data files
#
# (default: share/cowrie)
share_path = share/cowrie
# Directory for variable state files
#
# (default: var/lib/cowrie)
state_path = var/lib/cowrie
# Directory for config files
#
# (default: etc)
etc_path = etc
# Directory where virtual file contents are kept in.
#
# This is only used by commands like 'cat' to display the contents of files.
# Adding files here is not enough for them to appear in the honeypot - the
# actual virtual filesystem is kept in filesystem_file (see below)
#
# (default: honeyfs)
contents_path = honeyfs
# Directory for creating simple commands that only output text.
#
# The command must be placed under this directory with the proper path, such
# as:
# txtcmds/usr/bin/vi
# The contents of the file will be the output of the command when run inside
# the honeypot.
#
# In addition to this, the file must exist in the virtual filesystem
#
# (default: txtcmds)
txtcmds_path = txtcmds
# Maximum file size (in bytes) for downloaded files to be stored in 'download_path'.
# A value of 0 means no limit. If the file size is known to be too big from the start,
# the file will not be stored on disk at all.
#
# (default: 0)
#download_limit_size = 10485760
# TTY logging will log a transcript of the complete terminal interaction in UML
# compatible format.
# (default: true)
ttylog = true
# Default directory for TTY logs.
# (default: ttylog_path = ${honeypot:state_path}/tty)
ttylog_path = ${honeypot:state_path}/tty
# Interactive timeout determines when logged in sessions are
# terminated for being idle. In seconds.
# (default: 180)
interactive_timeout = 180
# Authentication Timeout
# The server disconnects after this time if the user has not successfully logged in. If the value is 0,
# there is no time limit. The default is 120 seconds.
authentication_timeout = 120
# EXPERIMENTAL: back-end to use for Cowrie, options: proxy or shell
# (default: shell)
backend = shell
# Timezone Cowrie uses for logging
# This can be any valid timezone for the TZ environment variable
# The special value `system` will let Cowrie use the system time zone
# `system` is not recommended because you will need to deal with daylight
# savings time and other special cases yourself when analysing the logs.
timezone = UTC
# ============================================================================
# Network Specific Options
# ============================================================================
# IP address to bind to when opening outgoing connections. Used by wget and
# curl commands.
#
# (default: not specified)
#out_addr = 0.0.0.0
# Fake address displayed as the address of the incoming connection.
# This doesn't affect logging, and is only used by honeypot commands such as
# 'w' and 'last'
#
# If not specified, the actual IP address is displayed instead (default
# behaviour).
#
# (default: not specified)
#fake_addr = 192.168.66.254
# The IP address on which this machine is reachable on from the internet.
# Useful if you use portforwarding or other mechanisms. If empty, Cowrie
# will determine by itself. Used in 'netstat' output
#
#internet_facing_ip = 9.9.9.9
# Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1)
# IP address is obtained by querying http://myip.threatstream.com
# (an outbound plain-HTTP request made from the honeypot host)
#report_public_ip = true
# ============================================================================
# Authentication Specific Options
# ============================================================================
# Class that implements the checklogin() method.
#
# Class must be defined in cowrie/core/auth.py
# Default is the 'UserDB' class which uses the password database.
#
# Alternatively the 'AuthRandom' class can be used, which will let
# a user login after a random number of attempts.
# It will also cache username/password combinations that allow login.
#
auth_class = UserDB
# When AuthRandom is used also set the
# auth_class_parameters: <min try>, <max try>, <maxcache>
# for example: 2, 5, 10 = allows access after randint(2,5) attempts
# and cache 10 combinations.
#
#auth_class = AuthRandom
#auth_class_parameters = 2, 5, 10
# ============================================================================
# Historical SSH Specific Options
# historical options in [honeypot] that have not yet been moved to [ssh]
# ============================================================================
# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie)
#reported_ssh_port = 22
[backend_pool]
# ============================================================================
# Backend Pool Configurations
# only used on the cowrie instance that runs the pool
# ============================================================================
# enable this to solely run the pool, regardless of other configurations (disables SSH and Telnet)
pool_only = false
# time between full VM recycling (cleans older VMs and boots newer ones) - involves some downtime between cycles
# -1 to disable
recycle_period = 1500
# change interface below to allow connections from outside (e.g. remote pool)
# NOTE(review): the pool endpoint carries guest-control traffic; if you bind it
# to a non-loopback interface, confirm it is reachable only from the proxy host.
listen_endpoints = tcp:6415:interface=127.0.0.1
# guest snapshots
save_snapshots = false
snapshot_path = ${honeypot:state_path}/snapshots
# pool xml configs
config_files_path = ${honeypot:share_path}/pool_configs
network_config = default_network.xml
nw_filter_config = default_filter.xml
# =====================================
# Guest details (for a generic x86-64 guest, like Ubuntu)
#
# Used to provide configuration details to save snapshots, identify
# running guests, and provide other details to Cowrie.
# - SSH and Telnet ports: which ports are listening for these services in the guest OS;
# if you're not using one of them omit the config or set to 0
# - Guest private key: used by the pool to control the guest's state via SSH; guest must
# have the corresponding pubkey in root's authorized_keys (not implemented)
# =====================================
guest_config = default_guest.xml
# Path to the guest-control private key described above; keep its file
# permissions restricted to the user running the pool.
guest_privkey = ${honeypot:state_path}/ubuntu18.04-guest
guest_tag = ubuntu18.04
guest_ssh_port = 22
guest_telnet_port = 23
# Configs below are used on default XMLs provided.
# If you provide your own XML in guest_config you don't need these configs.
#
# Guest hypervisor can be qemu or kvm, for example. Recent hardware has KVM,
# which is more performant than the qemu software-based emulation. Guest arch
# must match your machine's. If it's older or you're unsure, set it to 'qemu'.
#
# Memory size is in MB.
#
# Advanced: guest_qemu_machine defines which machine Qemu emulates for your VM
# If you get a "unsupported machine type" exception when VMs are loading, change
# it to a compatible machine listed by the command: 'qemu-system-x86_64 -machine help'
guest_image_path = /home/cowrie/cowrie-imgs/ubuntu18.04-minimal.qcow2
guest_hypervisor = kvm
guest_memory = 512
guest_qemu_machine = pc-q35-bionic
# =====================================
# Guest details (for OpenWRT with ARM architecture)
#
# Used to provide configuration details to save snapshots, identify running guests,
# and provide other details to Cowrie.
# =====================================
#guest_config = wrt_arm_guest.xml
#guest_tag = wrt
#guest_ssh_port = 22
#guest_telnet_port = 23
# Configs below are used on default XMLs provided.
# If you provide your own XML in guest_config you don't need these configs.
#
# Guest hypervisor can be qemu or kvm, for example. Recent hardware has KVM,
# which is more performant than the qemu software-based emulation. Guest arch
# must match your machine's.
#
# Memory size is in MB.
#
# Advanced: guest_qemu_machine defines which machine Qemu emulates for your VM
# If you get a "unsupported machine type" exception when VMs are loading, change
# it to a compatible machine listed by the command: 'qemu-system-arm -machine help'
#guest_image_path = /home/cowrie/cowrie-imgs/root.qcow2
#guest_hypervisor = qemu
#guest_memory = 256
#guest_kernel_image = /home/cowrie/cowrie-imgs/zImage
#guest_qemu_machine = virt-2.9
# =====================================
# Other configs
# =====================================
# Use NAT (for remote pool)
#
# Guests exist in a local interface created by libvirt; NAT functionality creates a port in the host,
# exposed to a public interface, and forwards TCP data to and from the libvirt private interface.
# Cowrie's proxy receives the public information instead of the local IP of guests.
use_nat = true
# NOTE(review): 192.168.1.40 here and pool_host in [proxy] look like example
# addresses — confirm they match your deployment before enabling a remote pool.
nat_public_ip = 192.168.1.40
# ============================================================================
# Proxy Options
# ============================================================================
[proxy]
# type of backend:
# - simple: backend machine deployed by you (CAREFUL WITH SECURITY ASPECTS!!), specify hosts and ports below
# - pool: cowrie-managed pool of virtual machines, configure below
backend = pool
# =====================================
# Simple Backend Configuration
# =====================================
backend_ssh_host = localhost
backend_ssh_port = 2022
backend_telnet_host = localhost
backend_telnet_port = 2023
# =====================================
# Pool Backend Configuration
# =====================================
# generic pool configurable settings
pool_max_vms = 5
pool_vm_unused_timeout = 600
# allow sharing guests between different attackers if no new VMs are available
pool_share_guests = true
# Where to deploy the backend pool (only if backend = pool)
# - "local": same machine as the proxy
# - "remote": set host and port of the pool below
pool = local
# Remote pool configurations (used with pool=remote)
pool_host = 192.168.1.40
pool_port = 6415
# =====================================
# Proxy Configurations
# =====================================
# Real credentials used to log into the backend.
# They are stored here in plain text: change the defaults below and restrict
# read access to this file to the user running Cowrie.
backend_user = root
backend_pass = root
# Telnet prompt detection
#
# To detect authentication prompts (and spoof auth details to the ones the backend accepts) we need to capture
# login and password prompts, and spoof data to the backend in order to successfully authenticate. If disabled,
# attackers can only use the real user credentials of the backend.
telnet_spoof_authentication = true
# These regex were made using Ubuntu 18.04; you have to adapt these for the prompts
# from your backend. You can enable raw logging (log_raw, below) to analyse data passing through
# and identify the format of the prompts you need.
# You should generally include ".*" at the beginning and end of prompts, since Telnet messages can contain
# more data than the prompt.
# For login it is usually <hostname> login:
telnet_username_prompt_regex = (\n|^)ubuntu login: .*
# Password prompt is usually only the word Password
telnet_password_prompt_regex = .*Password: .*
# This data is sent by clients at the beginning of negotiation (before the password prompt), and contains the username
# that is trying to log in. We replace that username with the one in "backend_user" to allow the chance of a successful
# login after the first password prompt. We are only able to check if credentials are allowed after the password is
# inserted. If they are, then a correct username was already sent and authentication succeeds; if not, we send a fake
# password to force authentication to fail.
telnet_username_in_negotiation_regex = (.*\xff\xfa.*USER\x01)(.*?)(\xff.*)
# Other configs #
# log raw TCP packets in SSH and Telnet
log_raw = false
# ============================================================================
# Shell Options
# Options around Cowrie's Shell Emulation
# ============================================================================
[shell]
# File in the Python pickle format containing the virtual filesystem.
#
# This includes the filenames, paths, permissions for the Cowrie filesystem,
# but not the file contents. This is created by the bin/createfs utility from
# a real template linux installation.
#
# NOTE: this file is unpickled when Cowrie loads it; only point this at pickle
# files you generated yourself with bin/createfs.
#
# (default: fs.pickle)
filesystem = ${honeypot:share_path}/fs.pickle
# File that contains output for the `ps` command.
#
# (default: share/cowrie/cmdoutput.json)
processes = share/cowrie/cmdoutput.json
# Fake architectures/OS
# When Cowrie receives a command like /bin/cat XXXX (where XXXX is an executable)
# it replies with the content of a dummy executable (located in data_path/arch)
# compiled for an architecture/OS/endian_mode
# arch can be a comma separated list. When there are multiple elements, a random
# one is chosen at login time.
# (default: linux-x64-lsb)
arch = linux-x64-lsb
# Here the list of supported OS-ARCH-ENDIANNESS executables
# bsd-aarch64-lsb: 64-bit LSB ARM aarch64 version 1 (SYSV)
# bsd-aarch64-msb: 64-bit MSB ARM aarch64 version 1 (SYSV)
# bsd-bfin-msb: 32-bit MSB Analog Devices Blackfin version 1 (SYSV)
# bsd-mips64-lsb: 64-bit LSB MIPS MIPS-III version 1 (SYSV)
# bsd-mips64-msb: 64-bit MSB MIPS MIPS-III version 1 (SYSV)
# bsd-mips-lsb: 32-bit LSB MIPS MIPS-I version 1 (FreeBSD)
# bsd-mips-msb: 32-bit MSB MIPS MIPS-I version 1 (FreeBSD)
# bsd-powepc64-lsb: 64-bit MSB 64-bit PowerPC or cisco 7500 version 1 (FreeBSD)
# bsd-powepc-msb: 32-bit MSB PowerPC or cisco 4500 version 1 (FreeBSD)
# bsd-riscv64-lsb: 64-bit LSB UCB RISC-V version 1 (SYSV)
# bsd-sparc64-msb: 64-bit MSB SPARC V9 relaxed memory ordering version 1 (FreeBSD)
# bsd-sparc-msb: 32-bit MSB SPARC version 1 (SYSV) statically
# bsd-x32-lsb: 32-bit LSB Intel 80386 version 1 (FreeBSD)
# bsd-x64-lsb: 64-bit LSB x86-64 version 1 (FreeBSD)
# linux-aarch64-lsb: 64-bit LSB ARM aarch64 version 1 (SYSV)
# linux-aarch64-msb: 64-bit MSB ARM aarch64 version 1 (SYSV)
# linux-alpha-lsb: 64-bit LSB Alpha (unofficial) version 1 (SYSV)
# linux-am33-lsb: 32-bit LSB Matsushita MN10300 version 1 (SYSV)
# linux-arc-lsb: 32-bit LSB ARC Cores Tangent-A5 version 1 (SYSV)
# linux-arc-msb: 32-bit MSB ARC Cores Tangent-A5 version 1 (SYSV)
# linux-arm-lsb: 32-bit LSB ARM EABI5 version 1 (SYSV)
# linux-arm-msb: 32-bit MSB ARM EABI5 version 1 (SYSV)
# linux-avr32-lsb: 32-bit LSB Atmel AVR 8-bit version 1 (SYSV)
# linux-bfin-lsb: 32-bit LSB Analog Devices Blackfin version 1 (SYSV)
# linux-c6x-lsb: 32-bit LSB TI TMS320C6000 DSP family version 1
# linux-c6x-msb: 32-bit MSB TI TMS320C6000 DSP family version 1
# linux-cris-lsb: 32-bit LSB Axis cris version 1 (SYSV)
# linux-frv-msb: 32-bit MSB Cygnus FRV (unofficial) version 1 (SYSV)
# linux-h8300-msb: 32-bit MSB Renesas H8/300 version 1 (SYSV)
# linux-hppa64-msb: 64-bit MSB PA-RISC 02.00.00 (LP64) version 1
# linux-hppa-msb: 32-bit MSB PA-RISC *unknown arch 0xf* version 1 (GNU/Linux)
# linux-ia64-lsb: 64-bit LSB IA-64 version 1 (SYSV)
# linux-m32r-msb: 32-bit MSB Renesas M32R version 1 (SYSV)
# linux-m68k-msb: 32-bit MSB Motorola m68k 68020 version 1 (SYSV)
# linux-microblaze-msb: 32-bit MSB Xilinx MicroBlaze 32-bit RISC version 1 (SYSV)
# linux-mips64-lsb: 64-bit LSB MIPS MIPS-III version 1 (SYSV)
# linux-mips64-msb: 64-bit MSB MIPS MIPS-III version 1 (SYSV)
# linux-mips-lsb: 32-bit LSB MIPS MIPS-I version 1 (SYSV)
# linux-mips-msb: 32-bit MSB MIPS MIPS-I version 1 (SYSV)
# linux-mn10300-lsb: 32-bit LSB Matsushita MN10300 version 1 (SYSV)
# linux-nios-lsb: 32-bit LSB Altera Nios II version 1 (SYSV)
# linux-nios-msb: 32-bit MSB Altera Nios II version 1 (SYSV)
# linux-powerpc64-lsb: 64-bit LSB 64-bit PowerPC or cisco 7500 version 1 (SYSV)
# linux-powerpc64-msb: 64-bit MSB 64-bit PowerPC or cisco 7500 version 1 (SYSV)
# linux-powerpc-lsb: 32-bit LSB PowerPC or cisco 4500 version 1 (SYSV)
# linux-powerpc-msb: 32-bit MSB PowerPC or cisco 4500 version 1 (SYSV)
# linux-riscv64-lsb: 64-bit LSB UCB RISC-V version 1 (SYSV)
# linux-s390x-msb: 64-bit MSB IBM S/390 version 1 (SYSV)
# linux-sh-lsb: 32-bit LSB Renesas SH version 1 (SYSV)
# linux-sh-msb: 32-bit MSB Renesas SH version 1 (SYSV)
# linux-sparc64-msb: 64-bit MSB SPARC V9 relaxed memory ordering version 1 (SYSV)
# linux-sparc-msb: 32-bit MSB SPARC version 1 (SYSV)
# linux-tilegx64-lsb: 64-bit LSB Tilera TILE-Gx version 1 (SYSV)
# linux-tilegx64-msb: 64-bit MSB Tilera TILE-Gx version 1 (SYSV)
# linux-tilegx-lsb: 32-bit LSB Tilera TILE-Gx version 1 (SYSV)
# linux-tilegx-msb: 32-bit MSB Tilera TILE-Gx version 1 (SYSV)
# linux-x64-lsb: 64-bit LSB x86-64 version 1 (SYSV)
# linux-x86-lsb: 32-bit LSB Intel 80386 version 1 (SYSV)
# linux-xtensa-msb: 32-bit MSB Tensilica Xtensa version 1 (SYSV)
# osx-x32-lsb: 32-bit LSB Intel 80386
# osx-x64-lsb: 64-bit LSB x86-64
# arch = bsd-aarch64-lsb, bsd-aarch64-msb, bsd-bfin-msb, bsd-mips-lsb, bsd-mips-msb, bsd-mips64-lsb, bsd-mips64-msb, bsd-powepc-msb, bsd-powepc64-lsb, bsd-riscv64-lsb, bsd-sparc-msb, bsd-sparc64-msb, bsd-x32-lsb, bsd-x64-lsb, linux-aarch64-lsb, linux-aarch64-msb, linux-alpha-lsb, linux-am33-lsb, linux-arc-lsb, linux-arc-msb, linux-arm-lsb, linux-arm-msb, linux-avr32-lsb, linux-bfin-lsb, linux-c6x-lsb, linux-c6x-msb, linux-cris-lsb, linux-frv-msb, linux-h8300-msb, linux-hppa-msb, linux-hppa64-msb, linux-ia64-lsb, linux-m32r-msb, linux-m68k-msb, linux-microblaze-msb, linux-mips-lsb, linux-mips-msb, linux-mips64-lsb, linux-mips64-msb, linux-mn10300-lsb, linux-nios-lsb, linux-nios-msb, linux-powerpc-lsb, linux-powerpc-msb, linux-powerpc64-lsb, linux-powerpc64-msb, linux-riscv64-lsb, linux-s390x-msb, linux-sh-lsb, linux-sh-msb, linux-sparc-msb, linux-sparc64-msb, linux-tilegx-lsb, linux-tilegx-msb, linux-tilegx64-lsb, linux-tilegx64-msb, linux-x64-lsb, linux-x86-lsb, linux-xtensa-msb, osx-x32-lsb, osx-x64-lsb
# Modify the response of '/bin/uname'
# Default (uname -a): Linux <hostname> <kernel_version> <kernel_build_string> <hardware_platform> <operating system>
kernel_version = 3.2.0-4-amd64
kernel_build_string = #1 SMP Debian 3.2.68-1+deb7u1
hardware_platform = x86_64
operating_system = GNU/Linux
# SSH Version as printed by "ssh -V" in shell emulation
ssh_version = OpenSSH_7.9p1, OpenSSL 1.1.1a 20 Nov 2018
# ============================================================================
# SSH Specific Options
# ============================================================================
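[ssh]
# Enable SSH support
# (default: true)
enabled = true
# Public and private SSH key files. If these don't exist, they are created
# automatically.
rsa_public_key = ${honeypot:state_path}/ssh_host_rsa_key.pub
rsa_private_key = ${honeypot:state_path}/ssh_host_rsa_key
dsa_public_key = ${honeypot:state_path}/ssh_host_dsa_key.pub
dsa_private_key = ${honeypot:state_path}/ssh_host_dsa_key
# SSH version string as presented to the client.
#
# Version string MUST start with SSH-2.0- or SSH-1.99-
#
# Use these to disguise your honeypot from a simple SSH version scan
# Examples:
# SSH-2.0-OpenSSH_5.1p1 Debian-5
# SSH-1.99-OpenSSH_4.3
# SSH-1.99-OpenSSH_4.7
# SSH-1.99-Sun_SSH_1.1
# SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1
# SSH-2.0-OpenSSH_4.3
# SSH-2.0-OpenSSH_4.6
# SSH-2.0-OpenSSH_5.1p1 Debian-5
# SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
# SSH-2.0-OpenSSH_5.5p1 Debian-6
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
# SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
# SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
# SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
# SSH-2.0-OpenSSH_5.9
#
# (default: "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2")
version = SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
# Cipher encryption algorithms to be used.
#
# MUST be supplied as a comma-separated string without
# any spaces or newlines.
#
# Use ciphers to limit to more secure algorithms only.
#
# Supported ciphers:
#
# aes128-ctr
# aes192-ctr
# aes256-ctr
# aes256-cbc
# aes192-cbc
# aes128-cbc
# 3des-cbc
# blowfish-cbc
# cast128-cbc
ciphers = aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc
# MAC Algorithm to be used.
#
# MUST be supplied as a comma-separated string without
# any spaces or newlines.
#
# hmac-sha1 and hmac-md5 are considered insecure now, and
# instead MACs with higher number of bits should be used.
#
# Supported HMACs:
# hmac-sha2-512
# hmac-sha2-384
# hmac-sha2-256
# hmac-sha1
# hmac-md5
#
# Names must match the list above exactly; 'hmac-sha2-256' was previously
# misspelled here as 'hmac-sha2-56', which is not a recognised MAC name.
macs = hmac-sha2-512,hmac-sha2-384,hmac-sha2-256,hmac-sha1,hmac-md5
# Compression Method to be used.
#
# MUST be supplied as a comma-separated string without
# any spaces or newlines.
#
# Supported Compression Methods:
# zlib@openssh.com
# zlib
# none
compression = zlib@openssh.com,zlib,none
# Endpoint to listen on for incoming SSH connections.
# See https://twistedmatrix.com/documents/current/core/howto/endpoints.html#servers
# (default: listen_endpoints = tcp:2222:interface=0.0.0.0)
# (use systemd: endpoint for systemd activation)
# listen_endpoints = systemd:domain=INET:index=0
# For both IPv4 and IPv6: listen_endpoints = tcp6:2222:interface=\:\:
# Listening on multiple endpoints is supported with a single space separator
# e.g. listen_endpoints = "tcp:2222:interface=0.0.0.0 tcp:1022:interface=0.0.0.0" will result in listening both on ports 2222 and 1022
# use authbind for port numbers under 1024
listen_endpoints = tcp:2222:interface=0.0.0.0
# Enable the SFTP subsystem
# (default: true)
sftp_enabled = true
# Enable SSH direct-tcpip forwarding
# (default: true)
forwarding = true
# This enables redirecting forwarding requests to another address
# Useful for forwarding protocols to other honeypots
# (default: false)
forward_redirect = false
# Configure where to forward the data to.
# forward_redirect_<portnumber> = <redirect ip>:<redirect port>
# Redirect http/https
# forward_redirect_80 = 127.0.0.1:8000
# forward_redirect_443 = 127.0.0.1:8443
# To record SMTP traffic, install an SMTP honeypot.
# (e.g. https://github.com/awhitehatter/mailoney), run
# python mailoney.py -s yahoo.com -t schizo_open_relay -p 12525
# forward_redirect_25 = 127.0.0.1:12525
# forward_redirect_587 = 127.0.0.1:12525
# This enables tunneling forwarding requests to another address
# Useful for forwarding protocols to a proxy like Squid
# (default: false)
forward_tunnel = false
# Configure where to tunnel the data to.
# forward_tunnel_<portnumber> = <tunnel ip>:<tunnel port>
# Tunnel http/https
# forward_tunnel_80 = 127.0.0.1:3128
# forward_tunnel_443 = 127.0.0.1:3128
# No authentication checking at all
# enabling 'auth_none' will enable the ssh2 'auth_none' authentication method
# this allows the requested user in without any verification at all
#
# (default: false)
#auth_none_enabled = false
# Configure keyboard-interactive login
auth_keyboard_interactive_enabled = false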
# ============================================================================
# Telnet Specific Options
# ============================================================================
[telnet]
# Enable Telnet support
# (default: false)
enabled = true
# Endpoint to listen on for incoming Telnet connections.
# See https://twistedmatrix.com/documents/current/core/howto/endpoints.html#servers
# (default: listen_endpoints = tcp:2223:interface=0.0.0.0)
# (use systemd: endpoint for systemd activation)
# listen_endpoints = systemd:domain=INET:index=0
# For IPv4 and IPv6: listen_endpoints = tcp6:2223:interface=\:\: tcp:2223:interface=0.0.0.0
# Listening on multiple endpoints is supported with a single space separator
# e.g. "listen_endpoints = tcp:2223:interface=0.0.0.0 tcp:2323:interface=0.0.0.0" will result in listening both on ports 2223 and 2323
# use authbind for port numbers under 1024
listen_endpoints = tcp:2223:interface=0.0.0.0
# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie)
#reported_port = 23
# ============================================================================
# Database logging Specific Options
# ============================================================================
# XMPP Logging
# Log to an xmpp server.
#
#[database_xmpp]
#server = sensors.carnivore.it
#user = anonymous@sensors.carnivore.it
#password = anonymous
#muc = dionaea.sensors.carnivore.it
#signal_createsession = cowrie-events
#signal_connectionlost = cowrie-events
#signal_loginfailed = cowrie-events
#signal_loginsucceeded = cowrie-events
#signal_command = cowrie-events
#signal_clientversion = cowrie-events
#debug=true
# ============================================================================
# Output Plugins
# These provide an extensible mechanism to send audit log entries to third
# parties. The audit entries contain information on clients connecting to
# the honeypot.
#
# Output entries need to start with 'output_' and have the 'enabled' entry.
# ============================================================================
#[output_xmpp]
#enabled=true
#server = conference.cowrie.local
#user = cowrie@cowrie.local
#password = cowrie
#muc = hacker_room
# JSON based logging module
#
[output_jsonlog]
# Write audit log entries as JSON to 'logfile'.
enabled = true
logfile = ${honeypot:log_path}/cowrie.json
# Timestamp format switch — presumably epoch seconds when true, otherwise the
# module's default string format; confirm in the jsonlog output module.
epoch_timestamp = false
# Supports logging to Elasticsearch
# This is a simple early release
#
#[output_elasticsearch]
#enabled = false
#host = localhost
#port = 9200
#index = cowrie
#type = cowrie
#pipeline = geoip
# Send login attempt information to SANS DShield
# See https://isc.sans.edu/ssh.html
# You must signup for an api key.
# Once registered, find your details at: https://isc.sans.edu/myaccount.html
#
#[output_dshield]
#userid = userid_here
#auth_key = auth_key_here
#batch_size = 100
#enabled = false
# Local Syslog output module
#
# This sends log messages to the local syslog daemon.
# Facility can be:
# KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, SYSLOG and LOCAL0 to LOCAL7.
#
# Format can be:
# text, cef
#
#[output_localsyslog]
#enabled = false
#facility = USER
#format = text
# Text output
# This writes audit log entries to a text file
#
# Format can be:
# text, cef
#
#[output_textlog]
#enabled = false
#logfile = ${honeypot:log_path}/audit.log
#format = text
# MySQL logging module
# Database structure for this module is supplied in docs/sql/mysql.sql
#
# MySQL logging requires extra software: sudo apt-get install libmysqlclient-dev
# MySQL logging requires an extra Python module: pip install mysql-python
#
#[output_mysql]
#enabled = false
#host = localhost
#database = cowrie
#username = cowrie
#password = secret
#port = 3306
#debug = false
# Rethinkdb output module
# Rethinkdb output module requires extra Python module: pip install rethinkdb
#[output_rethinkdblog]
#enabled = false
#host = 127.0.0.1
#port = 28015
#table = output
#password =
#db = cowrie
# SQLite3 logging module
#
# Logging to SQLite3 database. To init the database, use the script
# docs/sql/sqlite3.sql:
# sqlite3 <db_file> < docs/sql/sqlite3.sql
#
#[output_sqlite]
#enabled = false
#db_file = cowrie.db
# MongoDB logging module
#
# MongoDB logging requires an extra Python module: pip install pymongo
#
#[output_mongodb]
#enabled = false
#connection_string = mongodb://username:password@host:port/database
#database = dbname
# Splunk HTTP Event Collector (HEC) output module
# sends JSON directly to Splunk over HTTP or HTTPS
# Use 'https' if your HEC is encrypted, else 'http'
# mandatory fields: url, token
# optional fields: index, source, sourcetype, host
#
#[output_splunk]
#enabled = false
#url = https://localhost:8088/services/collector/event
#token = 6A0EA6C6-8006-4E39-FC44-C35FF6E561A8
#index = cowrie
#sourcetype = cowrie
#source = cowrie
# HPFeeds
#
#[output_hpfeeds]
#enabled = false
#server = hpfeeds.mysite.org
#port = 10000
#identifier = abc123
#secret = secret
#debug=false
# VirusTotal output module
# You must signup for an api key.
#
#[output_virustotal]
#enabled = false
#api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
#upload = True
#debug = False
#scan_file = True
#scan_url = False
# Cuckoo output module
#[output_cuckoo]
#enabled = false
# no slash at the end
#url_base = http://127.0.0.1:8090
#user = user
#passwd = passwd
# force will upload duplicated files to cuckoo
#force = 0
# upload to MalShare
#[output_malshare]
#enabled = false
# This will produce a _lot_ of messages - you have been warned....
#[output_slack]
#enabled = false
#channel = channel_that_events_should_be_posted_in
#token = slack_token_for_your_bot
#debug = false
# https://csirtg.io
# You must signup for an api key.
#
#[output_csirtg]
#enabled = false
#username = wes
#feed = scanners
#description = random scanning activity
#token = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
#[output_socketlog]
#enabled = false
#address = 127.0.0.1:9000
#timeout = 5
# Upload files that cowrie has captured to an S3 (or compatible bucket)
# Files are stored with a name that is the SHA of their contents
#
#[output_s3]
#
# The AWS credentials to use.
# Leave these blank to use botocore's credential discovery e.g .aws/config or ENV variables.
# As per https://github.com/boto/botocore/blob/develop/botocore/credentials.py#L50-L65
#access_key_id = AKIDEXAMPLE
#secret_access_key = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY
#
# The bucket to store the files in. The bucket must already exist.
#bucket = my-cowrie-bucket
#
# The region the bucket is in
#region = eu-west-1
#
# An alternate endpoint URL. If you self host a pithos instance you can set
# this to its URL (e.g. https://s3.mydomain.com) - can otherwise be blank
#endpoint =
#
# Whether or not to validate the S3 certificate. Set this to 'no' to turn this
# off. Do not do this for real AWS. It's only needed for self-hosted S3 clone
# where you don't yet have real certificates.
#verify = no
#[output_influx]
#enabled = false
#host = 127.0.0.1
#port = 8086
#database_name = cowrie
#retention_policy_duration = 12w
[output_kafka]
# Output plugin that sends audit log entries to a Kafka broker at host:port
# under 'topic'.
# NOTE(review): no broker authentication or TLS settings are listed here;
# confirm the broker is reachable only over a trusted network before enabling.
enabled = false
host = 127.0.0.1
port = 9092
topic = cowrie
#[output_redis]
#enabled = false
#host = 127.0.0.1
#port = 6379
# DB of the redis server. Defaults to 0
#db = 0
# Password of the redis server. Defaults to None
#password = secret
# Name of the list to push to or the channel to publish to. Required
#keyname = cowrie
# Method to use when sending data to redis.
# Can be one of [lpush, rpush, publish]. Defaults to lpush
#send_method = lpush
# Perform Reverse DNS lookup
#[output_reversedns]
#enabled = true
# Timeout in seconds
#timeout = 3
#[output_greynoise]
#enabled = true
#debug=False
# Name of the tags separated by comma, for which the IP has to be scanned for.
# Example "SHODAN,JBOSS_WORM,CPANEL_SCANNER_LOW"
# If there isn't any specific tag then just leave it "all"
#tags = all
# An API key is optional, so if you don't want to use one,
# leave this option commented out.
#api_key = 1234567890
# The crashreporter sends data on Python exceptions to api.cowrie.org
# To disable set `enabled = false` in cowrie.cfg
[output_crashreporter]
# Sends data on Python exceptions to api.cowrie.org; enabled by default.
# NOTE(review): tracebacks can carry local paths and variable values — confirm
# what is transmitted before leaving this on in a sensitive deployment.
enabled = true
debug = false