cowrie.cfg.dist

# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# cowrie.cfg
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.

# ============================================================================
# General Cowrie Options
# ============================================================================
[honeypot]

# Sensor name is used to identify this Cowrie instance. Used by the database
# logging modules such as mysql.
#
# If not specified, the logging modules will instead use the IP address of the
# server as the sensor name.
#
# (default: not specified)
#sensor_name=myhostname

# Hostname for the honeypot. Displayed by the shell prompt of the virtual
# environment
#
# (default: svr04)
hostname = svr04


# Directory where to save log files in.
#
# (default: log)
log_path = log


# Directory where to save downloaded artifacts in.
#
# (default: dl)
download_path = dl


# Directory for miscellaneous data files, such as the password database.
#
# (default: data_path)
data_path = data


# Directory where virtual file contents are kept in.
#
# This is only used by commands like 'cat' to display the contents of files.
# Adding files here is not enough for them to appear in the honeypot - the
# actual virtual filesystem is kept in filesystem_file (see below)
#
# (default: honeyfs)
contents_path = honeyfs


# File in the Python pickle format containing the virtual filesystem.
#
# This includes the filenames, paths, permissions for the Cowrie filesystem,
# but not the file contents. This is created by the bin/createfs utility from
# a real template linux installation.
#
# (default: fs.pickle)
filesystem_file = data/fs.pickle


# Directory for creating simple commands that only output text.
#
# The command must be placed under this directory with the proper path, such
# as:
#   txtcmds/usr/bin/vi
# The contents of the file will be the output of the command when run inside
# the honeypot.
#
# In addition to this, the file must exist in the virtual filesystem
#
# (default: txtcmds)
txtcmds_path = txtcmds


# Maximum file size (in bytes) for downloaded files to be stored in 'download_path'.
# A value of 0 means no limit. If the file size is known to be too big from the start,
# the file will not be stored on disk at all.
#
# (default: 0)
#download_limit_size = 10485760


# TTY logging will log a transcript of the complete terminal interaction in UML
# compatible format.
# (default: true)
ttylog = true


# Default directory for TTY logs.
# (default: ttylog_path = %(log_path)s/tty)
ttylog_path = %(log_path)s/tty

# Interactive timeout determines when logged in sessions are
# terminated for being idle. In seconds.
# (default: 180)
interactive_timeout = 180

# EXPERIMENTAL: back-end to user for Cowrie, options: proxy or shell
# a limited implementation is available for proxy, with request_exec functionality only
# (default: shell)
backend = shell


[shell]
# Fake architectures/OS
# When Cowrie receive a command like /bin/cat XXXX (where XXXX is an executable)
# it replies with the content of a dummy executable (located in data_path/arch)
# compiled for an architecture/OS/endian_mode
# arch can be a comma separated list. When there are multiple elements, a random
# is chosen at login time.
# (default: linux-x64-lsb)

arch = linux-x64-lsb

# Here the list of supported OS-ARCH-ENDIANESS executables
# bsd-aarch64-lsb:	    64-bit	LSB	ARM aarch64 version 1 (SYSV)			
# bsd-aarch64-msb:	    64-bit	MSB	ARM aarch64 version 1 (SYSV)			
# bsd-bfin-msb:		    32-bit	MSB	Analog Devices Blackfin	version	1 (SYSV)		
# bsd-mips64-lsb:		64-bit	LSB	MIPS MIPS-III version 1	(SYSV)			
# bsd-mips64-msb:		64-bit	MSB	MIPS MIPS-III version 1	(SYSV)			
# bsd-mips-lsb:		    32-bit	LSB	MIPS MIPS-I version 1 (FreeBSD)			
# bsd-mips-msb:		    32-bit	MSB	MIPS MIPS-I version 1 (FreeBSD)			
# bsd-powepc64-lsb:	    64-bit	MSB	64-bit PowerPC or cisco	7500 version 1 (FreeBSD)
# bsd-powepc-msb:		32-bit	MSB	PowerPC	or cisco 4500 version 1	(FreeBSD)	
# bsd-riscv64-lsb:	    64-bit	LSB	UCB RISC-V version 1 (SYSV)			
# bsd-sparc64-msb:	    64-bit	MSB	SPARC V9 relaxed memory	ordering version 1 (FreeBSD)
# bsd-sparc-msb:		32-bit	MSB	SPARC version 1	(SYSV) statically			
# bsd-x32-lsb:		    32-bit	LSB	Intel 80386 version 1 (FreeBSD)			
# bsd-x64-lsb:		    64-bit	LSB	x86-64 version 1 (FreeBSD)		
# linux-aarch64-lsb:	64-bit	LSB	ARM aarch64 version 1 (SYSV)			
# linux-aarch64-msb:	64-bit	MSB	ARM aarch64 version 1 (SYSV)			
# linux-alpha-lsb:	    64-bit	LSB	Alpha (unofficial) version 1 (SYSV)			
# linux-am33-lsb:		32-bit	LSB	Matsushita MN10300 version 1 (SYSV)			
# linux-arc-lsb:		32-bit	LSB	ARC Cores Tangent-A5 version 1 (SYSV)		
# linux-arc-msb:		32-bit	MSB	ARC Cores Tangent-A5 version 1 (SYSV)		
# linux-arm-lsb:		32-bit	LSB	ARM EABI5 version 1 (SYSV)			
# linux-arm-msb:		32-bit	MSB	ARM EABI5 version 1 (SYSV)			
# linux-avr32-lsb:	    32-bit	LSB	Atmel AVR 8-bit	version 1 (SYSV)		
# linux-bfin-lsb:		32-bit	LSB	Analog Devices Blackfin version	1 (SYSV)		
# linux-c6x-lsb:		32-bit	LSB	TI TMS320C6000 DSP family version 1		
# linux-c6x-msb:		32-bit	MSB	TI TMS320C6000 DSP family version 1		
# linux-cris-lsb:		32-bit	LSB	Axis cris version 1 (SYSV)
# linux-frv-msb:		32-bit	MSB	Cygnus FRV (unofficial) version	1 (SYSV)		
# linux-h8300-msb:	    32-bit	MSB	Renesas	H8/300 version 1 (SYSV)			
# linux-hppa64-msb:	    64-bit	MSB	PA-RISC	02.00.00 (LP64) version	1			
# linux-hppa-msb:		32-bit	MSB	PA-RISC	*unknown arch 0xf* version 1 (GNU/Linux)	
# linux-ia64-lsb:		64-bit	LSB	IA-64 version 1	(SYSV)		
# linux-m32r-msb:		32-bit	MSB	Renesas	M32R version 1 (SYSV)			
# linux-m68k-msb:		32-bit	MSB	Motorola m68k 68020 version 1 (SYSV)		
# linux-microblaze-msb:	32-bit	MSB	Xilinx MicroBlaze 32-bit RISC version 1	(SYSV)	
# linux-mips64-lsb:	    64-bit	LSB	MIPS MIPS-III version 1	(SYSV)	
# linux-mips64-msb:	    64-bit	MSB	MIPS MIPS-III version 1	(SYSV)
# linux-mips-lsb:		32-bit	LSB	MIPS MIPS-I version 1 (SYSV)
# linux-mips-msb:		32-bit	MSB	MIPS MIPS-I version 1 (SYSV)			
# linux-mn10300-lsb:	32-bit	LSB	Matsushita MN10300 version 1 (SYSV)			
# linux-nios-lsb:		32-bit	LSB	Altera Nios II version 1 (SYSV)		
# linux-nios-msb:		32-bit	MSB	Altera Nios II version 1 (SYSV)		
# linux-powerpc64-lsb:	64-bit	LSB	64-bit PowerPC or cisco	7500 version 1 (SYSV)
# linux-powerpc64-msb:	64-bit	MSB	64-bit PowerPC or cisco	7500 version 1 (SYSV)
# linux-powerpc-lsb:	32-bit	LSB	PowerPC	or cisco 4500 version 1 (SYSV)	
# linux-powerpc-msb:	32-bit	MSB	PowerPC	or cisco 4500 version 1 (SYSV)	
# linux-riscv64-lsb:  	64-bit	LSB	UCB RISC-V version 1 (SYSV)			
# linux-s390x-msb:    	64-bit	MSB	IBM S/390 version 1 (SYSV)			
# linux-sh-lsb:	    	32-bit	LSB	Renesas	SH version 1 (SYSV)			
# linux-sh-msb:	    	32-bit	MSB	Renesas	SH version 1 (SYSV)			
# linux-sparc64-msb:  	64-bit	MSB	SPARC V9 relaxed memory	ordering version 1 (SYSV)
# linux-sparc-msb:    	32-bit	MSB	SPARC version 1	(SYSV)
# linux-tilegx64-lsb:	64-bit	LSB	Tilera TILE-Gx version 1 (SYSV)			
# linux-tilegx64-msb: 	64-bit	MSB	Tilera TILE-Gx version 1 (SYSV)			
# linux-tilegx-lsb:   	32-bit	LSB	Tilera TILE-Gx version 1 (SYSV)			
# linux-tilegx-msb:   	32-bit	MSB	Tilera TILE-Gx version 1 (SYSV)			
# linux-x64-lsb:	    64-bit	LSB	x86-64 version 1 (SYSV)			
# linux-x86-lsb:	    32-bit	LSB	Intel 80386 version 1 (SYSV)			
# linux-xtensa-msb:   	32-bit	MSB	Tensilica Xtensa version 1 (SYSV)			
# osx-x32-lsb:	    	32-bit	LSB Intel 80386
# osx-x64-lsb:	    	64-bit	LSB	x86-64

# NO SPACE BETWEEN ELEMENTS!
# arch = bsd-aarch64-lsb,bsd-aarch64-msb,bsd-bfin-msb,bsd-mips-lsb,bsd-mips-msb,bsd-mips64-lsb,bsd-mips64-msb,bsd-powepc-msb,bsd-powepc64-lsb,bsd-riscv64-lsb,bsd-sparc-msb,bsd-sparc64-msb,bsd-x32-lsb,bsd-x64-lsb,linux-aarch64-lsb,linux-aarch64-msb,linux-alpha-lsb,linux-am33-lsb,linux-arc-lsb,linux-arc-msb,linux-arm-lsb,linux-arm-msb,linux-avr32-lsb,linux-bfin-lsb,linux-c6x-lsb,linux-c6x-msb,linux-cris-lsb,linux-frv-msb,linux-h8300-msb,linux-hppa-msb,linux-hppa64-msb,linux-ia64-lsb,linux-m32r-msb,linux-m68k-msb,linux-microblaze-msb,linux-mips-lsb,linux-mips-msb,linux-mips64-lsb,linux-mips64-msb,linux-mn10300-lsb,linux-nios-lsb,linux-nios-msb,linux-powerpc-lsb,linux-powerpc-msb,linux-powerpc64-lsb,linux-powerpc64-msb,linux-riscv64-lsb,linux-s390x-msb,linux-sh-lsb,linux-sh-msb,linux-sparc-msb,linux-sparc64-msb,linux-tilegx-lsb,linux-tilegx-msb,linux-tilegx64-lsb,linux-tilegx64-msb,linux-x64-lsb,linux-x86-lsb,linux-xtensa-msb,osx-x32-lsb,osx-x64-lsb

# ============================================================================
# Network Specific Options
# ============================================================================


# IP address to bind to when opening outgoing connections. Used by wget and
# curl commands.
#
# (default: not specified)
#out_addr = 0.0.0.0


# Fake address displayed as the address of the incoming connection.
# This doesn't affect logging, and is only used by honeypot commands such as
# 'w' and 'last'
#
# If not specified, the actual IP address is displayed instead (default
# behaviour).
#
# (default: not specified)
#fake_addr = 192.168.66.254


# The IP address on which this machine is reachable on from the internet.
# Useful if you use portforwarding or other mechanisms. If empty, Cowrie
# will determine by itself. Used in 'netstat' output
#
#internet_facing_ip = 9.9.9.9


# Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1)
# IP address is obtained by querying http://myip.threatstream.com
#report_public_ip = true



# ============================================================================
# Authentication Specific Options
# ============================================================================


# Class that implements the checklogin() method.
#
# Class must be defined in cowrie/core/auth.py
# Default is the 'UserDB' class which uses the password database.
#
# Alternatively the 'AuthRandom' class can be used, which will let
# a user login after a random number of attempts.
# It will also cache username/password combinations that allow login.
#
auth_class = UserDB

# When AuthRandom is used also set the
#  auth_class_parameters: <min try>, <max try>, <maxcache>
#  for example: 2, 5, 10 = allows access after randint(2,5) attempts
#  and cache 10 combinations.
#
#auth_class = AuthRandom
#auth_class_parameters = 2, 5, 10


# No authentication checking at all
# enabling 'auth_none' will enable the ssh2 'auth_none' authentication method
# this allows the requested user in without any verification at all
#
# (default: false)
#auth_none_enabled = false



# ============================================================================
# Historical SSH Specific Options
# historical options in [honeypot] that have not yet been moved to [ssh]
# ============================================================================

# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie)
#reported_ssh_port = 22



# ============================================================================
# SSH Specific Options
# ============================================================================
[ssh]

# Enable SSH support
# (default: true)
enabled = true


# Public and private SSH key files. If these don't exist, they are created
# automatically.
rsa_public_key = etc/ssh_host_rsa_key.pub
rsa_private_key = etc/ssh_host_rsa_key
dsa_public_key = etc/ssh_host_dsa_key.pub
dsa_private_key = etc/ssh_host_dsa_key


# SSH Version String
#
# Use these to disguise your honeypot from a simple SSH version scan
# Examples:
# SSH-2.0-OpenSSH_5.1p1 Debian-5
# SSH-1.99-OpenSSH_4.3
# SSH-1.99-OpenSSH_4.7
# SSH-1.99-Sun_SSH_1.1
# SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1
# SSH-2.0-OpenSSH_4.3
# SSH-2.0-OpenSSH_4.6
# SSH-2.0-OpenSSH_5.1p1 Debian-5
# SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
# SSH-2.0-OpenSSH_5.5p1 Debian-6
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
# SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
# SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
# SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
# SSH-2.0-OpenSSH_5.9
#
# (default: "SSH-2.0-SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2")
version = SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2


# IP addresses to listen for incoming SSH connections.
# (DEPRECATED: use listen_endpoints instead)
#
# (default: 0.0.0.0) = any IPv4 address
#listen_addr = 0.0.0.0
# (use :: for listen to all IPv6 and IPv4 addresses)
#listen_addr = ::


# Port to listen for incoming SSH connections.
# (DEPRECATED: use listen_endpoints instead)
#
# (default: 2222)
#listen_port = 2222


# Endpoint to listen on for incoming SSH connections.
# See https://twistedmatrix.com/documents/current/core/howto/endpoints.html#servers
# (default: listen_endpoints = tcp:2222:interface=0.0.0.0)
# (use systemd: endpoint for systemd activation)
# listen_endpoints = systemd:domain=INET:index=0
# For both IPv4 and IPv6: listen_endpoints = tcp6:2222:interface=\:\:
listen_endpoints = tcp:2222:interface=0.0.0.0


# Enable the SFTP subsystem
# (default: true)
sftp_enabled = true


# Enable SSH direct-tcpip forwarding
# (default: true)
forwarding = true


# This enables redirecting forwarding requests to another address
# Useful for forwarding protocols to other honeypots
# (default: false)
forward_redirect = false


# Configure where to forward the data to.
# forward_redirect_<portnumber> = <redirect ip>:<redirect port>

# Redirect http/https
# forward_redirect_80 = 127.0.0.1:8000
# forward_redirect_443 = 127.0.0.1:8443

# To record SMTP traffic, install an SMTP honeypoint.
# (e.g https://github.com/awhitehatter/mailoney), run
# python mailoney.py -s yahoo.com -t schizo_open_relay -p 12525
# forward_redirect_25 = 127.0.0.1:12525
# forward_redirect_587 = 127.0.0.1:12525


# This enables tunneling forwarding requests to another address
# Useful for forwarding protocols to a proxy like Squid
# (default: false)
forward_tunnel = false


# Configure where to tunnel the data to.
# forward_tunnel_<portnumber> = <tunnel ip>:<tunnel port>

# Tunnel http/https
# forward_tunnel_80 = 127.0.0.1:3128
# forward_tunnel_443 = 127.0.0.1:3128


# ============================================================================
# Telnet Specific Options
# ============================================================================
[telnet]

# Enable Telnet support, disabled by default
enabled = false

# IP addresses to listen for incoming Telnet connections.
# (DEPRECATED: use listen_endpoints instead)
#
# (default: 0.0.0.0) = any IPv4 address
#listen_addr = 0.0.0.0
# (use :: for listen to all IPv6 and IPv4 addresses)
#listen_addr = ::


# Port to listen for incoming Telnet connections.
# (DEPRECATED: use listen_endpoints instead)
#
# (default: 2223)
#listen_port = 2223


# Endpoint to listen on for incoming Telnet connections.
# See https://twistedmatrix.com/documents/current/core/howto/endpoints.html#servers
# (default: listen_endpoints = tcp:2223:interface=0.0.0.0)
# (use systemd: endpoint for systemd activation)
# listen_endpoints = systemd:domain=INET:index=0
# For IPv4 and IPv6: listen_endpoints = tcp6:2223:interface=\:\: tcp:2223:interface=0.0.0.0
listen_endpoints = tcp:2223:interface=0.0.0.0


# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie)
#reported_port = 23



# ============================================================================
# Database logging Specific Options
# ============================================================================

# XMPP Logging
# Log to an xmpp server.
#
#[database_xmpp]
#server = sensors.carnivore.it
#user = anonymous@sensors.carnivore.it
#password = anonymous
#muc = dionaea.sensors.carnivore.it
#signal_createsession = cowrie-events
#signal_connectionlost = cowrie-events
#signal_loginfailed = cowrie-events
#signal_loginsucceeded = cowrie-events
#signal_command = cowrie-events
#signal_clientversion = cowrie-events
#debug=true



# ============================================================================
# Output Plugins
# These provide an extensible mechanism to send audit log entries to third
# parties. The audit entries contain information on clients connecting to
# the honeypot.
# ============================================================================


# JSON based logging module
#
[output_jsonlog]
logfile = log/cowrie.json


# Supports logging to Elasticsearch
# This is a simple early release
#
#[output_elasticsearch]
#host = localhost
#port = 9200
#index = cowrie
#type = cowrie


# Send login attemp information to SANS DShield
# See https://isc.sans.edu/ssh.html
# You must signup for an api key.
# Once registered, find your details at: https://isc.sans.edu/myaccount.html
#
#[output_dshield]
#userid = userid_here
#auth_key = auth_key_here
#batch_size = 100


# Local Syslog output module
#
# This sends log messages to the local syslog daemon.
# Facility can be:
# KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, SYSLOG and LOCAL0 to LOCAL7.
#
# Format can be:
# text, cef
#
#[output_localsyslog]
#facility = USER
#format = text


# Text output
# This writes audit log entries to a text file
#
# Format can be:
# text, cef
#
#[output_textlog]
#logfile = log/audit.log
#format = text


# MySQL logging module
# Database structure for this module is supplied in doc/sql/mysql.sql
#
# MySQL logging requires extra software: sudo apt-get install libmysqlclient-dev
# MySQL logging requires an extra Python module: pip install mysql-python
#
#[output_mysql]
#host = localhost
#database = cowrie
#username = cowrie
#password = secret
#port = 3306
#store_input = true
#debug = false

# Rethinkdb output module
# Rethinkdb output module requires extra Python module: pip install rethinkdb

#[output_rethinkdblog]
#host = 127.0.0.1
#port = 28015
#table = output
#password =
#db = cowrie

# SQLite3 logging module
#
# Logging to SQLite3 database. To init the database, use the script
# doc/sql/sqlite3.sql:
#     sqlite3 <db_file> < doc/sql/sqlite3.sql
#
#[output_sqlite]
#db_file = cowrie.db

# MongoDB logging module
#
# MongoDB logging requires an extra Python module: pip install pymongo
#
#[output_mongodb]
#connection_string = mongodb://username:password@host:port/database
#database = dbname


# Splunk SDK output module - Legacy. Requires Splunk API installed
# This sends logs directly to Splunk using the Python REST SDK
#
#[output_splunklegacy]
#host = localhost
#port = 8889
#username = admin
#password = password
#index = cowrie


# Splunk HTTP Event Collector (HEC) output module
# Sends JSON directly to Splunk over HTTPS
# mandatory fields: url, token
# optional fields: index, source, sourcetype, host
#
#[output_splunk]
#url = https://localhost:8088/services/collector/event
#token = 6A0EA6C6-8006-4E39-FC44-C35FF6E561A8
#index = cowrie
#sourcetype = cowrie
#source = cowrie


# HPFeeds
#
#[output_hpfeeds]
#server = hpfeeds.mysite.org
#port = 10000
#identifier = abc123
#secret = secret
#debug=false


# VirusTotal output module
# You must signup for an api key.
#
#[output_virustotal]
#api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
#upload = True
#debug = False


# Cuckoo output module
#[output_cuckoo]
# no slash at the end
#url_base = http://127.0.0.1:8090
#user = user
#passwd = passwd
# force will upload duplicated files to cuckoo
#force = 0

# upload to MalShare
#[output_malshare]
#enabled = false

#[output_slack]
# This will produce a _lot_ of messages - you have been warned....
#channel = channel_that_events_should_be_posted_in
#token = slack_token_for_your_bot
##debug=true


# https://csirtg.io
# You must signup for an api key.
#
#[output_csirtg]
#username=wes
#feed=scanners
#description=random scanning activity
#token=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef


#[output_socketlog]
#address = 127.0.0.1:9000
#timeout = 5

# Upload files that cowrie has captured to an S3 (or compatible bucket)
# Files are stored with a name that is the SHA of their contents
#
#[output_s3]
#
# The AWS credentials to use.
# Leave these blank to use botocore's credential discovery e.g .aws/config or ENV variables.
# As per https://github.com/boto/botocore/blob/develop/botocore/credentials.py#L50-L65
#access_key_id = AKIDEXAMPLE
#secret_access_key = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY
#
# The bucket to store the files in. The bucket must already exist.
#bucket = my-cowrie-bucket
#
# The region the bucket is in
#region = eu-west-1
#
# An alternate endpoint URL. If you self host a pithos instance you can set
# this to its URL (e.g. https://s3.mydomain.com) - can otherwise be blank
#endpoint =
#
# Whether or not to validate the S3 certificate. Set this to 'no' to turn this
# off. Do not do this for real AWS. It's only needed for self-hosted S3 clone
# where you don't yet have real certificates.
#verify = no

#[output_influx]
#host = 127.0.0.1
#port = 8086
#database_name = cowrie
#retention_policy_duration = 12w


#[output_redis]
# Host of the redis server. Required
#host = 127.0.0.1

# Port of the redis server. Required
#port = 6379

# DB of the redis server. Defaults to 0
#db = 0

# Password of the redis server. Defaults to None
#password = secret

# Name of the list to push to or the channel to publish to. Required
#keyname = cowrie

# Method to use when sending data to redis.
# Can be one of [lpush, rpush, publish]. Defaults to lpush
#send_method = lpush