A Docker container for Cowrie - SSH honeypot based on kippo. Minimal image (228.4 MB).
Image is based on the gliderlabs/alpine base image.
docker run -p 2222 -p 2223 -v $(pwd)/dl:/home/cowrie/cowrie/dl -v $(pwd)/log:/home/cowrie/cowrie/log gosecure/cowrie
Attack surface
- If you don't want SSH exposed, remove -p 2222
- If you don't want Telnet exposed, remove -p 2223
Volumes are mapped on the host for convenient access to logs and evidence.
- dl/ - files transferred from the attacker to the honeypot are stored here
- log/cowrie.json - transaction output in JSON format
- log/cowrie.log - log/debug output
- log/tty/*.log - session logs
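For triaging the mapped log/cowrie.json on the host, here is an added example (not part of this image or of Cowrie itself) that groups events per session and tolerates a half-written last line while the container is still logging. The event names and field names are assumed to be Cowrie's usual JSON log keys, which this page does not list; the sample lines are constructed.

```python
import json
from collections import Counter

# Constructed sample in the assumed shape of log/cowrie.json (one JSON object per line).
# IPs are documentation ranges; the hash is a placeholder, not a real indicator.
SAMPLE = """\
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.10", "session": "a1"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "192.0.2.10", "session": "a1"}
{"eventid": "cowrie.login.success", "username": "root", "password": "admin", "src_ip": "192.0.2.10", "session": "a1"}
{"eventid": "cowrie.command.input", "input": "uname -a", "src_ip": "192.0.2.10", "session": "a1"}
{"eventid": "cowrie.session.file_download", "url": "http://example.invalid/x", "shasum": "PLACEHOLDER_SHA256", "src_ip": "192.0.2.10", "session": "a1"}
{"eventid": "cowrie.login.failed", "username": "admin", "password": "admin", "src_ip": "198.51.100.7", "session": "b2"}
{"eventid": "cowrie.login.fai
"""

def parse_events(lines):
    """Yield one dict per valid JSON line; skip blanks and half-written lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # the honeypot may still be writing the last line
        if isinstance(event, dict) and "eventid" in event:
            yield event

def summarize(lines):
    """Return (per-session summary, Counter of credential pairs tried)."""
    sessions, creds = {}, Counter()
    for ev in parse_events(lines):
        s = sessions.setdefault(ev.get("session"), {
            "src_ip": ev.get("src_ip"), "logged_in": False, "commands": [], "downloads": []})
        kind = ev["eventid"]
        if kind in ("cowrie.login.failed", "cowrie.login.success"):
            creds[(ev.get("username"), ev.get("password"))] += 1
            s["logged_in"] = s["logged_in"] or kind == "cowrie.login.success"
        elif kind == "cowrie.command.input":
            s["commands"].append(ev.get("input"))
        elif kind == "cowrie.session.file_download":
            s["downloads"].append((ev.get("url"), ev.get("shasum")))
    return sessions, creds

if __name__ == "__main__":
    sessions, creds = summarize(SAMPLE.splitlines())
    for sid, s in sessions.items():
        print(sid, s)
    print(creds.most_common(5))
```

To run it against real data, pass an open file handle for log/cowrie.json to summarize() instead of the sample.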
docker run --restart=on-failure:10 -p 2222:2222 gosecure/cowrie
docker run --restart=always -p 22:2222 gosecure/cowrie
- cowrie.cfg - Cowrie's configuration file.
- data/fs.pickle - fake filesystem
- data/userdb.txt - credentials allowed or disallowed to access the honeypot
- honeyfs/ - file contents for the fake filesystem - feel free to copy a real system here or use utils/fsctl.py
- txtcmds/ - file contents for the fake commands
docker build -t gosecure/cowrie .
- utils/createfs.py - used to create the fake filesystem
- utils/playlog.py - utility to replay session logs