Question

[boisgada]

First and foremost, thank you for the work on Cowrie. Very useful tool.

I have set up a single sanbox VM running Cowrie. Connections reach this VM via a second gateway VM which initiates ssh connections to several VPS servers by running autossh using the -R (see below):

$AUTOSSH -vvv -M $AUTOSSH_PORT -f -2N -R \*:22:$COWRIE_HOST:2222 $REMOTE_USER@$VPS_SERVER -o ExitOnForwardFailure=yes

This allows a single gateway box to control when the service is available on all VPS servers. The downside, the source IP address in the Cowrie logs is always the gateway server. Can you see any way around this consequence of the setup?

[micheloosterhof]

This is an interesting idea. You could log in both places but it will be difficult to correlate the two together in particular on busy servers.

Ideally you'd want to pass on the original IP address inside the SSH protocol, the same way a proxy can send an X-Forwarded-For:. But it will take some work at the Cowrie level (fairly straightforward) and more work in your connection forwarder to make this all work.