Using the back-end pool mode, remote SSH cannot access #1766

Open
yhfwww opened this issue Sep 8, 2022 · 5 comments

@yhfwww

yhfwww commented Sep 8, 2022

I configured the agent in pool mode according to the installation and configuration steps in the official documentation, but when I act as a simulated attacker and run ssh root@ip, I am unable to get access. The prompt is: connection rejected or connection closed by remote host.
I feel that the documentation of the pool is still incomplete.
Here is my contextual information:

Expected behavior
When I use shell mode, everything is normal, but I need a high interaction honeypot. When I use pool mode, remote SSH cannot connect successfully.
Server (please complete the following information):

  • OS:
    Linux VM-16-16-ubuntu 5.15.0-40-generic #43-Ubuntu SMP Wed Jun 15 12:54:21 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
  • Python:
    Python 3.10.4 (main, Apr 2 2022, 09:04:19) [GCC 11.2.0] on linux
  • cowrie:
    cowrie 2.3.0
  • Profile:
    cowrie.cfg
    [honeypot]
    hostname = webserver6
    interactive_timeout = 1800
    authentication_timeout = 0
    backend = proxy
    auth_class = UserDB
    [backend_pool]
    pool_only = false
    recycle_period = 1500
    listen_endpoints = tcp:6415:interface=127.0.0.1
    guest_ssh_port = 22
    guest_telnet_port = 23
    guest_image_path = /home/cowrie/cowrie-imgs/ubuntu18.04-minimal.qcow2
    guest_hypervisor = qemu
    guest_memory = 512
    guest_qemu_machine = pc-q35-bionic
    use_nat = true
    nat_public_ip = 192.168.1.40
    [proxy]
    backend = pool
    pool_max_vms = 2
    pool_vm_unused_timeout = 600
    pool_share_guests = false
    pool = local
    backend_user = root
    backend_pass = root
    [shell]
    ssh_version = OpenSSH_7.9p1, OpenSSL 1.1.1a 20 Nov 2018
    [ssh]
    enabled = true
    version = SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
    listen_endpoints = tcp:2222:interface=0.0.0.0
    sftp_enabled = true
    forward_redirect = false
    forward_tunnel = false
    [telnet]
    enabled = true
    listen_endpoints = tcp:2223:interface=0.0.0.0

Anything more:
In the log file:
builtins.AttributeError: 'SSH' object has no attribute 'client'

@micheloosterhof
Member

Do you have anything else that's more descriptive in your log files?

@MandiYang

MandiYang commented Jan 11, 2023

I also have seen this error

2023-01-11T00:40:26.509572Z [cowrie.ssh.factory.CowrieSSHFactory] New connection:<IP>:43404 (192.168.1.69:22) [session: 4985e48377d7]
2023-01-11T00:40:26.510947Z [backend_pool.pool_server.PoolServerFactory] Received connection from 127.0.0.1:37002
2023-01-11T00:40:26.511429Z [Uninitialized] Connected to backend pool
2023-01-11T00:40:26.511749Z [PoolServer,384,127.0.0.1] Requesting a VM for attacker @ <IP>
2023-01-11T00:40:26.511959Z [PoolServer,384,127.0.0.1] No VM available, returning error code
2023-01-11T00:40:26.512241Z [PoolClient,client] Error in pool while requesting guest. Losing connection...
2023-01-11T00:40:26.512439Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#info] Disconnecting with error, code 10
	reason: b'user closed connection'
2023-01-11T00:40:26.512727Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#info] connection lost
2023-01-11T00:40:26.512891Z [FrontendSSHTransport,383,<IP>] Unhandled Error
	Traceback (most recent call last):
	  File "/home/cowrie/cowrie_pxy/cowrie-env/lib/python3.10/site-packages/twisted/application/app.py", line 304, in runReactorWithLogging
	    reactor.run()
	  File "/home/cowrie/cowrie_pxy/cowrie-env/lib/python3.10/site-packages/twisted/internet/base.py", line 1318, in run
	    self.mainLoop()
	  File "/home/cowrie/cowrie_pxy/cowrie-env/lib/python3.10/site-packages/twisted/internet/base.py", line 1331, in mainLoop
	    reactorBaseSelf.doIteration(t)
	  File "/home/cowrie/cowrie_pxy/cowrie-env/lib/python3.10/site-packages/twisted/internet/epollreactor.py", line 244, in doPoll
	    log.callWithLogger(selectable, _drdw, selectable, fd, event)
	--- <exception caught here> ---
	  File "/home/cowrie/cowrie_pxy/cowrie-env/lib/python3.10/site-packages/twisted/python/log.py", line 96, in callWithLogger
	    return callWithContext({"system": lp}, func, *args, **kw)
	  File "/home/cowrie/cowrie_pxy/cowrie-env/lib/python3.10/site-packages/twisted/python/log.py", line 80, in callWithContext
	    return context.call({ILogContext: newCtx}, func, *args, **kw)
	  File "/home/cowrie/cowrie_pxy/cowrie-env/lib/python3.10/site-packages/twisted/python/context.py", line 117, in callWithContext
	    return self.currentContext().callWithContext(ctx, func, *args, **kw)
	  File "/home/cowrie/cowrie_pxy/cowrie-env/lib/python3.10/site-packages/twisted/python/context.py", line 82, in callWithContext
	    return func(*args, **kw)
	  File "/home/cowrie/cowrie_pxy/cowrie-env/lib/python3.10/site-packages/twisted/internet/posixbase.py", line 500, in _doReadOrWrite
	    self._disconnectSelectable(selectable, why, inRead)
	  File "/home/cowrie/cowrie_pxy/cowrie-env/lib/python3.10/site-packages/twisted/internet/posixbase.py", line 104, in _disconnectSelectable
	    selectable.connectionLost(f)
	  File "/home/cowrie/cowrie_pxy/cowrie-env/lib/python3.10/site-packages/twisted/internet/tcp.py", line 326, in connectionLost
	    protocol.connectionLost(reason)
	  File "/home/cowrie/cowrie_pxy/src/cowrie/ssh_proxy/server_transport.py", line 371, in connectionLost
	    if self.sshParse.client and self.sshParse.client.transport:
	builtins.AttributeError: 'SSH' object has no attribute 'client'

@MandiYang

MandiYang commented Mar 4, 2023

I debugged my error with ChatGPT, no guarantee this is correct:

The log indicates that a connection was received from the IP address 127.0.0.1 on February 18, 2023 at 00:50:21.350528 UTC. The backend pool received the connection and the server successfully reused a virtual machine (VM) that was not being used by an attacker.

However, when the pool server attempted to request a VM for an attacker with IP address ....Censored..., there was no VM available, so it returned an error code. This caused an error in the pool client, resulting in the connection being lost with the error "user closed connection."

After the connection was lost, an unhandled error occurred in the FrontendSSHTransport on line 371 of the server_transport.py file in the cowrie SSH proxy. The error message indicates that the SSH object has no attribute 'client'.

To resolve the issue, the cowrie SSH proxy code should be reviewed and modified as needed to ensure that the SSH object has the expected 'client' attribute. It may also be necessary to investigate why there were no virtual machines available in the pool to handle the incoming connection from the attacker.
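
The chain reported in this thread (the pool logs "No VM available", the proxy drops the connection, and `connectionLost` then raises the AttributeError) can be separated into cause and follow-on symptom per session when reading a Cowrie log. The script below is an added example, not part of the original thread and not Cowrie code; the names `triage` and `verdict`, the verdict labels, and the sample log (modelled on the excerpt above, with documentation-range addresses) are assumptions.

```python
import re

# Constructed sample modelled on the log excerpt in this thread. Attacker
# addresses are documentation-range placeholders; the last two sessions are
# invented to show the other two outcomes.
SAMPLE_LOG = """\
2023-01-11T00:40:26.509572Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: 203.0.113.7:43404 (192.168.1.69:22) [session: 4985e48377d7]
2023-01-11T00:40:26.511749Z [PoolServer,384,127.0.0.1] Requesting a VM for attacker @ 203.0.113.7
2023-01-11T00:40:26.511959Z [PoolServer,384,127.0.0.1] No VM available, returning error code
2023-01-11T00:40:26.512241Z [PoolClient,client] Error in pool while requesting guest. Losing connection...
2023-01-11T00:40:26.512891Z [FrontendSSHTransport,383,203.0.113.7] Unhandled Error
    Traceback (most recent call last):
      File "/home/cowrie/cowrie_pxy/src/cowrie/ssh_proxy/server_transport.py", line 371, in connectionLost
    builtins.AttributeError: 'SSH' object has no attribute 'client'
2023-01-11T00:41:02.000000Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: 198.51.100.20:51000 (192.168.1.69:22) [session: aaaa00000001]
2023-01-11T00:41:02.001000Z [PoolServer,385,127.0.0.1] Requesting a VM for attacker @ 198.51.100.20
2023-01-11T00:42:10.000000Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: 192.0.2.55:40222 (192.168.1.69:22) [session: bbbb00000002]
2023-01-11T00:42:10.500000Z [FrontendSSHTransport,386,192.0.2.55] Unhandled Error
    builtins.AttributeError: 'SSH' object has no attribute 'client'
"""

# "<timestamp>Z [<system tag>] <message>"; anything else is a continuation line.
LINE_RE = re.compile(r"^(?P<ts>\S+Z) \[(?P<system>[^\]]*)\] (?P<msg>.*)$")
NEW_CONN_RE = re.compile(
    r"New connection:\s*(?P<ip>[^\s:]+):\d+ .*\[session: (?P<sid>[0-9a-f]+)\]"
)
VM_REQ_RE = re.compile(r"Requesting a VM for attacker @ (?P<ip>\S+)")
NO_VM = "No VM available"
ATTR_ERR = "'SSH' object has no attribute 'client'"


def verdict(finding):
    """Classify one session from the flags collected by triage()."""
    if finding["no_vm"]:
        return "pool_exhausted"   # an AttributeError here is only a follow-on
    if finding["attr_error"]:
        return "attr_error_only"  # crash with no pool error logged
    return "ok"


def triage(log_text):
    """Return {session_id: {src_ip, no_vm, attr_error, verdict}} for a log."""
    sessions = {}         # session id -> findings
    latest_by_ip = {}     # attacker IP -> most recent session id
    pool_req = {}         # PoolServer log tag -> attacker IP being served
    open_error_ip = None  # IP whose "Unhandled Error" traceback we are inside

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            # Traceback body or other indented detail belonging to the
            # previous timestamped line.
            if open_error_ip and ATTR_ERR in raw:
                sid = latest_by_ip.get(open_error_ip)
                if sid:
                    sessions[sid]["attr_error"] = True
            continue

        open_error_ip = None
        system, msg = m["system"], m["msg"]

        conn = NEW_CONN_RE.search(msg)
        if conn:
            sessions[conn["sid"]] = {
                "src_ip": conn["ip"], "no_vm": False, "attr_error": False,
            }
            latest_by_ip[conn["ip"]] = conn["sid"]
            continue

        req = VM_REQ_RE.search(msg)
        if req:
            pool_req[system] = req["ip"]
            continue

        if NO_VM in msg and system in pool_req:
            sid = latest_by_ip.get(pool_req[system])
            if sid:
                sessions[sid]["no_vm"] = True
            continue

        if msg.startswith("Unhandled Error") and system.startswith(
            "FrontendSSHTransport,"
        ):
            # The tag has the form FrontendSSHTransport,<n>,<attacker IP>.
            open_error_ip = system.rsplit(",", 1)[1]

    for finding in sessions.values():
        finding["verdict"] = verdict(finding)
    return sessions


if __name__ == "__main__":
    for sid, finding in triage(SAMPLE_LOG).items():
        print(sid, finding["src_ip"], finding["verdict"],
              "attr_error" if finding["attr_error"] else "")
```

Sessions reported as `pool_exhausted` point at the backend pool (no guest was handed out), while `attr_error_only` sessions need a different explanation than the one discussed here.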

@Denrogh

Denrogh commented Aug 3, 2023

I am also getting this error. I believe it has been said in other issues that "SSH object has no attribute client" is due to the connection dropping. The reason for that in this case is that "No VM available, returning error code" means that it is not serving up a VM, hence the connection automatically drops. How to fix this error I don't know. The logs tell me that the VMs are booted, but possibly something in between is making them inaccessible. I will leave my cowrie.cfg and an extract from my logs to see.

Cowrie.cfg

# Please make any changes to system defaults by overriding them in
# cowrie.cfg
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.

# ============================================================================
# General Cowrie Options
# ============================================================================
[honeypot]

# Sensor name is used to identify this Cowrie instance. Used by the database
# logging modules such as mysql.
#
# If not specified, the logging modules will instead use the IP address of the
# server as the sensor name.
#
# (default: not specified)
#sensor_name=myhostname

# Hostname for the honeypot. Displayed by the shell prompt of the virtual
# environment
#
# (default: svr04)
hostname = svr04


# Directory where to save log files in.
#
# (default: log)
log_path = var/log/cowrie


# Directory where to save downloaded artifacts in.
#
# (default: downloads)
download_path = ${honeypot:state_path}/downloads


# Directory for static data files
#
# (default: share/cowrie)
share_path = share/cowrie


# Directory for variable state files
#
# (default: var/lib/cowrie)
state_path = var/lib/cowrie


# Directory for config files
#
# (default: etc)
etc_path = etc


# Directory where virtual file contents are kept in.
#
# This is only used by commands like 'cat' to display the contents of files.
# Adding files here is not enough for them to appear in the honeypot - the
# actual virtual filesystem is kept in filesystem_file (see below)
#
# (default: honeyfs)
contents_path = honeyfs


# Directory for creating simple commands that only output text.
#
# The command must be placed under this directory with the proper path, such
# as:
#   txtcmds/usr/bin/vi
# The contents of the file will be the output of the command when run inside
# the honeypot.
#
# In addition to this, the file must exist in the virtual filesystem
#
# (default: txtcmds)
txtcmds_path = txtcmds


# Maximum file size (in bytes) for downloaded files to be stored in 'download_path'.
# A value of 0 means no limit. If the file size is known to be too big from the start,
# the file will not be stored on disk at all.
#
# (default: 0)
#download_limit_size = 10485760

# TTY logging will log a transcript of the complete terminal interaction in UML
# compatible format.
# (default: true)
ttylog = false

# Default directory for TTY logs.
# (default: ttylog_path = %(state_path)s/tty)
ttylog_path = ${honeypot:state_path}/tty

# Interactive timeout determines when logged in sessions are
# terminated for being idle. In seconds.
# (default: 180, made longer as no harm in doing so)
interactive_timeout = 1800

# Authentication Timeout
# The server disconnects after this time if the user has not successfully logged in.
# The default is 120 seconds.
authentication_timeout = 120

# EXPERIMENTAL: back-end to use for Cowrie, options: proxy or shell
# (default: shell, changed to proxy mode)
backend = proxy

# Timezone Cowrie uses for logging
# This can be any valid timezone for the TZ environment variable
# The special value `system` will let Cowrie use the system time zone
# `system` is not recommended because you will need to deal with daylight
# savings time and other special cases yourself when analysing the logs.

timezone = UTC

# Custom prompt
# By default, Cowrie creates a shell prompt like: root@svr03:~#
# If you want something totally custom, uncomment the option below and set your prompt
# Beware that the path won't be included in your prompt any longer
# prompt = hello>


# ============================================================================
# Network Specific Options
# ============================================================================


# IP address to bind to when opening outgoing connections. Used by wget and
# curl commands.
#
# (default: not specified)
#out_addr = 0.0.0.0


# Fake address displayed as the address of the incoming connection.
# This doesn't affect logging, and is only used by honeypot commands such as
# 'w' and 'last'
#
# If not specified, the actual IP address is displayed instead (default
# behaviour).
#
# (default: not specified)
#fake_addr = 192.168.66.254


# The IP address on which this machine is reachable on from the internet.
# Useful if you use portforwarding or other mechanisms. If empty, Cowrie
# will determine by itself. Used in 'netstat' output
#
#internet_facing_ip = 9.9.9.9



# ============================================================================
# Authentication Specific Options
# ============================================================================


# Class that implements the checklogin() method.
#
# Class must be defined in cowrie/core/auth.py
# Default is the 'UserDB' class which uses the password database.
#
# Alternatively the 'AuthRandom' class can be used, which will let
# a user login after a random number of attempts.
# It will also cache username/password combinations that allow login.
#
auth_class = UserDB

# When AuthRandom is used also set the
#  auth_class_parameters: <min try>, <max try>, <maxcache>
#  for example: 2, 5, 10 = allows access after randint(2,5) attempts
#  and cache 10 combinations.
#
#auth_class = AuthRandom
#auth_class_parameters = 2, 5, 10


[backend_pool]
# ============================================================================
# Backend Pool Configurations
# only used on the cowrie instance that runs the pool
# ============================================================================

# enable this to solely run the pool, regardless of other configurations (disables SSH and Telnet)
pool_only = false

# time between full VM recycling (cleans older VMs and boots newer ones) - involves some downtime between cycles
# -1 to disable
recycle_period = 1500

# change interface below to allow connections from outside (e.g. remote pool)
listen_endpoints = tcp:6415:interface=127.0.0.1

# guest snapshots
save_snapshots = false
snapshot_path = ${honeypot:state_path}/snapshots

# pool xml configs
config_files_path = ${honeypot:share_path}/pool_configs

network_config = default_network.xml
nw_filter_config = default_filter.xml

# =====================================
# Guest details (for a generic x86-64 guest, like Ubuntu)
#
# Used to provide configuration details to save snapshots, identify
# running guests, and provide other details to Cowrie.
#   - SSH and Telnet ports: which ports are listening for these services in the guest OS;
#     if you're not using one of them omit the config or set to 0
#   - Guest private key: used by the pool to control the guest's state via SSH; guest must
#     have the corresponding pubkey in root's authorized_keys (not implemented)
# =====================================
guest_config = default_guest.xml
guest_privkey = ${honeypot:state_path}/ubuntu18.04-guest
guest_tag = ubuntu18.04
guest_ssh_port = 22
guest_telnet_port = 23

# Configs below are used on default XMLs provided.
# If you provide your own XML in guest_config you don't need these configs.
#
# Guest hypervisor can be qemu or kvm, for example. Recent hardware has KVM,
# which is more performant than the qemu software-based emulation. Guest arch
# must match your machine's. If it's older or you're unsure, set it to 'qemu'.
#
# Memory size is in MB.
#
# Advanced: guest_qemu_machine defines which machine Qemu emulates for your VM
# If you get a "unsupported machine type" exception when VMs are loading, change
# it to a compatible machine listed by the command: 'qemu-system-x86_64 -machine help'
guest_image_path = /home/cowrie/cowrie/proxyimage/ubuntu18.04-minimal.qcow2
guest_hypervisor = kvm
guest_memory = 512
guest_qemu_machine = pc-q35-bionic

# =====================================
# Guest details (for OpenWRT with ARM architecture)
#
# Used to provide configuration details to save snapshots, identify running guests,
# and provide other details to Cowrie.
# =====================================
#guest_config = wrt_arm_guest.xml
#guest_tag = wrt
#guest_ssh_port = 22
#guest_telnet_port = 23

# Configs below are used on default XMLs provided.
# If you provide your own XML in guest_config you don't need these configs.
#
# Guest hypervisor can be qemu or kvm, for example. Recent hardware has KVM,
# which is more performant than the qemu software-based emulation. Guest arch
# must match your machine's.
#
# Memory size is in MB.
#
# Advanced: guest_qemu_machine defines which machine Qemu emulates for your VM
# If you get a "unsupported machine type" exception when VMs are loading, change
# it to a compatible machine listed by the command: 'qemu-system-arm -machine help'
#guest_image_path = /home/cowrie/cowrie-imgs/root.qcow2
#guest_hypervisor = qemu
#guest_memory = 256
#guest_kernel_image = /home/cowrie/cowrie-imgs/zImage
#guest_qemu_machine = virt-2.9

# =====================================
# Other configs
# =====================================
# Use NAT (for remote pool)
#
# Guests exist in a local interface created by libvirt; NAT functionality creates a port in the host,
# exposed to a public interface, and forwards TCP data to and from the libvirt private interface.
# Cowrie's proxy receives the public information instead of the local IP of guests.
use_nat = true
nat_public_ip = 192.168.1.40


# ============================================================================
# Proxy Options
# ============================================================================
[proxy]

# type of backend:
#   - simple: backend machine deployed by you (CAREFUL WITH SECURITY ASPECTS!!), specify hosts and ports below
#   - pool: cowrie-managed pool of virtual machines, configure below
backend = pool

# =====================================
# Simple Backend Configuration
# =====================================
backend_ssh_host = localhost
backend_ssh_port = 2022

backend_telnet_host = localhost
backend_telnet_port = 2023

# =====================================
# Pool Backend Configuration
# =====================================

# generic pool configurable settings
# Default pool_max_vms = 5
pool_max_vms = 3
pool_vm_unused_timeout = 600

# allow sharing guests between different attackers if no new VMs are available
pool_share_guests = true

# Where to deploy the backend pool (only if backend = pool)
#   - "local": same machine as the proxy
#   - "remote": set host and port of the pool below
pool = local

# Remote pool configurations (used with pool=remote)
pool_host = 192.168.1.40
pool_port = 6415

# =====================================
# Proxy Configurations
# =====================================

# real credentials to log into backend

backend_user = root
backend_pass = root

# Telnet prompt detection
#
# To detect authentication prompts (and spoof auth details to the ones the backend accepts) we need to capture
# login and password prompts, and spoof data to the backend in order to successfully authenticate. If disabled,
# attackers can only use the real user credentials of the backend.
telnet_spoof_authentication = true

# These regex were made using Ubuntu 18.04; you have to adapt these for the prompts
# from your backend. You can enable raw logging above to analyse data passing through
# and identify the format of the prompts you need.
# You should generally include ".*" at the beginning and end of prompts, since Telnet messages can contain
# more data than the prompt.

# For login it is usually <hostname> login:
telnet_username_prompt_regex = (\n|^)ubuntu login: .*

# Password prompt is usually only the word Password
telnet_password_prompt_regex = .*Password: .*

# This data is sent by clients at the beginning of negotiation (before the password prompt), and contains the username
# that is trying to log in. We replace that username with the one in "backend_user" to allow the chance of a successful
# login after the first password prompt. We are only able to check if credentials are allowed after the password is
# inserted. If they are, then a correct username was already sent and authentication succeeds; if not, we send a fake
# password to force authentication to fail.
telnet_username_in_negotiation_regex = (.*\xff\xfa.*USER\x01)(.*?)(\xff.*)

# Other configs #
# log raw TCP packets in SSH and Telnet
log_raw = true


# ============================================================================
# Shell Options
# Options around Cowrie's Shell Emulation
# ============================================================================

[shell]

# File in the Python pickle format containing the virtual filesystem.
#
# This includes the filenames, paths, permissions for the Cowrie filesystem,
# but not the file contents. This is created by the bin/createfs utility from
# a real template linux installation.
#
# (default: fs.pickle)
filesystem = ${honeypot:share_path}/fs.pickle


# File that contains output for the `ps` command.
#
# (default: share/cowrie/cmdoutput.json)
processes = share/cowrie/cmdoutput.json


# Fake architectures/OS
# When Cowrie receive a command like /bin/cat XXXX (where XXXX is an executable)
# it replies with the content of a dummy executable (located in data_path/arch)
# compiled for an architecture/OS/endian_mode
# arch can be a comma separated list. When there are multiple elements, a random
# is chosen at login time.
# (default: linux-x64-lsb)

arch = linux-x64-lsb

# Here the list of supported OS-ARCH-ENDIANESS executables
# bsd-aarch64-lsb:          64-bit      LSB     ARM aarch64 version 1 (SYSV)
# bsd-aarch64-msb:          64-bit      MSB     ARM aarch64 version 1 (SYSV)
# bsd-bfin-msb:             32-bit      MSB     Analog Devices Blackfin version 1 (SYSV)
# bsd-mips64-lsb:               64-bit  LSB     MIPS MIPS-III version 1 (SYSV)
# bsd-mips64-msb:               64-bit  MSB     MIPS MIPS-III version 1 (SYSV)
# bsd-mips-lsb:             32-bit      LSB     MIPS MIPS-I version 1 (FreeBSD)
# bsd-mips-msb:             32-bit      MSB     MIPS MIPS-I version 1 (FreeBSD)
# bsd-powepc64-lsb:         64-bit      MSB     64-bit PowerPC or cisco 7500 version 1 (FreeBSD)
# bsd-powepc-msb:               32-bit  MSB     PowerPC or cisco 4500 version 1 (FreeBSD)
# bsd-riscv64-lsb:          64-bit      LSB     UCB RISC-V version 1 (SYSV)
# bsd-sparc64-msb:          64-bit      MSB     SPARC V9 relaxed memory ordering version 1 (FreeBSD)
# bsd-sparc-msb:                32-bit  MSB     SPARC version 1 (SYSV) statically
# bsd-x32-lsb:              32-bit      LSB     Intel 80386 version 1 (FreeBSD)
# bsd-x64-lsb:              64-bit      LSB     x86-64 version 1 (FreeBSD)
# linux-aarch64-lsb:    64-bit  LSB     ARM aarch64 version 1 (SYSV)
# linux-aarch64-msb:    64-bit  MSB     ARM aarch64 version 1 (SYSV)
# linux-alpha-lsb:          64-bit      LSB     Alpha (unofficial) version 1 (SYSV)
# linux-am33-lsb:               32-bit  LSB     Matsushita MN10300 version 1 (SYSV)
# linux-arc-lsb:                32-bit  LSB     ARC Cores Tangent-A5 version 1 (SYSV)
# linux-arc-msb:                32-bit  MSB     ARC Cores Tangent-A5 version 1 (SYSV)
# linux-arm-lsb:                32-bit  LSB     ARM EABI5 version 1 (SYSV)
# linux-arm-msb:                32-bit  MSB     ARM EABI5 version 1 (SYSV)
# linux-avr32-lsb:          32-bit      LSB     Atmel AVR 8-bit version 1 (SYSV)
# linux-bfin-lsb:               32-bit  LSB     Analog Devices Blackfin version 1 (SYSV)
# linux-c6x-lsb:                32-bit  LSB     TI TMS320C6000 DSP family version 1
# linux-c6x-msb:                32-bit  MSB     TI TMS320C6000 DSP family version 1
# linux-cris-lsb:               32-bit  LSB     Axis cris version 1 (SYSV)
# linux-frv-msb:                32-bit  MSB     Cygnus FRV (unofficial) version 1 (SYSV)
# linux-h8300-msb:          32-bit      MSB     Renesas H8/300 version 1 (SYSV)
# linux-hppa64-msb:         64-bit      MSB     PA-RISC 02.00.00 (LP64) version 1
# linux-hppa-msb:               32-bit  MSB     PA-RISC *unknown arch 0xf* version 1 (GNU/Linux)
# linux-ia64-lsb:               64-bit  LSB     IA-64 version 1 (SYSV)
# linux-m32r-msb:               32-bit  MSB     Renesas M32R version 1 (SYSV)
# linux-m68k-msb:               32-bit  MSB     Motorola m68k 68020 version 1 (SYSV)
# linux-microblaze-msb: 32-bit  MSB     Xilinx MicroBlaze 32-bit RISC version 1 (SYSV)
# linux-mips64-lsb:         64-bit      LSB     MIPS MIPS-III version 1 (SYSV)
# linux-mips64-msb:         64-bit      MSB     MIPS MIPS-III version 1 (SYSV)
# linux-mips-lsb:               32-bit  LSB     MIPS MIPS-I version 1 (SYSV)
# linux-mips-msb:               32-bit  MSB     MIPS MIPS-I version 1 (SYSV)
# linux-mn10300-lsb:    32-bit  LSB     Matsushita MN10300 version 1 (SYSV)
# linux-nios-lsb:               32-bit  LSB     Altera Nios II version 1 (SYSV)
# linux-nios-msb:               32-bit  MSB     Altera Nios II version 1 (SYSV)
# linux-powerpc64-lsb:  64-bit  LSB     64-bit PowerPC or cisco 7500 version 1 (SYSV)
# linux-powerpc64-msb:  64-bit  MSB     64-bit PowerPC or cisco 7500 version 1 (SYSV)
# linux-powerpc-lsb:    32-bit  LSB     PowerPC or cisco 4500 version 1 (SYSV)
# linux-powerpc-msb:    32-bit  MSB     PowerPC or cisco 4500 version 1 (SYSV)
# linux-riscv64-lsb:    64-bit  LSB     UCB RISC-V version 1 (SYSV)
# linux-s390x-msb:      64-bit  MSB     IBM S/390 version 1 (SYSV)
# linux-sh-lsb:         32-bit  LSB     Renesas SH version 1 (SYSV)
# linux-sh-msb:         32-bit  MSB     Renesas SH version 1 (SYSV)
# linux-sparc64-msb:    64-bit  MSB     SPARC V9 relaxed memory ordering version 1 (SYSV)
# linux-sparc-msb:      32-bit  MSB     SPARC version 1 (SYSV)
# linux-tilegx64-lsb:   64-bit  LSB     Tilera TILE-Gx version 1 (SYSV)
# linux-tilegx64-msb:   64-bit  MSB     Tilera TILE-Gx version 1 (SYSV)
# linux-tilegx-lsb:     32-bit  LSB     Tilera TILE-Gx version 1 (SYSV)
# linux-tilegx-msb:     32-bit  MSB     Tilera TILE-Gx version 1 (SYSV)
# linux-x64-lsb:            64-bit      LSB     x86-64 version 1 (SYSV)
# linux-x86-lsb:            32-bit      LSB     Intel 80386 version 1 (SYSV)
# linux-xtensa-msb:     32-bit  MSB     Tensilica Xtensa version 1 (SYSV)
# osx-x32-lsb:          32-bit  LSB Intel 80386
# osx-x64-lsb:          64-bit  LSB     x86-64

# arch = bsd-aarch64-lsb, bsd-aarch64-msb, bsd-bfin-msb, bsd-mips-lsb, bsd-mips-msb, bsd-mips64-lsb, bsd-mips64-msb, bsd-powepc-msb, bsd-powepc64-lsb, bsd-riscv64-lsb, bsd-sparc-msb, bsd-sparc64-msb, bsd-x32-lsb, bsd-x64-lsb, linux-aarch64-lsb, linux-aarch64-msb, linux-alpha-lsb, linux-am33-lsb, linux-arc-lsb, linux-arc-msb, linux-arm-lsb, linux-arm-msb, linux-avr32-lsb, linux-bfin-lsb, linux-c6x-lsb, linux-c6x-msb, linux-cris-lsb, linux-frv-msb, linux-h8300-msb, linux-hppa-msb, linux-hppa64-msb, linux-ia64-lsb, linux-m32r-msb, linux-m68k-msb, linux-microblaze-msb, linux-mips-lsb, linux-mips-msb, linux-mips64-lsb, linux-mips64-msb, linux-mn10300-lsb, linux-nios-lsb, linux-nios-msb, linux-powerpc-lsb, linux-powerpc-msb, linux-powerpc64-lsb, linux-powerpc64-msb, linux-riscv64-lsb, linux-s390x-msb, linux-sh-lsb, linux-sh-msb, linux-sparc-msb, linux-sparc64-msb, linux-tilegx-lsb, linux-tilegx-msb, linux-tilegx64-lsb, linux-tilegx64-msb, linux-x64-lsb, linux-x86-lsb, linux-xtensa-msb, osx-x32-lsb, osx-x64-lsb

# Modify the response of '/bin/uname'
# Default (uname -a): Linux <hostname> <kernel_version> <kernel_build_string> <hardware_platform> <operating system>
kernel_version = 3.2.0-4-amd64
kernel_build_string = #1 SMP Debian 3.2.68-1+deb7u1
hardware_platform = x86_64
operating_system = GNU/Linux

# SSH Version as printed by "ssh -V" in shell emulation
ssh_version = OpenSSH_7.9p1, OpenSSL 1.1.1a  20 Nov 2018


# ============================================================================
# SSH Specific Options
# ============================================================================
[ssh]

# Enable SSH support
# (default: true)
enabled = true


# Public and private SSH key files. If these don't exist, they are created
# automatically.
rsa_public_key = ${honeypot:state_path}/ssh_host_rsa_key.pub
rsa_private_key = ${honeypot:state_path}/ssh_host_rsa_key
dsa_public_key = ${honeypot:state_path}/ssh_host_dsa_key.pub
dsa_private_key = ${honeypot:state_path}/ssh_host_dsa_key
ecdsa_public_key = ${honeypot:state_path}/ssh_host_ecdsa_key.pub
ecdsa_private_key = ${honeypot:state_path}/ssh_host_ecdsa_key
ed25519_public_key = ${honeypot:state_path}/ssh_host_ed25519_key.pub
ed25519_private_key = ${honeypot:state_path}/ssh_host_ed25519_key

# Public keys supported are: ssh-rsa, ssh-dss, ecdsa-sha2-nistp256, ssh-ed25519
public_key_auth = ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519

# SSH version string as present to the client.
#
# Version string MUST start with SSH-2.0- or SSH-1.99-
#
# Use these to disguise your honeypot from a simple SSH version scan
# Examples:
# SSH-2.0-OpenSSH_5.1p1 Debian-5
# SSH-1.99-OpenSSH_4.3
# SSH-1.99-OpenSSH_4.7
# SSH-1.99-Sun_SSH_1.1
# SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1
# SSH-2.0-OpenSSH_4.3
# SSH-2.0-OpenSSH_4.6
# SSH-2.0-OpenSSH_5.1p1 Debian-5
# SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
# SSH-2.0-OpenSSH_5.5p1 Debian-6
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
# SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
# SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
# SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
# SSH-2.0-OpenSSH_5.9
#
# (default: "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2")
version = SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2

# Cipher encryption algorithms to be used.
#
# MUST be supplied as a comma-separated string without
# any spaces or newlines.
#
# Use ciphers to limit to more secure algorithms only.
# Supported ciphers:
#
# aes128-ctr
# aes192-ctr
# aes256-ctr
# aes256-cbc
# aes192-cbc
# aes128-cbc
# 3des-cbc
# blowfish-cbc
# cast128-cbc
ciphers = aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc


# MAC Algorithm to be used.
#
# MUST be supplied as a comma-separated string without
# any spaces or newlines.
#
# hmac-sha1 and hmac-md5 are considered insecure now, and
# instead MACs with higher number of bits should be used.
#
# Supported HMACs:
# hmac-sha2-512
# hmac-sha2-384
# hmac-sha2-256
# hmac-sha1
# hmac-md5
macs = hmac-sha2-512,hmac-sha2-384,hmac-sha2-256,hmac-sha1,hmac-md5


# Compression Method to be used.
#
# MUST be supplied as a comma-separated string without
# any spaces or newlines.
#
# Supported Compression Methods:
# zlib@openssh.com
# zlib
# none
compression = zlib@openssh.com,zlib,none

# Endpoint to listen on for incoming SSH connections.
# See https://twistedmatrix.com/documents/current/core/howto/endpoints.html#servers
# (default: listen_endpoints = tcp:2222:interface=0.0.0.0)
# (use systemd: endpoint for systemd activation)
# listen_endpoints = systemd:domain=INET:index=0
# For both IPv4 and IPv6: listen_endpoints = tcp6:2222:interface=\:\:
# Listening on multiple endpoints is supported with a single space separator
# e.g listen_endpoints = "tcp:2222:interface=0.0.0.0 tcp:1022:interface=0.0.0.0" will result listening both on ports 2222 and 1022
# use authbind for port numbers under 1024

listen_endpoints = tcp:22:interface=0.0.0.0

# Enable the SFTP subsystem
# (default: true)
sftp_enabled = true


# Enable SSH direct-tcpip forwarding
# (default: true)
forwarding = true


# This enables redirecting forwarding requests to another address
# Useful for forwarding protocols to other honeypots
# (default: false)
forward_redirect = false


# Configure where to forward the data to.
# forward_redirect_<portnumber> = <redirect ip>:<redirect port>

# Redirect http/https
# forward_redirect_80 = 127.0.0.1:8000
# forward_redirect_443 = 127.0.0.1:8443

# To record SMTP traffic, install an SMTP honeypot.
# (e.g https://github.com/awhitehatter/mailoney), run
# python mailoney.py -s yahoo.com -t schizo_open_relay -p 12525
# forward_redirect_25 = 127.0.0.1:12525
# forward_redirect_587 = 127.0.0.1:12525


# This enables tunneling forwarding requests to another address
# Useful for forwarding protocols to a proxy like Squid
# (default: false)
forward_tunnel = false


# Configure where to tunnel the data to.
# forward_tunnel_<portnumber> = <tunnel ip>:<tunnel port>

# Tunnel http/https
# forward_tunnel_80 = 127.0.0.1:3128
# forward_tunnel_443 = 127.0.0.1:3128


# No authentication checking at all
# enabling 'auth_none' will enable the ssh2 'auth_none' authentication method
# this allows the requested user in without any verification at all
#
# (default: false)
#auth_none_enabled = false


# Configure keyboard-interactive login
auth_keyboard_interactive_enabled = false

# ============================================================================
# Telnet Specific Options
# ============================================================================
[telnet]

# Enable Telnet support, disabled by default (enable, careful of the earlier telnet options may need
# editing)
enabled = true

# Endpoint to listen on for incoming Telnet connections.
# See https://twistedmatrix.com/documents/current/core/howto/endpoints.html#servers
# (default: listen_endpoints = tcp:2223:interface=0.0.0.0)
# (use systemd: endpoint for systemd activation)
# listen_endpoints = systemd:domain=INET:index=0
# For IPv4 and IPv6: listen_endpoints = tcp6:2223:interface=\:\: tcp:2223:interface=0.0.0.0
# Listening on multiple endpoints is supported with a single space separator
# e.g. "listen_endpoints = tcp:2223:interface=0.0.0.0 tcp:2323:interface=0.0.0.0" will result in listening on both ports 2223 and 2323
# use authbind for port numbers under 1024

listen_endpoints = tcp:23:interface=0.0.0.0


# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie)
# reported_port = 23



# ============================================================================
# Database logging Specific Options
# ============================================================================

# XMPP Logging
# Log to an xmpp server.
#
#[database_xmpp]
#server = sensors.carnivore.it
#user = anonymous@sensors.carnivore.it
#password = anonymous
#muc = dionaea.sensors.carnivore.it
#signal_createsession = cowrie-events
#signal_connectionlost = cowrie-events
#signal_loginfailed = cowrie-events
#signal_loginsucceeded = cowrie-events
#signal_command = cowrie-events
#signal_clientversion = cowrie-events
#debug=true




# ============================================================================
# Output Plugins
# These provide an extensible mechanism to send audit log entries to third
# parties. The audit entries contain information on clients connecting to
# the honeypot.
#
# Output entries need to start with 'output_' and have the 'enabled' entry.
# ============================================================================

[output_xmpp]
enabled=false
server = conference.cowrie.local
user = cowrie@cowrie.local
password = cowrie
muc = hacker_room

# JSON based logging module
#
[output_jsonlog]
enabled = true
logfile = ${honeypot:log_path}/cowrie.json
epoch_timestamp = false

# Supports logging to Elasticsearch
# This is a simple early release
#
[output_elasticsearch]
enabled = false
host = localhost
port = 9200
index = cowrie
# type has been deprecated since ES 6.0.0
# use _doc which is the default type. See
# https://stackoverflow.com/a/53688626 for
# more information
#type = _doc
# set pipeline = geoip to map src_ip to
# geo location data. You can use a custom
# pipeline but you must ensure it exists
# in elasticsearch.
#pipeline = geoip
#
# Authentication. When x-pack.security is enabled
# in ES, default users have been created and requests
# must be authenticated.
#
# Credentials
#username = elastic
#password =
#
# TLS encryption. Communications between the client (cowrie)
# and the ES server should naturally be protected by encryption
# if requests are authenticated (to prevent from man-in-the-middle
# attacks). The following options are then paramount
# if username and password are provided.
#
# use ssl/tls
#ssl = true
# Path to trusted CA certs on disk
#ca_certs = /cowrie/cowrie-git/etc/elastic_ca.crt
# verify SSL certificates
#verify_certs = true

# Send login attempt information to SANS DShield
# See https://isc.sans.edu/ssh.html
# You must signup for an api key.
# Once registered, find your details at: https://isc.sans.edu/myaccount.html
#
[output_dshield]
enabled = false
userid = userid_here
auth_key = auth_key_here
batch_size = 100
#
# Graylog logging module for GELF http input
[output_graylog]
enabled = false
url = http://graylog.example.com:122011/gelf
#
# Local Syslog output module
#
# This sends log messages to the local syslog daemon.
# Facility can be:
# KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, SYSLOG and LOCAL0 to LOCAL7.
#
# Format can be:
# text, cef
#
[output_localsyslog]
enabled = false
facility = USER
format = text


# Text output
# This writes audit log entries to a text file
#
# Format can be:
# text, cef
#
[output_textlog]
enabled = false
logfile = ${honeypot:log_path}/audit.log
format = text


# MySQL logging module
# Database structure for this module is supplied in docs/sql/mysql.sql
#
# MySQL logging requires extra software: sudo apt-get install libmysqlclient-dev
# MySQL logging requires an extra Python module: pip install mysql-python
#
[output_mysql]
enabled = false
host = localhost
database = cowrie
username = cowrie
password = secret
port = 3306
debug = false

# Rethinkdb output module
# Rethinkdb output module requires extra Python module: pip install rethinkdb

[output_rethinkdblog]
enabled = false
host = 127.0.0.1
port = 28015
table = output
password =
db = cowrie

# SQLite3 logging module
#
# Logging to SQLite3 database. To init the database, use the script
# docs/sql/sqlite3.sql:
#     sqlite3 <db_file> < docs/sql/sqlite3.sql
#
[output_sqlite]
enabled = false
db_file = cowrie.db

# MongoDB logging module
#
# MongoDB logging requires an extra Python module: pip install pymongo
#
[output_mongodb]
enabled = false
connection_string = mongodb://username:password@host:port/database
database = dbname


# Splunk HTTP Event Collector (HEC) output module
# sends JSON directly to Splunk over HTTP or HTTPS
# Use 'https' if your HEC is encrypted, else 'http'
# mandatory fields: url, token
# optional fields: index, source, sourcetype, host
#
[output_splunk]
enabled = false
url = https://localhost:8088/services/collector/event
token = 6A0EA6C6-8006-4E39-FC44-C35FF6E561A8
index = cowrie
sourcetype = cowrie
source = cowrie


# HPFeeds3
# Python3 implementation of HPFeeds
[output_hpfeeds3]
enabled = false
server = hpfeeds.mysite.org
port = 10000
identifier = abc123
secret = secret
debug=false


# VirusTotal output module
# You must signup for an api key.
#
[output_virustotal]
enabled = false
api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
upload = True
debug = False
scan_file = True
scan_url = False


# Cuckoo output module
[output_cuckoo]
enabled = false
# no slash at the end
url_base = http://127.0.0.1:8090
user = user
passwd = passwd
# force will upload duplicated files to cuckoo
force = 0

# upload to MalShare
# Register at https://malshare.com/register.php to get your API key
[output_malshare]
api_key = 130928309823098
enabled = false

# This will produce a _lot_ of messages - you have been warned....
[output_slack]
enabled = false
channel = channel_that_events_should_be_posted_in
token = slack_token_for_your_bot
debug = false


# https://csirtg.io
# You must signup for an api key.
#
[output_csirtg]
enabled = false
username = wes
feed = scanners
description = random scanning activity
token = a1b2c3d4
debug = false


[output_socketlog]
enabled = false
address = 127.0.0.1:9000
timeout = 5

# Upload files that cowrie has captured to an S3 (or compatible bucket)
# Files are stored with a name that is the SHA of their contents
#
[output_s3]
enabled = false
#
# The AWS credentials to use.
# Leave these blank to use botocore's credential discovery e.g .aws/config or ENV variables.
# As per https://github.com/boto/botocore/blob/develop/botocore/credentials.py#L50-L65
access_key_id = AKIDEXAMPLE
secret_access_key = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY
#
# The bucket to store the files in. The bucket must already exist.
bucket = my-cowrie-bucket
#
# The region the bucket is in
region = eu-west-1
#
# An alternate endpoint URL. If you self host a pithos instance you can set
# this to its URL (e.g. https://s3.mydomain.com) - can otherwise be blank
#endpoint =
#
# Whether or not to validate the S3 certificate. Set this to 'no' to turn this
# off. Do not do this for real AWS. It's only needed for self-hosted S3 clone
# where you don't yet have real certificates.
#verify = no

[output_influx]
enabled = false
host = 127.0.0.1
port = 8086
database_name = cowrie
retention_policy_duration = 12w

[output_kafka]
enabled = false
host = 127.0.0.1
port = 9092
topic = cowrie


[output_redis]
enabled = false
host = 127.0.0.1
port = 6379
# DB of the redis server. Defaults to 0
db = 0
# Password of the redis server. Defaults to None
# password = secret
# Name of the list to push to or the channel to publish to. Required
keyname = cowrie
# Method to use when sending data to redis.
# Can be one of [lpush, rpush, publish]. Defaults to lpush
send_method = lpush


# Perform Reverse DNS lookup
[output_reversedns]
enabled = false
# Timeout in seconds
timeout = 3

[output_greynoise]
enabled = false
debug = false
# Name of the tags separated by comma, for which the IP has to be scanned for.
# Example "SHODAN,JBOSS_WORM,CPANEL_SCANNER_LOW"
# If there isn't any specific tag then just leave it "all"
tags = all
# It's optional to have API key, so if you don't want to but
# API key then leave this option commented
#api_key = 1234567890

# Upload all files to a MISP instance of your liking.
# The API key can be found under Event Actions -> Automation
[output_misp]
enabled = false
base_url = https://misp.somedomain.com
api_key = secret_key
verify_cert = true
publish_event = true
debug = false

# Send message using Telegram bot
# 1. Create a bot following https://core.telegram.org/bots#6-botfather to get token.
# 2. Send message to your bot, then use https://api.telegram.org/bot{bot_token}/getUpdates to find chat_id.
# N.b. bot will only send messages on cowrie.login.success, cowrie.command.input/.failed, and
# cowrie.session.file_download, to prevent spam.
[output_telegram]
enabled = false
bot_token = 123456789:AbCDEfGhiJkLmnOpQRstUVWxYZ
chat_id = 987654321

# The crashreporter sends data on Python exceptions to api.cowrie.org
# To disable set `enabled = false` in cowrie.cfg
[output_crashreporter]
enabled = false
debug = false

# Reports login attempts to AbuseIPDB. A short guide is in the original
# pull request on GitHub: https://github.com/cowrie/cowrie/pull/1346
[output_abuseipdb]
enabled = false
#api_key =
#rereport_after = 24
#tolerance_window is in minutes
#tolerance_window = 120
#tolerance_attempts = 10
# WARNING: A binary file is read from this directory on start-up. Do not
# change unless you understand the security implications!
#dump_path = ${honeypot:state_path}/abuseipdb

# Report login and session tracking attempts via the ThreatJammer.com Report API.
# ThreatJammer.com is a risk assessment tool <https://threatjammer.com>
# Read the docs for more information: https://cowrie.readthedocs.io/en/latest/threatjammer/README.html
[output_threatjammer]
enabled = false
bearer_token = THREATJAMMER_API_TOKEN
#api_url=https://dublin.report.threatjammer.com/v1/ip
#track_login = true
#track_session = false
#ttl = 86400
#category = ABUSE
#tags = COWRIE,LOGIN,SESSION

# Send output to a Discord webhook
[output_discord]
enabled = false
url = https://discord.com/api/webhooks/id/token

# Datadog output module
# sends JSON directly to Datadog
# mandatory field: api_key
# optional fields (fallback configured in module): ddsource, ddtags, service
# For more information on fields https://docs.datadoghq.com/api/latest/logs/#send-logs
[output_datadog]
enabled = false
url = https://http-intake.logs.datadoghq.com/api/v2/logs
api_key = abcdef1234567890fedcba0987654321
ddsource = cowrie
ddtags = env:dev
service = honeypot

Extract from Logs

2023-08-03T07:29:30.775666Z [-] Guest cowrie-ubuntu18.04_3946a4ca6cc34540a830cd631405f3d7 has booted
2023-08-03T07:29:32.500061Z [-] Guest cowrie-ubuntu18.04_faf173ce56604f1690619c929cc14ffe has booted
2023-08-03T07:29:34.343394Z [-] Guest cowrie-ubuntu18.04_8c831da004774a6eba7b414a8cb130dd has booted
2023-08-03T07:31:28.430315Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: 218.92.0.112:36113 (138.68.130.131:22) [session: 7ce5668617ed]
2023-08-03T07:31:28.432094Z [Uninitialized] Connected to backend pool
2023-08-03T07:31:28.432379Z [backend_pool.pool_server.PoolServerFactory] Received connection from 127.0.0.1:50430
2023-08-03T07:31:28.432859Z [PoolServer,866,127.0.0.1] Requesting a VM for attacker @ 218.92.0.112
2023-08-03T07:31:28.433031Z [PoolServer,866,127.0.0.1] No VM available, returning error code
2023-08-03T07:31:28.433341Z [PoolClient,client] Error in pool while requesting guest. Losing connection...
2023-08-03T07:31:28.433548Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#info] Disconnecting with error, code 10
        reason: b'user closed connection'
2023-08-03T07:31:28.433836Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#info] connection lost
2023-08-03T07:31:28.434033Z [FrontendSSHTransport,335,218.92.0.112] Unhandled Error
        Traceback (most recent call last):
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/application/app.py", line 304, in runReactorWithLogging
            reactor.run()
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/internet/base.py", line 1318, in run
            self.mainLoop()
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/internet/base.py", line 1331, in mainLoop
            reactorBaseSelf.doIteration(t)
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/internet/epollreactor.py", line 244, in doPoll
            log.callWithLogger(selectable, _drdw, selectable, fd, event)
        --- <exception caught here> ---
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/python/log.py", line 96, in callWithLogger
            return callWithContext({"system": lp}, func, *args, **kw)
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/python/log.py", line 80, in callWithContext
            return context.call({ILogContext: newCtx}, func, *args, **kw)
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/python/context.py", line 117, in callWithContext
            return self.currentContext().callWithContext(ctx, func, *args, **kw)
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/python/context.py", line 82, in callWithContext
            return func(*args, **kw)
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/internet/posixbase.py", line 500, in _doReadOrWrite
            self._disconnectSelectable(selectable, why, inRead)
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/internet/posixbase.py", line 104, in _disconnectSelectable
            selectable.connectionLost(f)
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/internet/tcp.py", line 326, in connectionLost
            protocol.connectionLost(reason)
          File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/server_transport.py", line 368, in connectionLost
            if self.sshParse.client and self.sshParse.client.transport:
        builtins.AttributeError: 'SSH' object has no attribute 'client'
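A triage helper for the log pattern in the extract above, added here as an example (it is not part of the original comment or of Cowrie's code). It pairs each `No VM available` line with the attacker IP and session it affected and reports how many guests had already booted; the sample log is constructed in the same format with documentation IP addresses, and `find_pool_rejections` is a hypothetical name.

```python
import re
from datetime import datetime

# Constructed sample in the format of the log extract above (documentation IPs).
SAMPLE_LOG = """\
2023-08-03T07:29:30.775666Z [-] Guest cowrie-ubuntu18.04_aaaa0001 has booted
2023-08-03T07:29:32.500061Z [-] Guest cowrie-ubuntu18.04_aaaa0002 has booted
2023-08-03T07:31:28.430315Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: 203.0.113.7:36113 (198.51.100.10:22) [session: 7ce5668617ed]
2023-08-03T07:31:28.432859Z [PoolServer,866,127.0.0.1] Requesting a VM for attacker @ 203.0.113.7
2023-08-03T07:31:28.433031Z [PoolServer,866,127.0.0.1] No VM available, returning error code
2023-08-03T07:31:28.434033Z [FrontendSSHTransport,335,203.0.113.7] Unhandled Error
        Traceback (most recent call last):
        builtins.AttributeError: 'SSH' object has no attribute 'client'
"""

LINE = re.compile(r"^(\S+Z) \[([^\]]*)\] (.*)$")
NEW_CONN = re.compile(r"New connection: ([\d.]+):\d+ \(\S+\) \[session: (\w+)\]")
REQUEST = re.compile(r"Requesting a VM for attacker @ ([\d.]+)")
BOOTED = re.compile(r"Guest (\S+) has booted")


def find_pool_rejections(log_text):
    """Return one record per attacker connection the pool refused for lack of a VM."""
    sessions = {}       # source IP -> most recent session id
    booted = []         # timestamps of "has booted" messages seen so far
    pending_ip = None   # IP named in the latest "Requesting a VM" line
    rejections = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:       # indented traceback/continuation lines do not match
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ")
        msg = m.group(3)
        if BOOTED.search(msg):
            booted.append(ts)
        elif (c := NEW_CONN.search(msg)):
            sessions[c.group(1)] = c.group(2)
        elif (r := REQUEST.search(msg)):
            pending_ip = r.group(1)
        elif msg.startswith("No VM available") and pending_ip:
            rejections.append({
                "src_ip": pending_ip,
                "session": sessions.get(pending_ip),
                "guests_booted_before": len(booted),
                "secs_since_last_boot": (ts - booted[-1]).total_seconds() if booted else None,
            })
            pending_ip = None
    return rejections


if __name__ == "__main__":
    for rec in find_pool_rejections(SAMPLE_LOG):
        print(rec)
```

A rejection with a non-zero `guests_booted_before` means guests had booted yet the pool still had none to hand out, which is the situation in the extract.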

@ralsei38

An actual nightmare, same problem, cannot figure it out.
