cowrie/etc/cowrie.cfg.dist

# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# cowrie.cfg
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.

# ============================================================================
# General Cowrie Options
# ============================================================================
[honeypot]

# Sensor name is used to identify this Cowrie instance. Used by the database
# logging modules such as mysql.
#
# If not specified, the logging modules will instead use the IP address of the
# server as the sensor name.
#
# (default: not specified)
#sensor_name=myhostname

# Hostname for the honeypot. Displayed by the shell prompt of the virtual
# environment
#
# (default: svr04)
hostname = svr04


# Directory where to save log files in.
#
# (default: log)
log_path = var/log/cowrie


# Directory where to save downloaded artifacts in.
#
# (default: downloads)
download_path = ${honeypot:state_path}/downloads


# Directory for static data files
#
# (default: src/cowrie/cowrie)
data_path = src/cowrie/data


# Directory for variable state files
#
# (default: var/lib/cowrie)
state_path = var/lib/cowrie


# Directory for config files
#
# (default: etc)
etc_path = etc


# Directory where virtual file contents are kept in.
#
# This is only used by commands like 'cat' to display the contents of files.
# Adding files here is not enough for them to appear in the honeypot - the
# actual virtual filesystem is kept in filesystem_file (see below)
#
# (default: honeyfs)
contents_path = honeyfs


# Directory for creating simple commands that only output text.
#
# The command must be placed under this directory with the proper path, such
# as:
#   txtcmds/usr/bin/vi
# The contents of the file will be the output of the command when run inside
# the honeypot.
#
# In addition to this, the file must exist in the virtual filesystem
#
# (default: txtcmds)
txtcmds_path = txtcmds


# Maximum file size (in bytes) for downloaded files to be stored in 'download_path'.
# A value of 0 means no limit. If the file size is known to be too big from the start,
# the file will not be stored on disk at all.
#
# (default: 0)
#download_limit_size = 10485760

# TTY logging will log a transcript of the complete terminal interaction in UML
# compatible format.
# (default: true)
ttylog = true

# Default directory for TTY logs.
# (default: ttylog_path = %(state_path)s/tty)
ttylog_path = ${honeypot:state_path}/tty

# Interactive timeout determines when logged in sessions are
# terminated for being idle. In seconds.
# (default: 180)
interactive_timeout = 180

# Authentication Timeout
# The server disconnects after this time if the user has not successfully logged in.
# The default is 120 seconds.
authentication_timeout = 120

# EXPERIMENTAL: back-end to user for Cowrie, options: proxy or shell
# (default: shell)
backend = shell

# Logging Type
# Valid options are `rotating` and `plain`.
# Without a config file, the default is `plain`.
#
# Use `rotating` and Cowrie will log to `cowrie.log` and at midnight
# rotate to `cowrie.log-<year>-<month>-<date>.log` and continue writing
# to (a new) `cowrie.log`.
# `plain` will write to `cowrie.log` and will not rotate. Use `plain`
# if you want to use external log rotation solutions like `logrotate`
logtype = rotating

# Timezone Cowrie uses for logging
# This can be any valid timezone for the TZ environment variable
# The special value `system` will let Cowrie use the system time zone
# `system` is not recommended because you will need to deal with daylight
# savings time and other special cases yourself when analysing the logs.
timezone = UTC

# Custom prompt
# By default, Cowrie creates a shell prompt like: root@svr03:~#
# If you want something totally custom, uncomment the option below and set your prompt
# Beware that the path won't be included in your prompt any longer
# prompt = hello>


# ============================================================================
# Network Specific Options
# ============================================================================


# IP address to bind to when opening outgoing connections. Used by wget and
# curl commands.
#
# (default: not specified)
#out_addr = 0.0.0.0


# Fake address displayed as the address of the incoming connection.
# This doesn't affect logging, and is only used by honeypot commands such as
# 'w' and 'last'
#
# If not specified, the actual IP address is displayed instead (default
# behaviour).
#
# (default: not specified)
#fake_addr = 192.168.66.254


# The IP address on which this machine is reachable on from the internet.
# Useful if you use portforwarding or other mechanisms. If empty, Cowrie
# will determine by itself. Used in 'netstat' output
#
#internet_facing_ip = 9.9.9.9



# ============================================================================
# Authentication Specific Options
# ============================================================================


# Class that implements the checklogin() method.
#
# Class must be defined in cowrie/core/auth.py
# Default is the 'UserDB' class which uses the password database.
#
# Alternatively the 'AuthRandom' class can be used, which will let
# a user login after a random number of attempts.
# It will also cache username/password combinations that allow login.
#
auth_class = UserDB

# When AuthRandom is used also set the
#  auth_class_parameters: <min try>, <max try>, <maxcache>
#  for example: 2, 5, 10 = allows access after randint(2,5) attempts
#  and cache 10 combinations.
#
#auth_class = AuthRandom
#auth_class_parameters = 2, 5, 10


[backend_pool]
# ============================================================================
# Backend Pool Configurations
# only used on the cowrie instance that runs the pool
# ============================================================================

# enable this to solely run the pool, regardless of other configurations (disables SSH and Telnet)
pool_only = false

# time between full VM recycling (cleans older VMs and boots newer ones) - involves some downtime between cycles
# -1 to disable in seconds
recycle_period = 1500

# change interface below to allow connections from outside (e.g. remote pool)
listen_endpoints = tcp:6415:interface=127.0.0.1

# guest snapshots
save_snapshots = false
snapshot_path = ${honeypot:state_path}/snapshots

# pool xml configs
config_files_path = ${honeypot:data_path}/pool_configs

network_config = default_network.xml
nw_filter_config = default_filter.xml

# libvirt URI, common settings are qemu:///system or qemu:///session
libvirt_uri = qemu:///system
# Use this syntax to directly connect to the UNIX socket
# libvirt_uri = qemu+unix:///session?socket=/home/cowrie/.cache/libvirt/libvirt-sock

# =====================================
# Guest details (for a generic x86-64 guest, like Ubuntu)
#
# Used to provide configuration details to save snapshots, identify
# running guests, and provide other details to Cowrie.
#   - SSH and Telnet ports: which ports are listening for these services in the guest OS;
#     if you're not using one of them omit the config or set to 0
#   - Guest private key: used by the pool to control the guest's state via SSH; guest must
#     have the corresponding pubkey in root's authorized_keys (not implemented)
# =====================================
guest_config = default_guest.xml
guest_privkey = ${honeypot:state_path}/ubuntu18.04-guest
guest_tag = ubuntu18.04
guest_ssh_port = 22
guest_telnet_port = 23

# Configs below are used on default XMLs provided.
# If you provide your own XML in guest_config you don't need these configs.
#
# Guest hypervisor can be qemu or kvm, for example. Recent hardware has KVM,
# which is more performant than the qemu software-based emulation. Guest arch
# must match your machine's. If it's older or you're unsure, set it to 'qemu'.
#
# Memory size is in MB.
#
# Advanced: guest_qemu_machine defines which machine Qemu emulates for your VM
# If you get a "unsupported machine type" exception when VMs are loading, change
# it to a compatible machine listed by the command: 'qemu-system-x86_64 -machine help'
guest_image_path = /home/cowrie/cowrie-imgs/ubuntu18.04-minimal.qcow2
guest_hypervisor = kvm
guest_memory = 512
guest_qemu_machine = pc-q35-bionic

# =====================================
# Guest details (for OpenWRT with ARM architecture)
#
# Used to provide configuration details to save snapshots, identify running guests,
# and provide other details to Cowrie.
# =====================================
#guest_config = wrt_arm_guest.xml
#guest_tag = wrt
#guest_ssh_port = 22
#guest_telnet_port = 23

# Configs below are used on default XMLs provided.
# If you provide your own XML in guest_config you don't need these configs.
#
# Guest hypervisor can be qemu or kvm, for example. Recent hardware has KVM,
# which is more performant than the qemu software-based emulation. Guest arch
# must match your machine's.
#
# Memory size is in MB.
#
# Advanced: guest_qemu_machine defines which machine Qemu emulates for your VM
# If you get a "unsupported machine type" exception when VMs are loading, change
# it to a compatible machine listed by the command: 'qemu-system-arm -machine help'
#guest_image_path = /home/cowrie/cowrie-imgs/root.qcow2
#guest_hypervisor = qemu
#guest_memory = 256
#guest_kernel_image = /home/cowrie/cowrie-imgs/zImage
#guest_qemu_machine = virt-2.9

# =====================================
# Other configs
# =====================================
# Use NAT (for remote pool)
#
# Guests exist in a local interface created by libvirt; NAT functionality creates a port in the host,
# exposed to a public interface, and forwards TCP data to and from the libvirt private interface.
# Cowrie's proxy receives the public information instead of the local IP of guests.
use_nat = true
nat_public_ip = 192.168.1.40


# ============================================================================
# Proxy Options
# ============================================================================
[proxy]

# type of backend:
#   - simple: backend machine deployed by you (CAREFUL WITH SECURITY ASPECTS!!), specify hosts and ports below
#   - pool: cowrie-managed pool of virtual machines, configure below
backend = pool

# =====================================
# Simple Backend Configuration
# =====================================
backend_ssh_host = localhost
backend_ssh_port = 2022

backend_telnet_host = localhost
backend_telnet_port = 2023

# =====================================
# Pool Backend Configuration
# =====================================

# generic pool configurable settings
pool_max_vms = 5
pool_vm_unused_timeout = 600

# allow sharing guests between different attackers if no new VMs are available
pool_share_guests = true

# Where to deploy the backend pool (only if backend = pool)
#   - "local": same machine as the proxy
#   - "remote": set host and port of the pool below
pool = local

# Remote pool configurations (used with pool=remote)
pool_host = 192.168.1.40
pool_port = 6415

# =====================================
# Proxy Configurations
# =====================================

# real credentials to log into backend
backend_user = root
backend_pass = root

# Telnet prompt detection
#
# To detect authentication prompts (and spoof auth details to the ones the backend accepts) we need to capture
# login and password prompts, and spoof data to the backend in order to successfully authenticate. If disabled,
# attackers can only use the real user credentials of the backend.
telnet_spoof_authentication = true

# These regex were made using Ubuntu 18.04; you have to adapt these for the prompts
# from your backend. You can enable raw logging above to analyse data passing through
# and identify the format of the prompts you need.
# You should generally include ".*" at the beginning and end of prompts, since Telnet messages can contain
# more data than the prompt.

# For login it is usually <hostname> login:
telnet_username_prompt_regex = (\n|^)ubuntu login: .*

# Password prompt is usually only the word Password
telnet_password_prompt_regex = .*Password: .*

# This data is sent by clients at the beginning of negotiation (before the password prompt), and contains the username
# that is trying to log in. We replace that username with the one in "backend_user" to allow the chance of a successful
# login after the first password prompt. We are only able to check if credentials are allowed after the password is
# inserted. If they are, then a correct username was already sent and authentication succeeds; if not, we send a fake
# password to force authentication to fail.
telnet_username_in_negotiation_regex = (.*\xff\xfa.*USER\x01)(.*?)(\xff.*)

# Other configs #
# log raw TCP packets in SSh and Telnet
log_raw = false


# ============================================================================
# Shell Options
# Options around Cowrie's Shell Emulation
# ============================================================================

[shell]

# File in the Python pickle format containing the virtual filesystem.
#
# This includes the filenames, paths, permissions for the Cowrie filesystem,
# but not the file contents. This is created by the bin/createfs utility from
# a real template linux installation.
#
# (default: fs.pickle)
filesystem = ${honeypot:data_path}/fs.pickle


# File that contains output for the `ps` command.
#
# (default: ${honeypot_data_path}/cmdoutput.json)
processes = ${honeypot:data_path}/cmdoutput.json


# Fake architectures/OS
# When Cowrie receive a command like /bin/cat XXXX (where XXXX is an executable)
# it replies with the content of a dummy executable (located in data_path/arch)
# compiled for an architecture/OS/endian_mode
# arch can be a comma separated list. When there are multiple elements, a random
# is chosen at login time.
# (default: linux-x64-lsb)

arch = linux-x64-lsb

# Here the list of supported OS-ARCH-ENDIANESS executables
# bsd-aarch64-lsb:	    64-bit	LSB	ARM aarch64 version 1 (SYSV)
# bsd-aarch64-msb:	    64-bit	MSB	ARM aarch64 version 1 (SYSV)
# bsd-bfin-msb:		    32-bit	MSB	Analog Devices Blackfin	version	1 (SYSV)
# bsd-mips64-lsb:		64-bit	LSB	MIPS MIPS-III version 1	(SYSV)
# bsd-mips64-msb:		64-bit	MSB	MIPS MIPS-III version 1	(SYSV)
# bsd-mips-lsb:		    32-bit	LSB	MIPS MIPS-I version 1 (FreeBSD)
# bsd-mips-msb:		    32-bit	MSB	MIPS MIPS-I version 1 (FreeBSD)
# bsd-powepc64-lsb:	    64-bit	MSB	64-bit PowerPC or cisco	7500 version 1 (FreeBSD)
# bsd-powepc-msb:		32-bit	MSB	PowerPC	or cisco 4500 version 1	(FreeBSD)
# bsd-riscv64-lsb:	    64-bit	LSB	UCB RISC-V version 1 (SYSV)
# bsd-sparc64-msb:	    64-bit	MSB	SPARC V9 relaxed memory	ordering version 1 (FreeBSD)
# bsd-sparc-msb:		32-bit	MSB	SPARC version 1	(SYSV) statically
# bsd-x32-lsb:		    32-bit	LSB	Intel 80386 version 1 (FreeBSD)
# bsd-x64-lsb:		    64-bit	LSB	x86-64 version 1 (FreeBSD)
# linux-aarch64-lsb:	64-bit	LSB	ARM aarch64 version 1 (SYSV)
# linux-aarch64-msb:	64-bit	MSB	ARM aarch64 version 1 (SYSV)
# linux-alpha-lsb:	    64-bit	LSB	Alpha (unofficial) version 1 (SYSV)
# linux-am33-lsb:		32-bit	LSB	Matsushita MN10300 version 1 (SYSV)
# linux-arc-lsb:		32-bit	LSB	ARC Cores Tangent-A5 version 1 (SYSV)
# linux-arc-msb:		32-bit	MSB	ARC Cores Tangent-A5 version 1 (SYSV)
# linux-arm-lsb:		32-bit	LSB	ARM EABI5 version 1 (SYSV)
# linux-arm-msb:		32-bit	MSB	ARM EABI5 version 1 (SYSV)
# linux-avr32-lsb:	    32-bit	LSB	Atmel AVR 8-bit	version 1 (SYSV)
# linux-bfin-lsb:		32-bit	LSB	Analog Devices Blackfin version	1 (SYSV)
# linux-c6x-lsb:		32-bit	LSB	TI TMS320C6000 DSP family version 1
# linux-c6x-msb:		32-bit	MSB	TI TMS320C6000 DSP family version 1
# linux-cris-lsb:		32-bit	LSB	Axis cris version 1 (SYSV)
# linux-frv-msb:		32-bit	MSB	Cygnus FRV (unofficial) version	1 (SYSV)
# linux-h8300-msb:	    32-bit	MSB	Renesas	H8/300 version 1 (SYSV)
# linux-hppa64-msb:	    64-bit	MSB	PA-RISC	02.00.00 (LP64) version	1
# linux-hppa-msb:		32-bit	MSB	PA-RISC	*unknown arch 0xf* version 1 (GNU/Linux)
# linux-ia64-lsb:		64-bit	LSB	IA-64 version 1	(SYSV)
# linux-m32r-msb:		32-bit	MSB	Renesas	M32R version 1 (SYSV)
# linux-m68k-msb:		32-bit	MSB	Motorola m68k 68020 version 1 (SYSV)
# linux-microblaze-msb:	32-bit	MSB	Xilinx MicroBlaze 32-bit RISC version 1	(SYSV)
# linux-mips64-lsb:	    64-bit	LSB	MIPS MIPS-III version 1	(SYSV)
# linux-mips64-msb:	    64-bit	MSB	MIPS MIPS-III version 1	(SYSV)
# linux-mips-lsb:		32-bit	LSB	MIPS MIPS-I version 1 (SYSV)
# linux-mips-msb:		32-bit	MSB	MIPS MIPS-I version 1 (SYSV)
# linux-mn10300-lsb:	32-bit	LSB	Matsushita MN10300 version 1 (SYSV)
# linux-nios-lsb:		32-bit	LSB	Altera Nios II version 1 (SYSV)
# linux-nios-msb:		32-bit	MSB	Altera Nios II version 1 (SYSV)
# linux-powerpc64-lsb:	64-bit	LSB	64-bit PowerPC or cisco	7500 version 1 (SYSV)
# linux-powerpc64-msb:	64-bit	MSB	64-bit PowerPC or cisco	7500 version 1 (SYSV)
# linux-powerpc-lsb:	32-bit	LSB	PowerPC	or cisco 4500 version 1 (SYSV)
# linux-powerpc-msb:	32-bit	MSB	PowerPC	or cisco 4500 version 1 (SYSV)
# linux-riscv64-lsb:  	64-bit	LSB	UCB RISC-V version 1 (SYSV)
# linux-s390x-msb:    	64-bit	MSB	IBM S/390 version 1 (SYSV)
# linux-sh-lsb:	    	32-bit	LSB	Renesas	SH version 1 (SYSV)
# linux-sh-msb:	    	32-bit	MSB	Renesas	SH version 1 (SYSV)
# linux-sparc64-msb:  	64-bit	MSB	SPARC V9 relaxed memory	ordering version 1 (SYSV)
# linux-sparc-msb:    	32-bit	MSB	SPARC version 1	(SYSV)
# linux-tilegx64-lsb:	64-bit	LSB	Tilera TILE-Gx version 1 (SYSV)
# linux-tilegx64-msb: 	64-bit	MSB	Tilera TILE-Gx version 1 (SYSV)
# linux-tilegx-lsb:   	32-bit	LSB	Tilera TILE-Gx version 1 (SYSV)
# linux-tilegx-msb:   	32-bit	MSB	Tilera TILE-Gx version 1 (SYSV)
# linux-x64-lsb:	    64-bit	LSB	x86-64 version 1 (SYSV)
# linux-x86-lsb:	    32-bit	LSB	Intel 80386 version 1 (SYSV)
# linux-xtensa-msb:   	32-bit	MSB	Tensilica Xtensa version 1 (SYSV)
# osx-x32-lsb:	    	32-bit	LSB Intel 80386
# osx-x64-lsb:	    	64-bit	LSB	x86-64

# arch = bsd-aarch64-lsb, bsd-aarch64-msb, bsd-bfin-msb, bsd-mips-lsb, bsd-mips-msb, bsd-mips64-lsb, bsd-mips64-msb, bsd-powepc-msb, bsd-powepc64-lsb, bsd-riscv64-lsb, bsd-sparc-msb, bsd-sparc64-msb, bsd-x32-lsb, bsd-x64-lsb, linux-aarch64-lsb, linux-aarch64-msb, linux-alpha-lsb, linux-am33-lsb, linux-arc-lsb, linux-arc-msb, linux-arm-lsb, linux-arm-msb, linux-avr32-lsb, linux-bfin-lsb, linux-c6x-lsb, linux-c6x-msb, linux-cris-lsb, linux-frv-msb, linux-h8300-msb, linux-hppa-msb, linux-hppa64-msb, linux-ia64-lsb, linux-m32r-msb, linux-m68k-msb, linux-microblaze-msb, linux-mips-lsb, linux-mips-msb, linux-mips64-lsb, linux-mips64-msb, linux-mn10300-lsb, linux-nios-lsb, linux-nios-msb, linux-powerpc-lsb, linux-powerpc-msb, linux-powerpc64-lsb, linux-powerpc64-msb, linux-riscv64-lsb, linux-s390x-msb, linux-sh-lsb, linux-sh-msb, linux-sparc-msb, linux-sparc64-msb, linux-tilegx-lsb, linux-tilegx-msb, linux-tilegx64-lsb, linux-tilegx64-msb, linux-x64-lsb, linux-x86-lsb, linux-xtensa-msb, osx-x32-lsb, osx-x64-lsb

# Modify the response of '/bin/uname'
# Default (uname -a): Linux <hostname> <kernel_version> <kernel_build_string> <hardware_platform> <operating system>
kernel_version = 3.2.0-4-amd64
kernel_build_string = #1 SMP Debian 3.2.68-1+deb7u1
hardware_platform = x86_64
operating_system = GNU/Linux

# SSH Version as printed by "ssh -V" in shell emulation
ssh_version = OpenSSH_7.9p1, OpenSSL 1.1.1a  20 Nov 2018


# ============================================================================
# SSH Specific Options
# ============================================================================
[ssh]

# Enable SSH support
# (default: true)
enabled = true


# Public and private SSH key files. If these don't exist, they are created
# automatically.
rsa_public_key = ${honeypot:state_path}/ssh_host_rsa_key.pub
rsa_private_key = ${honeypot:state_path}/ssh_host_rsa_key
dsa_public_key = ${honeypot:state_path}/ssh_host_dsa_key.pub
dsa_private_key = ${honeypot:state_path}/ssh_host_dsa_key
ecdsa_public_key = ${honeypot:state_path}/ssh_host_ecdsa_key.pub
ecdsa_private_key = ${honeypot:state_path}/ssh_host_ecdsa_key
ed25519_public_key = ${honeypot:state_path}/ssh_host_ed25519_key.pub
ed25519_private_key = ${honeypot:state_path}/ssh_host_ed25519_key

# Public keys supported are: ssh-rsa, ssh-dss, ecdsa-sha2-nistp256, ssh-ed25519
public_key_auth = ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519

# SSH version string as present to the client.
#
# Version string MUST start with SSH-2.0- or SSH-1.99-
#
# Use these to disguise your honeypot from a simple SSH version scan
# Examples:
# SSH-2.0-OpenSSH_5.1p1 Debian-5
# SSH-1.99-OpenSSH_4.3
# SSH-1.99-OpenSSH_4.7
# SSH-1.99-Sun_SSH_1.1
# SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1
# SSH-2.0-OpenSSH_4.3
# SSH-2.0-OpenSSH_4.6
# SSH-2.0-OpenSSH_5.1p1 Debian-5
# SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
# SSH-2.0-OpenSSH_5.5p1 Debian-6
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
# SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
# SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
# SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
# SSH-2.0-OpenSSH_5.9
#
# (default: "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2")
version = SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2

# Cipher encryption algorithms to be used.
#
# MUST be supplied as a comma-separated string without
# any spaces or newlines.
#
# Use ciphers to limit to more secure algorithms only
# any spaces.
# Supported ciphers:
#
# aes128-ctr
# aes192-ctr
# aes256-ctr
# aes256-cbc
# aes192-cbc
# aes128-cbc
# 3des-cbc
# cast128-cbc
ciphers = aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,cast128-cbc


# MAC Algorithm to be used.
#
# MUST be supplied as a comma-separated string without
# any spaces or newlines.
#
# hmac-sha1 and hmac-md5 are considered insecure now, and
# instead MACs with higher number of bits should be used.
#
# Supported HMACs:
# hmac-sha2-512
# hmac-sha2-384
# hmac-sha2-256
# hmac-sha1
# hmac-md5
macs = hmac-sha2-512,hmac-sha2-384,hmac-sha2-256,hmac-sha1,hmac-md5


# Compression Method to be used.
#
# MUST be supplied as a comma-separated string without
# any spaces or newlines.
#
# Supported Compression Methods:
# zlib@openssh.com
# zlib
# none
compression = zlib@openssh.com,zlib,none

# Endpoint to listen on for incoming SSH connections.
# See https://twistedmatrix.com/documents/current/core/howto/endpoints.html#servers
# (default: listen_endpoints = tcp:2222:interface=0.0.0.0)
# (use systemd: endpoint for systemd activation)
# listen_endpoints = systemd:domain=INET:index=0
# For both IPv4 and IPv6: listen_endpoints = tcp6:2222:interface=\:\:
# Listening on multiple endpoints is supported with a single space seperator
# e.g listen_endpoints = "tcp:2222:interface=0.0.0.0 tcp:1022:interface=0.0.0.0" will result listening both on ports 2222 and 1022
# use authbind for port numbers under 1024

listen_endpoints = tcp:2222:interface=0.0.0.0

# Enable the SFTP subsystem
# (default: true)
sftp_enabled = true


# Enable SSH direct-tcpip forwarding
# (default: true)
forwarding = true


# This enables redirecting forwarding requests to another address
# Useful for forwarding protocols to other honeypots
# (default: false)
forward_redirect = false


# Configure where to forward the data to.
# forward_redirect_<portnumber> = <redirect ip>:<redirect port>

# Redirect http/https
# forward_redirect_80 = 127.0.0.1:8000
# forward_redirect_443 = 127.0.0.1:8443

# To record SMTP traffic, install an SMTP honeypoint.
# (e.g https://github.com/awhitehatter/mailoney), run
# python mailoney.py -s yahoo.com -t schizo_open_relay -p 12525
# forward_redirect_25 = 127.0.0.1:12525
# forward_redirect_587 = 127.0.0.1:12525


# This enables tunneling forwarding requests to another address
# Useful for forwarding protocols to a proxy like Squid
# (default: false)
forward_tunnel = false


# Configure where to tunnel the data to.
# forward_tunnel_<portnumber> = <tunnel ip>:<tunnel port>

# Tunnel http/https
# forward_tunnel_80 = 127.0.0.1:3128
# forward_tunnel_443 = 127.0.0.1:3128


# No authentication checking at all
# enabling 'auth_none' will enable the ssh2 'auth_none' authentication method
# this allows the requested user in without any verification at all
#
# (default: false)
#auth_none_enabled = false

# Public key authentication
# This is an all or nothing switch that will allow none or any public key certificate to login
#
# (default: false)
auth_publickey_allow_any = false

# Configure keyboard-interactive login
auth_keyboard_interactive_enabled = false


# ============================================================================
# Telnet Specific Options
# ============================================================================
[telnet]

# Enable Telnet support, disabled by default
enabled = false

# Endpoint to listen on for incoming Telnet connections.
# See https://twistedmatrix.com/documents/current/core/howto/endpoints.html#servers
# (default: listen_endpoints = tcp:2223:interface=0.0.0.0)
# (use systemd: endpoint for systemd activation)
# listen_endpoints = systemd:domain=INET:index=0
# For IPv4 and IPv6: listen_endpoints = tcp6:2223:interface=\:\: tcp:2223:interface=0.0.0.0
# Listening on multiple endpoints is supported with a single space seperator
# e.g "listen_endpoints = tcp:2223:interface=0.0.0.0 tcp:2323:interface=0.0.0.0" will result listening both on ports 2223 and 2323
# use authbind for port numbers under 1024

listen_endpoints = tcp:2223:interface=0.0.0.0


# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie)
#reported_port = 23



# ============================================================================
# Database logging Specific Options
# ============================================================================

# XMPP Logging
# Log to an xmpp server.
#
#[database_xmpp]
#server = sensors.carnivore.it
#user = anonymous@sensors.carnivore.it
#password = anonymous
#muc = dionaea.sensors.carnivore.it
#signal_createsession = cowrie-events
#signal_connectionlost = cowrie-events
#signal_loginfailed = cowrie-events
#signal_loginsucceeded = cowrie-events
#signal_command = cowrie-events
#signal_clientversion = cowrie-events
#debug=true




# ============================================================================
# Output Plugins
# These provide an extensible mechanism to send audit log entries to third
# parties. The audit entries contain information on clients connecting to
# the honeypot.
#
# Output entries need to start with 'output_' and have the 'enabled' entry.
# ============================================================================

[output_xmpp]
enabled=false
server = conference.cowrie.local
user = cowrie@cowrie.local
password = cowrie
muc = hacker_room

# JSON based logging module
#
[output_jsonlog]
enabled = true
logfile = ${honeypot:log_path}/cowrie.json
epoch_timestamp = false

# Supports logging to Elasticsearch
# This is a simple early release
#
[output_elasticsearch]
enabled = false
host = localhost
port = 9200
index = cowrie
# type has been deprecated since ES 6.0.0
# use _doc which is the default type. See
# https://stackoverflow.com/a/53688626 for
# more information
#type = _doc
# set pipeline = geoip to map src_ip to
# geo location data. You can use a custom
# pipeline but you must ensure it exists
# in elasticsearch.
#pipeline = geoip
#
# Authentication. When x-pack.security is enabled
# in ES, default users have been created and requests
# must be authenticated.
#
# Credentials
#username = elastic
#password =
#
# TLS encryption. Communications between the client (cowrie)
# and the ES server should naturally be protected by encryption
# if requests are authenticated (to prevent from man-in-the-middle
# attacks). The following options are then paramount
# if username and password are provided.
#
# use ssl/tls
#ssl = true
# Path to trusted CA certs on disk
#ca_certs = /cowrie/cowrie-git/etc/elastic_ca.crt
# verify SSL certificates
#verify_certs = true

# Send login attemp information to SANS DShield
# See https://isc.sans.edu/ssh.html
# You must signup for an api key.
# Once registered, find your details at: https://isc.sans.edu/myaccount.html
#
[output_dshield]
enabled = false
userid = userid_here
auth_key = auth_key_here
batch_size = 100
#
# Graylog logging module for GELF http input
[output_graylog]
enabled = false
url = http://graylog.example.com:122011/gelf
#
# Local Syslog output module
#
# This sends log messages to the local syslog daemon.
# Facility can be:
# KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, SYSLOG and LOCAL0 to LOCAL7.
#
# Format can be:
# text, cef
#
[output_localsyslog]
enabled = false
facility = USER
format = text


# Text output
# This writes audit log entries to a text file
#
# Format can be:
# text, cef
#
[output_textlog]
enabled = false
logfile = ${honeypot:log_path}/audit.log
format = text


# MySQL logging module
# Database structure for this module is supplied in docs/sql/mysql.sql
#
# MySQL logging requires extra software: sudo apt-get install libmysqlclient-dev
# MySQL logging requires an extra Python module: pip install mysql-python
#
[output_mysql]
enabled = false
host = localhost
database = cowrie
username = cowrie
password = secret
port = 3306
debug = false

# Rethinkdb output module
# Rethinkdb output module requires extra Python module: pip install rethinkdb

[output_rethinkdblog]
enabled = false
host = 127.0.0.1
port = 28015
table = output
password =
db = cowrie

# SQLite3 logging module
#
# Logging to SQLite3 database. To init the database, use the script
# docs/sql/sqlite3.sql:
#     sqlite3 <db_file> < docs/sql/sqlite3.sql
#
[output_sqlite]
enabled = false
db_file = cowrie.db

# MongoDB logging module
#
# MongoDB logging requires an extra Python module: pip install pymongo
#
[output_mongodb]
enabled = false
connection_string = mongodb://username:password@host:port/database
database = dbname


# Splunk HTTP Event Collector (HEC) output module
# sends JSON directly to Splunk over HTTP or HTTPS
# Use 'https' if your HEC is encrypted, else 'http'
# mandatory fields: url, token
# optional fields: index, source, sourcetype, host
#
[output_splunk]
enabled = false
url = https://localhost:8088/services/collector/event
token = 6A0EA6C6-8006-4E39-FC44-C35FF6E561A8
index = cowrie
sourcetype = cowrie
source = cowrie


# HPFeeds3
# Python3 implementation of HPFeeds
[output_hpfeeds3]
enabled = false
server = hpfeeds.mysite.org
port = 10000
identifier = abc123
secret = secret
debug=false


# VirusTotal output module
# You must signup for an api key.
#
[output_virustotal]
enabled = false
api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
upload = True
debug = False
scan_file = True
scan_url = False


# Cuckoo output module
[output_cuckoo]
enabled = false
# no slash at the end
url_base = http://127.0.0.1:8090
user = user
passwd = passwd
# force will upload duplicated files to cuckoo
force = 0

# upload to MalShare
# Register at https://malshare.com/register.php to get your API key
[output_malshare]
api_key = 130928309823098
enabled = false

# This will produce a _lot_ of messages - you have been warned....
[output_slack]
enabled = false
channel = channel_that_events_should_be_posted_in
token = slack_token_for_your_bot
debug = false


# https://csirtg.io
# You must signup for an api key.
#
[output_csirtg]
enabled = false
username = wes
feed = scanners
description = random scanning activity
token = a1b2c3d4
debug = false


[output_socketlog]
enabled = false
address = 127.0.0.1:9000
timeout = 5

# Upload files that cowrie has captured to an S3 (or compatible bucket)
# Files are stored with a name that is the SHA of their contents
#
[output_s3]
enabled = false
#
# The AWS credentials to use.
# Leave these blank to use botocore's credential discovery e.g .aws/config or ENV variables.
# As per https://github.com/boto/botocore/blob/develop/botocore/credentials.py#L50-L65
access_key_id = AKIDEXAMPLE
secret_access_key = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY
#
# The bucket to store the files in. The bucket must already exist.
bucket = my-cowrie-bucket
#
# The region the bucket is in
region = eu-west-1
#
# An alternate endpoint URL. If you self host a pithos instance you can set
# this to its URL (e.g. https://s3.mydomain.com) - can otherwise be blank
#endpoint =
#
# Whether or not to validate the S3 certificate. Set this to 'no' to turn this
# off. Do not do this for real AWS. It's only needed for self-hosted S3 clone
# where you don't yet have real certificates.
#verify = no

[output_influx]
enabled = false
host = 127.0.0.1
port = 8086
database_name = cowrie
retention_policy_duration = 12w

[output_kafka]
enabled = false
host = 127.0.0.1
port = 9092
topic = cowrie


[output_redis]
enabled = false
host = 127.0.0.1
port = 6379
# DB of the redis server. Defaults to 0
db = 0
# Password of the redis server. Defaults to None
# password = secret
# Name of the list to push to or the channel to publish to. Required
keyname = cowrie
# Method to use when sending data to redis.
# Can be one of [lpush, rpush, publish]. Defaults to lpush
send_method = lpush


# Perform Reverse DNS lookup
[output_reversedns]
enabled = false
# Timeout in seconds
timeout = 3

[output_greynoise]
enabled = false
debug = false
# Name of the tags separated by comma, for which the IP has to be scanned for.
# Example "SHODAN,JBOSS_WORM,CPANEL_SCANNER_LOW"
# If there isn't any specific tag then just leave it "all"
tags = all
# It's optional to have API key, so if you don't want to but
# API key then leave this option commented
#api_key = 1234567890

# Upload all files to a MISP instance of your liking.
# The API key can be found under Event Actions -> Automation
[output_misp]
enabled = false
base_url = https://misp.somedomain.com
api_key = secret_key
verify_cert = true
publish_event = true
debug = false

# Send message using Telegram bot
# 1. Create a bot following https://core.telegram.org/bots#6-botfather to get token.
# 2. Send message to your bot, then use https://api.telegram.org/bot{bot_token}/getUpdates to find chat_id.
# N.b. bot will only send messages on cowrie.login.success, cowrie.command.input/.failed, and
# cowrie.session.file_download, to prevent spam. 
[output_telegram]
enabled = false
bot_token = 123456789:AbCDEfGhiJkLmnOpQRstUVWxYZ
chat_id = 987654321

# The crashreporter sends data on Python exceptions to api.cowrie.org
# To disable set `enabled = false` in cowrie.cfg
[output_crashreporter]
enabled = false
debug = false

# Reports login attempts to AbuseIPDB. A short guide is in the original
# pull request on GitHub: https://github.com/cowrie/cowrie/pull/1346
[output_abuseipdb]
enabled = false
#api_key =
#rereport_after = 24
#tolerance_window is in minutes
#tolerance_window = 120
#tolerance_attempts = 10
# WARNING: A binary file is read from this directory on start-up. Do not
# change unless you understand the security implications!
#dump_path = ${honeypot:state_path}/abuseipdb

# Report login and session tracking attempts via the ThreatJammer.com Report API.
# ThreatJammer.com is a risk assessment tool <https://threatjammer.com>
# Read the docs for more information: https://docs.cowrie.org/en/latest/threatjammer/README.html
[output_threatjammer]
enabled = false
bearer_token = THREATJAMMER_API_TOKEN
#api_url=https://dublin.report.threatjammer.com/v1/ip
#track_login = true
#track_session = false
#ttl = 86400
#category = ABUSE
#tags = COWRIE,LOGIN,SESSION

# Send output to a Discord webhook
[output_discord]
enabled = false
url = https://discord.com/api/webhooks/id/token

# Datadog output module
# sends JSON directly to Datadog
# mandatory field: api_key
# optional fields (fallback configured in module): ddsource, ddtags, service
# For more information on fields https://docs.datadoghq.com/api/latest/logs/#send-logs
[output_datadog]
enabled = false
url = https://http-intake.logs.datadoghq.com/api/v2/logs
api_key = abcdef1234567890fedcba0987654321
ddsource = cowrie
ddtags = env:dev
service = honeypot

# Oracle Cloud custom logs output module
# sends JSON directly to Oracle Cloud custom logs
# mandatory field: authtype, log_ocid
# optional fields (to be set if user_principals is selected as authtype): user_ocid, fingerprint, tenancy_ocid, region, keyfile
# For more information on Oracle Cloud custom logs: https://docs.oracle.com/en-us/iaas/Content/Logging/Concepts/custom_logs.htm
# For more information on Oracle Cloud user principal authentication method: https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm#five
# For more information on Oracle Cloud instance principal authentication method: https://blogs.oracle.com/developers/post/accessing-the-oracle-cloud-infrastructure-api-using-instance-principals
[output_oraclecloud]
enabled = false
# authtype must be set either to user_principals or to instance_principals
authtype = instance_principals
# following parameters must be set in case user_principals is used. keyfile is the absolute path to your API pem key file.
#log_ocid = ocid1.log.oc1.eu-stockholm-1.xxx
#user_ocid = ocid1.user.oc1..xxx
#fingerprint = 77:9c:4xxxxx
#tenancy_ocid = ocid1.tenancy.oc1..xxx
#region = eu-stockholm-1
#keyfile = /home/xx/key.pem

[output_remotesyslog]
enabled = false
host = 127.0.0.1
port = 514
# protocol options: udp or tcp
# (default: udp)
protocol = udp

[output_axiom]
enabled = false
api_token = fill_out_your_token_here
dataset = cowrie

# rabbitmq
[output_rmq]
enabled = false
host = 127.0.0.1
port = 5672
username = guest
password = guest
vhost = /
exchange = cowrie
exchange_type = topic