Skip to content

Latest commit

 

History

History
65 lines (48 loc) · 2.58 KB

README.md

File metadata and controls

65 lines (48 loc) · 2.58 KB

rm.cowrie

A role that sets up cowrie honeypot on a target system. This creates a new user, clones cowrie into its' homefolder and installs all needed dependencies in a venv in the cowrie homefolder.
Optionally, it can set up cowrie to log its events directly to a given Splunk installation.

Installation

To use this repo in your playbook and install it (and all its dependencies) to your roles folder, call:
ansible-galaxy install -p roles git+https://github.com/RoastingMalware/rm.cowrie

Requirements

The role assumes that the SSH server has been moved from port 22, as it is setting up iptables forwards for port 22 and 23. This behaviour can be disables by setting cowrie_redirect_ports: no - then cowrie will be reachable by port 2222 and 2223 only.

Role Variables

In general, the config can be edited in great detail. I would recommend that you change at least some vars to prevent fingerprinting. The ttylog, which records all entered commands of a session in UML, has been disabled to save disk space. This can be activated again.

  - cowrie_hostname -> Sets the displayed hostname
  - cowrie_version_string -> This version string is presented at the SSH banner
  - cowrie_ttylog -> Set to true to enable logging

Dependencies

rm.fail2ban-cowrie - This is defined as dependency and will automatically be installed by ansible-galaxy install.
If not, this role is publicy available on Github.

Example Playbook

If only the recommended vars are set, deploying cowrie is really easy.
For usage with splunk as logging target, setting host, port, enabled and token are mandatory.
(Splunk Server setup instructions: Splunk Docs ):

- hosts: servers
  roles:
    - role: rm.cowrie
      vars: 
        cowrie_hostname: serv04
        cowrie_version_string: SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
        cowrie_splunk_host: splunk.ip.or.fqdn
        cowrie_splunk_port: 8088
        cowrie_splunk_enabled: true
        cowrie_splunk_token: generated-splunk-token-here

If you want to change the default allowed users on your honeypot, modify templates/userdb.txt.

License

Apache License 2.0

Contributions

Contributions are more than welcome!
If you encounter a bug or want to extend the role, go ahead and open a GitHub Pull Request or Issue :)