# docker-cowrie
This repo contains a Dockerfile and a Docker Compose file that help you run Cowrie in Docker containers.
Cowrie is a medium-interaction SSH and Telnet honeypot designed to log brute-force attacks and the shell interaction performed by the attacker.
Please make sure you have Docker Engine and Docker Compose installed.
If not, see https://docs.docker.com/engine/installation/ and https://docs.docker.com/compose/install/.
```sh
cd /path/you/like
git clone https://github.com/vfreex/docker-cowrie.git && cd docker-cowrie
```
You can either build the Docker image from the Dockerfile in this repo, or pull the prebuilt image from Docker Hub:
Just build it using `docker-compose build`.
The Dockerfile is located at `cowrie/Dockerfile`. Edit it if necessary.

```sh
docker-compose build
```
If you don't want to build it yourself, just pull my prebuilt image from Docker Hub. The repo homepage is at https://hub.docker.com/r/rayson/cowrie/.

```sh
docker-compose pull
```
Before starting a Cowrie container, you may want to edit Cowrie's configuration file. It is `config/cowrie-config/cowrie.cfg` and will be mounted as a Docker volume when you start the container.

```sh
# edit config/cowrie-config/cowrie.cfg if necessary
# edit docker-compose.yml to change the port number you want to map
# run in the background
docker-compose up -d
# run in the foreground
# docker-compose up
```
To stop and destroy the container that runs in the background:
```sh
docker-compose down
```
```sh
# get container's name and port mapping
docker-compose ps
# get container's detailed information
docker inspect `docker-compose ps -q`
```
Cowrie's `data` and `log` directories contain all the data that you are interested in.
They are mounted as Docker named volumes.
Before inspecting files in those directories, you should figure out the names of those volumes by running `docker volume ls`:

```
$ docker volume ls
DRIVER VOLUME NAME
local cowrie_cowrie-log
local cowrie_cowrie-data
```
Then obtain the physical path of your desired volume by running `docker volume inspect <volume_name>`:

```
$ docker volume inspect cowrie_cowrie-log
[
    {
        "Name": "cowrie_cowrie-log",
        "Driver": "local",
        "Mountpoint": "/var/lib/docker/volumes/cowrie_cowrie-log/_data"
    }
]
```
The "Mountpoint" above is the physical path of the volume. All files you need are just there.
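
The two lookups above can be combined so that they work whatever prefix Compose gives the volume names (the prefix is the Compose project name, so it is not always `cowrie_`). This is an added example, not part of this repo; it assumes the volumes are declared as `cowrie-log` and `cowrie-data`, and the function names are made up for the example.

```sh
#!/bin/sh
# Added example (not from the docker-cowrie repo).
# Assumption: the volumes are declared as "cowrie-log" and "cowrie-data", so
# Compose names them <project>_cowrie-log and <project>_cowrie-data.

# stdin: `docker volume ls` output. stdout: Cowrie volume names, any prefix.
cowrie_volumes() {
    awk 'NR > 1 && $2 ~ /_cowrie-(log|data)$/ { print $2 }'
}

# stdin: `docker volume inspect <name>` JSON. stdout: the Mountpoint value.
mountpoint_from_inspect() {
    sed -n 's/.*"Mountpoint": *"\([^"]*\)".*/\1/p'
}

# Query the local Docker daemon and print "<volume><TAB><host path>" lines.
cowrie_volume_paths() {
    docker volume ls | cowrie_volumes | while read -r name; do
        path=$(docker volume inspect "$name" | mountpoint_from_inspect)
        printf '%s\t%s\n' "$name" "$path"
    done
}

# Sample input: the listing shown above plus one unrelated, constructed volume.
SAMPLE_LS='DRIVER VOLUME NAME
local cowrie_cowrie-log
local cowrie_cowrie-data
local otherapp_db-data'

if [ "${1:-}" = "--live" ]; then
    cowrie_volume_paths          # needs access to the Docker daemon
else
    printf '%s\n' "$SAMPLE_LS" | cowrie_volumes
fi
```

Run it with `--live` on the Docker host to query the real volumes. The paths under `/var/lib/docker` are normally readable only by root.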
If you don't want to use the Docker image anymore, you can delete the Docker image:
```sh
docker-compose down --rmi all # will not delete your data volumes
# Be careful: this also deletes all the data volumes (the storage for cowrie logs and data)
# docker-compose down -v --rmi all
```
```
ERROR: In file './docker-compose.yml' service 'version' doesn't have any configuration options. All top level keys in your docker-compose.yml must map to a dictionary of configuration options.
```
Solution
Upgrade your docker-compose to 1.6.0+:
```
# Make sure you have pip installed. If not, please install pip:
# apt install python-pip # Debian/Ubuntu
# dnf install python-pip # Fedora
# yum install python-pip # RHEL/CentOS with EPEL
$ pip install -U docker-compose
```