Wetftp is a high interaction FTP honeypot,designed to log brute force attacks and every action of attacker after login.
- Use docker to provide a real linux document system.
- Wetftp locate at the middle between ftpd container and attacker.
- Log all of attacker's action.
- Save a copy of files that attacker upload.
- Support ftps(ftp over ssl).
- Support ssl's session reuse.
- Kinds of ways to report to you when wetland is touching by hacker
- A linux system (tested on ubuntu)
- ftpd images in docker (e.g. bogem/ftp)
- python2.7
- pyOpenSSL
- requests
-
Copy wetftp.cfg.default to wetftp.cfg
-
Generate private key and sign the certificate
mkdir data && cd dataopenssl genrsa -out server.key 2048openssl req -new -key server.key -out server.csropenssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
- Install python requirements
pip install pyOpenSSl requests
- Install docker
- install docker with docs in www.docker.com
docker search ftpdordocker search ftpdocker run -d --name ftpd ftpd_image_namedocker inspect ftpd,then replace docker_addr in wetftp.cfg with ftpd's ip.- some ftpd container maybe need to do something else, please read docs of the image in hub.docker.com
- Configure the output plugins in wetftp.cfg
- enable or disable in [output] section
- Edit the url of incoming robots when using bearychat
- Edit user、pwd... when using email
- Configure ftps in wetftp.cfg if necessary
- first make sure your ftpd images support ftps, has been configured to work.
- enable it in [ftps] section.
- ssl session can be reused between control channel and data channel,so if your ftpd support it, enable reuse in [ftps] seciton.
- e.g. a configure file of vsftpd, it should enable ftps and reuse
rsa_cert_file=/var/server.crt
rsa_private_key_file=/var/server.key
ssl_enable=YES
# This determines ssl session reuse or not
require_ssl_reuse=YES- Run
nohup python main &
- Stop
netstat -autpn | grep 21kill pid_number
- View logs
cd logs && ls