This is a fork for the qrassh SSH and Telnet Honeypot effort that allows running it with docker compose. The docker-compose service will listen on the public system interface on port 22 for live usage.
Software required:
- Python 2.7+ (Python 3 not yet supported due to Twisted dependencies)
- python-virtualenv
- docker
- docker-compose
For Python dependencies, see requirements.txt
- src/qrassh/qrassh.cfg.dist - Cowrie's configuration file. Default values can be found in cowrie.cfg.dist
- src/qrassh/data/fs.pickle - fake filesystem
- src/qrassh/data/userdb.txt - credentials allowed or disallowed to access the honeypot
- src/qrassh/dl/ - files transferred from the attacker to the honeypot are stored here
- src/qrassh/honeyfs/ - file contents for the fake filesystem - feel free to copy a real system here or use src/bin/fsctl
- qrassh/log/qrassh.json - transaction output in JSON format
- qrassh/log/qrassh.log - log/debug output
- qrassh/log/tty/*.log - session logs
- qrassh/txtcmds/ - file contents for the fake commands
- qrassh/bin/createfs - used to create the fake filesystem
- qrassh/bin/playlog - utility to replay session logs
- Dockerfile - Docker configuration for the Debian container that will run qrassh
- docker-compose.yml - Docker compose is used to launch both the mysql and Debian containers. The mysql one is used straight from an official mysql image, and its initialization file is located in mysql/init/irassh.sql, which creates the database
- Simply clone the repo on an operating system and launch the "docker-compose up" command.
- Connect to the honeypot as an attacker: ssh root@localhost, then input any password.
Currently, the logs are stored within the Debian container. Access it with a shell. There:
- Run playlog:
bin/playlog log/tty/[file_name]
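For a quick overview of what log/qrassh.json recorded, the following is an added example and not part of this repository. It assumes the fork keeps Cowrie's JSON schema (one object per line with eventid, username, password, src_ip, session and input fields); the "qrassh." eventid prefix and the sample lines are constructed.

```python
import json
from collections import Counter

# Constructed sample lines (not real captures). Field names follow the Cowrie
# JSON log schema, which this fork is assumed to keep; the "qrassh." eventid
# prefix is also an assumption, so events are matched on their suffix only.
SAMPLE_LOG = """\
{"eventid": "qrassh.session.connect", "src_ip": "203.0.113.7", "session": "a1"}
{"eventid": "qrassh.login.failed", "username": "root", "password": "123456", "src_ip": "203.0.113.7", "session": "a1"}
{"eventid": "qrassh.login.success", "username": "root", "password": "toor", "src_ip": "203.0.113.7", "session": "a1"}
{"eventid": "qrassh.command.input", "input": "uname -a", "session": "a1"}
{"eventid": "qrassh.command.input", "input": "cat /etc/passwd", "session": "a1"}
this line is truncated {"eventid":
{"eventid": "qrassh.login.failed", "username": "admin", "password": "admin", "src_ip": "198.51.100.9", "session": "b2"}
"""

def summarize(lines):
    """Summarize login attempts and typed commands from JSON log lines."""
    creds = Counter()       # (username, password) -> number of attempts
    sources = Counter()     # src_ip -> number of login attempts
    commands = {}           # session id -> commands in the order typed
    skipped = 0             # lines that could not be parsed
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            skipped += 1    # partially written or corrupted line
            continue
        if not isinstance(event, dict):
            skipped += 1
            continue
        eventid = str(event.get("eventid", ""))
        if eventid.endswith((".login.success", ".login.failed")):
            creds[(event.get("username"), event.get("password"))] += 1
            sources[event.get("src_ip")] += 1
        elif eventid.endswith(".command.input"):
            commands.setdefault(event.get("session"), []).append(event.get("input"))
    return {"creds": creds, "sources": sources, "commands": commands, "skipped": skipped}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for (user, pwd), n in report["creds"].most_common():
        print("%d  %s / %s" % (n, user, pwd))
    for session, cmds in report["commands"].items():
        print(session, cmds)
```

To run it on a real log, pass an open file object for qrassh.json to summarize() instead of the sample lines.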
The mysql configuration located in qrassh.cfg.dist line 416 has been modified. The hostname is now mysql (internal docker-compose configuration).
- log
- log/tty
- Consolidate log files in a single repository
- Add action mysql log
- Move all functions from rassh to qrassh