Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #
- # HonSSH configuration file (honssh.cfg)
- #
- [devmode]
- enabled=true
- #----------------------------------------------#
- # GENERAL SETUP #
- #----------------------------------------------#
- #-----------------------#
- # HONEYPOT #
- #-----------------------#
- [honeypot]
- # IP addresses to listen for incoming SSH connections.
- #
- # input: IP Address
- # required: YES
- ssh_addr = 192.168.100.215
- # Port to listen for incoming SSH connections.
- #
- # input: Number
- # required: YES
- # default: 2222
- ssh_port = 2222
- # IP addresses to send outgoing SSH connections.
- # 0.0.0.0 for all interfaces
- #
- # input: IP Address
- # required: YES
- client_addr = 0.0.0.0
- # Public and private SSH key files.
- #
- # input: Text
- # required: YES
- # default: id_rsa.pub
- # default: id_rsa
- # default: id_dsa.pub
- # default: id_dsa
- public_key = id_rsa.pub
- private_key = id_rsa
- public_key_dsa = id_dsa.pub
- private_key_dsa = id_dsa
- # SSH banner to send to clients
- # If not specified, HonSSH will try and obtain it by connecting to
- # honey_addr:honey_port
- #
- # input: text
- # required: No
- # default:
- ssh_banner = SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
- # connection_timeout: connection timeout for pre and post auth handlers
- # required: YES
- # default: 10
- connection_timeout = 10
- #-----------------------#
- # HONEYPOT STATIC #
- #-----------------------#
- [honeypot-static]
- # Documentation to come, stick with these options and ignore honeypot-* unless you know what you are doing or fancy a challenge
- enabled = false
- # Should HonSSH use this plugin to get the honeypot details (before authentication)
- pre-auth = true
- # Should HonSSH use this plugin to get the honeypot details (after authentication)
- post-auth = false
- # This name will be used when logging to any of the output mechanisms.
- # Please ensure it is meaningful.
- #
- # input: Text
- # required: YES
- sensor_name = hon1
- # IP addresses of the honeypot.
- #
- # input: IP Address
- # required: YES
- honey_ip = 172.17.0.6
- # SSH port of the honeypot.
- #
- # input: Number
- # required: YES
- # default: 22
- honey_port = 22
- #-----------------------#
- # HONEYPOT SCRIPT #
- #-----------------------#
- [honeypot-script]
- # Documentation to come
- enabled = false
- # Should HonSSH use this plugin to get the honeypot details (before authentication)
- pre-auth = false
- # Should HonSSH use this plugin to get the honeypot details (after authentication)
- post-auth = false
- # ./script IP LOCALIP PORT LOCALPORT
- pre-auth-script =
- # ./script IP LOCALIP PORT LOCALPORT USERNAME PASSWORD
- post-auth-script =
- #-----------------------#
- # HONEYPOT DOCKER #
- #-----------------------#
- [honeypot-docker]
- # Documentation to come
- enabled = true
- # Should HonSSH use this plugin to get the honeypot details (before authentication)
- pre-auth = true
- # Should HonSSH use this plugin to get the honeypot details (after authentication)
- post-auth = true
- # image: image id/name to use for honeypot container
- # required: if enabled = true
- image = rastasheep/ubuntu-sshd:14.04
- # uri: socket to interact with container daemon
- # required: if enabled = true
- # default: unix://var/run/docker.sock
- uri = unix://var/run/docker.sock
- # honey_hostname: the hostname for the container
- # required: if enabled = true
- hostname = lime
- # launch_cmd: command to run when container is first launched
- # required: if enabled = true
- # default = service ssh start
- launch_cmd = service ssh start
- # SSH port of the honeypot.
- #
- # input: Number
- # required: YES
- # default: 22
- honey_port = 22
- # Pid limit of the honeypot (-1 for unlimited)
- #
- # input: Number
- # required: NO
- # default: -1
- pids_limit =
- # Memory limit of the honeypot
- # Example: 1G
- #
- # required: NO
- mem_limit =
- # Swap limit of the honeypot
- # Example: 1G
- #
- # required: NO
- memswap_limit =
- # Shm size limit of the honeypot
- # Example: 1G
- #
- # required: NO
- shm_size =
- # Microseconds of CPU time that the container can get in a CPU period of the honeypot
- #
- # input: Number
- # required: NO
- cpu_period =
- # CPU shares (relative weight) of the honeypot
- # Example: Percentage * value of cat /sys/fs/cgroup/cpu/docker/cpu.shares
- #
- # required: NO
- cpu_shares =
- # CPUs in which to allow execution of the honeypot
- # Example: 0-3, 0,1
- #
- # required: NO
- cpuset_cpus =
- #-----------------------#
- # HONEYPOT RESTRICTIONS #
- #-----------------------#
- [hp-restrict]
- # When enabled, HonSSH will restrict connections to password only and decline any public keys.
- # HonSSH will not work with public keys - this should always be true.
- #
- # input: true/false
- # required: YES
- # default: true
- disable_publicKey = true
- # When enabled, HonSSH will block any attempts to start an X11 session.
- # You can allow X11 but HonSSH will not log the session.
- #
- # input: true/false
- # required: YES
- # default: true
- disable_x11 = true
- # When enabled, HonSSH will block any attempts to start an SFTP session.
- # HonSSH will log SFTP traffic and capture downloaded files.
- #
- # input: true/false
- # required: YES
- # default: false
- disable_sftp = false
- # When enabled, HonSSH will block any attempts to start an EXEC session.
- # HonSSH will log all EXEC sessions, including SCP transfers.
- #
- # input: true/false
- # required: YES
- # default: false
- disable_exec = true
- # When enabled, HonSSH will block any attempts to start running port forwarding over SSH.
- # You can allow port forwarding but HonSSH will not log the session - Yet! (log to PCAP?)
- #
- # input: true/false
- # required: YES
- # default: true
- disable_port_forwarding = true
- #-----------------------#
- # OUTPUT DIRECTORIES #
- #-----------------------#
- [folders]
- # Directory where log files will be saved in.
- #
- # input: Text
- # required: YES
- # default: logs
- log_path = logs
- # Directory where session files will be saved in.
- #
- # input: Text
- # required: YES
- # default: sessions
- session_path = sessions
- #-----------------------#
- # ADVANCED NETWORKING #
- #-----------------------#
- [advNet]
- # To enable this HonSSH must be ran as root or an account allowed to run
- # iptables and ip link/addr commands.
- #
- # With this disabled, the honeypot will always see connections coming from
- # honey_addr. With this enabled, connections will look as if the connections
- # are coming from the attacker.
- # See the Wiki page for more details.
- # https://github.com/tnich/honssh/wiki/Advanced-Networking
- #
- # input: true/false
- # required: YES
- # default: false
- enabled = true
- #-----------------------#
- # LIVE INTERACTION #
- #-----------------------#
- [interact]
- # Session management interface.
- #
- # This is a TCP based service that can be used to interact with active
- # sessions. Disabled by default.
- #
- # Use honsshInteraction.py to interact with this interface.
- #
- # input: true/false
- # required: YES
- # default: false
- enabled = false
- # Interface to create the interaction on - 0.0.0.0 for all.
- #
- # input: IP Address
- # required: if interact_enabled = true
- # default: 127.0.0.1
- interface = 127.0.0.1
- # Port to create the interaction on
- #
- # input: Number
- # required: if interact_enabled = true
- # default: 5123
- port = 5123
- #-----------------------#
- # PASSWORD SPOOFING #
- #-----------------------#
- [spoof]
- # Enabling this will allow HonSSH to spoof an incorrect password with the real password.
- # A list of users and passwords must be defined in the users.cfg file.
- #
- # Passwords to spoof can either be a fixed list or a random chance.
- #
- # See the Wiki page for more details.
- # https://github.com/tnich/honssh/wiki/Password-Spoofing
- #
- # input: true/false
- # required: YES
- # default: false
- enabled = true
- # Location of the users.cfg file
- #
- # input: text
- # required: if enabled is true
- # default: users.cfg
- users_conf = users.cfg
- #----------------------------------------------#
- # LOGGING AND OUTPUTS #
- #----------------------------------------------#
- #-----------------------#
- # FILE DOWNLOADING #
- #-----------------------#
- [download]
- # File Download
- #
- # HonSSH will attempt to download all scp and sftp files to a local store if this is true
- #
- # input: true/false
- # required: YES
- # default: false
- passive = true
- # HonSSH wil attempt to download all wget files to a local store.
- #
- # I believe another tool should be used to passively capture all http(s) connections on all ports - maybe the next project?
- # Until then HonSSH will use a 'best effort' approach to capture files when the wget commands is detected.
- # It will not be able to capture commands such as:
- # url=www.test.url; wget $url
- #
- # input: true/false
- # required: YES
- # default: false
- active = true
- #-----------------------#
- # TEXT LOGGING #
- #-----------------------#
- [output-txtlog]
- # All activity will be logged to text files
- # A log of entry attempts will be kept in log_path/
- # A log of session activity will be kept in session_path/
- #
- # input: true/false
- # required: YES
- # default: true
- enabled = true
- #-----------------------#
- # MYSQL LOGGING #
- #-----------------------#
- [output-mysql]
- # All activity will be logged to a MYSQL Database
- # Database structure for this module is supplied in utils/honssh.sql
- #
- # input: true/false
- # required: yes
- # default: false
- enabled = true
- # IP address of the database
- #
- # input: IP Address
- # required: if enabled = true
- # default: localhost
- host = localhost
- # Port to connect to the database on
- #
- # input: Number
- # required: NO
- # default: 3306
- port = 3306
- # Name of the database
- #
- # input: Text
- # required: if enabled = true
- database = cowrie
- # Username to authenticate with the database
- #
- # input: Text
- # required: if enabled = true
- username = cowrie
- # Password to authenticate with the database
- #
- # input: Text
- # required: if enabled = true
- password = cowrie
- #-----------------------#
- # EMAIL LOGGING #
- #-----------------------#
- [output-email]
- # Enable email output plugin
- #
- # dependency: txtlog MUST be enabled
- # input: true/false
- # required: YES
- # default: false
- enabled = false
- # Send an email upon hacker connect
- #
- # dependency: txtlog MUST be enabled
- # input: true/false
- # required: YES
- # default: false
- login = false
- # Send an email upon hacker disconnect - Will attach the tty log file
- #
- # dependency: txtlog MUST be enabled
- # input: true/false
- # required: YES
- # default: false
- attack = false
- # Your SMTP Host
- #
- # input: Text
- # required: if login or attack = true
- host =
- # Your SMTP Port
- #
- # input: Number
- # required: if login or attack = true
- port =
- # Use SSL/TLS to connect to the SMTP provider?
- #
- # input: true/false
- # required: if login or attack = true
- # default: true
- use_tls = true
- # Does your SMTP provider require a login?
- #
- # input: true/false
- # required: if login or attack = true
- # default: true
- use_smtpauth = true
- # Your SMTP login username
- #
- # input: Text
- # required: if use_smtpauth = true
- username =
- # Your SMTP login password
- #
- # input: Text
- # required: if use_smtpauth = true
- password =
- # The address the email is sent from
- #
- # input: Email Address
- # required: if login or attack = true
- from =
- # The address(es) the email is sent to
- #
- # input: Email Addresses in a comma seperated list spaces without
- # required: if login or attack = true
- to =
- #-----------------------#
- # HP FEEDS #
- #-----------------------#
- [output-hpfeeds]
- # All activity will be logged to a hpfeeds broker for dissemination
- # between the honeypot community.
- # Authentication attempts will be logged to honssh.auth
- # Sessions will be logged to honssh.sessions
- #
- # input: true/false
- # required: yes
- # default: false
- enabled = false
- # The server address of the hpfeeds broker
- #
- # input: Text
- # required: if enabled = true
- server =
- # The server port of the hpfeeds broker
- #
- # input: Number
- # required: if enabled = true
- port =
- # Your hpfeed authe key identifier
- #
- # input: Text
- # required: if enabled = true
- identifier =
- # Your hpfeed authe key secret
- #
- # input: Text
- # required: if enabled = true
- secret =
- #-----------------------#
- # APPLICATION HOOKS #
- #-----------------------#
- [output-app_hooks]
- # Enable app_hooks output plugin
- #
- # input: true/false
- # required: YES
- # default: false
- enabled = false
- # If you want any other application hooks or arguments passing, raise an issue
- # on the HonSSH code page.
- # Calls the script when a connection is made with the following arguments
- # ./script CONNECTION_MADE DATETIME IP PORT HONEYIP HONEYPORT SESSION_ID
- #
- # input: path of script to run
- # required: NO
- connection_made =
- # Calls the script when a connection is lost with the following arguments
- # ./script CONNECTION_LOST DATETIME IP PORT HONEYIP HONEYPORT SESSION_ID
- #
- # input: path of script to run
- # required: NO
- connection_lost =
- # Calls the script when a login is successful with the following arguments
- # ./script LOGIN_SUCCESSFUL DATETIME IP USERNAME PASSWORD
- #
- # input: path of script to run
- # required: NO
- login_successful =
- # Calls the script when a login has failed with the following arguments
- # ./script LOGIN_FAILED DATETIME IP USERNAME PASSWORD
- #
- # input: path of script to run
- # required: NO
- login_failed =
- # Calls the script when a channel is opened with the following arguments
- # ./script CHANNEL_OPENED DATETIME NAME CHANNEL_ID
- #
- # input: path of script to run
- # required: NO
- channel_opened =
- # Calls the script when a channel is closed with the following arguments
- # ./script CHANNEL_CLOSED DATETIME NAME CHANNEL_ID
- #
- # input: path of script to run
- # required: NO
- channel_closed =
- # Calls the script when a command is entered with the following arguments
- # ./script COMMAND_ENTERED DATETIME CHANNEL_ID COMMAND
- #
- # input: path of script to run
- # required: NO
- command_entered =
- # Calls the script when a file download is started with the following arguments
- # ./script DOWNLOAD_STARTED DATETIME CHANNEL_ID LINK FILE_PATH
- #
- # input: path of script to run
- # required: NO
- download_started =
- # Calls the script when a file download is finished with the following arguments
- # ./script DOWNLOAD_FININSHED DATETIME CHANNEL_ID LINK FILE_PATH
- #
- # input: path of script to run
- # required: NO
- download_finished =
- #-----------------------#
- # PACKET LOGGING #
- #-----------------------#
- [packet_logging]
- # Set to true to enable plugins to use the packet_logged function
- #
- # input: true/false
- # required: YES
- # default: false
- enabled = false
- [output-packets]
- # Log all SSH Packets to text file (.log-adv)
- #
- # dependency: packet_logging MUST be enabled
- # input: true/false
- # required: YES
- # default: false
- enabled = false
- #-----------------------#
- # SLACK #
- #-----------------------#
- [output-slack]
- # Set to true to enable outputting to a Slack channel
- #
- # input: true/false
- # required: YES
- # default: false
- enabled = false
- # The webhook URL for Slack
- #
- # input: Text
- # required: if enabled = true
- webhook-url =
- #-----------------------#
- # CONTRIBUTE #
- #-----------------------#
- [output-contribute]
- # I created this project because I like watching what people do on honeypots.
- # This plugin simply posts the data from each session to me (no private information, just data generated by HonSSH).
- # Feel free to turn it off.
- #
- # input: true/false
- # required: YES
- # default: true
- enabled = false
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement