cowrie
Multi Arc Cowrie Honeypot - Fork from cowrie/cowrie
2.9K
This Docker image provides a ready-to-run Cowrie medium-interaction SSH and Telnet honeypot. Cowrie is designed to log brute-force attacks and the shell interaction performed by the attacker.
This image is built directly from the official Cowrie GitHub repository, offering a lightweight and easily deployable way to observe and log malicious activity on your network.
cowrie.cfg file.docker run or docker-compose commands to get started in seconds.Get a Cowrie instance up and running instantly with default settings:
docker run -d \
--name cowrie-honeypot \
-p 2222:2222 \
-p 2223:2223 \
garfieldwtf/cowrie:latest
This command will:
cowrie-honeypot in the background (-d).2222 to the container's port 2222 (SSH).2223 to the container's port 2223 (Telnet).Test the honeypot:
ssh -p 2222 root@localhost
# Password: 123456 (or any password, it's a honeypot!)
docker run, volumes, and environment variables is helpful.Cowrie is highly configurable. There are two primary ways to configure this image:
The image supports overriding common settings via environment variables. This is the simplest method for basic changes.
| Environment Variable | Description | Default Value |
|---|---|---|
COWRIE_HOSTNAME | The hostname shown to attackers. | srv |
COWRIE_SSH_PORT | Port for the SSH service inside the container. | 2222 |
COWRIE_TELNET_PORT | Port for the Telnet service inside the container. | 2223 |
COWRIE_AUTH_CLASS | Authentication class (e.g., UserDB, Fake) | UserDB |
COWRIE_OUTPUT_JSONLOG | Enable JSON log output (true/false) | true |
Example with environment variables:
docker run -d \
--name cowrie-honeypot \
-e COWRIE_HOSTNAME="webserver" \
-e COWRIE_SSH_PORT=2222 \
-p 2222:2222 \
-p 2223:2223 \
garfieldwtf/cowrie:latest
cowrie.cfg FileFor advanced configuration (e.g., enabling MySQL output, changing download handling), mount your own configuration file.
cowrie.cfg from the Cowrie project and modify it as needed. Save it, for example, as /path/to/your/cowrie.cfg.docker run -d \
--name cowrie-honeypot \
-v /path/to/your/cowrie.cfg:/cowrie/cowrie-git/etc/cowrie.cfg \
-p 2222:2222 \
-p 2223:2223 \
garfieldwtf/cowrie:latest
To prevent data loss when the container is removed, mount volumes for important directories.
/cowrie/cowrie-git/var/log/cowrie//cowrie/cowrie-git/var/lib/cowrie/downloads//cowrie/cowrie-git/etc/userdb.txtExample with persistent volumes:
docker run -d \
--name cowrie-honeypot \
-v /host/path/cowrie/log:/cowrie/cowrie-git/var/log/cowrie \
-v /host/path/cowrie/downloads:/cowrie/cowrie-git/var/lib/cowrie/downloads \
-p 2222:2222 \
-p 2223:2223 \
garfieldwtf/cowrie:latest
For a more manageable setup, especially with custom configs and volumes, use docker-compose.yml.
Create a docker-compose.yml file:
version: '3.8'
services:
cowrie:
image: garfieldwtf/cowrie:latest
container_name: cowrie-honeypot
restart: unless-stopped
ports:
- "2222:2222"
- "2223:2223"
environment:
- COWRIE_HOSTNAME=honeypot
# - COWRIE_OUTPUT_JSONLOG=true # Add other env vars as needed
volumes:
# Mount custom config (optional)
# - ./cowrie.cfg:/cowrie/cowrie-git/etc/cowrie.cfg
# Persist logs and downloads
- ./cowrie/log:/cowrie/cowrie-git/var/log/cowrie
- ./cowrie/downloads:/cowrie/cowrie-git/var/lib/cowrie/downloads
# Uncomment to run as a specific user/group (e.g., UID 1000)
# user: "1000:1000"
Then run:
docker-compose up -d
python:3.11-slim-bookworm]/cowrie/cowrie-git2222 (SSH)2223 (Telnet)docker-entrypoint.sh (Handles initial setup and config overrides)cowrie) for security.View live logs from your honeypot:
docker logs -f cowrie-honeypot
Access the main Cowrie log file inside the persistent volume:
tail -f /host/path/cowrie/log/cowrie.json
2222 and 2223 will be attacked immediately. Ensure your host firewall is configured appropriately.docker pull garfieldwtf/cowrie:latest) and recreate your container to get the latest Cowrie updates and security fixes.If you encounter issues or have suggestions for this Docker image, please feel free to open an issue or pull request on the GitHub repository for this image (Note: You'll need to create this repo if it doesn't exist).
For issues specific to Cowrie itself, please refer to the official Cowrie GitHub repository.
This Docker image packaging is provided under the MIT License. Cowrie itself is licensed under the Hippocratic License - please review its terms on the official project page.
Content type
Image
Digest
sha256:41956cb4f…
Size
112.4 MB
Last updated
about 1 month ago
docker pull garfieldwtf/cowrie:amd64