什么是蜜罐:
蜜罐用于检测和记录攻击,当攻击者试图入侵系统时发挥作用。
这里我们讨论的蜜罐是一个 SSH 蜜罐。
前言
本文是在我之前发布的关于在实际环境中运行 SSH 蜜罐 30 天的文章之后发表的,那个文章引起了不小的关注,我收到了很多请求,想看我如何设置和配置这个 SSH 蜜罐。
上一篇文章:
Sofiane的博客 - 运行 SSH 蜜罐 30 天后的收获
要求
我们将在一个没有任何特定预配置的普通 VPS 上进行设置。
[!重要]
该设置仅用于研究和测试,请勿在您的本地网络或个人/工作网络中部署。
VPS
您可以根据自己的需求选择适合您的VPS 提供商。
Cowrie 蜜罐
有几种著名的 SSH 蜜罐,我们这里使用的是名为 Cowrie 的蜜罐。
它是著名的 Kippo 蜜罐的改进版本。
Docker
本次安装将使用 Cowrie 的 Docker 镜像。
因此,您需要在新 VPS 上安装 Docker,可以查阅官方 Docker 文档进行安装。
需要安装的软件包
- python3
- wget
配置
我通常会更改服务器或机器上的默认 SSH 端口。
我喜欢的方法是将真实的 SSH 端口设置为类似 2022 的端口,然后配置蜜罐监听默认的 SSH 端口 22。
安装
Cowrie 默认配置为监听端口 2222。我们将在 Docker 容器中将此端口映射到主机上的 22 端口。这样设置后,可以无缝地把所有扫描机器人和攻击者引导到蜜罐上。
创建、配置并使用 cowrie 用户:
> sudo adduser --disabled-password cowrie #添加用户
Adding user 'cowrie' ...
Adding new group 'cowrie' (1002) ...
Adding new user 'cowrie' (1002) with group 'cowrie' ...
Changing the user information for cowrie
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
> sudo usermod -aG docker cowrie #将 cowrie 用户添加到 docker 组
> sudo su - cowrie #切换到 cowrie 用户
继续之前,先在 VPS 目录内创建文件夹来存储所有日志,确保日志是直接可访问的,而非仅存在容器内。
此外,将 “cowrielog” 和 “cowrietty” 文件夹设置为所有用户可读写权限。
> mkdir cowrielog && mkdir cowrietty
> chmod -R a+rw cowrielog/ cowrietty/
启动 Cowrie 蜜罐:
> docker run --name cowrie -p 22:2222 -v /home/cowrie/cowrielog:/cowrie/cowrie-git/var/log/cowrie/ -v /home/cowrie/cowrietty:/cowrie/cowrie-git/var/lib/cowrie/tty cowrie/cowrie:latest
2024-06-17T14:47:28+0000 [-] Python Version 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0]
2024-06-17T14:47:28+0000 [-] Twisted Version 24.3.0
2024-06-17T14:47:28+0000 [-] Cowrie Version 2.5.0
2024-06-17T14:47:28+0000 [-] Loaded output engine: jsonlog
2024-06-17T14:47:28+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 24.3.0 (/cowrie/cowrie-env/bin/python3 3.11.2) starting up.
2024-06-17T14:47:28+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
2024-06-17T14:47:28+0000 [-] CowrieSSHFactory starting on 2222
2024-06-17T14:47:28+0000 [cowrie.ssh.factory.CowrieSSHFactory#info] Starting factory <cowrie.ssh.factory.CowrieSSHFactory object at 0x7c4c73951b10>
2024-06-17T14:47:28+0000 [-] Generating new RSA keypair...
2024-06-17T14:47:28+0000 [-] Generating new ECDSA keypair...
2024-06-17T14:47:28+0000 [-] Generating new ed25519 keypair...
2024-06-17T14:47:28+0000 [-] Ready to accept SSH connections
分析日志
日志文件位于 ~/cowrielog,tty 重放日志则在 ~/cowrietty
使用 Linux 命令
使用 jq 命令可以过滤和组织输出。该工具允许您从 JSON 数据中精确提取所需信息。
JSON 格式日志在结构、可读性、处理、鲁棒性和观察性方面优势显著,是现代软件开发与运维日志的理想选择。
获取所有登录尝试:
> jq '.| select(.eventid | startswith("cowrie.login"))' cowrie.json
输出示例:
{
"eventid": "cowrie.login.failed",
"username": "tserver",
"password": "tserver",
"message": "login attempt [tserver/tserver] failed",
"sensor": "8caf2d7e4943",
"timestamp": "2024-06-17T14:56:07.547278Z",
"src_ip": "59.24.160.227",
"session": "6530ab02251d"
}
{
"eventid": "cowrie.login.failed",
"username": "student02",
"password": "student02",
"message": "login attempt [student02/student02] failed",
"sensor": "8caf2d7e4943",
"timestamp": "2024-06-17T14:56:12.223248Z",
"src_ip": "59.24.160.227",
"session": "56b69171281c"
}
{
"eventid": "cowrie.login.failed",
"username": "vyos",
"password": "vyos",
"message": "login attempt [vyos/vyos] failed",
"sensor": "8caf2d7e4943",
"timestamp": "2024-06-17T14:56:16.560385Z",
"src_ip": "59.24.160.227",
"session": "c0fcc16bedfc"
}
获取所有成功登录尝试:
> jq '. | select(.eventid == "cowrie.login.success")' cowrie.json
输出示例:
{
"eventid": "cowrie.login.success",
"username": "root",
"password": "Passw0rd",
"message": "login attempt [root/Passw0rd] succeeded",
"sensor": "8caf2d7e4943",
"timestamp": "2024-06-17T14:53:39.274245Z",
"src_ip": "141.98.10.106",
"session": "d5c5f7b97455"
}
获取所有失败登录尝试:
> jq '. | select(.eventid == "cowrie.login.failed")' cowrie.json
输出示例:
{
"eventid": "cowrie.login.failed",
"username": "vsftp",
"password": "vsftp",
"message": "login attempt [vsftp/vsftp] failed",
"sensor": "8caf2d7e4943",
"timestamp": "2024-06-17T14:55:55.663982Z",
"src_ip": "59.24.160.227",
"session": "164c6534c698"
}
{
"eventid": "cowrie.login.failed",
"username": "yangjie",
"password": "yangjie",
"message": "login attempt [yangjie/yangjie] failed",
"sensor": "8caf2d7e4943",
"timestamp": "2024-06-17T14:55:59.626399Z",
"src_ip": "59.24.160.227",
"session": "809749c9eba7"
}
{
"eventid": "cowrie.login.failed",
"username": "pedro",
"password": "pedro",
"message": "login attempt [pedro/pedro] failed",
"sensor": "8caf2d7e4943",
"timestamp": "2024-06-17T14:56:03.966702Z",
"src_ip": "59.24.160.227",
"session": "b9bee41ed3d2"
}
获取登录尝试次数:
> cat cowrie.json| grep "cowrie.login" | wc -l
12419
获取成功登录次数:
> cat cowrie.json| grep "cowrie.login.success" | wc -l
379
获取失败登录次数:
> cat cowrie.json| grep "cowrie.login.failed" | wc -l
12040
获取来源 IP 地址:
> jq '.src_ip' cowrie.json
"141.98.10.106"
"141.98.10.106"
"141.98.10.106"
"141.98.10.106"
"59.24.160.227"
"59.24.160.227"
"59.24.160.227"
"59.24.160.227"
"59.24.160.227"
"59.24.160.227"
检查执行的命令
过滤日志文件
> jq '. | select(.eventid == "cowrie.command.input")' cowrie.json
输出示例:
{
"eventid": "cowrie.command.input",
"input": "cd ~; chattr -ia .ssh; lockr -ia .ssh",
"message": "CMD: cd ~; chattr -ia .ssh; lockr -ia .ssh",
"sensor": "2c091cd328dc",
"timestamp": "2024-06-18T00:38:20.746663Z",
"src_ip": "121.156.118.253",
"session": "22e1e1e98a94"
}
{
"eventid": "cowrie.command.input",
"input": "cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~",
"message": "CMD: cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~",
"sensor": "2c091cd328dc",
"timestamp": "2024-06-18T00:38:21.702641Z",
"src_ip": "121.156.118.253",
"session": "22e1e1e98a94"
}
...
使用 Cowrie playlog 重放会话日志
使用 playlog,您可以重放 tty 会话中执行的命令。
> cd ~/cowrietty && wget https://raw.githubusercontent.com/cowrie/cowrie/master/src/cowrie/scripts/playlog.py
> python3 playlog.py <SESSION ID>
示例输入输出:
> python3 playlog.py cc1eb03e9b5926d8076e25826664a04400de854bf5cc660fa35eb86cbdf7dc0f
cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
想更深入了解?
你可以将 Cowrie 配置为与日志监控工具集成,相关配置和安装可查阅官方 Cowrie 文档。
您可能还喜欢
HTB - Sorcery
<h2 id="key-highlights"><a class="toclink internal-link internal-link" href="#key-highlights" hreflang="en">Key Highlights</a></h2><ul><li>Learn how t...
HTB - DarkCorp
<h2 id="machine-info"><a class="toclink internal-link internal-link" href="#machine-info" hreflang="en">Machine info</a></h2><ul><li><strong>System</s...
The Growing Threat: The Dark side of AI and LLMs
Criminals exploit AI and large language models to automate attacks, craft convincing phishing, bypass defenses, and accelerate malware...
Tailscale 的魔力揭秘:安全便捷的网络新体验
通过 Tailscale 的零配置 VPN,安全访问你所有设备。它提供端到端加密、跨平台支持和无缝远程访问,无需暴露端口,非常适合安全管理分布式网络和云资产。
讨论
发表评论
访客评论在网站上显示前将被审核。
还没有评论。成为第一个开始讨论的人!