Initial commit: DECNET honeypot/deception network framework

Core CLI, service plugins (SSH/SMB/FTP/HTTP/RDP), Docker Compose orchestration, MACVLAN networking, and Logstash log forwarding. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-03 18:56:25 -03:00
commit 3e98c71ca4
37 changed files with 1822 additions and 0 deletions
--- a/templates/cowrie/Dockerfile
+++ b/templates/cowrie/Dockerfile
@@ -0,0 +1,32 @@
+FROM debian:bookworm-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    python3 python3-pip python3-venv \
+    libssl-dev libffi-dev \
+    git authbind \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN useradd -m -s /bin/bash cowrie
+
+WORKDIR /home/cowrie
+RUN python3 -m venv cowrie-env \
+    && cowrie-env/bin/pip install --no-cache-dir cowrie jinja2
+
+# Authbind to bind port 22 as non-root
+RUN touch /etc/authbind/byport/22 /etc/authbind/byport/2222 \
+    && chmod 500 /etc/authbind/byport/22 /etc/authbind/byport/2222 \
+    && chown cowrie /etc/authbind/byport/22 /etc/authbind/byport/2222
+
+RUN mkdir -p /home/cowrie/cowrie-env/etc \
+             /home/cowrie/cowrie-env/var/log/cowrie \
+             /home/cowrie/cowrie-env/var/run \
+    && chown -R cowrie /home/cowrie/cowrie-env/etc \
+                       /home/cowrie/cowrie-env/var
+
+COPY cowrie.cfg.j2 /home/cowrie/cowrie.cfg.j2
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+USER cowrie
+EXPOSE 22 2222
+ENTRYPOINT ["/entrypoint.sh"]
--- a/templates/cowrie/cowrie.cfg.j2
+++ b/templates/cowrie/cowrie.cfg.j2
@@ -0,0 +1,26 @@
+[honeypot]
+hostname = {{ COWRIE_HOSTNAME | default('svr01') }}
+listen_endpoints = tcp:2222:interface=0.0.0.0
+
+[ssh]
+enabled = true
+listen_endpoints = tcp:2222:interface=0.0.0.0
+
+{% if COWRIE_LOG_HOST is defined and COWRIE_LOG_HOST %}
+[output_jsonlog]
+enabled = true
+logfile = cowrie.json
+
+[output_localsocket]
+enabled = false
+
+# Forward JSON events to SIEM/aggregator
+[output_tcp]
+enabled = true
+host = {{ COWRIE_LOG_HOST }}
+port = {{ COWRIE_LOG_PORT | default('5140') }}
+{% else %}
+[output_jsonlog]
+enabled = true
+logfile = cowrie.json
+{% endif %}
--- a/templates/cowrie/entrypoint.sh
+++ b/templates/cowrie/entrypoint.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -e
+
+# Render Jinja2 template using the venv's python (has jinja2)
+/home/cowrie/cowrie-env/bin/python3 - <<'EOF'
+import os
+from jinja2 import Template
+
+with open("/home/cowrie/cowrie.cfg.j2") as f:
+    tpl = Template(f.read())
+
+rendered = tpl.render(**os.environ)
+
+with open("/home/cowrie/cowrie-env/etc/cowrie.cfg", "w") as f:
+    f.write(rendered)
+EOF
+
+exec authbind --deep /home/cowrie/cowrie-env/bin/twistd -n --pidfile= cowrie