This repository has been archived by the owner on Jan 2, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 71
/
honssh.cfg.default
737 lines (626 loc) · 16.5 KB
/
honssh.cfg.default
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
#
# HonSSH configuration file (honssh.cfg)
#
#----------------------------------------------#
# GENERAL SETUP #
#----------------------------------------------#
#-----------------------#
# HONEYPOT #
#-----------------------#
[honeypot]
# IP addresses to listen for incoming SSH connections.
#
# input: IP Address
# required: YES
ssh_addr =
# Port to listen for incoming SSH connections.
#
# input: Number
# required: YES
# default: 2222
ssh_port = 2222
# IP addresses to send outgoing SSH connections.
# 0.0.0.0 for all interfaces
#
# input: IP Address
# required: YES
client_addr =
# Public and private SSH key files.
#
# input: Text
# required: YES
# default: id_rsa.pub
# default: id_rsa
# default: id_dsa.pub
# default: id_dsa
public_key = id_rsa.pub
private_key = id_rsa
public_key_dsa = id_dsa.pub
private_key_dsa = id_dsa
# SSH banner to send to clients
# If not specified, HonSSH will try and obtain it by connecting to
# honey_addr:honey_port
#
# input: text
# required: No
# default:
ssh_banner =
# connection_timeout: connection timeout for pre and post auth handlers
# required: YES
# default: 10
connection_timeout = 10
#-----------------------#
# HONEYPOT STATIC #
#-----------------------#
[honeypot-static]
# Documentation to come, stick with these options and ignore honeypot-* unless you know what you are doing or fancy a challenge
enabled = true
# Should HonSSH use this plugin to get the honeypot details (before authentication)
pre-auth = true
# Should HonSSH use this plugin to get the honeypot details (after authentication)
post-auth = true
# This name will be used when logging to any of the output mechanisms.
# Please ensure it is meaningful.
#
# input: Text
# required: YES
sensor_name =
# IP addresses of the honeypot.
#
# input: IP Address
# required: YES
honey_ip =
# SSH port of the honeypot.
#
# input: Number
# required: YES
# default: 22
honey_port =
#-----------------------#
# HONEYPOT SCRIPT #
#-----------------------#
[honeypot-script]
# Documentation to come
enabled = false
# Should HonSSH use this plugin to get the honeypot details (before authentication)
pre-auth = false
# Should HonSSH use this plugin to get the honeypot details (after authentication)
post-auth = false
# ./script IP LOCALIP PORT LOCALPORT
pre-auth-script =
# ./script IP LOCALIP PORT LOCALPORT USERNAME PASSWORD
post-auth-script =
#-----------------------#
# HONEYPOT DOCKER #
#-----------------------#
[honeypot-docker]
# Documentation to come
enabled = false
# Should HonSSH use this plugin to get the honeypot details (before authentication)
pre-auth = false
# Should HonSSH use this plugin to get the honeypot details (after authentication)
post-auth = false
# image: image id/name to use for honeypot container
# required: if enabled = true
image =
# uri: socket to interact with container daemon
# required: if enabled = true
# default: unix://var/run/docker.sock
uri = unix://var/run/docker.sock
# honey_hostname: the hostname for the container
# required: if enabled = true
hostname = test-box
# launch_cmd: command to run when container is first launched
# required: if enabled = true
# default = service ssh start
launch_cmd = service ssh start
# SSH port of the honeypot.
#
# input: Number
# required: YES
# default: 22
honey_port =
# overlay_folder: Save all changes made to the docker container filesystem into given session
# subdirectory. This includes changes made by the attacker and by the system itself!
# Make sure to apply quotas.
# This feature does *NOT* work with remote docker hosts.
#
# Nothing is saved if left empty.
#
# Supported storage drivers:
# - aufs
# - btrfs
# - overlay
# - overlay2
#
# Warning:
# - This delays the connection until all watches are added
# - This may have a performance impact (depends on the amount of running containers and your hardware)
#
# required: NO
overlay_folder =
# overlay_max_filesize: maximum filesize (kb) to copy.
# Use 0 for unlimited size. Please consider using quotas on your filesystem.
#
# required: NO
# default: 51200 (50 MB)
overlay_max_filesize =
# overlay_use_revisions:
# If 'false' the same file will be overwritten on subsequent modifications.
# If 'true' every file modification will create a new file with running counter appended.
#
# Be careful!! In conjunction with a large overlay_max_filesize or set to 0 this
# can fill your filesystem quite fast. Please consider using quotas on your filesystem.
#
# required: NO
# default: false
overlay_use_revisions =
# reuse_container: If activated containers will be linked to the attackers IP address
# and restarted on subsequent connects from the same IP address.
#
# required: YES
reuse_container = false
# reuse_ttl: Defines how long a stopped container should be retained for reuse.
# The amount is measured in minutes.
# Use '0' for no cleanup.
# reuse_container has to be activated.
#
# required = NO
# default = 1440 (24 h)
reuse_ttl =
# reuse_ttl_check_interval: Defines in which interval the ttl should be checked.
# The amount is measured in minutes.
#
# required = NO
# default = 30
reuse_ttl_check_interval =
# Pid limit of the honeypot (-1 for unlimited)
#
# input: Number
# required: NO
# default: -1
pids_limit =
# Memory limit of the honeypot
# Example: 1G
#
# required: NO
mem_limit =
# Swap limit of the honeypot
# Example: 1G
#
# required: NO
memswap_limit =
# Shm size limit of the honeypot
# Example: 1G
#
# required: NO
shm_size =
# Microseconds of CPU time that the container can get in a CPU period of the honeypot
#
# input: Number
# required: NO
cpu_period =
# CPU shares (relative weight) of the honeypot
# Example: Percentage * value of cat /sys/fs/cgroup/cpu/docker/cpu.shares
#
# required: NO
cpu_shares =
# CPUs in which to allow execution of the honeypot
# Example: 0-3, 0,1
#
# required: NO
cpuset_cpus =
#-----------------------#
# HONEYPOT RESTRICTIONS #
#-----------------------#
[hp-restrict]
# When enabled, HonSSH will restrict connections to password only and decline any public keys.
# HonSSH will not work with public keys - this should always be true.
#
# input: true/false
# required: YES
# default: true
disable_publicKey = true
# When enabled, HonSSH will block any attempts to start an X11 session.
# You can allow X11 but HonSSH will not log the session.
#
# input: true/false
# required: YES
# default: true
disable_x11 = true
# When enabled, HonSSH will block any attempts to start an SFTP session.
# HonSSH will log SFTP traffic and capture downloaded files.
#
# input: true/false
# required: YES
# default: false
disable_sftp = false
# When enabled, HonSSH will block any attempts to start an EXEC session.
# HonSSH will log all EXEC sessions, including SCP transfers.
#
# input: true/false
# required: YES
# default: false
disable_exec = false
# When enabled, HonSSH will block any attempts to start running port forwarding over SSH.
# You can allow port forwarding but HonSSH will not log the session - Yet! (log to PCAP?)
#
# input: true/false
# required: YES
# default: true
disable_port_forwarding = true
#-----------------------#
# OUTPUT DIRECTORIES #
#-----------------------#
[folders]
# Directory where log files will be saved in.
#
# input: Text
# required: YES
# default: logs
log_path = logs
# Directory where session files will be saved in.
#
# input: Text
# required: YES
# default: sessions
session_path = sessions
#-----------------------#
# ADVANCED NETWORKING #
#-----------------------#
[advNet]
# To enable this HonSSH must be ran as root or an account allowed to run
# iptables and ip link/addr commands.
#
# With this disabled, the honeypot will always see connections coming from
# honey_addr. With this enabled, connections will look as if the connections
# are coming from the attacker.
# See the Wiki page for more details.
# https://github.com/tnich/honssh/wiki/Advanced-Networking
#
# input: true/false
# required: YES
# default: false
enabled = false
#-----------------------#
# LIVE INTERACTION #
#-----------------------#
[interact]
# Session management interface.
#
# This is a TCP based service that can be used to interact with active
# sessions. Disabled by default.
#
# Use honsshInteraction.py to interact with this interface.
#
# input: true/false
# required: YES
# default: false
enabled = false
# Interface to create the interaction on - 0.0.0.0 for all.
#
# input: IP Address
# required: if interact_enabled = true
# default: 127.0.0.1
interface = 127.0.0.1
# Port to create the interaction on
#
# input: Number
# required: if interact_enabled = true
# default: 5123
port = 5123
#-----------------------#
# PASSWORD SPOOFING #
#-----------------------#
[spoof]
# Enabling this will allow HonSSH to spoof an incorrect password with the real password.
# A list of users and passwords must be defined in the users.cfg file.
#
# Passwords to spoof can either be a fixed list or a random chance.
#
# See the Wiki page for more details.
# https://github.com/tnich/honssh/wiki/Password-Spoofing
#
# input: true/false
# required: YES
# default: false
enabled = false
# Location of the users.cfg file
#
# input: text
# required: if enabled is true
# default: users.cfg
users_conf = users.cfg
#----------------------------------------------#
# LOGGING AND OUTPUTS #
#----------------------------------------------#
#-----------------------#
# FILE DOWNLOADING #
#-----------------------#
[download]
# File Download
#
# HonSSH will attempt to download all scp and sftp files to a local store if this is true
#
# input: true/false
# required: YES
# default: false
passive = false
# HonSSH wil attempt to download all wget files to a local store.
#
# I believe another tool should be used to passively capture all http(s) connections on all ports - maybe the next project?
# Until then HonSSH will use a 'best effort' approach to capture files when the wget commands is detected.
# It will not be able to capture commands such as:
# url=www.test.url; wget $url
#
# input: true/false
# required: YES
# default: false
active = false
#-----------------------#
# TEXT LOGGING #
#-----------------------#
[output-txtlog]
# All activity will be logged to text files
# A log of entry attempts will be kept in log_path/
# A log of session activity will be kept in session_path/
#
# input: true/false
# required: YES
# default: true
enabled = true
#-----------------------#
# MYSQL LOGGING #
#-----------------------#
[output-mysql]
# All activity will be logged to a MYSQL Database
# Database structure for this module is supplied in utils/honssh.sql
#
# input: true/false
# required: yes
# default: false
enabled = false
# IP address of the database
#
# input: IP Address
# required: if enabled = true
# default: localhost
host =
# Port to connect to the database on
#
# input: Number
# required: NO
# default: 3306
port = 3306
# Name of the database
#
# input: Text
# required: if enabled = true
database =
# Username to authenticate with the database
#
# input: Text
# required: if enabled = true
username =
# Password to authenticate with the database
#
# input: Text
# required: if enabled = true
password =
#-----------------------#
# EMAIL LOGGING #
#-----------------------#
[output-email]
# Enable email output plugin
#
# dependency: txtlog MUST be enabled
# input: true/false
# required: YES
# default: false
enabled = false
# Send an email upon hacker connect
#
# dependency: txtlog MUST be enabled
# input: true/false
# required: YES
# default: false
login = false
# Send an email upon hacker disconnect - Will attach the tty log file
#
# dependency: txtlog MUST be enabled
# input: true/false
# required: YES
# default: false
attack = false
# Your SMTP Host
#
# input: Text
# required: if login or attack = true
host =
# Your SMTP Port
#
# input: Number
# required: if login or attack = true
port =
# Use SSL/TLS to connect to the SMTP provider?
#
# input: true/false
# required: if login or attack = true
# default: true
use_tls = true
# Does your SMTP provider require a login?
#
# input: true/false
# required: if login or attack = true
# default: true
use_smtpauth = true
# Your SMTP login username
#
# input: Text
# required: if use_smtpauth = true
username =
# Your SMTP login password
#
# input: Text
# required: if use_smtpauth = true
password =
# The address the email is sent from
#
# input: Email Address
# required: if login or attack = true
from =
# The address(es) the email is sent to
#
# input: Email Addresses in a comma seperated list spaces without
# required: if login or attack = true
to =
#-----------------------#
# HP FEEDS #
#-----------------------#
[output-hpfeeds]
# All activity will be logged to a hpfeeds broker for dissemination
# between the honeypot community.
# Authentication attempts will be logged to honssh.auth
# Sessions will be logged to honssh.sessions
#
# input: true/false
# required: yes
# default: false
enabled = false
# The server address of the hpfeeds broker
#
# input: Text
# required: if enabled = true
server =
# The server port of the hpfeeds broker
#
# input: Number
# required: if enabled = true
port =
# Your hpfeed authe key identifier
#
# input: Text
# required: if enabled = true
identifier =
# Your hpfeed authe key secret
#
# input: Text
# required: if enabled = true
secret =
#-----------------------#
# APPLICATION HOOKS #
#-----------------------#
[output-app_hooks]
# Enable app_hooks output plugin
#
# input: true/false
# required: YES
# default: false
enabled = false
# If you want any other application hooks or arguments passing, raise an issue
# on the HonSSH code page.
# Calls the script when a connection is made with the following arguments
# ./script CONNECTION_MADE DATETIME IP PORT HONEYIP HONEYPORT SESSION_ID
#
# input: path of script to run
# required: NO
connection_made =
# Calls the script when a connection is lost with the following arguments
# ./script CONNECTION_LOST DATETIME IP PORT HONEYIP HONEYPORT SESSION_ID
#
# input: path of script to run
# required: NO
connection_lost =
# Calls the script when a login is successful with the following arguments
# ./script LOGIN_SUCCESSFUL DATETIME IP USERNAME PASSWORD
#
# input: path of script to run
# required: NO
login_successful =
# Calls the script when a login has failed with the following arguments
# ./script LOGIN_FAILED DATETIME IP USERNAME PASSWORD
#
# input: path of script to run
# required: NO
login_failed =
# Calls the script when a channel is opened with the following arguments
# ./script CHANNEL_OPENED DATETIME NAME CHANNEL_ID
#
# input: path of script to run
# required: NO
channel_opened =
# Calls the script when a channel is closed with the following arguments
# ./script CHANNEL_CLOSED DATETIME NAME CHANNEL_ID
#
# input: path of script to run
# required: NO
channel_closed =
# Calls the script when a command is entered with the following arguments
# ./script COMMAND_ENTERED DATETIME CHANNEL_ID COMMAND
#
# input: path of script to run
# required: NO
command_entered =
# Calls the script when a file download is started with the following arguments
# ./script DOWNLOAD_STARTED DATETIME CHANNEL_ID LINK FILE_PATH
#
# input: path of script to run
# required: NO
download_started =
# Calls the script when a file download is finished with the following arguments
# ./script DOWNLOAD_FININSHED DATETIME CHANNEL_ID LINK FILE_PATH
#
# input: path of script to run
# required: NO
download_finished =
# Calls the script when a ttylog file is closed with the following arguments
# ./script TTYLOG_CLOSED SENSOR_NAME TTYLOG_FILE
#
# input: path of script to run
# required: NO
ttylog_closed =
#-----------------------#
# PACKET LOGGING #
#-----------------------#
[packet_logging]
# Set to true to enable plugins to use the packet_logged function
#
# input: true/false
# required: YES
# default: false
enabled = false
[output-packets]
# Log all SSH Packets to text file (.log-adv)
#
# dependency: packet_logging MUST be enabled
# input: true/false
# required: YES
# default: false
enabled = false
#-----------------------#
# SLACK #
#-----------------------#
[output-slack]
# Set to true to enable outputting to a Slack channel
#
# input: true/false
# required: YES
# default: false
enabled = false
# The webhook URL for Slack
#
# input: Text
# required: if enabled = true
webhook-url =
#-----------------------#
# CONTRIBUTE #
#-----------------------#
[output-contribute]
# I created this project because I like watching what people do on honeypots.
# This plugin simply posts the data from each session to me (no private information, just data generated by HonSSH).
# Feel free to turn it off.
#
# input: true/false
# required: YES
# default: false
enabled = false