Correct SSH version in cowrie.cfg by neon-ninja · Pull Request #1661 · telekom-security/tpotce

neon-ninja · 2024-09-27T04:53:30Z

Hi,

Thanks for making this open source. This PR adjusts the reported Cowrie SSH version to match what is sent by a real Ubuntu 22.04LTS system. This reduces the ease of fingerprinting this as a honeypot. Currently, this string is unique to tpot, so it's easy to see all running honeypots worldwide (that have updated since 025ab2d) on https://www.shodan.io/search?query=product%3A%22OpenSSH%22+version%3A%228.9p1+Ubuntu+2ubuntu0.10%22 (840). Compare this against https://www.shodan.io/search?query=product%3A%22OpenSSH%22+version%3A%228.9p1+Ubuntu+3ubuntu0.10%22 (2,841,601).

Additionally, this makes the honeypot not read as vulnerable to CVE-2024-6387 (regreSSHion) by scanners such as https://github.com/xaitax/CVE-2024-6387_Check/tree/main

Cheers,
Nick

t3chn0m4g3 · 2024-09-28T13:08:15Z

t3chn0m4g3 · 2024-09-28T13:35:09Z

@neon-ninja Images haven been built and pushed.

Correct SSH version in cowrie.cfg

dd741e9

t3chn0m4g3 self-assigned this Sep 28, 2024

t3chn0m4g3 added the Great catch and fix 🎉 label Sep 28, 2024

t3chn0m4g3 added this to the 24.04.1 milestone Sep 28, 2024

t3chn0m4g3 merged commit 34eb7d6 into telekom-security:master Sep 28, 2024

Provide feedback