Hi @mkgvt_gitlab ! Thanks for the interest in the project!
This is one that often gives folks pause; cowrie’s default behavior is to let attackers “log in” and then record the commands that are attempted by the attacker. If cowrie recognizes an attempt to pull down a file (such as “wget badsite.com/malware”), cowrie will go fetch the file, hash it, and store the file in the local filesystem (in this case, inside the container).
docker-compose exec chnserver grep DEPLOY_KEY /opt/config.py
@d90 : One (underused) option that may help in this case (unsure since I’m not sure what Nmap is keying on; chodonne’s answer may be what’s needed) is to use the personalities option for the honeypot:
Routing 10.0.10.0/24 to an anyip host with a “real/management” interface on 10.0.20.5 is just dandy.
But if you tried to send a default route of 10.0.0.0/16 at the anyip interface, your management interface traffic would end up sucked into the honeypot as well, which is of course not ideal. :-/