Installing Dionaea honeypot on Ubuntu Server 14.04
From Zam Wiki
Revision as of 18:10, 13 November 2014
Introduction
Dionaea's initial development was funded by the Honeynet Project as part of the Honeynet Summer of Code in 2009. The development process is as open as possible: you can browse the source online, subscribe to RSS updates, and submit bugs or patches. You can also browse the code on GitHub and submit code for enhancements or anything else.
Requirements
- libev >=4.04, schmorp.de
- libglib >=2.20
- libssl, openssl.org
- liblcfg, liblcfg.carnivore.it
- libemu, libemu.carnivore.it
- python >=3.2, python.org
- sqlite >=3.3.6, sqlite.org
- readline >=3, cnswww.cns.cwru.edu
- cython >0.14.1, cython.org
- libudns, corpit.ru
- libcurl >=7.18, curl.haxx.se
- libpcap >=1.1.1, tcpdump.org
- libnl from git, infradead.org (optional)
- libgc >=6.8, hp.com (optional)
Install required packages from repo
apt-get install libudns-dev libglib2.0-dev libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev python-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libgc-dev libgc1c2 sqlite3 python-geoip sqlite python-pip
P.S.: Some packages are provided by the apt tree, so you don't have to install everything from source.
Create /opt/dionaea/ directory
mkdir /opt/dionaea/
Create temp folder for installation
mkdir ~/src
Install required packages
Liblcfg
cd ~/src
git clone git://git.carnivore.it/liblcfg.git liblcfg
cd liblcfg/code
autoreconf -vi
./configure --prefix=/opt/dionaea
make install
ldconfig
Libemu
apt-get install libemu-dev
Libnl
In case you use Ubuntu, libnl3 may be available in apt:
apt-get install libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev
Libev
cd ~/src
wget http://dist.schmorp.de/libev/libev-4.19.tar.gz
tar xfz libev-4.19.tar.gz
cd libev-4.19
./configure --prefix=/opt/dionaea
make install
ldconfig
Python 3.2
Before installing Python, we will install required dependencies:
- readline
Should be available for every distribution.
- sqlite > 3.3
Should be available for every distribution. If your distribution's sqlite version is < 3.3 and does not support triggers, you are doomed; please let me know, and I'll write about how broken Python's build scripts are and document how to compile it with a user-provided, more recent sqlite version.
- Python
cd ~/src
wget http://www.python.org/ftp/python/3.2.2/Python-3.2.2.tgz
tar xfz Python-3.2.2.tgz
cd Python-3.2.2/
./configure --enable-shared --prefix=/opt/dionaea --with-computed-gotos --enable-ipv6 LDFLAGS="-Wl,-rpath=/opt/dionaea/lib/ -L/usr/lib/x86_64-linux-gnu/"
make
make install
ldconfig
Cython
We have to use cython >= 0.15, as previous releases do not support Python 3.2's Py_Hash_type for __hash__ on x86.
cd ~/src
wget http://cython.org/release/Cython-0.21rc1.tar.gz
tar xfz Cython-0.21rc1.tar.gz
cd Cython-0.21rc1
/opt/dionaea/bin/python3 setup.py install
ldconfig
Libcurl
Grabbing curl from your distribution's maintainer should work if you run a decent distribution. If not, consider upgrading your operating system.
Libpcap
To honor the effort, we rely on libpcap 1.1.1. Most distros ship older versions, so it is likely that you have to install it from source.
cd ~/src
wget http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz
tar xfz libpcap-1.6.2.tar.gz
cd libpcap-1.6.2
./configure --prefix=/opt/dionaea
make
make install
ldconfig
Fingerprinting with p0f
For more information about attackers and their operating systems and versions, you should install the fingerprinting library "p0f":
apt-get install p0f -y
cd /
sudo mkdir nonexistent
sudo chown -R nobody:nogroup nonexistent
sudo mkdir /var/p0f
Dionaea has p0f integrated into its stream analysis. However, p0f must be launched separately, before Dionaea is started:
sudo p0f -i venet0:0 -u nobody -Q /tmp/p0f.sock -q -l -d -o /var/p0f/p0f.log
- Please change the network interface (venet0:0 in the example above) to your proper network interface, e.g. eth0 or p32p1.
- You can check this by issuing the command ifconfig to see your interfaces.
sudo chown nobody:nogroup /tmp/p0f.sock
Check that the p0f process is running before configuring the associated socket /tmp/p0f.sock in Dionaea later:
sudo ps -ef | grep p0f
nobody 460 1 0 May17 ? 00:00:01 /usr/sbin/p0f -u nobody -i venet0:0 -Q /tmp/p0f.sock -q -l -d -o /var/p0f/p0f.log
Clone Dionaea from github
cd ~/src
git clone git://git.carnivore.it/dionaea.git dionaea
Compiling dionaea
Edit file configure
cd ~/src/dionaea
autoreconf -vi
nano +13785 configure
Change from this line:
LIB_SSL_LIBS="-L$ssl_lib -lssl"
To this:
LIB_SSL_LIBS="-L$ssl_lib -lssl -lcrypto"
Proceed for installation
./configure --with-lcfg-include=/opt/dionaea/include/ \
  --with-lcfg-lib=/opt/dionaea/lib/ \
  --with-python=/opt/dionaea/bin/python3.2 \
  --with-cython-dir=/opt/dionaea/bin \
  --with-udns-include=/opt/dionaea/include/ \
  --with-udns-lib=/opt/dionaea/lib/ \
  --with-emu-include=/opt/dionaea/include/ \
  --with-emu-lib=/opt/dionaea/lib/ \
  --with-gc-include=/usr/include/gc \
  --with-ev-include=/opt/dionaea/include \
  --with-ev-lib=/opt/dionaea/lib \
  --with-nl-include=/opt/dionaea/include \
  --with-nl-lib=/opt/dionaea/lib/ \
  --with-curl-config=/usr/bin/ \
  --with-pcap-include=/opt/dionaea/include \
  --with-pcap-lib=/opt/dionaea/lib/ \
  --with-ssl-lib=/usr/lib/x86_64-linux-gnu/ \
  --disable-werror
make
make install
ldconfig
Set file permission
sudo chown -R nobody:nogroup /opt/dionaea/var/dionaea
sudo chown -R nobody:nogroup /opt/dionaea/var/log
Update Dionaea
git pull; make clean install
But you always want to make sure your config file is up to date; to compare it with the shipped default, you can use
cd /opt/dionaea/etc/dionaea
diff dionaea.conf dionaea.conf.dist
Start Dionaea
/opt/dionaea/bin/dionaea -u nobody -g nogroup -c /opt/dionaea/etc/dionaea/dionaea.conf -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid -D
You can check whether dionaea is properly up and running:
- Check the process:
ps -ef | grep dionaea
nobody 2356 1 0 May21 ? 00:00:16 /opt/dionaea/bin/dionaea -u nobody -g nogroup -c /opt/dionaea/etc/dionaea/dionaea.conf -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid -D
root 2357 2356 0 May21 ? 00:00:00 /opt/dionaea/bin/dionaea -u nobody -g nogroup -c /opt/dionaea/etc/dionaea/dionaea.conf -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid -D
- Check the network status:
netstat -tnlp | grep dionaea
tcp 0 0 :::5060 :::* LISTEN 11445/dionaea
tcp 0 0 :::5061 :::* LISTEN 11445/dionaea
tcp 0 0 :::135 :::* LISTEN 11445/dionaea
tcp 0 0 :::3306 :::* LISTEN 11445/dionaea
tcp 0 0 :::42 :::* LISTEN 11445/dionaea
tcp 0 0 :::21 :::* LISTEN 11445/dionaea
tcp 0 0 :::1433 :::* LISTEN 11445/dionaea
tcp 0 0 :::443 :::* LISTEN 11445/dionaea
tcp 0 0 :::445 :::* LISTEN 11445/dionaea
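An added health check for the two verification steps above (example code written for this page, not part of the original guide or of the dionaea project): it parses "ps -ef" and "netstat -tnlp" output of the shape shown, confirms which user the daemon runs as, and lists every expected port that has no dionaea listener, so a service that failed to bind is noticed instead of silently logging nothing. The sample outputs and the expected port list are constructed from the guide's own examples.

```shell
#!/bin/sh
# Added health check for a freshly started dionaea honeypot; it is not part of
# the original guide. It reads the output of "ps -ef" and "netstat -tnlp"
# (passed in as text, so the functions can be tested offline) and reports
# whether the daemon runs as the unprivileged user and which expected ports
# it failed to bind. A silently missing listener means a silent loss of data.

# Ports the guide's netstat output shows dionaea listening on.
EXPECTED_PORTS="21 42 135 443 445 1433 3306 5060 5061"

# running_as PS_OUTPUT PROGRAM
# Prints the user of the first process whose command path ends in PROGRAM
# (column 8 of "ps -ef"); prints nothing if no such process exists.
running_as() {
    printf '%s\n' "$1" | awk -v prog="$2" '$8 ~ ("/" prog "$") { print $1; exit }'
}

# listening_ports NETSTAT_OUTPUT
# Prints, one per line, the local port of every LISTEN socket owned by dionaea.
listening_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $7 ~ /\/dionaea$/ {
            n = split($4, a, ":"); print a[n]
        }' | sort -n | uniq
}

# missing_ports NETSTAT_OUTPUT EXPECTED_PORTS
# Prints, space separated, each expected port with no dionaea listener.
missing_ports() {
    have=$(listening_ports "$1")
    out=""
    for p in $2; do
        printf '%s\n' "$have" | grep -qx "$p" || out="$out $p"
    done
    printf '%s' "${out# }"
}

# Constructed sample output: dionaea is up but only two of the ports are bound.
PS_SAMPLE='UID PID PPID C STIME TTY TIME CMD
nobody 2356 1 0 May21 ? 00:00:16 /opt/dionaea/bin/dionaea -u nobody -g nogroup -D
root 2400 2390 0 May21 pts/0 00:00:00 grep dionaea'
NETSTAT_SAMPLE='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
tcp6 0 0 :::5060 :::* LISTEN 2356/dionaea
tcp6 0 0 :::445 :::* LISTEN 2356/dionaea'

# On the honeypot itself, feed in live output instead of the samples:
#   running_as "$(ps -ef)" dionaea
#   missing_ports "$(netstat -tnlp 2>/dev/null)" "$EXPECTED_PORTS"
```

The same functions work for p0f by passing p0f as the program name, which mirrors the ps check in the fingerprinting section.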
If you are curious in the meantime, it is worth looking into the following directories and files. The dionaea log files are located here:
/opt/dionaea/var/log
And the content is:
dionaea-errors.log dionaea.log
The files captured by dionaea and its SQLite logs are located here:
/opt/dionaea/var/dionaea
And the content:
binaries bistreams logsql.sqlite sipaccounts.sqlite vtcache.sqlite wwwroot