Difference between revisions of "Installing Dionaea honeypot on Ubuntu Server 14.04"
From Zam Wiki
Latest revision as of 18:14, 13 November 2014
Introduction
Dionaea's initial development was funded by the Honeynet Project as part of the Honeynet Summer of Code 2009. The development process is as open as possible: you can browse the source online, subscribe to RSS updates, and submit bugs or patches. The code is also on GitHub, where you can submit enhancements.
Requirements
- libev >=4.04, schmorp.de
- libglib >=2.20
- libssl, openssl.org
- liblcfg, liblcfg.carnivore.it
- libemu, libemu.carnivore.it
- python >=3.2, python.org
- sqlite >=3.3.6 sqlite.org
- readline >=3 cnswww.cns.cwru.edu
- cython >0.14.1, cython.org
- libudns, corpit.ru
- libcurl >=7.18, curl.haxx.se
- libpcap >=1.1.1, tcpdump.org
- libnl from git, infradead.org (optional)
- libgc >=6.8, hp.com (optional)
Install required packages from repo
sudo apt-get install libudns-dev libglib2.0-dev libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev python-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libgc-dev libgc1c2 sqlite3 python-geoip sqlite python-pip
P/S: some of the dependencies are available from the Ubuntu repositories, so you do not have to build everything from source. Strictly speaking only the make install and ldconfig steps below need root; running configure and make with sudo works but leaves the source trees owned by root.
Create /opt/dionaea/ directory
sudo mkdir /opt/dionaea/
Create temp folder for installation
mkdir ~/src
Install required packages
Liblcfg
cd ~/src
git clone git://git.carnivore.it/liblcfg.git liblcfg
cd liblcfg/code
sudo autoreconf -vi
sudo ./configure --prefix=/opt/dionaea
sudo make install
sudo ldconfig
Libemu
sudo apt-get install libemu-dev
Libnl
On Ubuntu, libnl3 is available from apt, so there is no need to build it from git:
sudo apt-get install libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev
Libev
cd ~/src
wget http://dist.schmorp.de/libev/libev-4.19.tar.gz
tar xfz libev-4.19.tar.gz
cd libev-4.19
sudo ./configure --prefix=/opt/dionaea
sudo make install
sudo ldconfig
Python 3.2
Before installing Python, we will install required dependencies:
- readline
Should be available for every distribution.
- sqlite > 3.3
Should be available for every distribution. If your distribution's sqlite version is < 3.3 and does not support triggers, you are doomed; please let me know, and I'll write about how broken Python's build scripts are and document how to compile it against a user-provided, more recent sqlite version.
- Python
cd ~/src
wget http://www.python.org/ftp/python/3.2.2/Python-3.2.2.tgz
tar xfz Python-3.2.2.tgz
cd Python-3.2.2/
sudo ./configure --enable-shared --prefix=/opt/dionaea --with-computed-gotos --enable-ipv6 LDFLAGS="-Wl,-rpath=/opt/dionaea/lib/ -L/usr/lib/x86_64-linux-gnu/"
sudo make
sudo make install
sudo ldconfig
Cython
We have to use Cython >= 0.15, as earlier releases do not support Python 3.2's Py_Hash_type for __hash__ on x86. Cython is installed with the Python built above, not the system one:
cd ~/src
wget http://cython.org/release/Cython-0.21rc1.tar.gz
tar xfz Cython-0.21rc1.tar.gz
cd Cython-0.21rc1
sudo /opt/dionaea/bin/python3 setup.py install
sudo ldconfig
Be patient, as this may take some time to finish. :)
Libcurl
Taking libcurl from your distribution's packages should work on any reasonably current distribution; if not, consider upgrading your operating system. On Ubuntu 14.04 the libcurl4-openssl-dev package installed above is sufficient.
Libpcap
Dionaea requires libpcap >= 1.1.1. Most distributions used to ship older versions, so the original instructions build it from source. Ubuntu 14.04's libpcap0.8-dev (1.5.3) already satisfies the requirement, but the steps below install 1.6.2 under /opt/dionaea, which is what the configure flags further down expect:
cd ~/src
wget http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz
tar xfz libpcap-1.6.2.tar.gz
cd libpcap-1.6.2
sudo ./configure --prefix=/opt/dionaea
sudo make
sudo make install
sudo ldconfig
Fingerprinting with p0f
To learn more about attackers, including their operating systems and versions, install the passive fingerprinting tool "p0f":
sudo apt-get install p0f -y
cd /
sudo mkdir nonexistent
sudo chown -R nobody:nogroup nonexistent
sudo mkdir /var/p0f
p0f's -u option drops privileges to the given user and chroots into that user's home directory. On Ubuntu the home of nobody is /nonexistent, which does not exist by default, hence the directory created above. Dionaea has p0f integrated into its stream analysis, but p0f must be started separately, before dionaea, so that the query socket exists when dionaea connects to it:
sudo p0f -i venet0:0 -u nobody -Q /tmp/p0f.sock -q -l -d -o /var/p0f/p0f.log
- Replace the network interface (venet0:0 in the example above, an OpenVZ virtual interface) with your own, e.g. eth0 or p32p1.
- You can list your interfaces with ifconfig.
The socket must be writable by nobody so that dionaea, which runs as that user, can connect to it:
sudo chown nobody:nogroup /tmp/p0f.sock
Verify that the p0f process is running before pointing dionaea at the socket /tmp/p0f.sock later on:
sudo ps -ef | grep p0f
nobody 460 1 0 May17 ? 00:00:01 /usr/sbin/p0f -u nobody -i venet0:0 -Q /tmp/p0f.sock -q -l -d -o /var/p0f/p0f.log
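The p0f steps above are order-sensitive: p0f is started with -d and returns immediately, so a chown of /tmp/p0f.sock issued right after it can run before the socket exists, and a stale socket from an earlier run can keep the new p0f from binding. The following launcher is an added example, not part of the wiki page or of p0f itself. It uses the same interface/socket/log paths as the page, assumes Linux (/sys/class/net for the interface check) and the p0f 2.x shipped by Ubuntu 14.04, and defaults IFACE to eth0 as an assumption.

```shell
#!/bin/sh
# Added example (not from the wiki page): start p0f for Dionaea in the right
# order: interface check, nobody's chroot home and log dir, start p0f, then
# chown the query socket only once p0f has actually created it.

IFACE="${IFACE:-eth0}"   # assumption: set to your interface (venet0:0, p32p1, ...)
SOCK=/tmp/p0f.sock       # socket path used on the page
LOG=/var/p0f/p0f.log     # log path used on the page
RUNAS=nobody
RUNGRP=nogroup

# Return 0 if a network interface of that name exists (assumption: Linux sysfs).
iface_exists() {
    [ -e "/sys/class/net/$1" ]
}

# Poll for path $1 to appear, up to $2 seconds (default 10).
# Returns 0 as soon as it exists, 1 on timeout.
wait_for_path() {
    path="$1"
    timeout="${2:-10}"
    i=0
    while [ "$i" -lt "$timeout" ]; do
        [ -e "$path" ] && return 0
        sleep 1
        i=$((i + 1))
    done
    [ -e "$path" ]
}

# Start p0f as on the page. Must run as root.
start_p0f() {
    iface_exists "$IFACE" || { echo "no such interface: $IFACE" >&2; return 1; }

    # p0f -u chroots into the user's home; nobody's home on Ubuntu is /nonexistent
    mkdir -p /nonexistent /var/p0f
    chown "$RUNAS:$RUNGRP" /nonexistent

    if [ -S "$SOCK" ] && pgrep -x p0f >/dev/null 2>&1; then
        echo "p0f already running with $SOCK" >&2
        return 0
    fi
    rm -f "$SOCK"   # a stale socket from an earlier run may keep p0f from binding

    p0f -i "$IFACE" -u "$RUNAS" -Q "$SOCK" -q -l -d -o "$LOG" || return 1

    # -d daemonizes immediately; chown would fail if the socket is not there yet
    wait_for_path "$SOCK" 10 || { echo "p0f did not create $SOCK" >&2; return 1; }
    chown "$RUNAS:$RUNGRP" "$SOCK"
    echo "p0f capturing on $IFACE, query socket $SOCK"
}

# Only start when explicitly asked, so the file can be sourced for its helpers.
if [ "${1:-}" = "--start" ]; then
    start_p0f
fi
```

Run it as root with --start (for example sudo IFACE=eth0 sh start-p0f.sh --start); the page's ps -ef | grep p0f check still applies afterwards.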
Clone Dionaea from github
cd ~/src
git clone git://git.carnivore.it/dionaea.git dionaea
Compiling dionaea
Regenerate and edit the configure script. The line number below is from the author's autoconf version; if your configure differs, search the file for LIB_SSL_LIBS instead of relying on it.
cd ~/src/dionaea
sudo autoreconf -vi
nano +13785 configure
Change from this line:
LIB_SSL_LIBS="-L$ssl_lib -lssl"
To this:
LIB_SSL_LIBS="-L$ssl_lib -lssl -lcrypto"
Proceed with the build. Note that libemu, libudns and libnl were installed from apt above, not under /opt/dionaea, so on such a system the --with-emu-*, --with-udns-* and --with-nl-* paths below will not match; point them at the apt locations instead (headers under /usr/include, libraries under /usr/lib/x86_64-linux-gnu on 64-bit Ubuntu) or build those libraries from source with --prefix=/opt/dionaea. If configure reports that it cannot find one of them, this is the first thing to check.
sudo ./configure --with-lcfg-include=/opt/dionaea/include/ \
--with-lcfg-lib=/opt/dionaea/lib/ \
--with-python=/opt/dionaea/bin/python3.2 \
--with-cython-dir=/opt/dionaea/bin \
--with-udns-include=/opt/dionaea/include/ \
--with-udns-lib=/opt/dionaea/lib/ \
--with-emu-include=/opt/dionaea/include/ \
--with-emu-lib=/opt/dionaea/lib/ \
--with-gc-include=/usr/include/gc \
--with-ev-include=/opt/dionaea/include \
--with-ev-lib=/opt/dionaea/lib \
--with-nl-include=/opt/dionaea/include \
--with-nl-lib=/opt/dionaea/lib/ \
--with-curl-config=/usr/bin/ \
--with-pcap-include=/opt/dionaea/include \
--with-pcap-lib=/opt/dionaea/lib/ \
--with-ssl-lib=/usr/lib/x86_64-linux-gnu/ \
--disable-werror
sudo make
sudo make install
sudo ldconfig
Set file permissions
Dionaea drops privileges to nobody:nogroup (see the -u/-g options under Start Dionaea), so the directories it writes logs and captured samples to must be owned by that user:
sudo chown -R nobody:nogroup /opt/dionaea/var/dionaea
sudo chown -R nobody:nogroup /opt/dionaea/var/log
Update Dionaea
To update, pull the latest source and rebuild in the source tree:
cd ~/src/dionaea
git pull
sudo make clean install
Always make sure your config file is still up to date afterwards; compare it with the shipped default:
cd /opt/dionaea/etc/dionaea
diff dionaea.conf dionaea.conf.dist
Start Dionaea
sudo /opt/dionaea/bin/dionaea -u nobody -g nogroup -c /opt/dionaea/etc/dionaea/dionaea.conf -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid -D
-u and -g give the user and group dionaea switches to once it is running (it needs root only at start-up, to bind the low ports), -c the config file, -w the working directory, -p the pid file, and -D makes it daemonize.
You can check whether dionaea is properly up and running:
- Check the process:
sudo ps -ef | grep dionaea
nobody 2356 1 0 May21 ? 00:00:16 /opt/dionaea/bin/dionaea -u nobody -g nogroup -c /opt/dionaea/etc/dionaea/dionaea.conf -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid -D
root 2357 2356 0 May21 ? 00:00:00 /opt/dionaea/bin/dionaea -u nobody -g nogroup -c /opt/dionaea/etc/dionaea/dionaea.conf -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid -D
- Check the listening sockets:
sudo netstat -tnlp | grep dionaea
tcp 0 0 :::5060 :::* LISTEN 11445/dionaea
tcp 0 0 :::5061 :::* LISTEN 11445/dionaea
tcp 0 0 :::135 :::* LISTEN 11445/dionaea
tcp 0 0 :::3306 :::* LISTEN 11445/dionaea
tcp 0 0 :::42 :::* LISTEN 11445/dionaea
tcp 0 0 :::21 :::* LISTEN 11445/dionaea
tcp 0 0 :::1433 :::* LISTEN 11445/dionaea
tcp 0 0 :::443 :::* LISTEN 11445/dionaea
tcp 0 0 :::445 :::* LISTEN 11445/dionaea
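Eyeballing ps and netstat output works once, but the checks are worth scripting so they can be rerun after every update. The script below is an added example, not part of the wiki page or of Dionaea: it parses netstat -tnlp and ps -eo user,pid,args output for the ports the page's netstat listing shows, confirms that the process owning those sockets runs as nobody, and reports shared libraries the binary cannot resolve (a typical symptom when /opt/dionaea/lib is missing from the loader path). The sample netstat/ps/ldd text embedded in it is constructed for the offline checks; the install prefix and service user follow the page, and netstat -p only names other users' processes when run as root.

```shell
#!/bin/sh
# Added example (not from the wiki page): post-start checks for a Dionaea
# honeypot. Parsing functions read command output on stdin so they can be
# tested on the constructed samples below; live_check runs them for real.

DIONAEA_BIN=/opt/dionaea/bin/dionaea
RUNAS=nobody
# Ports the page's netstat output shows after a successful start.
EXPECTED_PORTS="21 42 135 443 445 1433 3306 5060 5061"

# TCP ports on which a process named dionaea listens, one per line, sorted.
# Input: `netstat -tnlp` output.
dionaea_ports() {
    awk '($1 == "tcp" || $1 == "tcp6") && $NF ~ /\/dionaea$/ {
             n = split($4, a, ":"); print a[n]
         }' | sort -n | uniq
}

# Expected ports that are not listening; empty output means all present.
missing_ports() {
    listening=$(dionaea_ports)
    for p in $EXPECTED_PORTS; do
        printf '%s\n' "$listening" | grep -qx "$p" || echo "$p"
    done
}

# PIDs that own dionaea listening sockets. Input: `netstat -tnlp` output.
dionaea_listener_pids() {
    awk '($1 == "tcp" || $1 == "tcp6") && $NF ~ /\/dionaea$/ {
             split($NF, p, "/"); print p[1]
         }' | sort -n | uniq
}

# Print "pid user" for every PID in $2 (space separated) whose owner in the
# `ps -eo user,pid,args` text $1 is not $3. Empty output means all good.
listeners_not_as() {
    ps_out="$1"; pids="$2"; want="$3"
    printf '%s\n' "$ps_out" | awk -v pids="$pids" -v want="$want" '
        BEGIN { n = split(pids, a, " "); for (i = 1; i <= n; i++) chk[a[i]] = 1 }
        ($2 in chk) && $1 != want { print $2, $1 }'
}

# Shared libraries the binary cannot resolve. Input: `ldd` output.
unresolved_libs() {
    awk '/not found/ { print $1 }'
}

# Constructed samples (not captured from a real host), used by the checks.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp6       0      0 :::5060                 :::*                    LISTEN      2356/dionaea
tcp6       0      0 :::445                  :::*                    LISTEN      2356/dionaea
tcp6       0      0 :::21                   :::*                    LISTEN      2356/dionaea'
SAMPLE_PS='USER       PID COMMAND
nobody    2356 /opt/dionaea/bin/dionaea -u nobody -g nogroup -D
root      2357 /opt/dionaea/bin/dionaea -u nobody -g nogroup -D
root       812 /usr/sbin/sshd -D'
SAMPLE_LDD='linux-vdso.so.1 =>  (0x00007ffd3a1fe000)
libev.so.4 => not found
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2c4a3b0000)'

# Run all checks against the live system; returns non-zero if anything is off.
live_check() {
    rc=0
    m=$(netstat -tnlp 2>/dev/null | missing_ports)
    [ -z "$m" ] || { echo "not listening: $(echo $m)"; rc=1; }
    pids=$(netstat -tnlp 2>/dev/null | dionaea_listener_pids | tr '\n' ' ')
    p=$(listeners_not_as "$(ps -eo user,pid,args)" "$pids" "$RUNAS")
    [ -z "$p" ] || { echo "listener not running as $RUNAS: $(echo $p)"; rc=1; }
    u=$(ldd "$DIONAEA_BIN" 2>/dev/null | unresolved_libs)
    [ -z "$u" ] || { echo "unresolved libraries: $(echo $u)"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as root with --live after starting dionaea; a non-zero exit with a "not listening" line usually means a port is already taken by another service, and an unresolved library means ldconfig was skipped or /opt/dionaea/lib is not in the loader path.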
If you are curious in the meantime, it is worth looking into the following directories and files. The dionaea log files are in:
/opt/dionaea/var/log
which contains:
dionaea-errors.log
dionaea.log
Captured files and logs are in:
/opt/dionaea/var/dionaea
which contains:
binaries (captured malware samples)
bistreams (recorded bidirectional streams of connections)
logsql.sqlite (the SQLite connection/attack log)
sipaccounts.sqlite
vtcache.sqlite
wwwroot