Installing Dionaea honeypot on Ubuntu Server 14.04

From Zam Wiki

Revision as of 18:14, 13 November 2014 by Zam (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Introduction

Dionaea initial development was funded by the Honeynet Project as part of the Honeynets Summer of Code during 2009. The development process is as open as possible; you can browse the source online and subscribe to RSS updates and submit bugs or patches. You also can browse through Github to see the code and submit code for enhancement or what so ever.

Requirements

  • libev >=4.04, schmorp.de
  • libglib >=2.20
  • libssl, openssl.org
  • liblcfg, liblcfg.carnivore.it
  • libemu, libemu.carnivore.it
  • python >=3.2, python.org
    • sqlite >=3.3.6 sqlite.org
    • readline >=3 cnswww.cns.cwru.edu
  • cython >0.14.1, cython.org
  • libudns, corpit.ru
  • libcurl >=7.18, curl.haxx.se
  • libpcap >=1.1.1, tcpdump.org
  • libnl from git, infradead.org (optional)
  • libgc >=6.8, hp.com (optional)

Install required packages from repo

sudo apt-get install libudns-dev libglib2.0-dev libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev python-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libgc-dev libgc1c2 sqlite3 python-geoip sqlite python-pip

p/s : Some packages are provided by the apt-tree, so you don't have to install everything from source

Create /opt/dionaea/ directory

sudo mkdir /opt/dionaea/

Create temp folder for installation

mkdir ~/src

Install required packages

Liblcfg

cd ~/src
git clone git://git.carnivore.it/liblcfg.git liblcfg
cd liblcfg/code
sudo autoreconf -vi
sudo ./configure --prefix=/opt/dionaea
sudo make install
sudo ldconfig

Libemu

sudo apt-get install libemu-dev

Libnl

In case you use Ubuntu, libnl3 may be available in apt:

sudo apt-get install libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev

Libev

cd ~/src
wget http://dist.schmorp.de/libev/libev-4.19.tar.gz
tar xfz libev-4.19.tar.gz
cd libev-4.19
sudo ./configure --prefix=/opt/dionaea
sudo make install
sudo ldconfig

Python 3.2

Before installing Python, we will install required dependencies:

  • readline

Should be available for every distribution.

  • sqlite > 3.3

Should be available for every distribution. If your distributions sqlite version is < 3.3 and does not support triggers, you are doomed, please let me know, I'll write about how broken pythons build scripts are, and document how to to compile it with a user- provided - more recent - sqlite version.

  • Python
cd ~/src
wget http://www.python.org/ftp/python/3.2.2/Python-3.2.2.tgz
tar xfz Python-3.2.2.tgz
cd Python-3.2.2/
sudo ./configure --enable-shared --prefix=/opt/dionaea --with-computed-gotos --enable-ipv6 LDFLAGS="-Wl,-rpath=/opt/dionaea/lib/ -L/usr/lib/x86_64-linux-gnu/"
sudo make
sudo make install
sudo ldconfig

Cython

We have to use cython >= 0.15 as previous releases do not support Python3.2 __hash__'s Py_Hash_type for x86.

cd ~/src
wget http://cython.org/release/Cython-0.21rc1.tar.gz
tar xfz Cython-0.21rc1.tar.gz
cd Cython-0.21rc1
sudo /opt/dionaea/bin/python3 setup.py install
sudo ldconfig

Be patient as this may takes some times to finish. :)

Libcurl

Grabbing curl from your distributions maintainer should work, if you run a decent distribution. If not consider upgrading your operating system.

Libpcap

To honor the effort, we rely on libpcap 1.1.1. Most distros ship older versions, therefore it is likely you have to install it from source.

cd ~/src
wget http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz
tar xfz libpcap-1.6.2.tar.gz
cd libpcap-1.6.2
sudo ./configure --prefix=/opt/dionaea
sudo make
sudo make install
sudo ldconfig

Fingerprinting with p0f

For more information about attackers and their operating systems and versions, you should install the fingerprinting library "p0f":

sudo apt-get install p0f -y
cd /
sudo mkdir nonexistent
sudo chown -R nobody:nogroup nonexistent
sudo mkdir /var/p0f

Dionaea has P0f integrated into the stream analysis. However P0f must be pre-authorized and launched separately:

sudo p0f -i venet0:0 -u nobody -Q /tmp/p0f.sock -q -l -d -o /var/p0f/p0f.log
  • Please change your network interface (venet0:0 in example above) to your proper network interface e.g. eth0, p32p1.
  • You can check this by issuing command ifconfig to see your interfaces in your terminal.
sudo chown nobody:nogroup /tmp/p0f.sock

Test whether the p0f process running before configuring the associated socket / tmp/p0f.sock later Dionaea:

sudo ps -ef | grep p0f

nobody     460     1  0 May17 ?        00:00:01 /usr/sbin/p0f -u nobody -i venet0:0 -Q /tmp/p0f.sock -q -l -d -o /var/p0f/p0f.log

Clone Dionaea from github

cd ~/src
git clone git://git.carnivore.it/dionaea.git dionaea

Compiling dionaea

Edit file configure

cd ~/src/dionaea
sudo autoreconf -vi
nano +13785 configure

Change from this line:

LIB_SSL_LIBS="-L$ssl_lib -lssl"

To this:

LIB_SSL_LIBS="-L$ssl_lib -lssl -lcrypto"

Proceed for installation

sudo ./configure --with-lcfg-include=/opt/dionaea/include/ \
     --with-lcfg-lib=/opt/dionaea/lib/ \
     --with-python=/opt/dionaea/bin/python3.2 \
     --with-cython-dir=/opt/dionaea/bin \
     --with-udns-include=/opt/dionaea/include/ \
     --with-udns-lib=/opt/dionaea/lib/ \
     --with-emu-include=/opt/dionaea/include/ \
     --with-emu-lib=/opt/dionaea/lib/ \
     --with-gc-include=/usr/include/gc \
     --with-ev-include=/opt/dionaea/include \
     --with-ev-lib=/opt/dionaea/lib \
     --with-nl-include=/opt/dionaea/include \
     --with-nl-lib=/opt/dionaea/lib/ \
     --with-curl-config=/usr/bin/ \
     --with-pcap-include=/opt/dionaea/include \
     --with-pcap-lib=/opt/dionaea/lib/ \
     --with-ssl-lib=/usr/lib/x86_64-linux-gnu/ \
     --disable-werror
sudo make
sudo make install
sudo ldconfig

Set file permission

sudo chown -R nobody:nogroup /opt/dionaea/var/dionaea
sudo chown -R nobody:nogroup /opt/dionaea/var/log

Update Dionaea

git pull;
make clean install

But, you always want to make sure your config file is up to date, you can use

cd /opt/dionaea/etc/dionaea
diff dionaea.conf dionaea.conf.dist

Start Dionaea

sudo /opt/dionaea/bin/dionaea -u nobody -g nogroup -c /opt/dionaea/etc/dionaea/dionaea.conf -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid -D

You can check if the dionaea is properly up & run:

  • Check the process:
sudo ps -ef | grep dionaea

nobody    2356     1  0 May21 ?        00:00:16 /opt/dionaea/bin/dionaea -u nobody -g nogroup -c /opt/dionaea/etc/dionaea/dionaea.conf -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid -D
root      2357  2356  0 May21 ?        00:00:00 /opt/dionaea/bin/dionaea -u nobody -g nogroup -c /opt/dionaea/etc/dionaea/dionaea.conf -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid -D
  • Check the network status:
sudo netstat -tnlp | grep dionaea

tcp        0      0 :::5060                 :::*               LISTEN      11445/dionaea
tcp        0      0 ::::5061                :::*               LISTEN      11445/dionaea
tcp        0      0 ::::135                 :::*               LISTEN      11445/dionaea
tcp        0      0 ::::3306                :::*               LISTEN      11445/dionaea
tcp        0      0 ::::42                  :::*               LISTEN      11445/dionaea
tcp        0      0 ::::21                  :::*               LISTEN      11445/dionaea
tcp        0      0 ::::1433                :::*               LISTEN      11445/dionaea
tcp        0      0 ::::443                 :::*               LISTEN      11445/dionaea
tcp        0      0 ::::445                 :::*               LISTEN      11445/dionaea

If you are curious in the meantime, it is worth looking into the following directories and files: The dionaea log file is located at here:

/opt/dionaea/var/log

And the content is:

dionaea-errors.log
dionaea.log

The dionaea captured file & log is located at here:

/opt/dionaea/var/dionaea

An the content:

binaries
bistreams
logsql.sqlite
sipaccounts.sqlite
vtcache.sqlite
wwwroot

blog comments powered by Disqus