Difference between revisions of "Installing Dionaea honeypot on Ubuntu Server 12.04"
From Zam Wiki
Latest revision as of 22:33, 9 September 2014
Introduction
Dionaea's initial development was funded by the Honeynet Project as part of the Honeynet Summer of Code during 2009. The development process is as open as possible: you can browse the source online, subscribe to RSS updates, and submit bugs or patches. You can also browse the code on GitHub and submit code for enhancements or anything else.
Requirements
- libev >=4.04, schmorp.de
- libglib >=2.20
- libssl, openssl.org
- liblcfg, liblcfg.carnivore.it
- libemu, libemu.carnivore.it
- python >=3.2, python.org
- sqlite >=3.3.6, sqlite.org
- readline >=3 cnswww.cns.cwru.edu
- cython >0.14.1, cython.org
- libudns, corpit.ru
- libcurl >=7.18, curl.haxx.se
- libpcap >=1.1.1, tcpdump.org
- libnl from git, infradead.org (optional)
- libgc >=6.8, hp.com (optional)
Install required packages from repo
apt-get install libudns-dev libglib2.0-dev libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev python-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libgc-dev libgc1c2 sqlite3 python-geoip sqlite python-pip
P.S.: Some packages are provided by the apt tree, so you don't have to install everything from source.
Create /opt/dionaea/ directory
mkdir /opt/dionaea/
Create temp folder for installation
mkdir ~/src
Install required packages
Liblcfg
cd ~/src
git clone git://git.carnivore.it/liblcfg.git liblcfg
cd liblcfg/code
autoreconf -vi
./configure --prefix=/opt/dionaea
make install
ldconfig
Libemu
cd ~/src
git clone git://git.carnivore.it/libemu.git libemu
cd libemu
autoreconf -vi
./configure --prefix=/opt/dionaea
make install
ldconfig
Libnl
In case you use Ubuntu, libnl3 may be available in apt:
apt-get install libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev
or else install it from git:
cd ~/src
git clone git://git.infradead.org/users/tgr/libnl.git
cd libnl
autoreconf -vi
export LDFLAGS=-Wl,-rpath,/opt/dionaea/lib
./configure --prefix=/opt/dionaea
make
make install
ldconfig
Libev
cd ~/src
wget http://dist.schmorp.de/libev/libev-4.18.tar.gz
tar xfz libev-4.18.tar.gz
cd libev-4.18
./configure --prefix=/opt/dionaea
make install
ldconfig
Python 3.2
Before installing Python, we will install required dependencies:
- readline
Should be available for every distribution.
- sqlite > 3.3
Should be available for every distribution. If your distribution's sqlite version is < 3.3 and does not support triggers, you are doomed; please let me know, and I'll write about how broken Python's build scripts are and document how to compile it with a user-provided, more recent sqlite version.
- Python
cd ~/src
wget http://www.python.org/ftp/python/3.2.2/Python-3.2.2.tgz
tar xfz Python-3.2.2.tgz
cd Python-3.2.2/
./configure --enable-shared --prefix=/opt/dionaea --with-computed-gotos --enable-ipv6 LDFLAGS="-Wl,-rpath=/opt/dionaea/lib/ -L/usr/lib/x86_64-linux-gnu/"
make
make install
ldconfig
Cython
We have to use Cython >= 0.15, as previous releases do not support Python 3.2's Py_Hash_type for __hash__ on x86.
cd ~/src
wget http://cython.org/release/Cython-0.21rc1.tar.gz
tar xfz Cython-0.21rc1.tar.gz
cd Cython-0.21rc1
/opt/dionaea/bin/python3 setup.py install
ldconfig
Libcurl
Grabbing curl from your distribution's maintainer should work if you run a decent distribution. If not, consider upgrading your operating system.
Libpcap
To honor the effort, we rely on libpcap 1.1.1. Most distros ship older versions, therefore it is likely you have to install it from source.
cd ~/src
wget http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz
tar xfz libpcap-1.6.2.tar.gz
cd libpcap-1.6.2
./configure --prefix=/opt/dionaea
make
make install
ldconfig
Fingerprinting with p0f
For more information about attackers and their operating systems and versions, you should install the fingerprinting tool "p0f":
apt-get install p0f -y
cd /
mkdir nonexistent
chown -R nobody:nogroup nonexistent
mkdir /var/p0f
Dionaea has p0f integrated into its stream analysis. However, p0f must be launched separately beforehand and its socket made accessible to the dionaea user:
p0f -i venet0:0 -u nobody -Q /tmp/p0f.sock -q -l -d -o /var/p0f/p0f.log
chown nobody:nogroup /tmp/p0f.sock
Test whether the p0f process is running before configuring the associated socket /tmp/p0f.sock in Dionaea later:
ps -ef | grep p0f
nobody 460 1 0 May17 ? 00:00:01 /usr/sbin/p0f -u nobody -i venet0:0 -Q /tmp/p0f.sock -q -l -d -o /var/p0f/p0f.log
Clone Dionaea from github
cd ~/src
git clone git://git.carnivore.it/dionaea.git dionaea
Compiling dionaea
cd ~/src/dionaea
autoreconf -vi
./configure --with-lcfg-include=/opt/dionaea/include/ \
  --with-lcfg-lib=/opt/dionaea/lib/ \
  --with-python=/opt/dionaea/bin/python3.2 \
  --with-cython-dir=/opt/dionaea/bin \
  --with-udns-include=/opt/dionaea/include/ \
  --with-udns-lib=/opt/dionaea/lib/ \
  --with-emu-include=/opt/dionaea/include/ \
  --with-emu-lib=/opt/dionaea/lib/ \
  --with-gc-include=/usr/include/gc \
  --with-ev-include=/opt/dionaea/include \
  --with-ev-lib=/opt/dionaea/lib \
  --with-nl-include=/opt/dionaea/include \
  --with-nl-lib=/opt/dionaea/lib/ \
  --with-curl-config=/usr/bin/ \
  --with-pcap-include=/opt/dionaea/include \
  --with-pcap-lib=/opt/dionaea/lib/
make
make install
ldconfig
Set file permission
sudo chown -R nobody:nogroup /opt/dionaea/var/dionaea
sudo chown -R nobody:nogroup /opt/dionaea/var/log
Update Dionaea
git pull; make clean install
But you always want to make sure your config file is up to date; to compare it against the shipped default, use
cd /opt/dionaea/etc/dionaea
diff dionaea.conf dionaea.conf.dist
Start Dionaea
/opt/dionaea/bin/dionaea -u nobody -g nogroup -c /opt/dionaea/etc/dionaea/dionaea.conf -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid -D
You can check whether dionaea is properly up and running:
- Check the process:
ps -ef | grep dionaea
nobody 2356 1 0 May21 ? 00:00:16 /opt/dionaea/bin/dionaea -u nobody -g nogroup -c /opt/dionaea/etc/dionaea/dionaea.conf -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid -D
root 2357 2356 0 May21 ? 00:00:00 /opt/dionaea/bin/dionaea -u nobody -g nogroup -c /opt/dionaea/etc/dionaea/dionaea.conf -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid -D
- Check the network status:
netstat -tnlp | grep dionaea
tcp 0 0 :::5060 :::* LISTEN 11445/dionaea
tcp 0 0 ::::5061 :::* LISTEN 11445/dionaea
tcp 0 0 ::::135 :::* LISTEN 11445/dionaea
tcp 0 0 ::::3306 :::* LISTEN 11445/dionaea
tcp 0 0 ::::42 :::* LISTEN 11445/dionaea
tcp 0 0 ::::21 :::* LISTEN 11445/dionaea
tcp 0 0 ::::1433 :::* LISTEN 11445/dionaea
tcp 0 0 ::::443 :::* LISTEN 11445/dionaea
tcp 0 0 ::::445 :::* LISTEN 11445/dionaea
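As an added example (not from the wiki page), a small POSIX shell health check that turns the two manual checks above into a script: it parses netstat -tnlp output for the dionaea listeners shown on this page, reports any that are missing, and in live mode also confirms that the /tmp/p0f.sock socket exists and is owned by nobody. The file name healthcheck.sh, the sample netstat text and its sshd line are constructed.

```shell
#!/bin/sh
# Added health check for a freshly started dionaea (not part of the wiki page).
# EXPECTED_PORTS are the listeners shown in the netstat output above.
EXPECTED_PORTS="21 42 135 443 445 1433 3306 5060 5061"

# Read `netstat -tnlp` text on stdin and print the TCP ports dionaea listens on.
# The port is the last ':'-separated field, so ':::5060' and '::::5061' both work.
dionaea_ports() {
    awk '$6 == "LISTEN" && $NF ~ /dionaea/ { n = split($4, a, ":"); print a[n] }' | sort -n | uniq
}

# Print every expected port absent from the netstat text given as $1.
missing_ports() {
    found=$(printf '%s\n' "$1" | dionaea_ports)
    for p in $EXPECTED_PORTS; do
        printf '%s\n' "$found" | grep -qx "$p" || echo "$p"
    done
}

# Return 0 when all expected listeners are up, 1 otherwise (missing ports go to stderr).
check_listeners() {
    miss=$(missing_ports "$1")
    [ -z "$miss" ] && return 0
    echo "dionaea is not listening on:" $miss >&2
    return 1
}

# Live check on the honeypot host: run `sh healthcheck.sh live` after starting dionaea.
# Also verifies the p0f socket from the page is owned by nobody, the user dionaea runs as.
live_check() {
    check_listeners "$(netstat -tnlp 2>/dev/null)" || return 1
    [ -S /tmp/p0f.sock ] || { echo "/tmp/p0f.sock missing: start p0f first" >&2; return 1; }
    [ "$(stat -c %U /tmp/p0f.sock)" = nobody ] || { echo "/tmp/p0f.sock is not owned by nobody" >&2; return 1; }
    echo "dionaea listeners and p0f socket look healthy"
}

# Constructed sample netstat output (with an unrelated sshd line) for an offline dry run.
SAMPLE_OK='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 900/sshd
tcp 0 0 :::5060 :::* LISTEN 11445/dionaea
tcp 0 0 ::::5061 :::* LISTEN 11445/dionaea
tcp 0 0 :::135 :::* LISTEN 11445/dionaea
tcp 0 0 :::3306 :::* LISTEN 11445/dionaea
tcp 0 0 :::42 :::* LISTEN 11445/dionaea
tcp 0 0 :::21 :::* LISTEN 11445/dionaea
tcp 0 0 :::1433 :::* LISTEN 11445/dionaea
tcp 0 0 :::443 :::* LISTEN 11445/dionaea
tcp 0 0 :::445 :::* LISTEN 11445/dionaea'
# Same sample with the FTP (21) and WINS (42) listeners removed, to show a failing check.
SAMPLE_PARTIAL=$(printf '%s\n' "$SAMPLE_OK" | grep -v -e ':21 ' -e ':42 ')
if [ "${1:-}" = live ]; then live_check; fi
```

Without the live argument the script only defines the functions and samples, so it can be sourced from a cron or monitoring wrapper that calls check_listeners itself.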
If you are curious in the meantime, it is worth looking into the following directories and files.
The dionaea log files are located in:
/opt/dionaea/var/log
And the content is:
dionaea-errors.log dionaea.log
The files and logs dionaea captures are located in:
/opt/dionaea/var/dionaea
And the content:
binaries bistreams logsql.sqlite sipaccounts.sqlite vtcache.sqlite wwwroot