Difference between revisions of "Installing Dionaea honeypot on Ubuntu Server 12.04"

From Zam Wiki


Latest revision as of 22:33, 9 September 2014

Introduction

Dionaea's initial development was funded by the Honeynet Project as part of the Honeynets Summer of Code in 2009. The development process is as open as possible: you can browse the source online, subscribe to RSS updates, and submit bugs or patches. You can also browse the code on GitHub and submit code for enhancements or anything else.

Requirements

  • libev >=4.04, schmorp.de
  • libglib >=2.20
  • libssl, openssl.org
  • liblcfg, liblcfg.carnivore.it
  • libemu, libemu.carnivore.it
  • python >=3.2, python.org
    • sqlite >=3.3.6 sqlite.org
    • readline >=3 cnswww.cns.cwru.edu
  • cython >0.14.1, cython.org
  • libudns, corpit.ru
  • libcurl >=7.18, curl.haxx.se
  • libpcap >=1.1.1, tcpdump.org
  • libnl from git, infradead.org (optional)
  • libgc >=6.8, hp.com (optional)

Install required packages from repo

apt-get install libudns-dev libglib2.0-dev libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev python-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libgc-dev libgc1c2 sqlite3 python-geoip sqlite python-pip

P.S.: Some packages are provided by the apt tree, so you don't have to install everything from source.

Create /opt/dionaea/ directory

mkdir /opt/dionaea/

Create temp folder for installation

mkdir ~/src

Install required packages

Liblcfg

cd ~/src
git clone git://git.carnivore.it/liblcfg.git liblcfg
cd liblcfg/code
autoreconf -vi
./configure --prefix=/opt/dionaea
make install
ldconfig

Libemu

cd ~/src
git clone git://git.carnivore.it/libemu.git libemu
cd libemu
autoreconf -vi
./configure --prefix=/opt/dionaea
make install
ldconfig

Libnl

In case you use Ubuntu, libnl3 may be available in apt:

apt-get install libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev

Otherwise, install it from git:

cd ~/src
git clone git://git.infradead.org/users/tgr/libnl.git
cd libnl
autoreconf -vi
export LDFLAGS=-Wl,-rpath,/opt/dionaea/lib
./configure --prefix=/opt/dionaea
make
make install
ldconfig

Libev

cd ~/src
wget http://dist.schmorp.de/libev/libev-4.18.tar.gz
tar xfz libev-4.18.tar.gz
cd libev-4.18
./configure --prefix=/opt/dionaea
make install
ldconfig

Python 3.2

Before installing Python, we will install required dependencies:

  • readline

Should be available for every distribution.

  • sqlite > 3.3

Should be available for every distribution. If your distribution's sqlite version is < 3.3 and does not support triggers, you are doomed; please let me know, I'll write about how broken Python's build scripts are, and document how to compile it with a user-provided, more recent, sqlite version.

  • Python

cd ~/src
wget http://www.python.org/ftp/python/3.2.2/Python-3.2.2.tgz
tar xfz Python-3.2.2.tgz
cd Python-3.2.2/
./configure --enable-shared --prefix=/opt/dionaea --with-computed-gotos --enable-ipv6 LDFLAGS="-Wl,-rpath=/opt/dionaea/lib/ -L/usr/lib/x86_64-linux-gnu/"
make
make install
ldconfig

Cython

We have to use cython >= 0.15 as previous releases do not support Python3.2 __hash__'s Py_Hash_type for x86.

cd ~/src
wget http://cython.org/release/Cython-0.21rc1.tar.gz
tar xfz Cython-0.21rc1.tar.gz
cd Cython-0.21rc1
/opt/dionaea/bin/python3 setup.py install
ldconfig

Libcurl

Grabbing curl from your distribution's maintainer should work if you run a decent distribution. If not, consider upgrading your operating system.

Libpcap

To honor the effort, we rely on libpcap 1.1.1. Most distros ship older versions, so it is likely you will have to install it from source.

cd ~/src
wget http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz
tar xfz libpcap-1.6.2.tar.gz
cd libpcap-1.6.2
./configure --prefix=/opt/dionaea
make
make install
ldconfig

Fingerprinting with p0f

For more information about attackers and their operating systems and versions, you should install the fingerprinting library "p0f":

apt-get install p0f -y
cd /
mkdir nonexistent
chown -R nobody:nogroup nonexistent
mkdir /var/p0f

Dionaea has p0f integrated into its stream analysis. However, p0f must be launched separately beforehand, and its socket must be made accessible to the nobody user:

p0f -i venet0:0 -u nobody -Q /tmp/p0f.sock -q -l -d -o /var/p0f/p0f.log
chown nobody:nogroup /tmp/p0f.sock

Check that the p0f process is running before configuring the associated socket /tmp/p0f.sock in Dionaea later:

ps -ef | grep p0f

nobody     460     1  0 May17 ?        00:00:01 /usr/sbin/p0f -u nobody -i venet0:0 -Q /tmp/p0f.sock -q -l -d -o /var/p0f/p0f.log

Clone Dionaea from github

cd ~/src
git clone git://git.carnivore.it/dionaea.git dionaea

Compiling dionaea

cd ~/src/dionaea
autoreconf -vi
./configure --with-lcfg-include=/opt/dionaea/include/ \
     --with-lcfg-lib=/opt/dionaea/lib/ \
     --with-python=/opt/dionaea/bin/python3.2 \
     --with-cython-dir=/opt/dionaea/bin \
     --with-udns-include=/opt/dionaea/include/ \
     --with-udns-lib=/opt/dionaea/lib/ \
     --with-emu-include=/opt/dionaea/include/ \
     --with-emu-lib=/opt/dionaea/lib/ \
     --with-gc-include=/usr/include/gc \
     --with-ev-include=/opt/dionaea/include \
     --with-ev-lib=/opt/dionaea/lib \
     --with-nl-include=/opt/dionaea/include \
     --with-nl-lib=/opt/dionaea/lib/ \
     --with-curl-config=/usr/bin/ \
     --with-pcap-include=/opt/dionaea/include \
     --with-pcap-lib=/opt/dionaea/lib/ 
make
make install
ldconfig

Set file permission

sudo chown -R nobody:nogroup /opt/dionaea/var/dionaea
sudo chown -R nobody:nogroup /opt/dionaea/var/log

Update Dionaea

git pull
make clean install

But you always want to make sure your config file is up to date; you can compare it against the shipped default with:

cd /opt/dionaea/etc/dionaea
diff dionaea.conf dionaea.conf.dist

Start Dionaea

/opt/dionaea/bin/dionaea -u nobody -g nogroup -c /opt/dionaea/etc/dionaea/dionaea.conf -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid -D

You can check whether dionaea is properly up and running:

  • Check the process:

ps -ef | grep dionaea

nobody    2356     1  0 May21 ?        00:00:16 /opt/dionaea/bin/dionaea -u nobody -g nogroup -c /opt/dionaea/etc/dionaea/dionaea.conf -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid -D
root      2357  2356  0 May21 ?        00:00:00 /opt/dionaea/bin/dionaea -u nobody -g nogroup -c /opt/dionaea/etc/dionaea/dionaea.conf -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid -D

  • Check the network status:

netstat -tnlp | grep dionaea

tcp        0      0 :::5060                 :::*               LISTEN      11445/dionaea
tcp        0      0 :::5061                 :::*               LISTEN      11445/dionaea
tcp        0      0 :::135                  :::*               LISTEN      11445/dionaea
tcp        0      0 :::3306                 :::*               LISTEN      11445/dionaea
tcp        0      0 :::42                   :::*               LISTEN      11445/dionaea
tcp        0      0 :::21                   :::*               LISTEN      11445/dionaea
tcp        0      0 :::1433                 :::*               LISTEN      11445/dionaea
tcp        0      0 :::443                  :::*               LISTEN      11445/dionaea
tcp        0      0 :::445                  :::*               LISTEN      11445/dionaea
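As an added check that is not part of the original page, the following POSIX shell script parses netstat -tnlp output in the format shown above and reports every expected honeypot port that is not bound by a dionaea process (a port held by some other daemon counts as missing too, which catches a port conflict). The port list comes from the page's listing, the sample output is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify that dionaea is listening
# on every port you expect, using the same "netstat -tnlp" output format the
# page shows. Ports below are the ones in the page's sample output; adjust
# them to whatever services are enabled in your dionaea.conf.
EXPECTED_PORTS="21 42 135 443 445 1433 3306 5060 5061"

# Read netstat -tnlp output on stdin and print "port program" for each
# LISTEN socket. Handles both ":::445" (IPv6 any) and "0.0.0.0:445".
listening_ports() {
    awk '$6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n];
        split($7, p, "/"); print port, p[2]
    }'
}

# Print each expected port that no dionaea process is listening on.
# Usage: missing_ports "<netstat output>" port [port...]
missing_ports() {
    out=$1; shift
    for port in "$@"; do
        if ! printf '%s\n' "$out" | listening_ports | grep -q "^$port dionaea$"; then
            echo "$port"
        fi
    done
}

# Constructed sample in the format of the page's netstat output. Port 1433
# is deliberately absent and port 22 belongs to sshd, so the check has
# something to report.
SAMPLE='tcp        0      0 :::5060                 :::*               LISTEN      11445/dionaea
tcp        0      0 :::21                   :::*               LISTEN      11445/dionaea
tcp        0      0 0.0.0.0:22              0.0.0.0:*          LISTEN      900/sshd
tcp        0      0 :::445                  :::*               LISTEN      11445/dionaea'

# Live check on the honeypot host (needs root for netstat's process column):
#   missing_ports "$(netstat -tnlp 2>/dev/null)" $EXPECTED_PORTS
```

Run the live check from cron or your monitoring agent; any output means a honeypot service is not reachable the way you think it is.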

If you are curious in the meantime, it is worth looking into the following directories and files. The dionaea log files are located here:

/opt/dionaea/var/log

And the content is:

dionaea-errors.log
dionaea.log

Dionaea's captured files and databases are located here:

/opt/dionaea/var/dionaea

And the content:

binaries
bistreams
logsql.sqlite
sipaccounts.sqlite
vtcache.sqlite
wwwroot
