
Installing Dionaea honeypot on Ubuntu Server 12.04

From Zam Wiki

Revision as of 22:33, 9 September 2014 by Zam (talk | contribs)


Dionaea's initial development was funded by the Honeynet Project as part of the Honeynets Summer of Code during 2009. The development process is as open as possible: you can browse the source online, subscribe to RSS updates, and submit bugs or patches. You can also browse the code on GitHub and submit enhancements there.


  • libev >=4.04,
  • libglib >=2.20
  • libssl,
  • liblcfg,
  • libemu,
  • python >=3.2,
    • sqlite >=3.3.6
    • readline >=3
  • cython >0.14.1,
  • libudns,
  • libcurl >=7.18,
  • libpcap >=1.1.1,
  • libnl from git, (optional)
  • libgc >=6.8, (optional)

Install required packages from repo

apt-get install libudns-dev libglib2.0-dev libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev python-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libgc-dev libgc1c2 sqlite3 python-geoip sqlite python-pip

P.S.: Some packages are provided by the apt-tree, so you don't have to install everything from source.

Create /opt/dionaea/ directory

mkdir /opt/dionaea/

Create temp folder for installation

mkdir ~/src

Install required packages


cd ~/src
git clone git:// liblcfg
cd liblcfg/code
autoreconf -vi
./configure --prefix=/opt/dionaea
make install


cd ~/src
git clone git:// libemu
cd libemu
autoreconf -vi
./configure --prefix=/opt/dionaea
make install


In case you use Ubuntu, libnl3 may be available in apt:

apt-get install libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev

or else install it from git

cd ~/src
git clone git://
cd libnl
autoreconf -vi
export LDFLAGS=-Wl,-rpath,/opt/dionaea/lib
./configure --prefix=/opt/dionaea
make install


cd ~/src
tar xfz libev-4.18.tar.gz
cd libev-4.18
./configure --prefix=/opt/dionaea
make install

Python 3.2

Before installing Python, we will install required dependencies:

  • readline

Should be available for every distribution.

  • sqlite > 3.3

Should be available for every distribution. If your distribution's sqlite version is < 3.3 and does not support triggers, you are doomed; please let me know, I'll write about how broken Python's build scripts are, and document how to compile it with a user-provided, more recent sqlite version.

  • Python
cd ~/src
tar xfz Python-3.2.2.tgz
cd Python-3.2.2/
./configure --enable-shared --prefix=/opt/dionaea --with-computed-gotos --enable-ipv6 LDFLAGS="-Wl,-rpath=/opt/dionaea/lib/ -L/usr/lib/x86_64-linux-gnu/"
make install


We have to use cython >= 0.15 as previous releases do not support Python3.2 __hash__'s Py_Hash_type for x86.

cd ~/src
tar xfz Cython-0.21rc1.tar.gz
cd Cython-0.21rc1
/opt/dionaea/bin/python3 setup.py install


Grabbing curl from your distribution's maintainer should work, if you run a decent distribution. If not, consider upgrading your operating system.


To honor the effort, we rely on libpcap 1.1.1. Most distros ship older versions, therefore it is likely you have to install it from source.

cd ~/src
tar xfz libpcap-1.6.2.tar.gz
cd libpcap-1.6.2
./configure --prefix=/opt/dionaea
make install

Fingerprinting with p0f

For more information about attackers and their operating systems and versions, you should install the fingerprinting library "p0f":

apt-get install p0f -y
cd /
mkdir nonexistent
chown -R nobody:nogroup nonexistent
mkdir /var/p0f

Dionaea has P0f integrated into the stream analysis. However P0f must be pre-authorized and launched separately:

p0f -i venet0:0 -u nobody -Q /tmp/p0f.sock -q -l -d -o /var/p0f/p0f.log
chown nobody:nogroup /tmp/p0f.sock

Check that the p0f process is running before configuring the associated socket /tmp/p0f.sock in Dionaea later:

ps -ef | grep p0f

nobody     460     1  0 May17 ?        00:00:01 /usr/sbin/p0f -u nobody -i venet0:0 -Q /tmp/p0f.sock -q -l -d -o /var/p0f/p0f.log

Clone Dionaea from github

cd ~/src
git clone git:// dionaea

Compiling dionaea

cd ~/src/dionaea
autoreconf -vi
./configure --with-lcfg-include=/opt/dionaea/include/ \
     --with-lcfg-lib=/opt/dionaea/lib/ \
     --with-python=/opt/dionaea/bin/python3.2 \
     --with-cython-dir=/opt/dionaea/bin \
     --with-udns-include=/opt/dionaea/include/ \
     --with-udns-lib=/opt/dionaea/lib/ \
     --with-emu-include=/opt/dionaea/include/ \
     --with-emu-lib=/opt/dionaea/lib/ \
     --with-gc-include=/usr/include/gc \
     --with-ev-include=/opt/dionaea/include \
     --with-ev-lib=/opt/dionaea/lib \
     --with-nl-include=/opt/dionaea/include \
     --with-nl-lib=/opt/dionaea/lib/ \
     --with-curl-config=/usr/bin/ \
     --with-pcap-include=/opt/dionaea/include
make install

Set file permission

sudo chown -R nobody:nogroup /opt/dionaea/var/dionaea
sudo chown -R nobody:nogroup /opt/dionaea/var/log

Update Dionaea

git pull;
make clean install

But you always want to make sure your config file is up to date; to compare it with the distributed version, you can use:

cd /opt/dionaea/etc/dionaea
diff dionaea.conf dionaea.conf.dist

Start Dionaea

/opt/dionaea/bin/dionaea -u nobody -g nogroup -c /opt/dionaea/etc/dionaea/dionaea.conf -w /opt/dionaea -p /opt/dionaea/var/ -D

You can check that dionaea is up and running:

  • Check the process:
ps -ef | grep dionaea

nobody    2356     1  0 May21 ?        00:00:16 /opt/dionaea/bin/dionaea -u nobody -g nogroup -c /opt/dionaea/etc/dionaea/dionaea.conf -w /opt/dionaea -p /opt/dionaea/var/ -D
root      2357  2356  0 May21 ?        00:00:00 /opt/dionaea/bin/dionaea -u nobody -g nogroup -c /opt/dionaea/etc/dionaea/dionaea.conf -w /opt/dionaea -p /opt/dionaea/var/ -D
  • Check the network status:
netstat -tnlp | grep dionaea

tcp        0      0 :::5060                 :::*               LISTEN      11445/dionaea
tcp        0      0 ::::5061                :::*               LISTEN      11445/dionaea
tcp        0      0 ::::135                 :::*               LISTEN      11445/dionaea
tcp        0      0 ::::3306                :::*               LISTEN      11445/dionaea
tcp        0      0 ::::42                  :::*               LISTEN      11445/dionaea
tcp        0      0 ::::21                  :::*               LISTEN      11445/dionaea
tcp        0      0 ::::1433                :::*               LISTEN      11445/dionaea
tcp        0      0 ::::443                 :::*               LISTEN      11445/dionaea
tcp        0      0 ::::445                 :::*               LISTEN      11445/dionaea
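
An added example (not part of the original wiki page): a small shell check that compares the dionaea listeners reported by netstat -tnlp with the ports in the listing above, and reports services that failed to bind or listeners you did not expect. The function names and the EXPECTED_PORTS list are assumptions of this example, and the sample input is constructed.

```shell
# Added example, not from the original page: verify dionaea's TCP listeners.
# EXPECTED_PORTS mirrors the netstat listing on this page (an assumption;
# adjust it to the services enabled in your dionaea.conf).
EXPECTED_PORTS="21 42 135 443 445 1433 3306 5060 5061"

# Print the local ports of LISTEN sockets owned by a process named dionaea,
# reading `netstat -tnlp` output on stdin.
listening_ports() {
    awk '$6 == "LISTEN" && $7 ~ /\/dionaea$/ {
             n = split($4, a, ":")      # port follows the last colon
             print a[n]
         }' | sort -un
}

# Expected ports with no dionaea listener (empty output: all services up).
missing_ports() {
    found=$(listening_ports)
    missing=""
    for p in $EXPECTED_PORTS; do
        printf '%s\n' "$found" | grep -qx "$p" || missing="$missing $p"
    done
    echo $missing
}

# Ports dionaea is listening on that are not in EXPECTED_PORTS.
unexpected_ports() {
    extra=""
    for p in $(listening_ports); do
        case " $EXPECTED_PORTS " in
            *" $p "*) ;;
            *) extra="$extra $p" ;;
        esac
    done
    echo $extra
}

# Constructed sample input: sshd must be ignored, 3306 and 5061 are down,
# and port 80 is an extra dionaea listener.
SAMPLE='tcp  0  0 0.0.0.0:22  0.0.0.0:*  LISTEN  812/sshd
tcp  0  0 :::21    :::*  LISTEN  11445/dionaea
tcp  0  0 :::42    :::*  LISTEN  11445/dionaea
tcp  0  0 :::80    :::*  LISTEN  11445/dionaea
tcp  0  0 :::135   :::*  LISTEN  11445/dionaea
tcp  0  0 :::443   :::*  LISTEN  11445/dionaea
tcp  0  0 :::445   :::*  LISTEN  11445/dionaea
tcp  0  0 :::1433  :::*  LISTEN  11445/dionaea
tcp  0  0 :::5060  :::*  LISTEN  11445/dionaea'
echo "missing: $(printf '%s\n' "$SAMPLE" | missing_ports)"
echo "unexpected: $(printf '%s\n' "$SAMPLE" | unexpected_ports)"
```

On a live host, pipe the real output in instead of the sample: netstat -tnlp | missing_ports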

If you are curious in the meantime, it is worth looking into the following directories and files.

The dionaea log file is located here:


And the content is:


The dionaea captured files and log are located here:


And the content:

