Setting up a Dionaea Honeypot

If you are looking to set up a honeypot to collect malware for analysis, you have probably come across the Dionaea honeypot. While the project does not seem to be in active development, it does appear to be maintained, with fixes and documentation updates. Regardless, here is how I went about installing and setting up Dionaea.

Step 1 – Select a hosting provider (and host OS)

Our first step is to find a hosting provider. While you could run a honeypot on your home lab/network, I would caution against it, as it is going to be accepting active exploits/malware. Personally I don't see the need to tempt fate. I went with Digital Ocean's cheapest/smallest droplet at $5/month. If you use this referral link you (and I) can get a $10 credit, but any of the hosting providers out there will work. When you are setting up your host, select Ubuntu 14.04 x32. Why? It is the only version/architecture that I have been able to get Dionaea to work 100% on. If you are using Digital Ocean I recommend following their initial server setup guide.

Step 2 – Install Dionaea

So you've got your host installed and you've logged in. Let's start by installing Dionaea. We are also going to build a newer curl from source, based on recommendations in the issues posted on GitHub for the project. Two things to know before running the block below: apt-get build-dep only works if the deb-src lines in /etc/apt/sources.list are enabled, and because the new curl and libcurl are installed under /usr and replace the system copies, it is worth fetching the tarball over https and checking it against the signature curl publishes next to each release before you build it.

(All of the commands that follow in this post assume that you are root.)

apt-get update
apt-get dist-upgrade
apt-get install software-properties-common
add-apt-repository ppa:honeynet/nightly
apt-get update
apt-get install dionaea
apt-get -y build-dep curl
mkdir ~/curl
cd ~/curl
wget http://curl.haxx.se/download/curl-7.50.2.tar.bz2
tar -xvjf curl-7.50.2.tar.bz2
cd curl-7.50.2
./configure --prefix=/usr
make
make install
ldconfig

Step 3 – Update the Dionaea config

Now that Dionaea is installed, we need to make some configuration changes before we start it up. Dionaea has some issues with IPv6, and with the default config it is extremely verbose in its logging, so edit the config file.

vi /opt/dionaea/etc/dionaea/dionaea.cfg

and set the following keys to the values shown (listen.addresses gets the public IPv4 address of the host, which keeps Dionaea off IPv6; the two levels keys cut the logging down to warnings and errors).

listen.mode=manual
listen.addresses=<ip address of the host>

default.levels=warning,error

errors.levels=warning,error

Hint: to save and exit in vi, press ESC, type :wq and press Enter.

Step 4 – Disable unneeded services and configure smb

The default install of Dionaea has a number of services enabled by default. I like to run only the smb service, so to disable the others I use the commands below.

cd /opt/dionaea/etc/dionaea/services-enabled
rm *
ln -s ../services-available/smb.yaml smb.yaml

Next we want to edit the config for the smb service to help evade identification as a honeypot. In the smb config we will set os_type to 4 and uncomment the "Additional config" and "Windows 7" sections.

cd /opt/dionaea/etc/dionaea/services-available/
vi smb.yaml

Here is what mine looks like after the edits. Change the domain and server names to whatever you would like. Note that the C$ share uses the key "comment"; if your copy of the file reads "coment" there, fix it, since that misspelled key is not one the smb service knows about.

- name: smb
  config:

    ## Generic setting ##

    # 1:"Windows XP Service Pack 0/1",
    # 2:"Windows XP Service Pack 2",
    # 3:"Windows XP Service Pack 3",
    # 4:"Windows 7 Service Pack 1",
    # 5:"Linux Samba 4.3.11"
    os_type: 4

    # Additional config
    primary_domain: Dev
    oem_domain_name: Dev
    server_name: Dev-PC

    ## Windows 7 ##
    native_os: Windows 7 Professional 7600
    native_lan_manager: Windows 7 Professional 6.1
    shares:
      ADMIN$:
        comment: Remote Admin
        path: C:\\Windows
        type: disktree
      C$:
        comment: Default Share
        path: C:\\
        type:
          - disktree
          - special
      IPC$:
        comment: Remote IPC
        type: ipc
      Printer:
        comment: Microsoft XPS Document Writer
        type: printq

    ## Samba ##
    # native_os: Windows 6.1
    # native_lan_manager: Samba 4.3.11
    # shares:
    #   admin:
    #     comment: Remote Admin
    #     path: \\home\\admin
    #     type: disktree
    #   share:
    #     comment: Default Share
    #     path: \\share
    #     type: disktree
    #   IPC$:
    #     comment: Remote IPC
    #     path: IPC Service
    #     type: ipc
    #   Printer:
    #     comment: Printer Drivers
    #     type: printq
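The dionaea.cfg and services-enabled edits from Steps 3 and 4, as an added script of my own (it is not part of Dionaea and not how the original steps were done) that applies them in one idempotent pass. It rewrites the four keys in place, refuses to continue if a key is not already in the file rather than appending it where the sectioned config might never read it, and replaces the services-enabled links with smb only. The default path is the one used in this post; the sample config and services tree written by make_sample_tree() are constructed to exercise the code and are not a copy of a real install.

```python
#!/usr/bin/env python3
"""Apply the Step 3 and Step 4 configuration changes in one idempotent pass.

Added example, not part of Dionaea. The sample tree written by
make_sample_tree() is constructed and only mimics the keys the post edits.
"""
import os
import re
import sys
import tempfile

ETC_DIR = "/opt/dionaea/etc/dionaea"

# Keys to enforce in dionaea.cfg; listen.addresses is added from the command line.
WANTED = {
    "listen.mode": "manual",
    "default.levels": "warning,error",
    "errors.levels": "warning,error",
}


def set_keys(text, wanted):
    """Return (new_text, keys_changed) with each key=value line rewritten in place.

    A key is matched only at the start of a line, so default.levels cannot
    clobber errors.levels. A missing key raises KeyError instead of being
    appended: dionaea.cfg is sectioned, and a key appended at the end may
    land in the wrong section and never be read.
    """
    changed = []
    for key, value in wanted.items():
        pattern = re.compile(r"^([ \t]*)" + re.escape(key) + r"[ \t]*=.*$", re.M)
        if not pattern.search(text):
            raise KeyError("%s not found in config" % key)
        new_text = pattern.sub(lambda m: m.group(1) + key + "=" + value, text)
        if new_text != text:
            changed.append(key)
        text = new_text
    return text, changed


def enable_only(etc_dir, services):
    """Leave only the named services linked in services-enabled (Step 4)."""
    enabled = os.path.join(etc_dir, "services-enabled")
    available = os.path.join(etc_dir, "services-available")
    for name in os.listdir(enabled):
        os.remove(os.path.join(enabled, name))
    for svc in services:
        if not os.path.exists(os.path.join(available, svc + ".yaml")):
            raise FileNotFoundError("no %s.yaml in %s" % (svc, available))
        # Relative link, same shape as: ln -s ../services-available/smb.yaml smb.yaml
        os.symlink(os.path.join("..", "services-available", svc + ".yaml"),
                   os.path.join(enabled, svc + ".yaml"))
    return sorted(os.listdir(enabled))


def configure(etc_dir, listen_ip, services=("smb",)):
    """Rewrite dionaea.cfg and services-enabled; returns (keys_changed, enabled)."""
    cfg_path = os.path.join(etc_dir, "dionaea.cfg")
    wanted = dict(WANTED, **{"listen.addresses": listen_ip})
    with open(cfg_path) as f:
        text = f.read()
    new_text, changed = set_keys(text, wanted)
    if changed:
        with open(cfg_path, "w") as f:
            f.write(new_text)
    return changed, enable_only(etc_dir, services)


# Constructed sample, not a real dionaea.cfg: just enough to exercise set_keys().
SAMPLE_CFG = """[dionaea]
listen.mode=getifaddrs
listen.addresses=127.0.0.1
listen.interfaces=eth0,tap0

[logging]
default.filename=/opt/dionaea/var/dionaea/dionaea.log
default.levels=all
errors.filename=/opt/dionaea/var/dionaea/dionaea-errors.log
errors.levels=all
"""


def make_sample_tree(root, available=("smb", "http", "ftp")):
    """Write the constructed config plus services-available/-enabled under root."""
    with open(os.path.join(root, "dionaea.cfg"), "w") as f:
        f.write(SAMPLE_CFG)
    os.mkdir(os.path.join(root, "services-available"))
    os.mkdir(os.path.join(root, "services-enabled"))
    for svc in available:
        open(os.path.join(root, "services-available", svc + ".yaml"), "w").close()
        os.symlink(os.path.join("..", "services-available", svc + ".yaml"),
                   os.path.join(root, "services-enabled", svc + ".yaml"))


def selftest():
    """Configure a throwaway sample tree twice and report what happened."""
    root = tempfile.mkdtemp(prefix="dionaea-cfg-")
    make_sample_tree(root)
    first = configure(root, "203.0.113.5")
    second = configure(root, "203.0.113.5")   # should change nothing
    with open(os.path.join(root, "dionaea.cfg")) as f:
        text = f.read()
    link = os.readlink(os.path.join(root, "services-enabled", "smb.yaml"))
    return {"first": first, "second": second, "text": text, "link": link}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: %s <public ip of this host>" % sys.argv[0])
    changed, enabled = configure(ETC_DIR, sys.argv[1])
    print("changed:", ", ".join(changed) or "nothing")
    print("enabled:", ", ".join(enabled))
```

Run it as root with the host's public IP as the only argument; running it a second time reports that nothing changed, which is the point of doing it as a script rather than by hand. The smb.yaml edits from Step 4 are left to vi on purpose, since they depend on what identity you want the honeypot to present.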

Step 5 – Enable and install p0f (and sqlite)

I like to enable the p0f handler so I can collect some additional information on the systems that are attacking my honeypot. This is pretty easy to do.

cd /opt/dionaea/etc/dionaea/ihandlers-enabled/
ln -s ../ihandlers-available/p0f.yaml p0f.yaml

We also need to install p0f, and I like to install sqlite at the same time so it is available to read the SQL logs that Dionaea will generate.

apt-get install sqlite3 p0f

Step 6 – Setup rotation for logs and bistreams

Remember how I mentioned earlier that Dionaea is very verbose in its logging? To prevent the logs from filling up the disk we need to set up log rotation.

cd /etc/logrotate.d/
vi dionaea

In this file paste the following and save. Before you do, check who owns the live log (ls -l /opt/dionaea/var/dionaea/dionaea.log) and put that owner and group on the create line, so the file logrotate creates is writable by whatever user Dionaea runs as.

/opt/dionaea/var/dionaea/dionaea*.log {
        notifempty
        missingok
        rotate 7
        daily
        delaycompress
        compress
        create 660 root root
        dateext
        postrotate
                service dionaea restart
        endscript
}

Dionaea also records the bistreams (the raw bytes sent in each direction) for every connection, and these were completely filling up the disk on my host. To address this I created a small script to compress and delete the bistreams and then added a cron job to run it regularly.

cd ~
vi bistream_rotate

In this file paste the following and save.

#!/bin/bash

BISTREAMS=/opt/dionaea/var/dionaea/bistreams

# Compress bistream files older than 1 hour. gzip keeps the original mtime on
# the .gz file, so the age check below still sees when the stream was captured.
# Files already ending in .gz are skipped so gzip does not complain every hour.
find "$BISTREAMS" -mindepth 1 -type f ! -name '*.gz' -mmin +60 -exec gzip {} \;

# Remove bistreams older than 6 hours, then drop the per-day directories left empty
find "$BISTREAMS" -mindepth 1 -type f -mmin +360 -exec rm -f {} \;
find "$BISTREAMS" -mindepth 1 -type d -empty -delete

Now make the script executable

chmod +x bistream_rotate

Now add a cron job.

crontab -e

and add the following line, which runs the script we just created at the top of every hour.

0 * * * * /root/bistream_rotate

Step 7 – Start Dionaea

We are ready to start Dionaea now.

First start p0f. The flags below are p0f v2 syntax, which is the version the Ubuntu 14.04 package ships (p0f3 takes the socket path with -s instead of -Q, so do not mix the two). The socket path has to match the one in ihandlers-available/p0f.yaml, p0f must be started as root to sniff (-u drops it to the dionaea user afterwards), and because it is not a service here it will not come back after a reboot unless you add it to an init script or a @reboot cron entry.

p0f -i any -u dionaea -Q /tmp/p0f.sock -q -l -d -o /var/log/p0f.log

And then start Dionaea.

service dionaea start

You’ll probably see your first malware within a few minutes (it will likely be a WannaCry variant).

Handy Notes

Captured binaries are stored in the folder

/opt/dionaea/var/dionaea/binaries/

You can access the sqlite database with the following command

sqlite3 /opt/dionaea/var/dionaea/dionaea.sqlite
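Two queries I find myself running against that database, as an added example of my own (it is not Dionaea's tooling and not something the original post included): the busiest source addresses, and one line per distinct captured binary showing how often it was pushed and from where. The table and column names are the logsql handler's schema as I know it (connections.connection_type, remote_host and connection_timestamp; downloads.download_url and download_md5_hash, joined on connection), so run .schema connections and .schema downloads in sqlite3 to confirm them before trusting the numbers. The rows loaded by build_sample_db() are constructed, not real captures.

```python
#!/usr/bin/env python3
"""Summarise dionaea.sqlite: busiest sources, and which captured binaries came from where.

Added example, not part of Dionaea. Table/column names are the logsql handler's
schema as I recall it; confirm with .schema in sqlite3. Sample rows are constructed.
"""
import sqlite3
import sys

DB_PATH = "/opt/dionaea/var/dionaea/dionaea.sqlite"

# Subset of the logsql schema needed by the queries below (assumed, see above).
SCHEMA = """
CREATE TABLE IF NOT EXISTS connections (
    connection INTEGER PRIMARY KEY,
    connection_type TEXT, connection_transport TEXT, connection_protocol TEXT,
    connection_timestamp INTEGER, connection_root INTEGER, connection_parent INTEGER,
    local_host TEXT, local_port INTEGER,
    remote_host TEXT, remote_hostname TEXT, remote_port INTEGER
);
CREATE TABLE IF NOT EXISTS downloads (
    download INTEGER PRIMARY KEY, connection INTEGER,
    download_url TEXT, download_md5_hash TEXT
);
"""


def top_attackers(conn, limit=10, since=None):
    """[(remote_host, count)] for accepted inbound connections, busiest first.

    connection_type = 'accept' skips the listener rows (type 'listen', empty
    remote_host) that would otherwise show up as a bogus source. `since` is a
    unix timestamp, which is what connection_timestamp holds."""
    sql = ("SELECT remote_host, COUNT(*) AS n FROM connections "
           "WHERE connection_type = 'accept'")
    args = []
    if since is not None:
        sql += " AND connection_timestamp >= ?"
        args.append(since)
    sql += " GROUP BY remote_host ORDER BY n DESC, remote_host LIMIT ?"
    args.append(limit)
    return conn.execute(sql, args).fetchall()


def downloads_by_hash(conn):
    """One row per distinct binary: (md5, times seen, source hosts, urls).

    Grouping on the hash collapses re-offers of the same sample into one line;
    the md5 is also the file name under /opt/dionaea/var/dionaea/binaries/."""
    sql = """SELECT d.download_md5_hash, COUNT(*) AS times,
                    GROUP_CONCAT(DISTINCT c.remote_host),
                    GROUP_CONCAT(DISTINCT d.download_url)
             FROM downloads d JOIN connections c ON c.connection = d.connection
             GROUP BY d.download_md5_hash ORDER BY times DESC, d.download_md5_hash"""
    return conn.execute(sql).fetchall()


def build_sample_db():
    """In-memory database holding a few constructed rows (not real traffic)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    t0 = 1500000000
    hp = "203.0.113.5"                     # the honeypot's own address
    connections = [
        # connection, type, transport, protocol, ts, root, parent,
        # local_host, local_port, remote_host, remote_hostname, remote_port
        (1, "listen", "tcp", "smbd", t0,      1, 1, hp, 445, "",             "", 0),
        (2, "accept", "tcp", "smbd", t0 + 10, 2, 2, hp, 445, "198.51.100.7", "", 50001),
        (3, "accept", "tcp", "smbd", t0 + 20, 3, 3, hp, 445, "198.51.100.7", "", 50002),
        (4, "accept", "tcp", "smbd", t0 + 30, 4, 4, hp, 445, "192.0.2.44",   "", 4444),
        (5, "accept", "tcp", "smbd", t0 + 40, 5, 5, hp, 445, "198.51.100.7", "", 50003),
    ]
    conn.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?,?,?,?,?,?)", connections)
    downloads = [
        # download, connection, url, md5 (placeholder hashes, not real samples)
        (1, 2, "tftp://198.51.100.7/x.exe", "d41d8cd98f00b204e9800998ecf8427e"),
        (2, 3, "tftp://198.51.100.7/x.exe", "d41d8cd98f00b204e9800998ecf8427e"),
        (3, 4, "http://192.0.2.44/y.exe",   "0cc175b9c0f1b6a831c399e269772661"),
    ]
    conn.executemany("INSERT INTO downloads VALUES (?,?,?,?)", downloads)
    conn.commit()
    return conn


def report(conn, limit=10):
    """Print both summaries; returns them so callers can use the data too."""
    attackers = top_attackers(conn, limit)
    binaries = downloads_by_hash(conn)
    print("Top sources:")
    for host, n in attackers:
        print("  %-15s %d" % (host, n))
    print("Binaries:")
    for md5, times, sources, urls in binaries:
        print("  %s x%d from %s (%s)" % (md5, times, sources, urls))
    return attackers, binaries


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--sample":
        report(build_sample_db())
    else:
        path = sys.argv[1] if len(sys.argv) > 1 else DB_PATH
        # read-only open: Dionaea keeps writing to this file while we query it
        report(sqlite3.connect("file:%s?mode=ro" % path, uri=True))
```

Run it with --sample to see the output shape on the constructed rows, or with no arguments on the live database; the read-only URI open is there because Dionaea is still writing to the file, and you do not want a stray write lock from your analysis session to get in its way.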

Dionaea’s log files are

/opt/dionaea/var/dionaea/dionaea.log
/opt/dionaea/var/dionaea/dionaea-error.log

And bistreams (as you may have deduced from above) are stored in per-day directories under

/opt/dionaea/var/dionaea/bistreams/YYYY-MM-DD

Enjoy!