Installing, configuring and hiding Dionaea from nmap scans.
Dionaea is a malware capturing honeypot, which also features a VoIP module (of interest to me). It was originally developed under The Honeynet Project’s 2009 Google Summer of Code (GSoC).
My servers were running on Ubuntu 14.04, and it appeared most guides haven’t been updated since 12.04 came out. With thorough research, I found out that setting it up has become a lot easier, so much easier that I first doubted it was actually working, and tried to adapt the 12.04 guides. I believe there’s a lot of ambiguity surrounding it, as I can only access the original site (as I understand it) through the wayback machine.
So this is how I set it up:
Brian has been a life saver with his guide, which simply tells you how to get it up and running:
sudo apt-get install software-properties-common python-software-properties -y
sudo add-apt-repository ppa:honeynet/nightly -y
sudo apt-get update -y
sudo apt-get install dionaea-phibo -y
sudo service dionaea-phibo start
So yes, that’s really how easy it is now to get it started. However, that’s only the default configuration. He does tell you that you need to have a look at /etc/dionaea/dionaea.conf which is the configuration file for dionaea.
At this point I obviously had no idea how to configure it, so I kept searching for something that might explain it, and I found this . It’s quite a good basic configuration to make it into a VoIP honeypot (you definitely don’t want the http service running when dionaea is live). My only change is that I commented out the default submit section (sorry!). I didn’t find the first part useful as the script also installs kippo, and I found myself locked out from my ssh connection, sometimes even before the script finished installing (not to mention I didn’t want kippo).
Once I tried to scan it with nmap I realised it could easily tell it’s a honeypot, so I looked for a way to hide it. I found this other useful guide by José Manuel Fernández which tells you straightforward, and nicely explains, what values should be modified to avoid identification.
The only problem left then was the ssh service; it would easily identify it as an ubuntu machine. Therefore, I made the service listen to 127.0.0.1 in its config file /etc/ssh/sshd_config (ListenAddress, uncommented). As far as I can understand, you cannot change the way it recognises your machine as it’s hard coded, and is required in order to properly interact with other machines. Thus, the only option then was to get rid of it entirely. Don’t forget to restart the service!
service ssh restart
I got p0f to work by using this other guide, if you’re interested in it working for you.
At this point I realise there’s an awful lot of guides I used to get it up and running, none my original work, but since they were all so spread out, I thought it could be useful to have them all in one place!
It took me days to find the “right combo” but now it’s really easy to set-up a Dionaea honeypot – average 30 minutes set-up time. I’ve tried to extend it as well, but I couldn’t make any sense of the MySQL configuration (got everything else running), so if anyone could help me with that, I would highly appreciate it!
Bonus : You can get $50 credit for digitalocean using the github Student Developer Pack to set up your own servers! And another $10 if you use my referral link! 🙂