Since Kippo is doing fine and there are some other interesting things out there apart from SSH dictionary attacks, I decided to run Dionaea as well in order to get a better understanding of malware distribution.
So, I found myself on the official Dionaea website ready to proceed. The amount of information there and the manual compilation steps made me think I would surely run into a lot of trouble, but fortunately this was not the case. If you follow the instructions (and deploy the honeypot on an Ubuntu machine) you will have no problem with the installation. I still ran into some problems later, though.
My first and only trouble during the install was with libnl, which no longer seems to be hosted at git.kernel.org as the guide says, but rather at git://git.infradead.org/users/tgr/libnl.git. Another thing to note is that Ubuntu doesn't need udns, so don't install it, and remove the two related parameters when running ./configure for Dionaea itself. Other than that, the installation was fine.
I started Dionaea with:
./dionaea -D -r /opt/dionaea -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid -l all,-debug -L '*'
-D makes it run as a daemon in the background. Dionaea has a rather detailed configuration file with a lot of options to play with. I left the default values and only changed the logging section to exclude debugging information (the -l all,-debug parameter above does the same on the command line). I still need to make use of the privilege-dropping feature for better security; if you have any tips on that, let me know.
The honeypot was running and within a matter of minutes I got my first connections! Dionaea keeps text-based logs but saves the data in a SQLite database as well (thank god). Almost all of the connections were on port 445. One thing I noticed, though, was that connections were constantly being dropped by my system. Thanks to the #Nepenthes IRC channel, to which I had to resort, I realised that my system was not actually reachable: Dionaea was binding only to loopback addresses, so I had to switch the listen configuration to manual mode and choose my "public" network interface. Something like addrs = { eth0 = ["0.0.0.0"] } did the trick.
As always, I took a look at the related Infosanity posts for various updates and tips. I saw that Andrew had already written a script to generate some statistics. Here is what I got after ~4 hours:
python mimic-nepstats.py
Statistics engine written by Andrew Waite - www.infosanity.co.uk

Number of submissions: 20
Number of unique samples: 18
Number of unique source IPs: 18

First sample seen: 2012-01-04 22:50:12.268572
Last sample seen: 2012-01-05 02:51:15.270853
System Uptime: 4:01:03.002281

Most recent submissions:
2012-01-05 02:51:15.270853, 89.165.187.45, http://89.165.187.45:1115/entn, d987a9af709bfd188071aa3f5e027aac
2012-01-05 02:40:36.996795, 38.106.166.115, http://38.106.166.115:8927/tazhj, 628209663f62c35b996ca17850ed7862
2012-01-05 02:29:58.125629, 49.145.98.95, http://49.145.98.95:3250/rayflgug, a61bb611ab77e5bb2d3cab672392a928
2012-01-05 02:27:21.690987, 82.77.246.133, http://82.77.246.133:7825/mktyd, 1892721678e9b975c66a8cbb6ed1f340
2012-01-05 02:21:40.608644, 67.212.82.253, http://67.212.82.253:6604/ubophe, e1855fbe6cf64738bffb9dc195e38ed1
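To show where those figures come from, here is an added example (my own, not Andrew's script and not Dionaea code) that computes the same statistics, plus a per-port breakdown, directly from the SQLite log. It assumes the logsql table and column names shown in the schema string and runs against constructed sample rows; check the names against your own logsql.sqlite before pointing it at real data.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed subset of Dionaea's logsql schema (table and column names as I
# recall them; verify against your own logsql.sqlite before relying on this).
SCHEMA = """
CREATE TABLE connections (connection INTEGER PRIMARY KEY,
    connection_timestamp INTEGER, remote_host TEXT, local_port INTEGER);
CREATE TABLE downloads (download INTEGER PRIMARY KEY, connection INTEGER,
    download_url TEXT, download_md5_hash TEXT);
"""

# Constructed sample rows (documentation-range IPs, made-up hashes) shaped like
# the submissions the stats script listed: (unix timestamp, source IP,
# local port hit, offered URL, MD5 of the downloaded sample).
SAMPLE = [
    (1325724600, "198.51.100.7", 445, "http://198.51.100.7:1115/a", "0a" * 16),
    (1325730000, "203.0.113.9", 445, "http://203.0.113.9:8927/b", "1b" * 16),
    (1325733000, "198.51.100.7", 135, "http://198.51.100.7:3250/c", "0a" * 16),
    (1325739000, "192.0.2.44", 445, "http://192.0.2.44:6604/d", "2c" * 16),
]

def build_sample_db():
    """In-memory stand-in for logsql.sqlite populated with SAMPLE."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for ts, host, port, url, md5 in SAMPLE:
        cur = db.execute("INSERT INTO connections (connection_timestamp, remote_host, "
                         "local_port) VALUES (?, ?, ?)", (ts, host, port))
        db.execute("INSERT INTO downloads (connection, download_url, download_md5_hash) "
                   "VALUES (?, ?, ?)", (cur.lastrowid, url, md5))
    return db

def submission_stats(db):
    """The figures mimic-nepstats prints: submissions, unique samples, unique IPs, first/last seen."""
    total, samples, ips, first, last = db.execute(
        "SELECT COUNT(*), COUNT(DISTINCT d.download_md5_hash), COUNT(DISTINCT c.remote_host), "
        "MIN(c.connection_timestamp), MAX(c.connection_timestamp) "
        "FROM downloads d JOIN connections c ON d.connection = c.connection").fetchone()
    return {"submissions": total, "unique_samples": samples, "unique_ips": ips,
            "first_seen": first, "last_seen": last}

def port_breakdown(db):
    """Which local ports the submitting connections hit (the post saw almost only 445)."""
    rows = db.execute("SELECT c.local_port, COUNT(*) FROM downloads d JOIN connections c "
                      "ON d.connection = c.connection GROUP BY c.local_port ORDER BY 2 DESC")
    return {port: n for port, n in rows}

if __name__ == "__main__":
    db = build_sample_db()
    stats = submission_stats(db)
    for key in ("first_seen", "last_seen"):
        stats[key] = datetime.fromtimestamp(stats[key], tz=timezone.utc).isoformat()
    print(stats)
    print(port_breakdown(db))
```

Swap `sqlite3.connect(":memory:")` for the path to your logsql.sqlite (and drop the SAMPLE inserts) to run it over real data; the same sample hash showing up from two sources is why unique samples stays below submissions.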
I don't know what else to expect at this stage. For the time being I will let the system run and collect some (hopefully) interesting data. I haven't studied everything related to Dionaea yet, and I'm sure there are a lot of useful configurations and add-ons, since, as I'm told, it is being actively developed. If you know of something I can add to Dionaea, or can teach me something new about it, let me know; I would appreciate it a lot.