Install Dionaea on Ubuntu 14.04


Today I spent several hours attempting to install Dionaea on Ubuntu 14.04. I attempted to compile and install per the instructions on the website, but without any luck. Based on the success I had on the last project, I thought perhaps someone had already written a quick bash script to take the complexity out of this. I was able to find a few scripts, but none that worked out-of-the-box on 14.04. It seems as though no one has looked at this since 2012, as all the blogs, guides and scripts are written for Ubuntu 11.10 or 12.04.

Andy Smith’s blog post seemed to be the most aligned with my goals, but did not work because apt-get could not find the “dionaea” package. Apparently this has been renamed to dionaea-phibo. I discovered this by reviewing a Modern Honey Network (MHN) project GitHub discussion. MHN looks like a pretty cool project to review another day.

In the end, getting dionaea operational on Ubuntu 14.04 is quick and easy:

sudo apt-get update
sudo apt-get install software-properties-common python-software-properties -y
sudo add-apt-repository ppa:honeynet/nightly -y
sudo apt-get update -y
sudo apt-get install dionaea-phibo -y
sudo service dionaea-phibo start

NOTE: Several times I’ve had to run “apt-get install dionaea-phibo” a second time. I believe the issue is that it won’t install until all dependencies are installed, which happens the first time you execute the installation. The second time it always takes. Weird, but that’s what I’ve noticed.

NOTE: If you’re running this on an Ubuntu VPS, you’ll also notice that rsyslog pegs the processor as it fills up the HDD by writing garbage to dionaea.log. Run these commands immediately after installation to fix the issue:

sudo service rsyslog stop
sudo sed -i -e 's/^$ModLoad imklog/#$ModLoad imklog/g' /etc/rsyslog.conf
sudo service rsyslog start

BOOM, it’s up and running. Don’t forget to configure the services (/etc/dionaea/dionaea.conf).

And lastly, as Tom comments below, you’ll want to update your logging settings in dionaea.conf to the level you require. It is set to “all” out of the box and will quickly fill your logs. Thanks Tom!
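The install steps, the rsyslog imklog fix, and the dionaea.conf logging-level change from Tom’s comment, wrapped into re-runnable shell functions. This is an added example, not code from the original post or the Dionaea project. It assumes the package name and PPA given above, that the fix-up functions run as root against /etc/rsyslog.conf and /etc/dionaea/dionaea.conf, and that dionaea.conf’s logging block carries a levels = "all" entry (the layout of that block is assumed from the post’s description, not verified here). The file-editing functions take a path argument so they can be exercised on scratch copies, which is what the demo at the bottom does.

```shell
#!/bin/sh
# Added example (not from the original post). Idempotent helpers for the
# post's install and clean-up steps. Assumptions: package dionaea-phibo from
# ppa:honeynet/nightly (as in the post); dionaea.conf uses a `levels = "all"`
# line in its logging block (assumed layout); install/apply functions run as root.
set -u

# Install from the honeynet nightly PPA. The post notes the package sometimes
# only installs on the second attempt, so retry once. Not run at load time.
install_dionaea() {
    apt-get update
    apt-get install -y software-properties-common python-software-properties
    add-apt-repository -y ppa:honeynet/nightly
    apt-get update
    apt-get install -y dionaea-phibo || apt-get install -y dionaea-phibo
    service dionaea-phibo start
}

# Comment out the kernel-log module line so rsyslog stops spraying kernel
# messages into dionaea.log. $1 = path to an rsyslog.conf. Already-commented
# lines do not match, so re-running is harmless.
disable_imklog() {
    conf="$1"
    sed -i -e 's/^[$]ModLoad imklog/#$ModLoad imklog/' "$conf"
}

# Exit 0 when no active "$ModLoad imklog" line remains in $1.
imklog_disabled() {
    ! grep -q '^[$]ModLoad imklog' "$1"
}

# Stop rsyslog, patch the real config, start it again (the post's sequence).
apply_rsyslog_fix() {
    service rsyslog stop
    disable_imklog /etc/rsyslog.conf
    service rsyslog start
}

# Replace the stock `levels = "all"` entry (assumed layout) with a quieter
# level list. $1 = path to dionaea.conf, $2 = new level list, e.g. "warning,error".
# Only the "all" entry is touched, so a separate errors block is left alone.
set_dionaea_log_level() {
    conf="$1"
    level="$2"
    sed -i -e "s/^\([[:space:]]*levels[[:space:]]*=[[:space:]]*\)\"all\"/\1\"$level\"/" "$conf"
}

# Print the first `levels = "..."` value found in $1 (the default log block).
current_dionaea_log_level() {
    sed -n 's/^[[:space:]]*levels[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Demo on constructed scratch copies of the two config files.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '$ModLoad imuxsock\n$ModLoad imklog\n' > "$demo_dir/rsyslog.conf"
printf 'logging = {\n\tdefault = {\n\t\tlevels = "all"\n\t}\n\terrors = {\n\t\tlevels = "warning,error"\n\t}\n}\n' > "$demo_dir/dionaea.conf"

disable_imklog "$demo_dir/rsyslog.conf"
set_dionaea_log_level "$demo_dir/dionaea.conf" "warning,error"

imklog_disabled "$demo_dir/rsyslog.conf" && echo "imklog disabled in scratch rsyslog.conf"
echo "dionaea default log level is now: $(current_dionaea_log_level "$demo_dir/dionaea.conf")"
```

On a real box, call `apply_rsyslog_fix` and `set_dionaea_log_level /etc/dionaea/dionaea.conf "warning,error"` as root right after `install_dionaea`, then restart the dionaea-phibo service so the new log level takes effect. Keeping the sed patterns in single quotes (or escaping `$` as `[$]`) is what avoids the shell expanding `$ModLoad` to an empty string, the failure mode Mohammed hit in the comments.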

16 Comments

  1. Mohammed says:

    Hello, Thank you so much dear..you saved my ass.
    I’ve been trying so hard to get dionaea installed in my AWS instance that utilizes Ubuntu 14.04 as the OS
    All the tutorials I tried were for 12.04 and DID NOT WORK for me

    However, I have two problems I’m facing now

    1- running the ” sed -i -e ‘s/^$ModLoad imklog/#$ModLoad imklog/g’ /etc/rsyslog.conf ” failed and I got this error

    ” sed: -e expression #1, char 1: unknown command: `▒’ ”

    2- Would you mind to tell me what I should configure in my “dionaea.conf”

    Thanks a lot 🙂

    • brian says:

      Hi Mohammed, it looks like the wordpress template I’m using may have converted some of the characters in that command-line. Delete the single parenthesis (‘) and type them again in the command-line and it should work.

      sed -i -e 's/^$ModLoad imklog/#$ModLoad imklog/g' /etc/rsyslog.conf

      That command is commenting out the line loading imklog from /etc/rsyslog.conf. This is the modification:

      Original:
      $ModLoad imklog

      Modified:
      #$ModLoad imklog

      • Mohammed says:

        thanx dude, it worked for me. I just did what you suggested.
        But I noticed that dionaea.conf doesn’t reside under /etc; in fact I found it in src!!!
        And I’m sorry if this sounds silly but :

        what do I have to configure in that file? Because this is the second time I install dionaea, as I’m using the DionaeaFR tool to help me visualize the honeypot data, but I failed to make the last one function. Maybe I’m missing some configuration on the honeypot side. thanx dude

  2. David says:

    Hello,
    This post seems to be “ass-saving” for me since no one out there has made a tutorial on Dionaea for Ubuntu 14.
    However, after finishing the steps and trying to start Dionaea, I got no result running the start command; also I failed to find Dionaea in any directory or subdirectory in my system.
    What seems to be the problem and how do I get around it?

    Thanx a lot dude 🙂

  3. Robert Gabriel says:

    Thank you so much, works.

    You_are_the_man.

  4. tom says:

    Hi Brian,

    thanks for your how-to. Trying to run Dionaea on my Ubuntu VPS, but even after I did the mods in rsyslog.conf the dionaea.log gets filled up. Any idea?

    thanks

    • brian says:

      Hey Tom – Did you go into the rsyslog.conf file and verify that line is actually commented out? I’ve had issues with just copying and pasting before because sometimes the comma character gets replaced.

      • tom says:

        Hi Brian,

        yes, I have manually modified the rsyslog.conf file. Any idea to fix the problem?

        thanks

        • tom says:

          Hi Brian,

          I fixed the problem by modifying the dionaea.conf. One of the first entries in the config file is logging; by default it’s set to log “all”. Just change that to something like “critical” or whatever level of logging is sufficient for you. Make sure to remove “debug”.

          thanks.

          • brian says:

            Hi Tom, Ahhhh that makes sense…thanks for the information. I’ll be sure to add it to the step-by-step above. Thanks!

  5. djobes says:

    I have installed and all seems to be working, except after testing with nmap and metasploit, it does not seem to be catching or storing binaries, only bitstreams. I had it working before, but the drive crashed and I lost all the docs on this. Any ideas or suggestions on what could be the problem?

    • brian says:

      Hmmm…my first thought is that nmap wouldn’t leave any binaries…just stream data. Depending on what you were doing with metasploit there may not be any binaries either. I haven’t done extensive testing beyond getting it to run as I redirected most of my work towards a few other projects, but I hope those off-the-cuff thoughts help!

  6. Scott says:

    Thank you for this, I’ve been trying to install dionaea with no luck for two days until now!

  7. Ataxi says:

    Hi Brian
    Thank you for your good tutorial. After installation I get this error when I want to run dionaea:

    “Dionaea Version 0.1.0
    Compiled on Linux/x86_64 at Dec 22 2015 00:18:26 with gcc 4.8.4
    Started on ubuntu running Linux/x86_64 release 3.13.0-24-generic

    Trace/breakpoint trap (core dumped)”

    Would you please help me?

    • Brian says:

      Hi Ataxi,

      Did you compile the code yourself? I just downloaded a fresh ISO of Ubuntu 14.04-3 and followed the blog’s instructions without issue. The only note is that you have to accept the apt-get commands. I’ll add “-y” to the blog above.

      Note the compile dates are different from my install below:

      root@ubuntu:~# sudo service dionaea-phibo start
      Dionaea Version 0.1.0
      Compiled on Linux/x86_64 at Aug 20 2014 17:08:40 with gcc 4.8.2
      Started on ubuntu running Linux/x86_64 release 3.19.0-25-generic
      [23122015 14:24:50] dionaea dionaea.c:245: User dionaea has uid 105
      [23122015 14:24:50] dionaea dionaea.c:264: Group dionaea has gid 112

      root@ubuntu:~# netstat -antp | grep LIST
      tcp 0 0 127.0.0.1:21 0.0.0.0:* LISTEN 1381/dionaea
      tcp 0 0 192.168.0.152:21 0.0.0.0:* LISTEN 1381/dionaea
      tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 861/sshd
      tcp 0 0 127.0.0.1:1433 0.0.0.0:* LISTEN 1381/dionaea

      • Ataxi says:

        Thank you very much for your reply. I accepted the apt-get commands and there wasn’t any problem during the installation.
        But the Ubuntu version was not fresh. In addition, I had tried several times to install Dionaea according to other weblogs’ instructions before I read your instructions.
        So I will install it again on a fresh ISO of Ubuntu.

        Once again thank you for your instructions
