In the previous post, we configured an SSH honeypot using Cowrie. In this tutorial, I will go through the installation and configuration process for a honeypot application named Dionaea. While Cowrie is a Honeypot designed to record traffic related to SSH and Telnet, Dionaea focuses on capturing malware.
Dionaea does this by emulating a range of services that are often exposed to the network; an extensive list can be found here.
We could configure Dionaea to listen on every protocol in that list, but because we want the honeypot to look realistic, we will only enable the ones that are most likely to generate incidents.
In this walkthrough we will only be emulating the following services:
- HTTP and HTTPS
- MySQL
- SMB
In my setup, Dionaea runs in parallel with Cowrie on the same host.
- In this tutorial I use Ubuntu Server 16.04; I cannot guarantee that Dionaea will be compatible with newer versions of Ubuntu.
- It is also recommended to host this honeypot on a public VPS, which will give you a lot of interesting data, although hosting it locally for testing purposes is fine 😉 Whichever you choose, treat the host as hostile: its whole purpose is to receive live malware, so keep nothing on it that you care about and do not place it on a network segment with systems you trust.
2. Installation and basic configuration
Before we begin with the installation of Dionaea, let's update the package index.
$ sudo apt-get update
2.2 Compile & install Dionaea 0.8.0
Unlike Cowrie, which is a Python application and needs no build step, Dionaea is written in C, which means that we need to compile it ourselves.
Start by downloading the source code:
$ cd ~
$ git clone https://github.com/DinoTools/dionaea.git
$ cd dionaea
Then install all the build dependencies the compiler and the bundled Python modules need:
$ sudo apt-get install \
When all the dependencies are in place, we create a build directory and use cmake to set up the build, telling it to install under /opt/dionaea. Create the directory as your normal user, not with sudo: a root-owned build directory cannot be written to by the unprivileged cmake and make runs that follow.
$ mkdir build
$ cd build
$ cmake -DCMAKE_INSTALL_PREFIX:PATH=/opt/dionaea ..
Now we use make to build, and make install to install the result onto the system; only the install step needs root, because it writes to /opt.
$ make
$ sudo make install
Dionaea should now be installed and made available under /opt/dionaea 👍
During the configuration of Dionaea there are primarily four folders (ihandlers-available, ihandlers-enabled, services-available and services-enabled) and one file (dionaea.cfg) we need to consider, all of them under /opt/dionaea/etc/dionaea/.
Whenever something happens on the honeypot that is worth recording (a new connection, a completed download of a malware sample, and so on), Dionaea raises an incident; ihandler (incident handler) plugins decide what is done with these incidents, for example logging them or uploading a captured binary. There are two ihandler folders under "/opt/dionaea/etc/dionaea/", namely "ihandlers-available" and "ihandlers-enabled". ihandlers-available holds the configuration of every plugin Dionaea ships with, while ihandlers-enabled contains symbolic links that point to configuration files in "ihandlers-available". A plugin is enabled exactly when such a link exists; removing the link disables the plugin without deleting its configuration.
The two service folders work in the same way, except that the files in services-available describe the protocols Dionaea can mimic. As stated in the introduction, we limit the exposed services to HTTP/HTTPS, MySQL and SMB so that the host looks like a plausible server rather than a machine that listens on every port.
dionaea.cfg is Dionaea's main configuration file. For this setup we leave it at its defaults and only make a couple of changes to the rest of the configuration.
2.3.1 Remove unwanted protocols
Dionaea listens on a large set of protocols by default, and as we only want our honeypot to mimic HTTP(S), MySQL and SMB we can disable the rest.
We do this simply by deleting the corresponding symbolic links in the services-enabled folder. The configuration files in services-available are untouched, so any service can be re-enabled later by recreating its link.
$ cd /opt/dionaea/etc/dionaea/services-enabled
$ sudo rm blackhole.yaml epmap.yaml ftp.yaml memcache.yaml mirror.yaml mongo.yaml mqtt.yaml mssql.yaml pptp.yaml sip.yaml tftp.yaml upnp.yaml
Afterwards only http.yaml, mysql.yaml and smb.yaml should remain in services-enabled.
2.3.2 Run Dionaea as a systemd service
To make the Dionaea process easier to manage, we run it in the background as a systemd service.
We start by creating a new unit file in /etc/systemd/system:
$ sudo nano /etc/systemd/system/dionaea.service
And paste the following. The unit begins with its [Unit] section, which describes the service and makes it start only once the network is up:
[Unit]
Description=Dionaea honeypot
After=network.target
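The unit as shown on this page stops after the [Unit] section. Below is a complete unit that works with the install prefix used above; it is an added example rather than the author's own file, and it assumes that make install placed the binary at /opt/dionaea/bin/dionaea and the configuration at /opt/dionaea/etc/dionaea/dionaea.cfg, which is where the cmake prefix chosen earlier puts them.

```ini
[Unit]
Description=Dionaea honeypot
# Do not start before the network stack is up, otherwise the listeners fail to bind.
After=network.target

[Service]
# Dionaea stays in the foreground when started without -D, so "simple" is correct.
Type=simple
# Paths assumed from the cmake install prefix /opt/dionaea used in section 2.2.
ExecStart=/opt/dionaea/bin/dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg
# A honeypot exists to be fed hostile input; bring it back if a request crashes it.
Restart=on-failure
RestartSec=10

[Install]
# Makes "systemctl enable dionaea" start the honeypot at boot.
WantedBy=multi-user.target
```

Dionaea has to start as root to bind ports 80, 443, 445 and 3306. Its command line has -u and -g switches to drop to an unprivileged user once the sockets are bound (check the output of dionaea -h on your build); if you use them, that user needs write access to /opt/dionaea/var, where downloads and logs are written.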
After saving the file, tell systemd to reload its unit files (systemctl daemon-reload) so that it picks up the new service. We should then be able to manage Dionaea with systemctl; the commands need root, hence sudo:
- Start Dionaea: $ sudo systemctl start dionaea
- Stop Dionaea: $ sudo systemctl stop dionaea
- Restart Dionaea: $ sudo systemctl restart dionaea
- Show the current status of the Dionaea service: $ sudo systemctl status dionaea
- Enable Dionaea to start at boot: $ sudo systemctl enable dionaea
Dionaea should now be up and running 😉
Incident logs are written to the following directory: /opt/dionaea/var/log/dionaea. If the service does not come up, the status output above and the error log in that directory are the first places to look.
3. Additional configuration
There are some additional settings we can configure to make the setup a little better.
3.1 Automatically upload captured binaries to VirusTotal
By uploading the captured binaries to VirusTotal, we both help the community and get an automatic AV scan of the binaries we capture. Keep in mind that submitted samples are shared with other VirusTotal users and that the public API is rate limited, so on a busy honeypot not every sample may get scanned.
To do this, you first need a VirusTotal account; I will not go through that process, as it is documented in many other places. Simply go to VirusTotal and create an account, then go to "https://www.virustotal.com/en/user/<username>/apikey/" and copy your API key into virustotal.yaml. The key is a credential, so make sure the file is readable only by root.
$ sudo nano /opt/dionaea/etc/dionaea/ihandlers-available/virustotal.yaml
Replace the placeholder value of the apikey setting with your own key, so that
apikey: "........."
becomes
apikey: "<paste your API key here>"
Then enable the ihandler by creating a symbolic link in ihandlers-enabled that points at the file in ihandlers-available:
$ cd /opt/dionaea/etc/dionaea/ihandlers-available/
$ sudo ln -s ../ihandlers-available/virustotal.yaml ../ihandlers-enabled/virustotal.yaml
A quick ls -l of ihandlers-enabled should show the new link resolving to the file rather than dangling, which is what happens when the relative path is mistyped.
Then restart Dionaea so that the new handler is loaded.
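The symlink convention used for services in section 2.3.1 and for ihandlers in section 3.1 lends itself to a small script that sets the enabled set declaratively instead of with individual rm and ln commands, and that refuses names which have no file in the -available directory (a typo there would otherwise leave a dangling link). The script below is an added example, not code from this tutorial or from the Dionaea project. So that it can be tried without touching /opt/dionaea, it builds a throwaway copy of the directory layout in a temporary directory; the file names in that copy are a constructed sample modelled on the 0.8.0 defaults listed above.

```shell
#!/bin/sh
# Added example: maintain Dionaea's *-enabled directories declaratively.
# Convention (from the tutorial): a symlink <enabled>/<name>.yaml pointing at
# <available>/<name>.yaml means the service or ihandler <name> is enabled.

# enable_only <available_dir> <enabled_dir> <name>...
#   - removes links in <enabled_dir> that are not in the wanted list
#   - creates missing relative links for wanted names (same form as the tutorial's ln -s)
#   - refuses (and reports) names that have no file in <available_dir>
# Returns 0 on success, 1 if at least one wanted name does not exist.
enable_only() {
    avail="$1"; enabled="$2"; shift 2
    wanted=" $* "
    rc=0
    # 1. Drop everything that is enabled but not wanted.
    for link in "$enabled"/*.yaml; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # unmatched glob
        name=$(basename "$link" .yaml)
        case "$wanted" in
            *" $name "*) ;;                            # wanted: keep it
            *) rm -f "$link" ;;
        esac
    done
    # 2. Enable what is wanted, but only if the plugin really exists.
    for name in "$@"; do
        if [ ! -f "$avail/$name.yaml" ]; then
            echo "no such plugin: $avail/$name.yaml" >&2
            rc=1
            continue
        fi
        [ -L "$enabled/$name.yaml" ] || \
            ln -s "../$(basename "$avail")/$name.yaml" "$enabled/$name.yaml"
    done
    return $rc
}

# list_enabled <enabled_dir>
#   prints the names whose link resolves to a real file, sorted and space-separated;
#   dangling links are reported on stderr and left out.
list_enabled() {
    for link in "$1"/*.yaml; do
        [ -L "$link" ] || continue
        if [ -e "$link" ]; then basename "$link" .yaml
        else echo "dangling link: $link" >&2; fi
    done | sort | tr '\n' ' ' | sed 's/ $//'
}

# make_fake_etc
#   constructed sample: a temporary copy of the 0.8.0 layout with every default
#   service enabled and no ihandler enabled. Prints the directory it created.
make_fake_etc() {
    root=$(mktemp -d)
    mkdir -p "$root/services-available" "$root/services-enabled" \
             "$root/ihandlers-available" "$root/ihandlers-enabled"
    for s in blackhole epmap ftp http memcache mirror mongo mqtt mssql mysql \
             pptp sip smb tftp upnp; do
        echo "# $s service (constructed sample)" > "$root/services-available/$s.yaml"
        ln -s "../services-available/$s.yaml" "$root/services-enabled/$s.yaml"
    done
    for h in ftp log_json log_sqlite virustotal; do
        echo "# $h handler (constructed sample)" > "$root/ihandlers-available/$h.yaml"
    done
    echo "$root"
}

# Demo on the throwaway tree:  sh dionaea-enable.sh demo
if [ "${1:-}" = "demo" ]; then
    etc=$(make_fake_etc)
    enable_only "$etc/services-available" "$etc/services-enabled" http mysql smb
    echo "services enabled:  $(list_enabled "$etc/services-enabled")"
    enable_only "$etc/ihandlers-available" "$etc/ihandlers-enabled" virustotal log_sqlite
    echo "ihandlers enabled: $(list_enabled "$etc/ihandlers-enabled")"
    rm -rf "$etc"
fi
```

To apply it to a real installation, source the file and, as root, call enable_only with the two directories under /opt/dionaea/etc/dionaea and the names you want, for example the services http mysql smb, then restart Dionaea. Because the function rejects unknown names with a non-zero exit status, it can be used in a provisioning script that aborts instead of silently leaving a service disabled.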