Andy Smith's Blog

Dionaea Honeypot on EC2 in 20 Minutes


This is a tutorial on setting up Dionaea on an EC2 instance. Amazon currently offer a free EC2 Micro Instance, so you should be able to do this too without any cost.

Pre-requisites

EC2 Server Set up for Dionaea

  1. Sign in to your Amazon AWS console, choose the EC2 tab and choose a Region (I have chosen ‘Asia Pacific (Singapore)’)

  2. Push Launch Instance and choose Classic Wizard and push Continue

  3. Click on the Community AMIs tab. Here you need an AMI for Ubuntu 10.04; these vary between AWS Regions. A list of AMIs is available here. Pick an AMI with root store ‘ebs’ and arch ‘32-bit’.

  4. For Asia Pacific use the AMI ami-7289cd20 (an EBS-backed, 32-bit image), then push Select

  5. Make sure to change the Instance Type to Micro (from Small), otherwise you will be charged, and push Continue

  6. Continue until you are prompted to Create a Key Pair, choose a name and Create and Download Your Key Pair (save this file somewhere safe for later), then push Continue.

  7. Choose to Create a New Security Group, for Create a new rule choose All TCP and Source choose 0.0.0.0/0. Enter whatever you like in Name/Description. Push Add Rule

  8. Push Continue and then Launch

Your server has now been set up and will shortly launch. Note that the security group you just created allows TCP access from anywhere to every port on this machine, including SSH on port 22, so do not install anything on it that could be compromised. It’s possible to tighten that up, for example by limiting port 22 to your own address and opening only the ports Dionaea listens on, but it’s a little more complicated - perhaps a subject for a later blog post.

Setting up Dionaea on your EC2 Server

  1. Find the address of your server by selecting it and choosing Instance Actions > Connect. Follow the instructions to connect to your server using the key you generated and downloaded earlier. PuTTY users may need to use PuTTYgen to convert their key to .ppk format.

  2. Once you’re connected you can have Dionaea up and running in minutes by following this tutorial: /2012/02/quick-install-of-dionaea-on-ubuntu/

Quick Install of Dionaea on Ubuntu


Updated 05/03/2012: Improved instructions based upon another guide.

Dionaea is a great honeypot but I have found that getting it up and running is not exactly the quickest process in the world.

However, it seems that the Honeynet Project have started maintaining Ubuntu packages for Dionaea, which makes the install process a lot simpler. The following is how I got it up and running.

Install Dionaea on Ubuntu Natty Narwhal (11.04)

First set up the repository and install dionaea:

sudo add-apt-repository ppa:honeynet/nightly
sudo apt-get update
sudo apt-get install dionaea

Now, a little directory set-up (Dionaea will run as nobody, so it needs to own its working tree):

sudo mkdir -p /var/dionaea/wwwroot
sudo mkdir -p /var/dionaea/binaries
sudo mkdir -p /var/dionaea/log
sudo chown -R nobody:nogroup /var/dionaea/

Now we update our config file:

sudo mv /etc/dionaea/dionaea.conf.dist /etc/dionaea/dionaea.conf
sudo sed -i 's/var\/dionaea\///g' /etc/dionaea/dionaea.conf
sudo sed -i 's/log\//\/var\/dionaea\/log\//g' /etc/dionaea/dionaea.conf

Finally, launch dionaea:

sudo dionaea -c /etc/dionaea/dionaea.conf -w /var/dionaea -u nobody -g nogroup -D

And there you have it! As simple as that. I should note that this will get you up and running quickly but is not necessarily the most secure way to run Dionaea: it is started with sudo and only drops to nobody/nogroup via -u/-g once it is running, and as a honeypot it is deliberately exposed to the internet.

This makes it really easy for anyone interested in Dionaea to get it up and running - even Windows users can grab VirtualBox and an Ubuntu image and be up and running in no time.

Kippo-graph Is Neat but Calls Home


Update: The author has since released an updated version with the update check (calling home) turned off by default: http://bruteforce.gr/kippo-graph

I’ve just been playing around with kippo-graph, I like it, it’s quick and easy to set up and provides features I’ve wanted for a while. The only thing I don’t like about it is the ‘version checker’ which calls home to make sure it’s up to date.

I’m sure the author’s intentions are completely innocent but personally I like to keep the IP addresses of my honeypots private. To stop kippo-graph from calling home, simply open include/misc/versionCheck.php and replace the contents with the following:

<?php
// this is the version of the deployed script
define('VERSION', '0.5');

// Always report the installed copy as current, so no version-check
// request ever leaves the honeypot host.
function isUpToDate()
{
    return true;
}
?>

List Interesting Kippo TTY Logs by Date


A quick one, mostly a reference. Those .log files that are exactly 87 bytes tend to be connections followed swiftly by disconnects, so filter them out of the listing:

ls -alFhL ~/kippo/log/tty | grep -v 87

Note that grep -v 87 drops any line with 87 anywhere in it (a 187-byte session, or a timestamp containing 87), so treat this as a rough cut. Then we can skim through our list:

python ~/kippo/utils/playlog.py ~/kippo/log/tty/20110124-x-x.log
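Filtering on size rather than on the string "87" avoids losing real sessions. As an added example (not from the original post or from Kippo), this lists the TTY logs strictly larger than a threshold with find -size, sorted by name, which for Kippo's YYYYMMDD-HHMMSS-NNNN.log naming means sorted by date; the page's grep pipeline is kept alongside for comparison. The threshold and the filename convention are assumptions, and the sample files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. "grep -v 87" removes every
# ls line containing the digits 87 anywhere: a 187-byte session, or a log
# whose timestamp contains 87, disappears along with the genuine 87-byte
# connect/disconnect stubs. Selecting on size with find avoids that.
# Assumes Kippo's YYYYMMDD-HHMMSS-NNNN.log naming, so sorting by name
# sorts by date.

# interesting_tty_logs DIR [MINBYTES]
#   Prints the basenames of *.log files in DIR strictly larger than MINBYTES
#   (default 87, the size of a connect-then-disconnect log), sorted by name.
interesting_tty_logs() {
    dir="$1"; min="${2:-87}"
    find "$dir" -maxdepth 1 -type f -name '*.log' -size +"${min}c" \
        | sed 's|.*/||' | sort
}

# naive_filter DIR
#   The page's pipeline, for comparison: any line containing "87" is lost,
#   whether the 87 is a size, part of a size, or part of a filename.
naive_filter() {
    ls -l "$1" | grep -v 87 | grep '\.log' | sed 's/.* //' || true
}

# Usage:
#   for f in $(interesting_tty_logs ~/kippo/log/tty); do
#       python ~/kippo/utils/playlog.py ~/kippo/log/tty/"$f"
#   done
```

Raising the second argument (for example to 200) is a quick way to skip sessions that only ran a command or two.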

What I would love for Kippo is some form of online tool to allow you to ‘work through’ and annotate the (wonderful) tty logs.