Build and install dionaea

We're now recommending the use of dionaea as a server side honeypot. It is the successor to nepenthes, offers many new features and advantages, and is relatively easy to install. For information about dionaea, including installation instructions, please visit the dionaea project page.

Build and install nepenthes

The following instructions will help you build and configure a low interaction honeypot based on nepenthes. The version of nepenthes in subversion is really the best one to use, so we'll have to build from source.

First, we do some ground work to set up our build environment. I have compiled and run nepenthes on Ubuntu 6.06 LTS and Debian 3.1 with few issues. The actual build instructions are the same, regardless of the distro. However, the dependencies would be different. This would also be a good time to create a user and group named nepenthes.

On my Debian server, I installed the following packages before getting started:

  • flex - 2.5.31-31sarge1
  • bison - 1.875d-1
  • libtool - 1.5.6-6
  • automake - 1.9.5 (automake1.9)
  • autoconf - 2.59a-3
  • libadns1 - 1.0-8.2
  • libadns1-dev - 1.0-8.2
  • libcurl3 - 7.13.2-2sarge5
  • libcurl3-dev - 7.13.2-2sarge5
  • libmagic1 - 4.12-1
  • libmagic-dev - 4.12-1
  • libpcre3 - 4.5-1.2sarge1
  • libpcre3-dev - 4.5-1.2sarge1
  • subversion - 1.1.4-2

Create a build directory and check out nepenthes:

mkdir ~/nepenthes
cd ~/nepenthes
svn co https://svn.mwcollect.org/nepenthes/trunk

To make things easier in the future, we make a copy of what we just checked out to do the build:

cp -a trunk build

The fun begins, let's build things. If you have bits of libpcap installed, configure will try and add the pcap honeytrap module. I've added configure lines to specifically disable the honeytrap modules. If you want to try and get them working, feel free. The actual build will take a while.

sudo mkdir /opt/nepenthes
sudo chown nepenthes:nepenthes /opt/nepenthes

cd ~/nepenthes/build
autoreconf -v -i --force
./configure --prefix=/opt/nepenthes --disable-ipq --disable-pcap
make && sudo make install
sudo chown -R nepenthes:nepenthes /opt/nepenthes

Enabling support for submission to Norman is optional, but recommended. Enable the submit-norman module by making sure this line is present and not commented out in the module list of the main nepenthes configuration (nepenthes.conf under /opt/nepenthes/etc/nepenthes/):

 "submitnorman.so", "submit-norman.conf",         ""

Then edit /opt/nepenthes/etc/nepenthes/submit-norman.conf and set the address that Norman sandbox reports should be sent to:

submit-norman
{
       // this is the address where Norman sandbox reports will be sent
       email   "you@example.net";
};

At this point, the sensor is configured and ready to run. Start it up, and have it drop its privileges and run as the nepenthes user and group:

sudo /opt/nepenthes/bin/nepenthes -u nepenthes -g nepenthes -w /opt/nepenthes

Now, watch the logs. To confirm that the ports are open and listening, try a port scan from a host on a different network.
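A check you can run on the sensor itself, before scanning it from outside, is to confirm that the expected ports are bound and that they are bound by the nepenthes process rather than by something else (a Samba daemon on 445, for instance, would silently take the port away from the honeypot). The following script is an added example, not part of the original guide or the nepenthes project: it parses ss -lntp output and reports expected ports that are missing or owned by a different process. The expected port set and the sample ss output are constructed for illustration; adjust the ports to the modules you have enabled.

```python
"""Verify from the sensor host that nepenthes is listening where expected.

Parses `ss -lntp` output and checks that each expected port is bound and owned
by the nepenthes process. Added example; not code from the nepenthes project.
"""
import re
import subprocess

# Assumed set of ports the sensor should expose; depends on the modules
# enabled in nepenthes.conf, so treat this as a placeholder to adjust.
EXPECTED_PORTS = {21, 25, 80, 135, 139, 445}

# Constructed `ss -lntp` output for offline use. Port 80 is deliberately
# absent and port 445 is held by smbd to show both failure modes.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:21          0.0.0.0:*          users:(("nepenthes",pid=4242,fd=7))
LISTEN  0       128     0.0.0.0:25          0.0.0.0:*          users:(("nepenthes",pid=4242,fd=8))
LISTEN  0       128     0.0.0.0:135         0.0.0.0:*          users:(("nepenthes",pid=4242,fd=10))
LISTEN  0       128     0.0.0.0:139         0.0.0.0:*          users:(("nepenthes",pid=4242,fd=11))
LISTEN  0       50      0.0.0.0:445         0.0.0.0:*          users:(("smbd",pid=900,fd=30))
LISTEN  0       128     127.0.0.1:22        0.0.0.0:*          users:(("sshd",pid=811,fd=3))
"""

# One LISTEN line: state, queues, local addr:port, peer, then the owning process.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(ss_output):
    """Return {port: (bind_address, process_name)} for every LISTEN line."""
    listeners = {}
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners[int(m.group('port'))] = (m.group('addr'), m.group('proc'))
    return listeners


def check_honeypot_ports(listeners, expected=EXPECTED_PORTS, proc='nepenthes'):
    """Return (missing, foreign): expected ports nobody listens on, and
    expected ports that are bound by a process other than `proc`."""
    missing = sorted(p for p in expected if p not in listeners)
    foreign = sorted(p for p in expected
                     if p in listeners and listeners[p][1] != proc)
    return missing, foreign


def live_ss_output():
    """Run ss on the sensor host (needs iproute2 and, for -p, root)."""
    return subprocess.run(['ss', '-lntp'], capture_output=True,
                          text=True, check=True).stdout


if __name__ == '__main__':
    missing, foreign = check_honeypot_ports(parse_listeners(SAMPLE_SS_OUTPUT))
    print('missing ports:', missing)
    print('ports owned by another process:', foreign)
```

On a running sensor, replace SAMPLE_SS_OUTPUT with live_ss_output(); a non-empty "foreign" list usually means another service must be stopped before nepenthes can bind that port.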

Periodically, you should check /opt/nepenthes/var/binaries/ for malware binaries. Also, consider applying to join the mwcollect Alliance and submit your samples there. If accepted, there is a module for nepenthes to automatically submit binaries. The Alliance will provide configuration instructions.
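Checking the binaries directory by hand gets tedious once samples start arriving, so here is an added example (not part of the original guide or of nepenthes) that inventories /opt/nepenthes/var/binaries/, records a SHA-256 for each file, and reports which samples are new since the previous run. It also checks the filename against the file's MD5, on the assumption that nepenthes names captured binaries by their MD5 hash; a mismatch flags a file that was renamed or altered after capture. The sample directory it builds is constructed from harmless strings so that it runs offline.

```python
"""Inventory the samples nepenthes stores in var/binaries/.

Added example, not code from the nepenthes project. Assumes (not stated on
the page) that nepenthes names each captured binary by its MD5 hash.
"""
import hashlib
import json
import os
import tempfile

BINARIES_DIR = '/opt/nepenthes/var/binaries'   # path from the guide
STATE_FILE = '/opt/nepenthes/var/binaries-inventory.json'  # assumed location


def hash_file(path):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def inventory(directory):
    """Return {filename: {'size', 'md5', 'sha256', 'name_matches_md5'}}."""
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        md5, sha = hash_file(path)
        result[name] = {
            'size': os.path.getsize(path),
            'md5': md5,
            'sha256': sha,
            # Assumption: stored filename should equal the content's MD5.
            'name_matches_md5': name.lower() == md5,
        }
    return result


def new_samples(current, previous):
    """Filenames in `current` whose SHA-256 was not seen in `previous`."""
    seen = {entry['sha256'] for entry in previous.values()}
    return sorted(name for name, entry in current.items()
                  if entry['sha256'] not in seen)


def load_state(path):
    """Load the previous inventory, or an empty one on first run."""
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return json.load(fh)


def save_state(path, inv):
    with open(path, 'w') as fh:
        json.dump(inv, fh, indent=2)


def build_constructed_sample_dir():
    """Create a temp dir that mimics var/binaries/ using constructed,
    harmless files: two correctly named by MD5, one deliberately misnamed."""
    d = tempfile.mkdtemp(prefix='nepenthes-binaries-')
    for payload in (b'MZ constructed sample one', b'MZ constructed sample two'):
        with open(os.path.join(d, hashlib.md5(payload).hexdigest()), 'wb') as fh:
            fh.write(payload)
    with open(os.path.join(d, 'deadbeef' * 4), 'wb') as fh:
        fh.write(b'MZ mismatched sample')
    return d


if __name__ == '__main__':
    sample_dir = build_constructed_sample_dir()   # swap for BINARIES_DIR on a sensor
    state_path = os.path.join(sample_dir, 'inventory.json')
    current = inventory(sample_dir)
    for name in new_samples(current, load_state(state_path)):
        e = current[name]
        flag = '' if e['name_matches_md5'] else '  (name does not match md5!)'
        print(f"new sample {name} size={e['size']} sha256={e['sha256']}{flag}")
    save_state(state_path, current)
```

Run it from cron as the nepenthes user with BINARIES_DIR and STATE_FILE in place of the constructed paths; keeping the state file outside the binaries directory avoids it being inventoried as a sample.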
