Deploying Dionaea Honeypots & Collecting Logs to Elastic Cloud

Since finishing my university degree (where my final assignment was based on collecting threat intelligence from honeypots), I have been further exploring their deployment and refinement to collect attack data from across the globe.

One of my favourite honeypots is Dionaea, which I am presently deploying on a short-term basis to collect basic attack data and to play around with different configurations as I work in more analysis capabilities.

Deploying honeypots at scale, however, is quite difficult: you need to get the logs out of those honeypots and into something that makes correlation easy. So for this brief write-up I am going to mash together my two favourite things right now – Dionaea & Elastic Cloud!

First up, you will need a hosting provider somewhere to park your honeypot (please make sure you read your provider's terms of service before doing this), and you will need to install Dionaea.

In my case I have chosen to use Ubuntu 18.04, and I am using DigitalOcean as a quick and easy option to deploy my honeypots.

apt update -y && apt upgrade -y

# Generate a new random hostname; use the same SVR- prefixed name everywhere so
# /etc/hosts, /etc/hostname and the running hostname agree (otherwise sudo
# complains that it cannot resolve the host)
old=$(cat /etc/hostname)
new="SVR-$(tr -dc 'A-Z0-9' < /dev/urandom | head -c12)"
sed -i "s/$old/$new/g" /etc/hosts
sed -i "s/$old/$new/g" /etc/hostname
hostname "$new"
hostnamectl set-hostname "$new"

apt --yes install \
     git \
     supervisor \
     build-essential \
     cmake \
     check \
     cython3 \
     libcurl4-openssl-dev \
     libemu-dev \
     libev-dev \
     libglib2.0-dev \
     libloudmouth1-dev \
     libnetfilter-queue-dev \
     libnl-3-dev \
     libpcap-dev \
     libssl-dev \
     libtool \
     libudns-dev \
     python3 \
     python3-dev \
     python3-bson \
     python3-yaml \
     python3-boto3 

git clone https://github.com/DinoTools/dionaea.git 
cd dionaea
git checkout baf25d6

mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX:PATH=/opt/dionaea ..

make
make install

# Dionaea keeps captured binaries and bistreams in its state directory under
# var/lib/dionaea (the paths the hourly rotation job below cleans up); the
# log directory under var/log/dionaea is separate.
mkdir -p /opt/dionaea/var/lib/dionaea/wwwroot /opt/dionaea/var/lib/dionaea/binaries /opt/dionaea/var/lib/dionaea/bistreams
chown -R nobody:nogroup /opt/dionaea/var/lib/dionaea

mkdir -p /opt/dionaea/var/log/dionaea
chown -R nobody:nogroup /opt/dionaea/var/log/dionaea

sed -i 's/default.levels=all/default.levels=all,-debug/g' /opt/dionaea/etc/dionaea/dionaea.cfg

cat > /etc/cron.hourly/bistreams-rot-1-3.sh <<EOF
#!/bin/bash
find /opt/dionaea/var/lib/dionaea/bistreams/* -type f -mmin +60 -exec gzip {} \;
find /opt/dionaea/var/lib/dionaea/bistreams/* -type f -mmin +180 -exec rm -rf {} \;
find /opt/dionaea/var/lib/dionaea/bistreams/* -type d -empty -delete
find /opt/dionaea/var/lib/dionaea/binaries/* -type f -mmin +60 -exec gzip {} \;
find /opt/dionaea/var/lib/dionaea/binaries/* -type f -mmin +180 -exec rm -rf {} \;
find /opt/dionaea/var/lib/dionaea/binaries/* -type d -empty -delete
EOF
chmod +x /etc/cron.hourly/bistreams-rot-1-3.sh

cat > /etc/logrotate.d/dionaea <<EOF
/opt/dionaea/var/log/dionaea/dionaea*.log {
notifempty
missingok
rotate 2
daily
delaycompress
compress
create 660 root root
dateext
postrotate
service dionaea restart
endscript
}
EOF

cat > /etc/supervisor/conf.d/dionaea.conf <<EOF
[program:dionaea]
command=/opt/dionaea/bin/dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg
directory=/opt/dionaea/
stdout_logfile=/opt/dionaea/var/log/dionaea.out
stderr_logfile=/opt/dionaea/var/log/dionaea.err
autostart=true
autorestart=true
redirect_stderr=true
stopsignal=QUIT
EOF

supervisorctl update

By this stage, if you have installed Dionaea before, you are probably thinking this is not very original, and that it looks just like the Modern Honeypot Network install script with a few tweaks. You are correct!

Now comes the Elastic-Agent…

curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-7.9.3-amd64.deb
sudo dpkg -i elastic-agent-7.9.3-amd64.deb

Looks good so far. Now we need to spin up an Elastic cluster – fret not, Elastic.co can help with this through their Elastic Cloud offering.

Create yourself a bare-minimum Elastic deployment (this gives you 30GB of storage with 1GB of RAM), then jump into your Kibana console.

Head to Ingest Manager, then Fleet (you will need to click through the initial account creation), then Add Agent. Scroll down to "Enrol and start the Elastic Agent" and you should see some commands similar to the below:

elastic-agent enroll https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.us-central1.gcp.cloud.es.io:443 aUxOX2FxxxxxxxxxxxxxxxxxxxxxxxxxxxmZSbUstQXBEOVlWdGZMdw== 
systemctl enable elastic-agent 
systemctl start elastic-agent

Obviously I have stripped my sensitive information out here, but you should now get an enrolment event on your honeypot, and you should start to see metric information transmitted from the honeypot to your Elastic instance.

[Screenshot: enrolled agent on the honeypot transmitting health data.]

Now go back into the Elastic Ingest Manager, and then Configurations. Edit the Default Config associated with your newly enrolled honeypot, and then click Add Integration.

We are going to add the Dionaea log files to the Ingest Manager now, so new hosts being registered for that same configuration will transmit log data from the same locations.

Select Custom Logs from the scroll menu, then scroll down to Option 2, which asks for the log file path.

In here you want to specify the Dionaea log file locations:

/opt/dionaea/var/log/dionaea/dionaea.log

Then expand the Advanced options, and change the dataset name to Dionaea.

Then save the integration. You will get a prompt asking if you want to change this configuration, and it will warn you that enrolled agents will be updated. Continue through this.

From here you will need to build dashboards to visualise this information, but the honeypots will already be shipping data from their log files back to your Elastic installation.

[Screenshot: searching for DoublePulsar in forwarded Dionaea logs.]

As you can see above, Dionaea detected 46,000 attempts to use the DoublePulsar exploit against my newly deployed honeypot – in the first 15 minutes of it being deployed!
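Before the dashboards exist, the same question (how many DoublePulsar hits, from where, in the first 15 minutes) can be answered straight from the forwarded dionaea.log. The parser below is an added example and not part of the original post or the Dionaea project; the log line layout, the "DoublePulsar" marker text and the position of the source address in the message are assumptions you should check against your own log file.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed dionaea.log layout (check it against your own file):
#   [DDMMYYYY HH:MM:SS] <domain> <source-file>:<line>-<level>: <message>
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{8} \d{2}:\d{2}:\d{2})\] (?P<domain>\S+) "
    r"(?P<src>\S+):(?P<line>\d+)-(?P<level>\w+): (?P<msg>.*)$"
)
# The first IPv4 address in the message is treated as the attacking source.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_line(line):
    """Split one log line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d%m%Y %H:%M:%S")
    return rec

def marker_hits(lines, marker="DoublePulsar", window=timedelta(minutes=15)):
    """Count lines mentioning `marker`, per source IP, within `window` of the
    first such line. Returns (total, Counter per IP, timestamp of first hit)."""
    first, total, per_ip = None, 0, Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or marker.lower() not in rec["msg"].lower():
            continue
        first = first or rec["ts"]
        if rec["ts"] - first > window:
            break  # dionaea.log is chronological, so nothing later qualifies
        total += 1
        ip = IP_RE.search(rec["msg"])
        per_ip[ip.group(0) if ip else "unknown"] += 1
    return total, per_ip, first

# Constructed sample lines, not real honeypot output; the wording of the
# DoublePulsar message is an assumption, only the marker substring matters.
SAMPLE = """\
[29112020 10:00:05] smb smb.py:812-warning: DoublePulsar ping from 198.51.100.7:49152
[29112020 10:00:05] connection connection.c:1151-debug: accept con 0x55d0
[29112020 10:00:09] smb smb.py:812-warning: DoublePulsar ping from 198.51.100.7:49153
[29112020 10:03:40] smb smb.py:812-warning: DoublePulsar ping from 203.0.113.9:4444
[29112020 10:20:00] smb smb.py:812-warning: DoublePulsar ping from 203.0.113.9:4445
this line is garbage and is skipped
"""
```

Run it over a real file with `marker_hits(open("/opt/dionaea/var/log/dionaea/dionaea.log"))`; the per-IP counter is the quick way to tell one noisy scanner from a broad campaign.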

So the key takeaway from this: if you are going to expose anything to the internet, even for a few minutes, please make sure it is patched and up to date!

Total outlay here for this deployment:
Elastic Cloud – ~$14 USD / month
DigitalOcean Droplet – $5 USD / month

Enjoy!



Categories: Threat Intelligence
