Setting up dionaea (a honeypot)

More than 1 year has passed since last update.

What is dionaea?

Official documentation

dionaea intention is to trap malware exploiting vulnerabilities exposed by services offered to a network, the ultimate goal is gaining a copy of the malware.

In other words, it is a honeypot whose purpose is to obtain copies of malware that exploits publicly exposed vulnerabilities.

Environment

  • Sakura VPS
    • Zone: Ishikari zone 1
    • Memory: 1 GB
    • Storage: SSD 30 GB
    • CPU: 2 cores
  • Ubuntu 16.04 amd64
    • Startup script: [public] Ubuntu_Setup

1. Installing dionaea

Run the following commands to install dionaea.

$ git clone https://github.com/DinoTools/dionaea.git
$ cd dionaea
$ sudo apt install build-essential cmake check cython3 \
     libcurl4-openssl-dev libemu-dev libev-dev libglib2.0-dev \
     libloudmouth1-dev libnetfilter-queue-dev libnl-3-dev libpcap-dev \
     libssl-dev libtool libudns-dev python3 python3-dev \
     python3-bson python3-yaml ttf-liberation
$ cd build
$ cmake -DCMAKE_INSTALL_PREFIX:PATH=/opt/dionaea ..
$ make
$ sudo make install

2. Configuring iptables (the firewall)

I opened the required ports with the following commands.

$ sudo iptables -I INPUT 5 -p tcp -m tcp --dport 20 -j ACCEPT
$ sudo iptables -I INPUT 5 -p tcp -m tcp --dport 21 -j ACCEPT
$ sudo iptables -I INPUT 5 -p tcp -m tcp --dport 42 -j ACCEPT
$ sudo iptables -I INPUT 5 -p udp -m udp --dport 69 -j ACCEPT
$ sudo iptables -I INPUT 5 -p tcp -m tcp --dport 80 -j ACCEPT
$ sudo iptables -I INPUT 5 -p tcp -m tcp --dport 81 -j ACCEPT
$ sudo iptables -I INPUT 5 -p tcp -m tcp --dport 135 -j ACCEPT
$ sudo iptables -I INPUT 5 -p tcp -m tcp --dport 445 -j ACCEPT
$ sudo iptables -I INPUT 5 -p tcp -m tcp --dport 1433 -j ACCEPT
$ sudo iptables -I INPUT 5 -p tcp -m tcp --dport 1723 -j ACCEPT
$ sudo iptables -I INPUT 5 -p tcp -m tcp --dport 1883 -j ACCEPT
$ sudo iptables -I INPUT 5 -p tcp -m tcp --dport 3306 -j ACCEPT
$ sudo iptables -I INPUT 5 -p tcp -m tcp --dport 5060 -j ACCEPT
$ sudo iptables -I INPUT 5 -p udp -m udp --dport 5060 -j ACCEPT
$ sudo iptables -I INPUT 5 -p tcp -m tcp --dport 5061 -j ACCEPT
$ sudo iptables -I INPUT 5 -p tcp -m tcp --dport 27017 -j ACCEPT

3. Starting dionaea

Start dionaea with the following command.

$ sudo /opt/dionaea/bin/dionaea -D \
    -c /opt/dionaea/etc/dionaea/dionaea.cfg

4. Collecting what came for the honey

Various logs and other artifacts are written under the following directories.

  • /opt/dionaea/binaries/
  • /opt/dionaea/log/
  • /opt/dionaea/rtp/
  • /opt/dionaea/wwwroot/
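As an added example (not code from the article or from the dionaea project), the following POSIX shell script inventories the samples dionaea drops into the binaries directory and reports which ones are new compared to an inventory saved on an earlier run. The default directory follows the article's install prefix; the inventory file path and sample file names are assumptions.

```shell
#!/bin/sh
# Added example: inventory captured samples and spot new ones.
# Assumes the article's layout: samples land in /opt/dionaea/binaries/.

# Print "sha256 size_bytes filename" for every regular file in DIR.
sample_inventory() {
    dir="${1:-/opt/dionaea/binaries}"
    [ -d "$dir" ] || { echo "sample_inventory: no such directory: $dir" >&2; return 1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$sum" "$size" "$(basename "$f")"
    done
}

# Print inventory lines whose hash is absent from KNOWN, a file written by
# an earlier sample_inventory run. Matching is by hash, not file name, so a
# sample seen before under another name is not reported again.
new_samples() {
    known="$1"
    dir="${2:-/opt/dionaea/binaries}"
    [ -f "$known" ] || { echo "new_samples: no such inventory: $known" >&2; return 1; }
    sample_inventory "$dir" | while read -r sum size name; do
        grep -q "^$sum " "$known" || printf '%s %s %s\n' "$sum" "$size" "$name"
    done
}

# Typical use (assumed paths): save a baseline, then check later runs.
#   sample_inventory > /var/tmp/dionaea-samples.known
#   new_samples /var/tmp/dionaea-samples.known
```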

This article summarizes the details.

References
