This guide explains how to install a sensor network patched prosody xmpp server on a server called “sensors.example.com”.
My prosody repository is not meant to be a 'fork' of prosody, it is just a convenience repository, so you do not have to merge patches yourself.
The patches:
This way, sensors can't read messages from other sensors (vistors), but can receive files from other sensors, in a channel where the sensor user is a participant, and the sensors never get their own messages replied from the xmpp server.
As it is unlikely you can run a service on sensors.example.com, just replace sensors.example.com with the domain you want to use.
Furthermore, you will want to replace all occurrences of common@sensors.example.com with yourusername@yourdomain.
Installing the mentioned dependencies:
aptitude install lua5.1 liblua5.1-expat0 liblua5.1-socket2 liblua5.1-filesystem0
To compile you have to install some development packages, which can be removed after proper installation:
aptitude install libssl-dev libidn11-dev liblua5.1-0-dev
The LuaSec dependency is special, you can either grab the debian packages from here or compile luasec from source.
Compiling from source requires some changes to the Makefile, here is the patch, and the steps to download, patch, compile, install:
wget http://www.inf.puc-rio.br/~brunoos/luasec/download/luasec-0.4.tar.gz tar xfz luasec-0.4.tar.gz cd luasec-0.4 wget http://p.carnivore.it/HauemS?download | patch -p1 make linux make install
Prosody was chosen in favor of others, as prosody is written in lua, and very easy to customize. Additionally, prosody does not support rate limiting, which is exactly what we need to transfer base64 files via xmpp.
git clone git://git.carnivore.it/users/common/prosody.git cd prosody ./configure --prefix=/opt/prosody --with-lua-include=/usr/include/lua5.1/ make make install
If you clone http://github.com/bjc/prosody.git instead, youÄ'll get plain prosody without the sensor patches
Before messing with the config, lets backup the files:
cd /opt/prosody/ cp etc/prosody/prosody.cfg.lua etc/prosody/prosody.cfg.lua.orig
Adjust the config, here are my changes, this is the full config.
Now, create some required directories:
adduser prosody mkdir -p /opt/prosody/var/log/prosody mkdir -p /opt/prosody/var/run chown prosody /opt/prosody/ -R
Add two users, one for you, and one for all your sensors:
/opt/prosody/bin/prosodyctl adduser anonymous@sensors.example.com /opt/prosody/bin/prosodyctl adduser common@sensors.example.com
Fixate the credentials file for the anonymous user, so the password can not be changed:
chmod 440 /opt/prosody/var/lib/prosody/sensors%2eexample%2ecom/accounts/anonymous.dat
Start the prosody service:
/opt/prosody/bin/prosodyctl start
Join the channels anon-events and anon-files on your new xmpp service with your psi xmpp client, set the channels permanent and moderated. Add anonymous@sensors.example.com to the list of Members on the anon-files channel.
Adjust your sensors configuration, basically add this section to the logxmpp section:
example =
{
server = "sensors.example.com"
port = "5223"
muc = "dionaea.sensors.example.com"
username = "anonymous@sensors.example.com"
password = "anonymous"
config =
{
anon-events =
{
events = ["^dionaea\x5c.connection\x5c..*",
"^dionaea\x5c.modules\x5c.python\x5c.smb.dcerpc\x5c.*",
"^dionaea\x5c.download\x5c.offer$",
"^dionaea\x5c.download\x5c.complete\x5c.hash$",
"^dionaea\x5c.module\x5c.emu\x5c.profile$"]
anonymous = "yes"
}
anon-files =
{
events = ["^dionaea\x5c.download\x5c.complete\x5c.unique"]
}
}
}
Start the sensor, it should connect the service and join the channels. Thats it.
Don't forget, you can have multiple xmpp targets, so even if you run your own network, you can still join the sensors.carnivore.it network.
Create a new account on the server for your backend, grant the backend member privileges on anon-files and anon-events.
One could run prosody with luaevent-prosody, but as long as you are not serving some hundred clients, it's not worth the effort.
Current versions of prosody support XEP-0175 - SASL ANONYMOUS, which allows running sensors without providing them an account.
Currently dionaea does not support SASL ANONYMOUS, patches are welcome.
Create three accounts on your psi client:
On anon-events the anonymous accounts should not see their own messages, and the messages of the other anonymous account, but your admin account (who owns the room) should see all messages.
On anon-files, the anon accounts should be able to see each others messages, but not their own.
2
@Pedro H. Matheus: Actually all required changes are in the diff I linked or even the full config
This should not be required, as it creates anon-events.sensors.example.com as muc domain and not as muc room:
Component “anon-events.sensors.example.com” “muc” Component “anon-files.sensors.example.com” “muc”
Once you created the dionaea.sensors.example.com muc domain, you can create the channels by joining them.
3
I tried tunneling dionaea through ssh to the prosody but it never joined the channels.. Has anyone else tried doing that? (ssh -L 5223:localhost:5223 prosodyserver)
4
My guess is, your prosody server is not configured correctly/does not match your dionaea xmpp config. Handing in your dionaea and prosody configs would help.
5
Good info, just one quick issue. On the line under configuration, which says “Adjust the config, here are my changes, this is the full config.” For me the links were https and were not allowing me to view the page. Reverting to http solved that problem though. Feel free to delete my post if you fix it
6
Would it be possible to give more details on this the “backend” part ?
Create a new account on the server for your backend, grant the backend member privileges on anon-files and anon-events.
According to what i understand it's this part that will feed the postress on a Carniwwwhore right ?
8
I set this up to spec with this documentation, however it seems that when Dionaea posts a message in the anon-events room pertaining to connections from the nfq plugin, all I see is a blank post. Is there a way I can debug this? I'm running prosody in debug mode, but it doesn't let me see actual messages. Dionaea debugs also look good, but I can't see what message it is trying to send.
Kyle
9
nfq just works limited with logxmpp. First, the messages are supposed to look “empty”, but thats just their rendering, but you can turn on the xml console in psi, to see the raw messages as outlined here.
10
Markus,
I've got dionaea running, and configured for logxmpp pointing to another server. I've got pg_backend.py listening on the muc, as well as Pidgin configured so I can see the muc. I can see my dionaea server sign into the muc. However, I'm not getting a message in the muc, and likely because of that the backend isn't getting any data either. I can see (using tcpdump) the appropriate size traffic getting sent to the server hosting the muc, so all *looks* like it should work.
I'm testing SIP attacks against dionaea, and I can see new entries in the mysql database for them (as well as get a response from dionaea).
Any thoughts?
11
compile an email with everything required to login as sensor/backend, and I'll have a look.
12
Markus,
I have a bunch of information ready to go, but don't have an e-mail address for you. Can you please mail me one at the address I used to post this comment?
Thanks, Unregistered436
13
Hi Mr. Markus, and great thank to you for helping people. actually I did all configs and my dionaea, xmpp, & postgress all working well, but I have a problem when I try executing (./pg_backend.py -U common@test.com -P XMPPPASS -M dionaea.test.com -C anon-files -C anon-events -s localhost:5432 -u xmpp -d xmpp -p xmpp -f /tmp/) after database connection I got:
...
...
...
creating client... backend
connecting...
*** State changed: resolving srv (u'test.com', 'xmpp-client') ***
*** State changed: resolving u'test.com' ***
*** State changed: connecting ('192.168.76.129', 5222) ***
*** State changed: connected ('192.168.76.129', 5222) ***
looping...
*** State changed: fully connected <JID: u'test.com'> ***
...
...
...
File "/usr/lib/pymodules/python2.6/pyxmpp/streamsasl.py", line 322, in _process_sasl_failure
raise SASLAuthenticationFailed,"SASL authentication failed"
SASLAuthenticationFailed: SASL authentication failed
creating client... backend
connecting...
–and it will try connecting again forever???? Why this SASLAuthenticationFailed ?? Tnak you
15
I just installed a new instance of Dionaea/Prosody on a fresh debian image and been seeing some really (REALLY) odd behavior with Dionaea. I set up the chat rooms properly and verified that all accounts etc. are correct but when I fired up Dionaea it ignored any server address that I give in the config. Instead, it has been constantly trying to connect to an unknown IP (207.223.0.140). I had to set up an iptables rule to redirect any outgoing traffic to that IP to the Prosody server's IP (which made it work fine).
Any clue what that is about? I checked the code out today from git.
16
I guess the domain you entered is invalid and 207.223.0.140 is the default response of your isp for invalid domains to gather some traffic for its search engine?
17
Thats what it seems like its doing. Whats odd though is that I didn't enter a domain but the IP address of the server running prosody.
18
OK, so it seems that it was submitting a DNS query for whatever I had the username set to after the @ sign (username@wherever) and not for what the server was set to.
19
I have one question: how do you handle these domains?
I'm trying to put use pg_backend and I'm having problems with DNS resolution.
You have sensors.example.com in the host file?
20
@Dio: If using the name sensors.blablabla.com I get DNS error (even though I have sensors.blablabla.com in the host file). If I use the IP address I the following:
creating client… backend connecting… * State changed: resolving srv (u'192.168.2.5', 'xmpp-client') * * State changed: resolving u'192.168.2.5' * * State changed: connecting (u'192.168.2.5', 5222) * * State changed: connected (u'192.168.2.5', 5222) * looping… Stream error: condition: host-unknown '<stream:error xmlns:stream=“http://etherx.jabber.org/streams”><host-unknown xmlns=“urn:ietf:params:xml:ns:xmpp-streams”/><text xmlns=“urn:ietf:params:xml:ns:xmpp-streams”>This server does not serve 192.168.2.5</text></stream:error>' * State changed: disconnected <JID: u'192.168.2.5'> *
Any thought on this?
21
@T0MA: how did you solve it after all? Setting up the name in the host file is not being enough for me.
22
@Dio: I have come to the conclusion python/pyxmpp is not respecting the order “check hosts file, later check dns” as stated on nsswitch.conf .
Did anyone face this problem already? When I tcpdump (-i eth0 -np port domain) I see that even if I put on the ip address, the script/python/libraries are doing a DNS request. python-pyxmpp 1.0.1-1 python-pgsql 2.5.1-2ubuntu3 Python 2.6.5
23
I think the DNS problem is, dionaea does not check the /etc/hosts file. So i have installed Bind and create my own zone. Then it worked.
Hi Markus, great post.
You need to add some steps to start prosody server with success, they are:
Edit the /opt/prosody/etc/prosody/prosody.cfg.lua as follows:
Above the parameter admins = { } put:
Change the log file location:
to this:
In the first case the log file will be created in the directory from which you execute prosodyctl (PWD)
Change the VirtualHost:
to
(This will prevent you from receiving the error “this server don't serve sensors.example.com”)
Create the rooms:
And, last but not least,
uncomment the line:
I hope I have helped
Regards
Pedro H. Matheus
DSSI - Divisão de Segurança de Sistemas de Informação
CTI - Centro de Tecnologia da Informação Renato Archer