Canary Honeypot (Updated 2022)

Create a Security Honey Pot with OpenCanary and a Raspberry Pi
Background:
OpenCanary https://github.com/thinkst/opencanary is a honeypot tool available to help you identify later movement within your organization after an attacker has gotten into your network. If your security budget allows, you may want to consider the commercial offering Canary https://canary.tools which is also offered by Thinkst.
Setup:
Server (Raspberry PI)
I used Raspbian, but Ubuntu is also a great choice. I won't cover the install process for a stock Ubuntu server or Raspbian, if you need more information around that, please check out https://help.ubuntu.com or https://www.raspberrypi.com/software/
However, during the setup, when you get to the software selection make sure you select the Open SSH, Standard System utility packages at a minimum. If you don't have an SMTP server for sending alerts, you may want to also install the Mail Server or use Slack or Microsoft Teams as I did.

1. Opencanary Get out https://github.com/thinkst/opencanary for details on this. Run the following for download and installation: sudo apt-get update && sudo apt-get upgrade -y sudo apt install git -y sudo apt-get install build-essential libssl-dev libffi-dev python-dev -y sudo apt-get install python3-pip -y git clone https://github.com/thinkst/opencanary cd opencanary sudo python3 setup.py install Now generate a config file. opencanaryd --copyconfig Now edit the new conf file: vim .opencanary.conf Make sure to keep proper JSON formatting or the OpenCanary service won't start. I used jq to validate that the JSON file is good to go! If there are issues it will help you quickly identify them. If you need more information around using or installing jq please visit https://stedolan.github.io/jq/download/ { "device.node_id": "opencanary-1", "ip.ignorelist": [ ], "git.enabled": false, "git.port" : 9418, "ftp.enabled": true, "ftp.port": 21, "ftp.banner": "FTP server ready", "http.banner": "Apache/2.2.22 (Ubuntu)", "http.enabled": false, "http.port": 80, "http.skin": "nasLogin", "http.skin.list": [ { "desc": "Plain HTML Login", "name": "basicLogin" }, { "desc": "Synology NAS Login", "name": "nasLogin" } ], "httpproxy.enabled" : false, "httpproxy.port": 8080, "httpproxy.skin": "squid", "httproxy.skin.list": [ { "desc": "Squid", "name": "squid" }, { "desc": "Microsoft ISA Server Web Proxy", "name": "ms-isa" } ], "logger": { "class": "PyLogger", "kwargs": { "formatters": { "plain": { "format": "%(message)s" }, "syslog_rfc": { "format": "opencanaryd[%(process)-5s:%(thread)d]: %(name)s %(levelname)-5s %(message)s" } }, "handlers": { "console": { "class": "logging.StreamHandler", "stream": "ext://sys.stdout" }, "file": { "class": "logging.FileHandler", "filename": "/var/tmp/opencanary.log" }, "syslog-unix": { "class": "logging.handlers.SysLogHandler", "formatter":"syslog_rfc", "address": [ "localhost", 514 ], "socktype": "ext://socket.SOCK_DGRAM" }, "json-tcp": { "class": "opencanary.logger.SocketJSONHandler", "host": "127.0.0.1", "port": 1514 }, "SMTP": { "class": "logging.handlers.SMTPHandler", "mailhost": ["smtp.yourserver.com", 25], "fromaddr": "noreply@yourdomain.com", "toaddrs" : ["youraddress@gmail.com"], "subject" : "OpenCanary Alert", "credentials" : ["youraddress", "SecureStrongpass"], "secure" : [] }, "slack":{ "class":"opencanary.logger.SlackHandler", "webhook_url":"https://hooks.slack.com/services/..." }, "teams": { "class": "opencanary.logger.TeamsHandler", "webhook_url":"https://my-organisation.webhook.office.com/webhookb2/..." } } } }, "portscan.enabled": false, "portscan.logfile":"/var/log/kern.log", "portscan.synrate": 5, "portscan.nmaposrate": 5, "portscan.lorate": 3, "smb.auditfile": "/var/log/samba-audit.log", "smb.enabled": false, "mysql.enabled": false, "mysql.port": 3306, "mysql.banner": "5.5.43-0ubuntu0.14.04.1", "ssh.enabled": false, "ssh.port": 22, "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4", "redis.enabled": false, "redis.port": 6379, "rdp.enabled": false, "rdp.port": 3389, "sip.enabled": false, "sip.port": 5060, "snmp.enabled": false, "snmp.port": 161, "ntp.enabled": false, "ntp.port": "123", "tftp.enabled": false, "tftp.port": 69, "tcpbanner.maxnum":10, "tcpbanner.enabled": false, "tcpbanner_1.enabled": false, "tcpbanner_1.port": 8001, "tcpbanner_1.datareceivedbanner": "", "tcpbanner_1.initbanner": "", "tcpbanner_1.alertstring.enabled": false, "tcpbanner_1.alertstring": "", "tcpbanner_1.keep_alive.enabled": false, "tcpbanner_1.keep_alive_secret": "", "tcpbanner_1.keep_alive_probes": 11, "tcpbanner_1.keep_alive_interval":300, "tcpbanner_1.keep_alive_idle": 300, "telnet.enabled": false, "telnet.port": "23", "telnet.banner": "", "telnet.honeycreds": [ { "username": "admin", "password": "$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA" }, { "username": "admin", "password": "admin1" } ], "mssql.enabled": false, "mssql.version": "2012", "mssql.port":1433, "vnc.enabled": false, "vnc.port":5000 } $ . env/bin/activate $ opencanaryd --start If everything worked you should have some emails or slack messages alerting you to the startup of the services. Over time, depending on what you enabled, you will receive alerts for port scans, or other attempts. Please visit this document which covers in more detail OpenCanary, https://buildmedia.readthedocs.org/media/pdf/opencanary/latest/opencanary.pdf Slack channel for Opencanary Alerts, set up incoming webhooks. https://slack.com/help/articles/115005265063-Incoming-webhooks-for-Slack https://slack.com/help/articles/115005265063-Incoming-webhooks-for-Slack