Open Canary

I’ve been interested in canary style honeypots for a while and I finally got around to installing one. I thought that I would document the process here for future reference and my notes might be useful for someone else who wants to set one up without spending much money.

First off I’ll explain briefly what a honeypot is and specifically what a canary style honeypot does. A honeypot in IT security has typically been an intentionally insecure server that is connected to a network, often open directly to the internet. The idea is that hackers and malware will notice the system as an easy target and attack it. The honeypot is then closely monitored so that the attacks can be analyzed to see what the bad guys are up to. Many modern exploits on the internet are identified because a honeypot saw a previously unknown attack come in; security researchers can then look into what the attack does and work on ways to prevent it.

A canary honeypot is similar but isn’t intended for security research. The term canary comes from miners bringing a canary into a coal mine: if dangerous gases were released into the mine the bird would die before the gas harmed the miners, which gave them time to react. A canary honeypot is a server that is designed to look attractive to an attacker, and it’s usually connected inside your network where only trusted users and services should have access. When something connects to a service on the honeypot an alarm is triggered and security responders are notified. Since nothing legitimate should ever connect to the honeypot, it acts as a warning system that something is poking around inside your network, and hopefully you will have time to react before the bad guys get what they are looking for.

A vendor of canary style tools that I’ve been hearing a lot about is Thinkst. They have some robust enterprise level canary servers and tokens on their website https://canary.tools/. I don’t want to spend any money so I’m going to skip them for now. Instead I opted to use the free open source tool OpenCanary. For hardware I used a Raspberry Pi 3 that I had from other projects.

I started by cleanly installing a copy of Raspbian Linux on the Pi. Next I went over to the OpenCanary GitHub page and started on the installation instructions.

The first step was installing some dependencies.

sudo apt-get install python-dev python-pip python-virtualenv

I want to use the SMB features of OpenCanary so I also installed Samba.

sudo apt-get install samba

Samba needs to be configured a little, so I followed their recommendations here and made a couple of small changes. My final file looked like this.

[global]
       workgroup = WORKGROUP
       server string = NonCloudServer
       netbios name = NonCloudServer
       dns proxy = no
       log file = /var/log/samba/log.all
       log level = 0
       syslog only = yes
       syslog = 0
       vfs object = full_audit
       full_audit:prefix = %U|%I|%i|%m|%S|%L|%R|%a|%T|%D
       full_audit:success = pread
       full_audit:failure = none
       full_audit:facility = local7
       full_audit:priority = notice
       max log size = 100
       panic action = /usr/share/samba/panic-action %d

       #samba 4
       server role = standalone server

       #samba 3
       #security = user

       passdb backend = tdbsam
       obey pam restrictions = yes
       unix password sync = no
       map to guest = bad user
       usershare allow guests = yes
[myshare]
       comment = Non Cloud Data
       path = /share
       guest ok = yes
       read only = yes
       browseable = yes
       #vfs object = audit

I set up the “/share” folder and added some files that an attacker might find interesting, like a KeePass database file.
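With the full_audit settings above, every successful pread on the share is written to syslog (facility local7) as a pipe-separated record whose first ten fields follow the full_audit:prefix order, followed by the operation, its result and the operation’s argument. As an added example that is not part of the original post or of OpenCanary, here is a small parser that turns such lines into alert records; the sample log lines are constructed to match this prefix, and the exact argument smbd appends after the result may vary between Samba versions.

```python
import re
from typing import Optional

# Field order matches full_audit:prefix in the smb.conf above:
# %U|%I|%i|%m|%S|%L|%R|%a|%T|%D, which smbd follows with the operation
# name, its result ("ok" or "fail") and the operation's argument.
PREFIX_FIELDS = ("user", "client_ip", "server_ip", "client_name", "share",
                 "server_name", "protocol", "client_arch", "timestamp", "domain")
SYSLOG_RE = re.compile(r"smbd_audit(?:\[\d+\])?:\s*(?P<body>.*)$")

def parse_audit_line(line: str) -> Optional[dict]:
    """Parse one syslog line written by the full_audit VFS module, or return
    None for other syslog lines and for records with too few fields."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    parts = m.group("body").split("|")
    n = len(PREFIX_FIELDS)
    if len(parts) < n + 3:
        return None
    record = dict(zip(PREFIX_FIELDS, parts[:n]))
    record["op"], record["result"] = parts[n], parts[n + 1]
    record["args"] = "|".join(parts[n + 2:])  # argument may itself contain '|'
    return record

def alerts_from_log(lines, watched_ops=("pread",)) -> list:
    """Reduce audit records to alerts: who read what on the share, from where.
    With full_audit:success = pread only reads are ever logged, so each hit
    is a client actually pulling decoy content, not just browsing."""
    alerts = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec["op"] in watched_ops and rec["result"] == "ok":
            alerts.append({"src": rec["client_ip"], "user": rec["user"],
                           "share": rec["share"], "file": rec["args"],
                           "when": rec["timestamp"]})
    return alerts

# Constructed sample lines in the shape this smb.conf produces (not real captures).
SAMPLE_LOG = [
    "Jan 10 12:00:01 pi smbd_audit: nobody|192.168.1.50|192.168.1.20|LAPTOP|myshare"
    "|NONCLOUDSERVER|SMB2_10|Windows 10|2017/01/10 12:00:01|WORKGROUP|pread|ok|Passwords.kdbx",
    "Jan 10 12:00:07 pi sshd[812]: Accepted publickey for pi from 192.168.1.2 port 51022",
    "Jan 10 12:03:44 pi smbd_audit: nobody|192.168.1.77|192.168.1.20|DESKTOP-7|myshare"
    "|NONCLOUDSERVER|SMB2_10|Windows 10|2017/01/10 12:03:44|WORKGROUP|pread|ok|Passwords.kdbx",
]
```

OpenCanary only watches the file named by smb.auditfile when smb.enabled is true, so if Samba logs reads but no alert arrives, check that setting and that your syslog daemon actually writes the local7 records to that file.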

Next they recommend creating a Python virtual environment with virtualenv and activating it.

virtualenv venv/
. venv/bin/activate

Next I used the Python package manager pip to install the OpenCanary files.

pip install opencanary

OpenCanary requires a configuration file to be set up. To copy the default config to the user directory I ran this:

./venv/bin/opencanaryd --copyconfig

Now the program should be ready to start by using the following command.

./venv/bin/opencanaryd --start

However, I received an error message:

[-] Using config file: /root/.opencanary.conf
Invalid logging config

Unable to configure handler u'hpfeeds': global name 'hpfeeds' is not defined

This message says that hpfeeds is not defined. So I opened up the .opencanary.conf file and found the hpfeeds section. It was one of the default handlers.

            "handlers": {
                "console": {
                    "class": "logging.StreamHandler",
                    "stream": "ext://sys.stdout"
                },
                "file": {
                    "class": "logging.FileHandler",
                    "filename": "/var/tmp/opencanary.log"
                },
                "syslog-unix": {
                    "class": "logging.handlers.SysLogHandler",
                    "address": ["localhost", 514],
                    "socktype": "ext://socket.SOCK_DGRAM"
                },
                "json-tcp": {
                    "class": "opencanary.logger.SocketJSONHandler",
                    "host": "127.0.0.1",
                    "port": 1514
                },
                "hpfeeds": {
                    "class": "opencanary.logger.HpfeedsHandler",
                    "host": "127.0.0.1",
                    "port": 10000,
                    "ident": "test",
                    "secret": "12345",
                    "channels": ["test.events"]
                }

It’s something that I can live without, so I deleted the hpfeeds section and the comma that came before it. The section now looked like this.

            "handlers": {
                "console": {
                    "class": "logging.StreamHandler",
                    "stream": "ext://sys.stdout"
                },
                "file": {
                    "class": "logging.FileHandler",
                    "filename": "/var/tmp/opencanary.log"
                },
                "syslog-unix": {
                    "class": "logging.handlers.SysLogHandler",
                    "address": ["localhost", 514],
                    "socktype": "ext://socket.SOCK_DGRAM"
                },
                "json-tcp": {
                    "class": "opencanary.logger.SocketJSONHandler",
                    "host": "127.0.0.1",
                    "port": 1514
                }

The next time I started the program I didn’t get an error about the hpfeeds but I did get another error.

An error has occurred: 'Couldn't listen on any:123: [Errno 98] Address already in use.'

Back in the .opencanary.conf, towards the end where the services are listed, I found the fake ntp service configured on port 123. The “Address already in use” error means some other process on the Pi was already bound to UDP port 123.

    "snmp.enabled": false,
    "ntp.enabled": true,
    "tftp.enabled": true,
    "ntp.port": "123",
    "telnet.port": "23",
    "telnet.enabled": true,

I can live without the fake ntp server as well, so I just removed these lines. The new section looked like this.

    "snmp.enabled": false,
    "tftp.enabled": true,
    "telnet.port": "23",
    "telnet.enabled": true,

Finally my canary was singing! By default the canary just logs when someone tries to connect to it, which means you would need to check it manually from time to time. I decided that I would much rather get an email whenever someone tried to connect, so I followed their instructions to set that up and added their recommended config for Gmail alerting. My .opencanary.conf file looked like this.

    "logger": {
        "class" : "PyLogger",
        "kwargs" : {
            "formatters": {
                "plain": {
                    "format": "%(message)s"
                }
            },
            "handlers": {
                "console": {
                    "class": "logging.StreamHandler",
                    "stream": "ext://sys.stdout"
                },
                "file": {
                    "class": "logging.FileHandler",
                    "filename": "/var/tmp/opencanary.log"
                },
                "syslog-unix": {
                    "class": "logging.handlers.SysLogHandler",
                    "address": ["localhost", 514],
                    "socktype": "ext://socket.SOCK_DGRAM"
                },
                "json-tcp": {
                    "class": "opencanary.logger.SocketJSONHandler",
                    "host": "127.0.0.1",
                    "port": 1514
                },
                "SMTP": {
                    "class": "logging.handlers.SMTPHandler",
                    "mailhost": ["smtp.gmail.com", 25],
                    "fromaddr": "noreply@hackernovice.com",
                    "toaddrs" : ["my_gmail_address@gmail.com"],
                    "subject" : "OpenCanary Alert"
                }
            }
        }
    },

Now the program started but I saw a bunch of errors and email alerting was not working.

SMTPSenderRefused: (530, '5.7.0 Must issue a STARTTLS command first. 21sm17684463qkh.4 - gsmtp', u'noreply@hackernovice.com')

This is Gmail telling my server that you can’t just connect on port 25 and send messages; it expects you to start TLS first. The instructions say that OpenCanary uses PyLogger (Python’s logging module) to handle sending emails. After checking out that documentation I edited my .opencanary.conf file again to implement TLS and use a valid email address for sending. In the end my entire conf file looked like this.

{
    "device.node_id": "opencanary-1",
    "ftp.banner": "FTP server ready",
    "ftp.enabled": true,
    "ftp.port":21,
    "http.banner": "Apache/2.2.22 (Ubuntu)",
    "http.enabled": true,
    "http.port": 80,
    "http.skin": "nasLogin",
    "http.skin.list": [
        {
            "desc": "Plain HTML Login",
            "name": "basicLogin"
        },
        {
            "desc": "Synology NAS Login",
            "name": "nasLogin"
        }
    ],
    "httpproxy.port": 8080,
    "httpproxy.skin": "squid",
    "httproxy.skin.list": [
        {
            "desc": "Squid",
            "name": "squid"
        },
        {
            "desc": "Microsoft ISA Server Web Proxy",
            "name": "ms-isa"
        }
    ],
    "logger": {
        "class" : "PyLogger",
        "kwargs" : {
            "formatters": {
                "plain": {
                    "format": "%(message)s"
                }
            },
            "handlers": {
                "SMTP": {
                    "class": "logging.handlers.SMTPHandler",
                    "mailhost": ["smtp.gmail.com", 587],
                    "fromaddr": "MySendingAddress@gmail.com",
                    "toaddrs" : ["MyGmailAddress@gmail.com"],
                    "subject" : "OpenCanary Alert",
                    "credentials" : ["MySendingAddress@gmail.com", "MySendingAddressPassword"],
                    "secure" : []
                },
                "console": {
                    "class": "logging.StreamHandler",
                    "stream": "ext://sys.stdout"
                },
                "file": {
                    "class": "logging.FileHandler",
                    "filename": "/var/tmp/opencanary.log"
                },
                "syslog-unix": {
                    "class": "logging.handlers.SysLogHandler",
                    "address": ["localhost", 514],
                    "socktype": "ext://socket.SOCK_DGRAM"
                },
                "json-tcp": {
                    "class": "opencanary.logger.SocketJSONHandler",
                    "host": "127.0.0.1",
                    "port": 1514
                }

            }
        }
    },
    "portscan.synrate": "5",
    "smb.auditfile": "/var/log/samba-audit.log",
    "smb.configfile": "/briar/config/smb.conf",
    "smb.domain": "corp.thinkst.com",
    "smb.enabled": false,
    "smb.filelist": [
        {
            "name": "2016-Tender-Summary.pdf",
            "type": "PDF"
        },
        {
            "name": "passwords.docx",
            "type": "DOCX"
        }
    ],
    "smb.mode": "workgroup",
    "smb.netbiosname": "FILESERVER",
    "smb.serverstring": "Windows 2003 File Server",
    "smb.sharecomment": "Office documents",
    "smb.sharename": "Documents",
    "smb.sharepath": "/changeme",
    "smb.workgroup": "OFFICE",
    "mysql.banner": "5.5.43-0ubuntu0.14.04.1",
    "mysql.port": 3306,
    "mysql.enabled": true,
    "ssh.enabled": true,
    "ssh.port": 8022,
    "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",
    "rdp.enabled": false,
    "sip.enabled": true,
    "snmp.enabled": false,
    "tftp.enabled": true,
    "telnet.port": "23",
    "telnet.enabled": true,
    "telnet.banner": "",
    "telnet.honeycreds" : [
        {
            "username" : "admin",
            "password" : "$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA"

        },
        {
            "username" : "admin",
            "password" : "admin1"
        }
    ],
    "mssql.enabled": false,
    "vnc.enabled": false
}
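The reason the first SMTP block failed and this one works lies in Python’s logging.handlers.SMTPHandler, which PyLogger builds through logging.config.dictConfig: STARTTLS is only issued when the "secure" key is present (an empty list is enough), and login only happens when "credentials" is set. The following check is added here and is not part of OpenCanary; it constructs the handler from a config block the same way and reports what a STARTTLS-only relay such as Gmail would refuse, using placeholder addresses and password.

```python
import logging
import logging.config
import logging.handlers

# Two SMTP handler blocks in the shape of the .opencanary.conf above: the
# first attempt (port 25, no credentials, no "secure") and the working one.
# Addresses and the password are placeholders, not real accounts.
BROKEN_SMTP = {
    "class": "logging.handlers.SMTPHandler",
    "mailhost": ["smtp.gmail.com", 25],
    "fromaddr": "noreply@example.com",
    "toaddrs": ["alerts@example.com"],
    "subject": "OpenCanary Alert",
}
FIXED_SMTP = dict(BROKEN_SMTP, mailhost=["smtp.gmail.com", 587],
                  fromaddr="sender@example.com",
                  credentials=["sender@example.com", "APP-PASSWORD-PLACEHOLDER"],
                  secure=[])

def build_handler(smtp_cfg: dict) -> logging.handlers.SMTPHandler:
    """Instantiate the handler through dictConfig, as PyLogger does. This
    opens no connection: connect, STARTTLS and login happen in emit()."""
    logging.config.dictConfig({
        "version": 1,
        "handlers": {"smtp": dict(smtp_cfg)},
        "root": {"handlers": ["smtp"], "level": "WARNING"},
    })
    return next(h for h in logging.getLogger().handlers
                if isinstance(h, logging.handlers.SMTPHandler))

def lint_smtp(smtp_cfg: dict) -> list:
    """List why a STARTTLS-only relay such as Gmail would refuse this
    handler, judged from the attributes SMTPHandler actually uses."""
    h = build_handler(smtp_cfg)
    problems = []
    if h.secure is None:  # emit() calls starttls() only when secure is not None
        problems.append("no 'secure' key, so STARTTLS is never issued")
    if h.username is None:  # emit() calls login() only when a username is set
        problems.append("no 'credentials', so the sender is never authenticated")
    if h.mailport == 25:
        problems.append("port 25 is plain relay; Gmail submission is on 587")
    return problems

def lint_conf(conf: dict) -> list:
    """Run lint_smtp over the SMTP handler of a parsed (json.load) .opencanary.conf."""
    handlers = conf["logger"]["kwargs"]["handlers"]
    if "SMTP" not in handlers:
        return ["no SMTP handler: alerts only go to console, file and syslog"]
    return lint_smtp(handlers["SMTP"])
```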

This default config works great but doesn’t look much like a legitimate server. It is set up so that it listens on a bunch of ports and lets you know if anyone tries to connect to them. This works well if you are trying to catch something doing a port scan or another broad attack. If you wanted to make the honeypot look more like a legitimate server it should be tuned to open only specific ports.

In any case this will just sit on my network now and hopefully never do anything. If I get an alert that something connected then it will tell me where the connection originated from and I can deal with it quickly instead of having no idea that something bad is lurking on my network.

Thanks to Brian over at 7 minute security for motivating me into finally starting this project!

6 thoughts on “Open Canary”

  1. I have installed this on a VM and have configured opencanary.conf exactly as you have mentioned in this article, but I still get an error message that says
    "Traceback (most recent call last):
    File "/usr/lib/python2.7/logging/handlers.py", line 941, in emit
    smtp.sendmail(self.fromaddr, self.toaddrs, msg)
    File "/usr/lib/python2.7/smtplib.py", line 736, in sendmail
    raise SMTPSenderRefused(code, resp, from_addr)
    SMTPSenderRefused: (530, '5.7.0 Must issue a STARTTLS command first. a2sm45493543pgn.24 - gsmtp', u'MySendingAddress@gmail.com')
    Logged from file logger.py, line 147"

    1. It looks like the SMTP server is refusing your message because your SMTP connection isn’t using TLS. Make sure you aren’t missing this line in your conf file:
      "secure" : []

  2. I figured out the issue. I did use "secure" : [].
    The 1st change that is required is enabling “secure apps” to use Google services, which can be enabled on your Gmail.
    Also the version 14.03 has compatibility issues with this and hence I used 16.04 and it works fine now.
    Thanks for creating such nice documentation man.
    I was trying to work on Canary Tokens, the one with the Docker image. Apparently, they don’t have an option for authentication when someone accesses it externally.
    Need help on that.

    Thanks for the help
    Manu

  3. Has anybody tested the Samba feature?
    I have added some decoy documents to the Samba share folder and then accessed the files, but I couldn’t get any log.
