Opencanary

I love honeypots and wanted to give opencanary a shot cause I kept hearing how cool it was.  It’s written in python, and very easy to configure and extend.

The idea is to stick these in various places in your network with fake services similar to what’s around it.  In this case, I have opencanary acting like a Windows system running RDP and MSSQL.

Running on Debian 8.9

sudo apt-get install python-dev python-pip python-virtualenv build-essential libssl-dev libffi-dev python-dev
virtualenv env/
. env/bin/activate
pip install opencanary
pip install scapy pcapy

Start the virtual environment and install rdpy

virtualenv env/
. env/bin/activate
pip install rdpy

Copy the config and start it.

/root/venv/bin/opencanaryd --copyconfig
opencanaryd --start

I edited the config, and disabled everything but MSSQL and RDP.  Then I added a section under the PyLogger class handlers so that I could get emails forwarded to me.  And I just put my email address in that users .forward.

},
 "SMTP": {
 "class": "logging.handlers.SMTPHandler",
 "mailhost": ["localhost", 25],
 "fromaddr": "opencanary@yourdomain.com",
 "toaddrs" : ["someuser"],
 "subject" : "OpenCanary Alert"
 }

Then restarted the opencanary daemon.

opencanaryd --start

Nmap -sV shows it as running SQL Server 2012, and RDP.  Any attempts to connect to or authenticate to these services are logged and emailed to me.

You can also setup SMS, logging to other systems, and implement your own services.

Something really cool is Canary tokens.  You can create files, URLs, Email addresses, etc. and when they are used, you’ll get an out of band alert.  Put a fake file on a share so an attacker steals it and opens it up, and you’ve got their IP address.  Or stick some fake emails/domains in a database, and when they show up in a dump, receive emails or get queried, you’ll get an alert.  Just little things that can help clue you in to what’s happening because it’s impossible to monitor for everything.