Creating a Security Honey Pot with Thinkst Canary & a Raspberry Pi

Creating a Security Honey Pot with Thinkst Canary & a Raspberry Pi

I always liked the idea of a cost-effective honey pot that could be dropped on to a physical network with the minimum of fuss.  As [easyazon_link keywords=”Raspberry Pi 3″ locale=”US” tag=”bobmckay-20″]Raspberry Pi 3[/easyazon_link] is cost-effective host which, combined with a [easyazon_link keywords=”32GB sd-card” locale=”US” tag=”bobmckay-20″]32GB sd-card[/easyazon_link]
and the OpenCanary software, makes a great little drop-in.

Prepare the SD card

Donwload and run the Raspberry PI Imager software available here:

Download the Ubuntu 18.04.5 32 bit distribution from here

Insert your SD card in to your reader

On the Raspberry PI Imager, select the Use Custom option from the imager software

When prompted, locate and select the Ubuntu image you downloaded

Select your SD card (double check, personally I tend to remove any other flash drives or SD cards just in case!)

Click Write

Click Yes to confirm you understand all data on the SD card will be destroyed

This will take a while so go grab a cup of tea (and biscuits if you have them)


OS Installation

Rather than using the Raspian OS for Raspberry PI, I highly recommend going for the Ubuntu 20 OS (not the core, the full fat version) as my tests with other Linux versions ran in to frequent issues with pip, compilation and Python versioning.

One of the key things to pay attention to below that will save you headaches is the importance of waiting with Ubuntu – you’ll see what I mean as you go along!

Logging in

(no these keys are not used!)

Initially when you attempt to login to your freshly created Ubuntu installation, if you’re quick off the mark you’ll repeatedly get incorrect username/password errors despite using the correct ubuntu:ubuntu combination, this is because the OS isn’t ready yet.

Wait until you see a message stating that no authorised SSH key fingerprints were found, it will generate some and you’ll see confirmation messages about cloud-init finished,

Once you see that, you’ll be fine!

If you’re logging in for the first time via SSH from another device, just give it an extra 5 minutes after booting before logging in.

Updating the OS

Run a full update:

sudo apt-get update && sudo apt-get upgrade -y

It can frequenty appear to be stuck at this step, just wait it will get past it:

update-initramfs: Generating /boot/initrd.img-5.4.0-1015-raspi

OpenCanary Installation

Install Python 2.7:

sudo apt-get install python2.7

Install Python 3.6 (may not be required):

sudo apt-get install python3.6

Install Ubuntu specific dependancies and the Python Remote Desktop Protocol module (rdpy):

sudo apt-get install -y build-essential libssl-dev libffi-dev python-dev python-pip

Important Note: I recommend a reboot here as it tended to help avoid “segmentation fault (core dumped)” errors for me

pip install rdpy

Important Note: I recommend another reboot here as it tended to help avoid “segmentation fault (core dumped)” errors for me

Install OpenCanary in it

pip install opencanary

if you recieve segmentation errors (such as “segmentation fault (core dumped”) at the end of the canary install, reboot and run the above command again.

For me, pcapy just gave multiple errors so I only installed scapy:

pip install scapy

Next, run the following command to createa sample config file to your canary for you to edit:

opencanaryd --copyconfig

You should see a message saying something like:

 A sample config file is ready (/home/ubuntu/.opencanary.conf)

Then finally, run canary with the following:

opencanaryd --start

You should see a message similar to the following:

ubuntu@ubuntu:~$ opencanaryd --start
** We hope you enjoy using OpenCanary. For more open source Canary goodness, head over to **
[-] Using config file: /home/ubuntu/.opencanary.conf

Changing the MAC Address

By default the Raspberry Pi is going to show up as a exactly that due to its MAC address vendor reference, to change this to something more enticing, do the following steps.

Install the macchanger module:

sudo apt install macchanger

You’ll get a prompt asking if you want macchanger to automatically randomize the mac address when network interfaces come up, this is your preference but I would say no as it could end up as anything.

Determine the interface you want to change the MAC address for using:

ip addr

This will return results similar to the below, I’ve emboldened the interface names:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether b8:27:eb:10:3b:cd brd ff:ff:ff:ff:ff:ff
inet brd scope global dynamic eth0
valid_lft 3069247044sec preferred_lft 3069247044sec
inet6 fe80::ba27:ebff:fe10:2edc/64 scope link
valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether b8:27:eb:35:4b:34 brd ff:ff:ff:ff:ff:ff

Now we need to set the mac address to something more suitable – in the example below I’m using a max address with a prefix for Dell (0015C5), implying its a Dell server.  You can see a list of vendor MAC prefixes here:

Important, for the next steps to work, the network adapter needs to be ‘down’ (see here) so the command needs to be carried at the device (keyboard/screen):

Take the network interface down:

sudo ifconfig eth0 down

To change the MAC address to a Dell-eseque one I ran:

sudo macchanger --mac=00:15:C5:12:CC:AB eth0

Bring the network interface up:

sudo ifconfig eth0 up

Note: your IP address may change as a result of this if you’re using DHCP


As mentioned in the confirmation above, the configuration options for OpenCanary are stored in the file located at: /home/ubuntu/.opencanary.conf

To edit it, use your editor of choice, I use Nano:

nano .opencanary.conf

In here you can find multiple options for turning services on and off

Email Notifications

One of the most common means of getting notifications from a remote OpenCanary is via email, the examples don’t explain how to authenticate (which is needed for most email services) but it uses this format (add this to the handlers section):

 "SMTP": {
"class": "logging.handlers.SMTPHandler",
"mailhost": ["", 587],
"fromaddr": "[email protected]",
"toaddrs" : ["[email protected]"],
"subject" : "OpenCanary Alert",
"credentials" : ["[email protected]", "myPasswordGoesHere"],
"secure" : []


Once completed, you can try loggin in to services on the devices IP address (ftp, http, etc.) or use a network scanner (i simply used fing on my phone) to do a network scan and a port scan of the device.

Any of these should then trigger alerts based on your “handler” options (mine currently sends to email and writes to a log file.

What’s next

There’s several items I need to address on this which I’ll look at and update but in summary:

  1. Writing logs directly to a siem
  2. Moving the SSH port to a non standard port (to hide it) and enabling the SSH honeypot.


Bob McKay

About Bob McKay

Bob is a Founder of Seguro Ltd, a full time father and husband, part-time tinkerer-with-wires, coder, Muay Thai practitioner, builder and cook. Big fan of equality, tolerance and co-existence.

Disclosure Policy

3 comments on «Creating a Security Honey Pot with Thinkst Canary & a Raspberry Pi»

  1. Alf says:

    Unhandled Error
    Traceback (most recent call last):
    File “/usr/local/lib/python3.9/dist-packages/Twisted-19.10.0-py3.9-linux-armv7l.egg/twisted/application/”, line 674, in run
    File “/usr/local/lib/python3.9/dist-packages/Twisted-19.10.0-py3.9-linux-armv7l.egg/twisted/scripts/”, line 25, in runApp
    File “/usr/local/lib/python3.9/dist-packages/Twisted-19.10.0-py3.9-linux-armv7l.egg/twisted/application/”, line 381, in run
    self.application = self.createOrGetApplication()
    File “/usr/local/lib/python3.9/dist-packages/Twisted-19.10.0-py3.9-linux-armv7l.egg/twisted/application/”, line 453, in createOrGetApplication
    application = getApplication(self.config, passphrase)
    — —
    File “/usr/local/lib/python3.9/dist-packages/Twisted-19.10.0-py3.9-linux-armv7l.egg/twisted/application/”, line 464, in getApplication
    application = service.loadApplication(filename, style, passphrase)
    File “/usr/local/lib/python3.9/dist-packages/Twisted-19.10.0-py3.9-linux-armv7l.egg/twisted/application/”, line 416, in loadApplication
    application = sob.loadValueFromFile(filename, ‘application’)
    File “/usr/local/lib/python3.9/dist-packages/Twisted-19.10.0-py3.9-linux-armv7l.egg/twisted/persisted/”, line 177, in loadValueFromFile
    eval(codeObj, d, d)
    File “/usr/local/bin/opencanary.tac”, line 4, in
    __import__(‘pkg_resources’).run_script(‘opencanary==0.7.1’, ‘opencanary.tac’)
    File “/usr/local/lib/python3.9/dist-packages/setuptools-63.2.0-py3.9.egg/pkg_resources/”, line 669, in run_script
    name = ns[‘__name__’]
    builtins.KeyError: ‘__name__

  2. Alf Rob says:

    I think this website is out of date if you follow it then it won’t work. takes a lot of time, it’s a shame that someone doesn’t remove this in time

    1. Bob McKay says:

      Hi Alf,
      The website isn’t out of date – the tutorial was written in 2020 and is clearly dated as such. Obviously things change however and I am currently writing an updated one based on a Raspbrry Pi 4. Generally people post updates and fixes for changes in the comments, though obviously no-one is obliged to (just as you are not obliged to follow the tutorial).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.