Creating a Security Honey Pot with Thinkst Canary & a Raspberry Pi

(no these keys are not used!)

Initially when you attempt to login to your freshly created Ubuntu installation, if you’re quick off the mark you’ll repeatedly get incorrect username/password errors despite using the correct ubuntu:ubuntu combination, this is because the OS isn’t ready yet.

Wait until you see a message stating that no authorised SSH key fingerprints were found, it will generate some and you’ll see confirmation messages about cloud-init finished,

Once you see that, you’ll be fine!

If you’re logging in for the first time via SSH from another device, just give it an extra 5 minutes after booting before logging in.

Updating the OS

Run a full update:

sudo apt-get update && sudo apt-get upgrade -y

It can frequenty appear to be stuck at this step, just wait it will get past it:

update-initramfs: Generating /boot/initrd.img-5.4.0-1015-raspi

OpenCanary Installation

Install Python 2.7:

sudo apt-get install python2.7

Install Python 3.6 (may not be required):

sudo apt-get install python3.6

Install Ubuntu specific dependancies and the Python Remote Desktop Protocol module (rdpy):

sudo apt-get install -y build-essential libssl-dev libffi-dev python-dev python-pip

Important Note: I recommend a reboot here as it tended to help avoid “segmentation fault (core dumped)” errors for me

pip install rdpy

Important Note: I recommend another reboot here as it tended to help avoid “segmentation fault (core dumped)” errors for me

Install OpenCanary in it

pip install opencanary

if you recieve segmentation errors (such as “segmentation fault (core dumped”) at the end of the canary install, reboot and run the above command again.

For me, pcapy just gave multiple errors so I only installed scapy:

pip install scapy

Next, run the following command to createa sample config file to your canary for you to edit:

opencanaryd --copyconfig

You should see a message saying something like:

 A sample config file is ready (/home/ubuntu/.opencanary.conf)

Then finally, run canary with the following:

opencanaryd --start

You should see a message similar to the following:

[email protected]:~$ opencanaryd --start
** We hope you enjoy using OpenCanary. For more open source Canary goodness, head over to canarytokens.org. **
[-] Using config file: /home/ubuntu/.opencanary.conf

Changing the MAC Address

By default the Raspberry Pi is going to show up as a exactly that due to its MAC address vendor reference, to change this to something more enticing, do the following steps.

Install the macchanger module:

sudo apt install macchanger

You’ll get a prompt asking if you want macchanger to automatically randomize the mac address when network interfaces come up, this is your preference but I would say no as it could end up as anything.

Determine the interface you want to change the MAC address for using:

ip addr

This will return results similar to the below, I’ve emboldened the interface names:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether b8:27:eb:10:3b:cd brd ff:ff:ff:ff:ff:ff
inet 192.168.1.139/24 brd 192.168.1.255 scope global dynamic eth0
valid_lft 3069247044sec preferred_lft 3069247044sec
inet6 fe80::ba27:ebff:fe10:2edc/64 scope link
valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether b8:27:eb:35:4b:34 brd ff:ff:ff:ff:ff:ff

Now we need to set the mac address to something more suitable – in the example below I’m using a max address with a prefix for Dell (0015C5), implying its a Dell server.  You can see a list of vendor MAC prefixes here: https://gist.github.com/aallan/b4bb86db86079509e6159810ae9bd3e4

Important, for the next steps to work, the network adapter needs to be ‘down’ (see here) so the command needs to be carried at the device (keyboard/screen):

Take the network interface down:

sudo ifconfig eth0 down

To change the MAC address to a Dell-eseque one I ran:

sudo macchanger --mac=00:15:C5:12:CC:AB eth0

Bring the network interface up:

sudo ifconfig eth0 up

Note: your IP address may change as a result of this if you’re using DHCP

Configuration

As mentioned in the confirmation above, the configuration options for OpenCanary are stored in the file located at: /home/ubuntu/.opencanary.conf

To edit it, use your editor of choice, I use Nano:

nano .opencanary.conf

In here you can find multiple options for turning services on and off

Email Notifications

One of the most common means of getting notifications from a remote OpenCanary is via email, the examples don’t explain how to authenticate (which is needed for most email services) but it uses this format (add this to the handlers section):

 "SMTP": {
"class": "logging.handlers.SMTPHandler",
"mailhost": ["smtp.office365.com", 587],
"fromaddr": "[email protected]",
"toaddrs" : ["[email protected]"],
"subject" : "OpenCanary Alert",
"credentials" : ["[email protected]", "myPasswordGoesHere"],
"secure" : []
},

Summary

Once completed, you can try loggin in to services on the devices IP address (ftp, http, etc.) or use a network scanner (i simply used fing on my phone) to do a network scan and a port scan of the device.

Any of these should then trigger alerts based on your “handler” options (mine currently sends to email and writes to a log file.

What’s next

There’s several items I need to address on this which I’ll look at and update but in summary:

1. Writing logs directly to a siem
2. Moving the SSH port to a non standard port (to hide it) and enabling the SSH honeypot.