Creating a Security Honey Pot with Thinkst Canary & a Raspberry Pi


I always liked the idea of a cost-effective honey pot that could be dropped on to a physical network with the minimum of fuss. The Raspberry Pi 3 is a cost-effective host which, combined with a 32GB SD card and the OpenCanary software, makes a great little drop-in.

Prepare the SD card

Download and run the Raspberry Pi Imager software available here: https://www.raspberrypi.org/downloads/

Download the Ubuntu 18.04.5 32-bit distribution from here

Insert your SD card in to your reader

In the Raspberry Pi Imager, select the Use Custom option

When prompted, locate and select the Ubuntu image you downloaded

Select your SD card (double-check this; personally I tend to remove any other flash drives or SD cards first, just in case!)

Click Write

Click Yes to confirm you understand all data on the SD card will be destroyed

This will take a while so go grab a cup of tea (and biscuits if you have them)

 

OS Installation

Rather than using the Raspbian OS for Raspberry Pi, I highly recommend going for the Ubuntu 20 OS (not the Core edition, the full-fat version), as my tests with other Linux versions ran in to frequent issues with pip, compilation and Python versioning.

One of the key things to pay attention to below that will save you headaches is the importance of waiting with Ubuntu – you’ll see what I mean as you go along!

Logging in


When you first try to log in to your freshly written Ubuntu installation, if you're quick off the mark you'll repeatedly get incorrect username/password errors despite using the correct ubuntu:ubuntu combination. This is because the OS isn't ready yet: cloud-init is still doing its first-boot setup.

Wait until you see a message stating that no authorised SSH key fingerprints were found (it generates the host keys at this point), followed by the confirmation message that cloud-init has finished.

Once you see that, you'll be fine. Expect to be forced to change the default ubuntu password on that first login, and do so; a honey pot with the default credentials on its real management account is an easy foothold for whoever trips it.

If you’re logging in for the first time via SSH from another device, just give it an extra 5 minutes after booting before logging in.

Updating the OS

Run a full update:

sudo apt-get update && sudo apt-get upgrade -y

It can frequently appear to be stuck at this step; just wait and it will get past it:

update-initramfs: Generating /boot/initrd.img-5.4.0-1015-raspi

OpenCanary Installation

Install Python 2.7 (note that Python 2.7 reached end of life in January 2020 and current OpenCanary releases target Python 3; the steps below follow the Python 2 route used for this build):

sudo apt-get install python2.7

Install Python 3.6 (may not be required):

sudo apt-get install python3.6

Install the Ubuntu-specific build dependencies, then the Python Remote Desktop Protocol module (rdpy):

sudo apt-get install -y build-essential libssl-dev libffi-dev python-dev python-pip

Important Note: I recommend a reboot here as it tended to help avoid “segmentation fault (core dumped)” errors for me

pip install rdpy

Important Note: I recommend another reboot here as it tended to help avoid “segmentation fault (core dumped)” errors for me

Install OpenCanary:

pip install opencanary

If you receive segmentation errors (such as "segmentation fault (core dumped)") at the end of the OpenCanary install, reboot and run the above command again.

For me, pcapy just gave multiple errors so I only installed scapy:

pip install scapy

Next, run the following command to create a sample config file for your canary, which you will edit later:

opencanaryd --copyconfig

You should see a message saying something like:

 A sample config file is ready (/home/ubuntu/.opencanary.conf)

Then finally, run canary with the following:

opencanaryd --start

You should see a message similar to the following:

ubuntu@ubuntu:~$ opencanaryd --start
** We hope you enjoy using OpenCanary. For more open source Canary goodness, head over to canarytokens.org. **
[-] Using config file: /home/ubuntu/.opencanary.conf

Changing the MAC Address

By default the Raspberry Pi is going to show up in any network scan as exactly that, because the first three bytes of its MAC address (b8:27:eb in the output below) are the vendor prefix (OUI) registered to the Raspberry Pi Foundation. To change this to something more enticing, do the following steps.

Install the macchanger module:

sudo apt install macchanger

You’ll get a prompt asking if you want macchanger to automatically randomize the mac address when network interfaces come up, this is your preference but I would say no as it could end up as anything.

Determine the interface you want to change the MAC address for using:

ip addr

This will return results similar to the below; the interface names are eth0 (wired) and wlan0 (wireless):

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether b8:27:eb:10:3b:cd brd ff:ff:ff:ff:ff:ff
inet 192.168.1.139/24 brd 192.168.1.255 scope global dynamic eth0
valid_lft 3069247044sec preferred_lft 3069247044sec
inet6 fe80::ba27:ebff:fe10:2edc/64 scope link
valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether b8:27:eb:35:4b:34 brd ff:ff:ff:ff:ff:ff

Now we need to set the MAC address to something more suitable. In the example below I'm using a MAC address with the Dell vendor prefix (00:15:C5), implying it's a Dell server. You can see a list of vendor MAC prefixes here: https://gist.github.com/aallan/b4bb86db86079509e6159810ae9bd3e4 . If you deploy more than one canary, vary the last three bytes so the addresses don't collide on the same network.

Important: for the next steps to work, the network adapter needs to be down, so the commands need to be carried out at the device itself (keyboard and screen); taking eth0 down will drop any SSH session you are working from. If ifconfig is not present on your Ubuntu image, either install it with sudo apt install net-tools or use the equivalent ip link set eth0 down and ip link set eth0 up commands.

Take the network interface down:

sudo ifconfig eth0 down

To change the MAC address to a Dell-eseque one I ran:

sudo macchanger --mac=00:15:C5:12:CC:AB eth0

Bring the network interface up:

sudo ifconfig eth0 up

Note: your IP address may change as a result of this if you're using DHCP, and the new MAC address does not survive a reboot unless you script the change to run at boot.

Configuration

As mentioned in the confirmation above, the configuration options for OpenCanary are stored in the file located at: /home/ubuntu/.opencanary.conf

To edit it, use your editor of choice, I use Nano:

nano .opencanary.conf

In here you will find options for turning individual services (FTP, HTTP, SSH, Telnet and so on) on and off, their ports and banners, and the logger section that decides where alerts go.

Email Notifications

One of the most common ways of getting notifications from a remote OpenCanary is via email. The bundled examples don't show how to authenticate (which most email services require), but the handler uses the format below; add it to the handlers section of the logger block. The addresses are placeholders, so substitute your own. Bear in mind that the mailbox password sits in clear text in .opencanary.conf on a device that is designed to be attacked, so use a dedicated mailbox with no other privileges, and keep "secure": [] so the handler negotiates STARTTLS before it sends the credentials.

 "SMTP": {
     "class": "logging.handlers.SMTPHandler",
     "mailhost": ["smtp.office365.com", 587],
     "fromaddr": "canary@example.com",
     "toaddrs": ["soc@example.com"],
     "subject": "OpenCanary Alert",
     "credentials": ["canary@example.com", "myPasswordGoesHere"],
     "secure": []
 },
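As an added example (not code from the original post or from OpenCanary itself), the Python 3 script below builds a configuration of this shape, enables a chosen set of services, attaches the SMTP handler with STARTTLS turned on, and lints the result for the mistakes that bite in practice: no handlers at all, SMTP credentials without STARTTLS, two services on one port, and the SSH honeypot fighting the real sshd for port 22. The key names follow the sample .opencanary.conf; the default ports, the baseline config and the lint rules are this example's own assumptions.

```python
"""Build and lint an OpenCanary configuration before dropping it in place.

Added example for this post (Python 3); it is not OpenCanary's own code. The
key names follow the sample .opencanary.conf ("<service>.enabled",
"<service>.port", "logger" -> "kwargs" -> "handlers"); the port table, the
baseline config and the lint rules are assumptions made by this example.
"""
import copy
import json

# Listening ports this example assigns to each honeypot service
# (assumption: compare with the values in your generated .opencanary.conf)
SERVICE_PORTS = {"ftp": 21, "http": 80, "ssh": 22, "telnet": 23,
                 "smb": 445, "rdp": 3389, "mysql": 3306, "vnc": 5900}


def sample_config():
    """A constructed baseline resembling what opencanaryd --copyconfig writes."""
    cfg = {"device.node_id": "opencanary-1", "portscan.enabled": True}
    for name, port in SERVICE_PORTS.items():
        cfg[f"{name}.enabled"] = False
        cfg[f"{name}.port"] = port
    cfg["logger"] = {"class": "PyLogger", "kwargs": {
        "formatters": {"plain": {"format": "%(message)s"}},
        "handlers": {"file": {"class": "logging.FileHandler",
                              "filename": "/var/tmp/opencanary.log"}}}}
    return cfg


def enable_services(config, enabled):
    """Return a copy with exactly the named services switched on."""
    cfg = copy.deepcopy(config)
    unknown = set(enabled) - set(SERVICE_PORTS)
    if unknown:
        raise ValueError(f"unknown services: {sorted(unknown)}")
    for name in SERVICE_PORTS:
        cfg[f"{name}.enabled"] = name in enabled
    return cfg


def add_smtp_handler(config, mailhost, port, fromaddr, toaddrs, username, password):
    """Attach the logging.handlers.SMTPHandler block the post describes, with STARTTLS."""
    cfg = copy.deepcopy(config)
    handlers = cfg.setdefault("logger", {}).setdefault("kwargs", {}).setdefault("handlers", {})
    handlers["SMTP"] = {
        "class": "logging.handlers.SMTPHandler",
        "mailhost": [mailhost, port],
        "fromaddr": fromaddr,
        "toaddrs": list(toaddrs),
        "subject": "OpenCanary Alert",
        "credentials": [username, password],
        # an empty list makes SMTPHandler call starttls() before it authenticates;
        # leaving the key out (None) would send the credentials in clear text
        "secure": [],
    }
    return cfg


def lint(config):
    """Problems a practitioner would want flagged before starting opencanaryd."""
    problems = []
    handlers = config.get("logger", {}).get("kwargs", {}).get("handlers", {})
    if not handlers:
        problems.append("no log handlers: alerts would go nowhere")
    smtp = handlers.get("SMTP")
    if smtp and smtp.get("credentials") and smtp.get("secure") is None:
        problems.append("SMTP credentials configured without STARTTLS ('secure')")
    if config.get("ssh.enabled") and config.get("ssh.port") == 22:
        problems.append("ssh honeypot on port 22 collides with the real sshd; move one of them")
    seen = {}
    for name in SERVICE_PORTS:
        if config.get(f"{name}.enabled"):
            port = config.get(f"{name}.port")
            if port in seen:
                problems.append(f"{name} and {seen[port]} both bound to port {port}")
            seen[port] = name
    return problems


def to_json(config):
    """Serialise in a stable, diff-friendly form for writing to ~/.opencanary.conf."""
    return json.dumps(config, indent=4, sort_keys=True) + "\n"


if __name__ == "__main__":
    cfg = enable_services(sample_config(), {"ftp", "http", "ssh"})
    cfg = add_smtp_handler(cfg, "smtp.office365.com", 587, "canary@example.com",
                           ["soc@example.com"], "canary@example.com", "myPasswordGoesHere")
    for problem in lint(cfg):
        print("WARNING:", problem)
    print(to_json(cfg))
```

Run it once with your intended service set and fix every warning before copying the output over .opencanary.conf; the SSH collision in particular is silent otherwise, because whichever daemon binds port 22 second simply fails.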

Summary

Once completed, you can try logging in to services on the device's IP address (FTP, HTTP, etc.) or use a network scanner (I simply used Fing on my phone) to do a network scan and a port scan of the device.

Any of these should then trigger alerts based on your "handler" options (mine currently sends to email and writes to a log file).
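The alerts described above also land in the log file as one JSON object per line, which is the raw material for any SIEM forwarding. As an added example (not code from the original post or from OpenCanary itself), the Python 3 script below parses constructed sample lines of that shape, survives a truncated line of the kind a log tail produces, groups events by source address, flags a port scan and a credential-guessing attempt, and flattens an event to a key=value line without the captured password. The logtype codes and field names are assumptions taken from OpenCanary's logger module; check them against the release you installed.

```python
"""Triage OpenCanary JSON log lines and flag scans and login attempts.

Added example for this post (Python 3); it is not OpenCanary's own code. It
assumes the default file handler output: one JSON object per line carrying
src_host, dst_port, logtype and logdata fields.
"""
import json
from collections import defaultdict

# logtype codes as defined in OpenCanary's logger module (assumption: verify
# against opencanary/logger.py for the release you installed)
LOG_FTP_LOGIN_ATTEMPT = 2000
LOG_HTTP_GET = 3000
LOG_HTTP_POST_LOGIN_ATTEMPT = 3001
LOG_SSH_LOGIN_ATTEMPT = 4002
LOG_PORT_SYN = 5001
LOG_TELNET_LOGIN_ATTEMPT = 6001

LOGIN_TYPES = {LOG_FTP_LOGIN_ATTEMPT, LOG_HTTP_POST_LOGIN_ATTEMPT,
               LOG_SSH_LOGIN_ATTEMPT, LOG_TELNET_LOGIN_ATTEMPT}


def _event(src, dst_port, logtype, logdata=None, ts="2020-09-01 10:00:00"):
    """Build one event dict with the field names OpenCanary's logger emits."""
    return {"dst_host": "192.168.1.139", "dst_port": dst_port, "local_time": ts,
            "logdata": logdata or {}, "logtype": logtype, "node_id": "opencanary-1",
            "src_host": src, "src_port": 51000}


# Constructed sample log (not real alerts): a SYN sweep and an FTP login attempt
# from one host, a single HTTP GET from another, plus a truncated trailing line.
SAMPLE_LOG = "\n".join(
    [json.dumps(_event("192.168.1.50", p, LOG_PORT_SYN)) for p in (21, 22, 23, 80, 443, 3389)]
    + [json.dumps(_event("192.168.1.50", 21, LOG_FTP_LOGIN_ATTEMPT,
                         {"USERNAME": "admin", "PASSWORD": "admin"}))]
    + [json.dumps(_event("192.168.1.77", 80, LOG_HTTP_GET, {"PATH": "/", "USERAGENT": "Fing"}))]
    + ['{"dst_host": "192.168.1.139", "dst_port": 80, "logtype": 30']
) + "\n"


def parse_events(text):
    """Parse one JSON event per line, dropping lines that are not complete objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except ValueError:
            continue  # partial write or tail race: skip it rather than crash the forwarder
        if isinstance(obj, dict) and "src_host" in obj and "logtype" in obj:
            events.append(obj)
    return events


def summarize(events, scan_threshold=5):
    """Group events by source and decide which sources look like scans or brute force."""
    by_src = defaultdict(lambda: {"ports": set(), "login_attempts": 0, "credentials": []})
    for ev in events:
        entry = by_src[ev["src_host"]]
        entry["ports"].add(ev.get("dst_port"))
        if ev["logtype"] in LOGIN_TYPES:
            entry["login_attempts"] += 1
            data = ev.get("logdata") or {}
            entry["credentials"].append((data.get("USERNAME"), data.get("PASSWORD")))
    summary = {}
    for src, entry in by_src.items():
        summary[src] = {
            "ports": sorted(p for p in entry["ports"] if p is not None),
            "login_attempts": entry["login_attempts"],
            "credentials": entry["credentials"],
            # touching this many distinct ports on a box nobody should talk to is a scan
            "port_scan": len(entry["ports"]) >= scan_threshold,
        }
    return summary


def to_kv_line(ev):
    """Flatten an event to a key=value line, the shape most SIEM syslog inputs accept."""
    fields = {"node": ev.get("node_id"), "src": ev.get("src_host"),
              "dst_port": ev.get("dst_port"), "logtype": ev.get("logtype")}
    fields.update({k.lower(): v for k, v in (ev.get("logdata") or {}).items()
                   if k != "PASSWORD"})  # never forward captured passwords in clear
    return "opencanary " + " ".join(f"{k}={v}" for k, v in fields.items())


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    for src, info in summarize(parsed).items():
        print(src, info)
    for ev in parsed:
        print(to_kv_line(ev))
```

Point parse_events at the file named by your FileHandler (/var/tmp/opencanary.log in the sample config) and the same summary logic works on live data; the scan threshold is deliberately low because a honey pot has no legitimate traffic, so even a handful of distinct ports from one source is worth a look.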

What’s next

There’s several items I need to address on this which I’ll look at and update but in summary:

  1. Writing logs directly to a SIEM
  2. Moving the SSH port to a non standard port (to hide it) and enabling the SSH honeypot.

 

Bob McKay

About Bob McKay

Bob is Director of Operations at Perfect Image, a full time father and husband, part-time tinkerer-with-wires, coder, Muay Thai practitioner, builder and cook. Loves love, tolerance and coexistence. Hates hate. Is aware of the irony of hating hate.
