Create a Security Honey Pot with OpenCanary and a Raspberry Pi 3 (Updated 2021)

I’ve created an updated version of my original Raspberry Pi 3 Honey Pot tutorial after I discovered it does work with newer versions of the Linux operating systems.

After banging my head against a lot of combinations of OS versions, configurations and dependency issues, I finally got a simple working walkthrough from start to finish.  Enjoy, and if you have any issues, please post in the comments!

Like the original tutorial, this is based on a Raspberry PI 3 but should work just as well for a Raspberry PI 2 (I used the headless version of Raspbian to keep it light) or the Raspberry PI 4.

I always liked the idea of a cost-effective honey pot that could be dropped on to a physical network with the minimum of fuss.  As Raspberry Pi 3s are cheap, ubiquitous and well-supported it seemed a no-brainer.  Combine this with a case, a 32GB SD card and the OpenCanary software and you have a great little solution for minimal spend.

OpenCanary, for those that don’t know, is the open source version of the Thinkst Canary honeypot.

OS Installation

I’m very happy to say that since my last tutorial, the dependency and Python issues seem to have been resolved with Raspbian, allowing us to use the native OS for the device.

As mentioned above, I opted for the “Lite” (headless) version, which means it comes with no desktop or GUI interface – it’s command line only.  I did this because I wanted the best performance from the device with no unnecessary applications/services, and OpenCanary is entirely command line anyway.

Finally, OpenCanary’s own installation steps suggest running OpenCanary in a virtual container.  Given that it’s unlikely I’m going to be using my Raspberry Pi for an additional workload, I install directly to keep things simple.

Prepare the SD card

Download and run the Raspberry PI Imager software available here: https://www.raspberrypi.org/downloads/

Insert your SD card in to your reader

On the Raspberry PI Imager, select the Raspberry PI OS (other) option from the Operating System menu

Select Raspberry Pi OS Lite (32-bit)

Select your SD card (double check, personally I tend to remove any other flash drives or SD cards just in case!)

Click Write

Click Yes to confirm you understand all data on the SD card will be destroyed

This will take a while so go grab a cup of tea (and biscuits if you have them)

Enable SSH

By default, SSH is disabled on Raspberry PI devices so if you are going to be configuring this remotely, you must turn this on first.

The easiest way to do this is while you still have the SD card in your computer after formatting it.

Simply open the partition called “boot” in Windows Explorer (or equivalent) and create an empty file there with a filename of either ssh or ssh.txt.

When your Raspberry PI boots up, if it finds either of those files, it enables the SSH service (and deletes the files).

Logging in

The default username/password for Raspbian is pi/raspberry.

Updating the OS

Run a full update of Raspbian (this can take a while):

sudo apt-get update && sudo apt-get upgrade -y

Hide Your Pi

Given that the whole idea of a honey pot is to make it look like a tasty target to attackers, having it clearly show up as a Raspberry PI when they do a network scan is going to be a bit of a giveaway.  Typically this identification is done from the MAC address of the network adapter and the hostname the device identifies itself with; fortunately, both are reasonably easy to change.

For the purposes of this tutorial, we are going to disguise the Raspberry PI as a Synology NAS, so we’ll need a MAC address from the pool used by Synology; a good searchable resource for manufacturer MAC addresses can be found here.

Taking one of the Synology NAS prefixes – 001132 – we need to add further hexadecimal values to make it the proper length and punctuate it with colons to match the standard format.  Doing this, 001132 becomes:

00:11:32:B3:4D:F5

We’ll be using nano to edit a lot of configuration files; if you’re not familiar with it, check this tutorial: https://linuxize.com/post/how-to-use-nano-text-editor/

Now we have a Synology NAS MAC address, let’s tell our Raspberry PI to identify itself using that:

sudo nano /boot/cmdline.txt

When nano loads, paste “smsc95xx.macaddr=” followed by your new MAC address at the end of the existing line in cmdline.txt, with a single space before it (so the additional text doesn’t run into the previous value).  Using my example, I’ll therefore be adding smsc95xx.macaddr=00:11:32:B3:4D:F5 to the end of the file, resulting in the file reading:

console=serial0,115200 console=tty1 root=PARTUUID=96f1abd5-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait smsc95xx.macaddr=00:11:32:B3:4D:F5

Next, let’s update the hostname. Enter:

sudo nano /etc/hosts

Now replace the entry next to 127.0.1.1 (raspberrypi) with your server name.  Think about what a real server might be called, such as FILESERVER or BACKUPSERVER.

Now enter:

sudo nano /etc/hostname

And replace the raspberrypi value with the same server name from the previous step.

Now reboot your device.  Remember that when it reboots it will likely have a different IP address, because your DHCP server won’t recognise it (due to the new MAC address) and will issue a new one:

sudo reboot -n

OpenCanary Installation

Install GIT

As we’ll be using GIT to clone the OpenCanary repository, let’s install it first:

sudo apt install git -y

Install Cryptography prerequisites

To avoid cryptography errors during the OpenCanary installation, be sure to install the Cryptography 3.0 prerequisites – this caused me a lot of headaches as I expected the OpenCanary installer to handle the Python dependencies:

sudo apt-get install build-essential libssl-dev libffi-dev python-dev -y

Install pip for Python 3:

sudo apt-get install python3-pip -y

Upgrade python setuptools using pip:

sudo pip3 install --upgrade setuptools

Install OpenCanary

Clone and Setup OpenCanary:

git clone https://github.com/thinkst/opencanary
cd opencanary
sudo python3 setup.py install

If you receive segmentation errors (such as “segmentation fault (core dumped)”) at the end of the canary install, reboot and run the above command again.

Install network add-ons

Install pcapy and scapy:

sudo pip3 install scapy pcapy

Fix opencanary.tac

As noted in the GitHub issue here, after installation there is sometimes an error resulting from the opencanary.tac file not being in the expected location, so we need to copy it manually (note that the script folder ‘scripts-3.7’ may change in future versions of OpenCanary as the preferred Python version changes):

sudo cp ./build/scripts-3.7/opencanary.tac /usr/local/bin/opencanary.tac

Next, run the following command to create a sample config file for your canary, which you can then edit:

opencanaryd --copyconfig

You should see a message saying something like:

A sample config file is ready (/etc/opencanaryd/opencanary.conf)

Then finally, run the canary with the following:

opencanaryd --start

You should see a message similar to the following:

pi@mckaydc1:~/opencanary $ opencanaryd --start
** We hope you enjoy using OpenCanary. For more open source Canary goodness, head over to canarytokens.org. **
[-] Failed to open opencanary.conf for reading ([Errno 2] No such file or directory: 'opencanary.conf')
[-] Failed to open /root/.opencanary.conf for reading ([Errno 2] No such file or directory: '/root/.opencanary.conf')
[-] Using config file: /etc/opencanaryd/opencanary.conf
{"dst_host": "", "dst_port": -1, "local_time": "2021-09-27 13:47:06.273029", "local_time_adjusted": "2021-09-27 14:47:06.273214", "logdata": {"msg": {"logdata": "Added service from class CanaryFTP in opencanary.modules.ftp to fake"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1, "utc_time": "2021-09-27 13:47:06.273173"}
{"dst_host": "", "dst_port": -1, "local_time": "2021-09-27 13:47:07.446767", "local_time_adjusted": "2021-09-27 14:47:07.447119", "logdata": {"msg": {"logdata": "Canary running!!!"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1, "utc_time": "2021-09-27 13:47:07.447045"}

Note the error that says “No such file or directory” – for some reason, despite OpenCanary itself copying a configuration file to /etc/opencanaryd/opencanary.conf, it still checks for one at /root/.opencanary.conf first.  If it doesn’t find one there, it displays the above error and then moves on to the copy at /etc/opencanaryd/opencanary.conf.

If you want to prevent this annoyance, simply copy the config file to /root/.opencanary.conf and use that one to configure your honey pot.

Change the SSH Port

If you want to leave SSH running on your honey pot for remote configuration, it’s probably a good idea to move it to a different port, as port 22 is an immediate target for attack.  To change the SSH port, do:

sudo nano /etc/ssh/sshd_config

In the nano editor that appears, delete the hash in front of the Port 22 line and change the port number.  So this:

#Port 22

should become this:

Port 65522

Reboot the device for the change to take effect:

sudo reboot now

Configuration

As mentioned in the confirmation message above, the configuration options for OpenCanary are stored in the file /etc/opencanaryd/opencanary.conf.

I’ve put a sample configuration for masquerading as a Synology NAS at the very bottom of this article.

To edit it, use your editor of choice; I use nano (the file is owned by root, so it needs sudo):

sudo nano /etc/opencanaryd/opencanary.conf

In here you can find multiple options for turning services on and off.

Install Samba

If you want your OpenCanary honey pot to mimic a Windows file server, we’ll need to enable the SMB protocol by installing Samba:

sudo apt install samba samba-common-bin

At one point you will be presented with a text-mode dialog asking “Modify smb.conf to use WINS settings from DHCP?”; answer No.

Rename the Samba configuration file (so we can always roll back to the original):

sudo mv /etc/samba/smb.conf /etc/samba/smb.conf_backup

Create a new configuration file:

sudo nano /etc/samba/smb.conf

Paste a configuration for SMB, I use something like the following:

[global]
workgroup = OFFICVLAN
server string = Synology Backup
netbios name = SYNOLOGY
dns proxy = no
log file = /var/log/samba/log.all
log level = 0
vfs object = full_audit
full_audit:prefix = %U|%I|%i|%m|%S|%L|%R|%a|%T|%D
full_audit:success = pread
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = notice
max log size = 100
panic action = /usr/share/samba/panic-action %d
#samba 4
server role = standalone server
#samba 3
#security = user
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = no
map to guest = bad user
usershare allow guests = yes
[myshare]
comment = Local Backup
path = /home/backups
guest ok = yes
read only = yes
browseable = yes

There is currently a quirk in OpenCanary where SMB printer sharing can self-trigger alerts, resulting in something like the following alert (notice the source and destination IP are both 127.0.0.1):

{"dst_host": "127.0.0.1", "dst_port": "631", "local_time": "2021-09-28 10:45:24.628126", "local_time_adjusted": "2021-09-28 11:45:24.628358", "logdata": {"DF": "", "ID": "29354", "IN": "lo", "LEN": "60", "MAC": "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "OUT": "", "PREC": "0x00", "PROTO": "TCP", "RES": "0x00", "SYN": "", "TOS": "0x00", "TTL": "64", "URGP": "0", "WINDOW": "65495"}, "logtype": 5001, "node_id": "opencanary-1", "src_host": "127.0.0.1", "src_port": "57366", "utc_time": "2021-09-28 10:45:24.628289"}

At the time of writing, this can be worked around by installing CUPS (Common UNIX Printing System), though it is likely to be fixed in future versions of OpenCanary.  To install CUPS:

sudo apt install cups
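Until that fix lands, a small triage script in front of your alert handler can drop the loopback self-trigger described above, along with OpenCanary’s startup chatter, while still alerting on real scans. The code below is an added example written for this article, not part of OpenCanary; the sample log lines are constructed to match the JSON shape shown above, and the CIDR-style ignore list is my own filter modelled on (but not identical to) the “ip.ignorelist” option.

```python
import json
from ipaddress import ip_address, ip_network

# logtype codes as seen in the OpenCanary output quoted in this article
LOGTYPE_NAMES = {1001: "info", 5001: "portscan-syn"}

# Constructed sample lines (not real captures), in the same shape as opencanary.log
SAMPLE_LOG = """\
{"dst_host": "", "dst_port": -1, "logdata": {"msg": {"logdata": "Canary running!!!"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1, "utc_time": "2021-09-27 13:47:07.447045"}
{"dst_host": "127.0.0.1", "dst_port": "631", "logdata": {"IN": "lo", "PROTO": "TCP", "SYN": ""}, "logtype": 5001, "node_id": "opencanary-1", "src_host": "127.0.0.1", "src_port": "57366", "utc_time": "2021-09-28 10:45:24.628289"}
{"dst_host": "192.168.1.50", "dst_port": "21", "logdata": {"IN": "eth0", "PROTO": "TCP", "SYN": ""}, "logtype": 5001, "node_id": "opencanary-1", "src_host": "192.168.1.77", "src_port": "41022", "utc_time": "2021-09-28 10:46:01.000000"}
{"dst_host": "192.168.1.50", "dst_port": "21", "logdata": {"IN": "eth0", "PROTO": "TCP", "SYN": ""}, "logtype": 5001, "node_id": "opencanary-1", "src_host": "192.168.1.10", "src_port": "41023", "utc_time": "2021-09-28 10:46:02.000000"}
"""

def is_loopback_self_trigger(event):
    """True for the printer-sharing quirk: a SYN from 127.0.0.1 to 127.0.0.1."""
    return (event.get("logtype") == 5001
            and event.get("src_host") == "127.0.0.1"
            and event.get("dst_host") == "127.0.0.1")

def should_alert(event, ignorelist=()):
    """Decide whether an event deserves a notification.

    ignorelist holds IP or CIDR strings (e.g. your own scanner host) whose
    source addresses are dropped silently; this is a hypothetical filter,
    not OpenCanary's own ip.ignorelist handling.
    """
    if event.get("logtype") == 1001:      # startup/info chatter, never an alert
        return False
    if is_loopback_self_trigger(event):
        return False
    src = event.get("src_host") or ""
    if src:
        addr = ip_address(src)
        if any(addr in ip_network(net, strict=False) for net in ignorelist):
            return False
    return True

def triage(log_text, ignorelist=()):
    """Parse newline-delimited JSON events and return those worth alerting on."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if should_alert(event, ignorelist):
            alerts.append({"kind": LOGTYPE_NAMES.get(event["logtype"], "unknown"),
                           "src": event["src_host"],
                           "dst_port": str(event["dst_port"]),
                           "time": event["utc_time"]})
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, ignorelist=["192.168.1.10/32"]):
        print(alert)
```

Run against the sample, the loopback event and the 1001 line are dropped and only the scan from 192.168.1.77 is reported; remove the ignore list and the 192.168.1.10 scan is reported too.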

Email Notifications

One of the most common means of getting notifications from a remote OpenCanary is via email, which is configured in the /etc/opencanaryd/opencanary.conf file using the format below (add this to the handlers section):

"SMTP": {
"class": "logging.handlers.SMTPHandler",
"mailhost": ["smtp.gmail.com", 587],
"fromaddr": "johndoe@gmail.com",
"toaddrs" : ["securityalerts@bobmckay.com"],
"subject" : "OpenCanary Alert at home!",
"credentials" : ["johndoe@gmail.com", "YOURAPPLICATIONPASSWORD"],
"secure" : []
}

At the time of writing, both Office 365 and Gmail require the use of an application password for SMTP connections (Gmail instructions here, Office 365 instructions here).

Summary

Once completed, you can try logging in to services on the device’s IP address (FTP, HTTP, etc.) or use a network scanner (I simply used Fing on my phone) to do a network scan and a port scan of the device.

Any of these should then trigger alerts based on your “handler” options (mine currently sends to email and writes to a log file).

Making it Autostart

In order to have the OpenCanary service start automatically on boot, we need to create a systemd unit file for it:

sudo nano /etc/systemd/system/opencanary.service

Then give it a configuration:

[Unit]
Description=OpenCanary
After=syslog.target
After=network.target

[Service]
User=root
Restart=always
WorkingDirectory=/home/pi/opencanary
# setup.py install (above) places opencanaryd in /usr/local/bin; --dev keeps it
# in the foreground so systemd can supervise and restart it
ExecStart=/usr/local/bin/opencanaryd --dev

[Install]
WantedBy=multi-user.target

Now we need to enable the service:

sudo systemctl enable opencanary.service
sudo systemctl start opencanary.service

We can check the service status by running:

systemctl status opencanary.service

Sample Configuration 1: Synology NAS

By popular demand, I’ve posted my full Synology NAS configuration here and will post others if I create them:

{
"device.node_id": "opencanary-1",
"ip.ignorelist": [ ],
"git.enabled": false,
"git.port" : 9418,
"ftp.enabled": true,
"ftp.port": 21,
"ftp.banner": "FTP server ready",
"http.banner": "Apache/2.2.22 (Ubuntu)",
"http.enabled": true,
"http.port": 80,
"http.skin": "nasLogin",
"httpproxy.enabled" : false,
"httpproxy.port": 8080,
"httpproxy.skin": "squid",
"logger": {
"class": "PyLogger",
"kwargs": {
"formatters": {
"plain": {
"format": "%(message)s"
},
"syslog_rfc": {
"format": "opencanaryd[%(process)-5s:%(thread)d]: %(name)s %(levelname)-5s %(message)s"
}
},
"handlers": {
"console": {
"class": "logging.StreamHandler",
"stream": "ext://sys.stdout"
},
"file": {
"class": "logging.FileHandler",
"filename": "/var/tmp/opencanary.log"
},
"SMTP": {
"class": "logging.handlers.SMTPHandler",
"mailhost": ["smtp.gmail.com", 587],
"fromaddr": "myalerts@gmail.com",
"toaddrs" : ["securityalerts@bobmckay.com"],
"subject" : "OpenCanary Alert",
"credentials" : ["myalerts@gmail.com", "ruysdsdasddfdyexf"],
"secure" : []
}
}
}
},
"portscan.enabled": true,
"portscan.ignore_localhost": false,
"portscan.logfile":"/var/log/kern.log",
"portscan.synrate": 5,
"portscan.nmaposrate": 5,
"portscan.lorate": 3,
"smb.auditfile": "/var/log/samba/log.all",
"smb.enabled": true,
"mysql.enabled": false,
"mysql.port": 3306,
"mysql.banner": "5.5.43-0ubuntu0.14.04.1",
"ssh.enabled": false,
"ssh.port": 22,
"ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",
"redis.enabled": false,
"redis.port": 6379,
"rdp.enabled": false,
"rdp.port": 3389,
"sip.enabled": false,
"sip.port": 5060,
"snmp.enabled": false,
"snmp.port": 161,
"ntp.enabled": false,
"ntp.port": 123,
"tftp.enabled": false,
"tftp.port": 69,
"tcpbanner.maxnum":10,
"tcpbanner.enabled": false,
"tcpbanner_1.enabled": false,
"tcpbanner_1.port": 8001,
"tcpbanner_1.datareceivedbanner": "",
"tcpbanner_1.initbanner": "",
"tcpbanner_1.alertstring.enabled": false,
"tcpbanner_1.alertstring": "",
"tcpbanner_1.keep_alive.enabled": false,
"tcpbanner_1.keep_alive_secret": "",
"tcpbanner_1.keep_alive_probes": 11,
"tcpbanner_1.keep_alive_interval":300,
"tcpbanner_1.keep_alive_idle": 300,
"telnet.enabled": false,
"telnet.port": 23,
"telnet.banner": "",
"telnet.honeycreds": [
{
"username": "admin",
"password": "$pbkdf2-sha512$12020$bG1NaX3xvjdGyBlj7R22Xw$dGrmBqqWa1okTCpN4QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7SASvnQr8.LTzqTm6awC8Kj/aGKvwA"
},
{
"username": "admin",
"password": "admin1"
}
],
"mssql.enabled": false,
"mssql.version": "2012",
"mssql.port":1433,
"vnc.enabled": false,
"vnc.port":5000
}

Bob McKay

About Bob McKay

Bob is Director of Operations at Perfect Image, a full time father and husband, part-time tinkerer-with-wires, coder, Muay Thai practitioner, builder and cook. Loves love, tolerance and co-existance. Hates hate. Is aware of the irony of hating hate.
