Setting Up OpenCanary (a Honeypot) Using Docker-Compose

Introduction

Most security controls try to keep attackers out; a honeypot is built to be found. OpenCanary is an open-source honeypot from Thinkst that emulates common network services on a host that has no legitimate users. Because nothing in a normal workflow should ever connect to it, any interaction with it is a strong indicator that someone is scanning or moving laterally inside the network.

Rather than implementing real services, OpenCanary listens on the ports of services such as SSH, Telnet, FTP, HTTP, MySQL and SMB, responds convincingly enough to draw a login attempt or a file read, and logs the source address, the service and the credentials the attacker supplied. That gives a defender an early, low-noise alert and a record of the intruder's tooling and technique before any real asset is involved.

The Purpose of OpenCanary:

OpenCanary's primary job is to be a tripwire. A honeypot placed among real hosts looks like an easy target, and the first scan, login attempt or file read against it raises an alert that reveals an intruder who has already got past the perimeter. The decoy also absorbs some of the attacker's effort and shows the security team exactly what was tried, which feeds directly into detection rules and hardening on the production systems.

Key Benefits of OpenCanary:

  1. Early Threat Detection: A honeypot typically fires during reconnaissance or lateral movement, when an attacker is probing for anything reachable, so the team hears about an intrusion before data is touched.

  2. Behavioral Analysis: Because every service is emulated, each interaction is logged in full: which ports were scanned, which usernames and passwords were tried, which files were opened. Those details show what tooling and credentials the attacker is working with and can be turned into detection rules elsewhere on the network.

  3. Customization and Flexibility: Each emulated service can be enabled, disabled and re-skinned independently (the HTTP module can present a Synology NAS login page, the proxy module a Squid banner), so the decoy can be made to resemble the kind of host that would plausibly exist on a given network segment.

  4. Reduced False Positives: No legitimate workflow touches a honeypot, so nearly every alert is actionable. The main sources of noise are your own vulnerability scanners and backup jobs, which is why the configuration includes an ip.ignorelist for known-good sources.

  5. Cost-Effective Security: OpenCanary is free, open-source software that runs on modest hardware or, as shown below, in a container. Its service modules and alert handlers are plain Python, so they can be read, audited and extended without a vendor.

The rest of this article walks through deploying OpenCanary with Docker Compose: installing a Samba decoy share on the host whose audit log OpenCanary watches, moving the host's own SSH daemon off port 22, editing docker-compose.yml and .opencanary.conf, and starting and verifying the container.

Setting Up OpenCanary

Setup is straightforward. First clone the git repository onto the host. I keep services under /srv, so this article uses /srv/opencanary. Create the directory, hand it to your regular user and clone the repository into it:

sudo mkdir /srv/opencanary/
sudo chown 1000:1000 /srv/opencanary/ # Change 1000:1000 to the UID:GID of your primary user
cd /srv/opencanary/
git clone https://github.com/thinkst/opencanary.git
cd opencanary/

You should now have a clone of the OpenCanary repository. Two files in it need editing: docker-compose.yml and data/.opencanary.conf.

Before touching them, install Samba on the host with a dummy share. OpenCanary's SMB module does not emulate the protocol itself; it tails a Samba audit log, so a real smbd has to run on the host and write that log for the module to have anything to report.

Setting up Samba

To install Samba, run the following commands:

sudo apt install samba samba-common-bin

If you are presented with a screen asking whether to use WINS settings from DHCP, choose no. Next, rename the stock smb.conf so you can always roll back to the original:

sudo mv /etc/samba/smb.conf /etc/samba/smb.conf_backup

And finally, open the configuration file with your favorite editor, such as nano:

sudo nano  /etc/samba/smb.conf

Here is the configuration that we used to set up Samba. Paste this into smb.conf:

[global]
workgroup = OFFICVLAN
server string = Synology Backup
netbios name = SYNOLOGY
dns proxy = no
log file = /var/log/samba/log.all
log level = 0
vfs object = full_audit
full_audit:prefix = %U|%I|%i|%m|%S|%L|%R|%a|%T|%D
full_audit:success = pread
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = notice
max log size = 100
panic action = /usr/share/samba/panic-action %d
#samba 4
server role = standalone server
#samba 3
#security = user
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = no
map to guest = bad user
usershare allow guests = yes
[myshare]
comment = Local Backup
path = /home/backups
guest ok = yes
read only = yes
browseable = yes

A few details matter before this goes live. The share path /home/backups has to exist (create it and drop a few plausible-looking bait files into it), and smbd must be restarted after the configuration change. Only successful pread calls are audited (full_audit:success = pread), so an attacker who merely browses the share without opening a file leaves no record; add further operations, such as connect, to full_audit:success if you want earlier notice. By default vfs_full_audit sends its records to syslog (here facility local7, priority notice) rather than to the file named by log file, so check that audit lines actually arrive in the file you will later mount into the container; if they do not, either direct local7 to that file in rsyslog or set full_audit:syslog = no so the records land in Samba's own log.

At the time of writing, Samba's printer sharing can trigger self-alerts through this log. Installing CUPS (Common UNIX Printing System) silences them, though this is likely to be addressed in a future version of OpenCanary:

sudo apt install cups

Alternatively, disable printer sharing in the [global] section (load printers = no, printing = bsd, printcap name = /dev/null, disable spoolss = yes), which is the cleaner choice on a host that will never print.
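To make the audit format concrete, here is an added example (not OpenCanary's own smb module) that parses vfs_full_audit records laid out with the prefix configured above, %U|%I|%i|%m|%S|%L|%R|%a|%T|%D, and turns successful file reads into alert records, skipping clients on an ignore list and collapsing repeated reads of the same file. The syslog wrapper in front of each record and the sample lines are constructed assumptions for this example; the real lines on your host will differ in detail.

```python
"""Added example, not OpenCanary's code: parse Samba vfs_full_audit records
in the prefix layout used in smb.conf above and turn file reads into alerts.
The syslog wrapper ('Mon DD HH:MM:SS host smbd_audit:') and the sample
lines are assumptions constructed for this example."""
import re

# Field names, in the order of full_audit:prefix = %U|%I|%i|%m|%S|%L|%R|%a|%T|%D
PREFIX_FIELDS = ("user", "client_ip", "server_ip", "client_name", "share",
                 "server_name", "protocol", "client_arch", "timestamp", "domain")

# rsyslog-style line layout in front of the audit record (assumed).
SYSLOG_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+smbd_audit:\s+(?P<rec>.+)$"
)

# Constructed sample lines: an attacker at 10.0.0.23 reading a bait file twice,
# the legitimate backup host at 10.0.0.9, and an unrelated smbd line.
SAMPLE_LINES = [
    "Jan 14 10:02:11 canary smbd_audit: nobody|10.0.0.23|10.0.0.5|WS01|myshare|"
    "SYNOLOGY|SMB3_11|Vista|2024/01/14 10:02:11|WORKGROUP|pread|ok|Finance/passwords.xlsx",
    "Jan 14 10:02:12 canary smbd_audit: nobody|10.0.0.23|10.0.0.5|WS01|myshare|"
    "SYNOLOGY|SMB3_11|Vista|2024/01/14 10:02:12|WORKGROUP|pread|ok|Finance/passwords.xlsx",
    "Jan 14 10:05:40 canary smbd_audit: backup|10.0.0.9|10.0.0.5|NAS|myshare|"
    "SYNOLOGY|SMB3_11|Samba|2024/01/14 10:05:40|WORKGROUP|pread|ok|db.bak",
    "Jan 14 10:06:01 canary smbd[1234]: not an audit record at all",
]


def parse_record(line):
    """Return the audit record as a dict, or None for lines that are not audit records."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    parts = m.group("rec").split("|")
    n = len(PREFIX_FIELDS)
    if len(parts) < n + 2:          # prefix fields + operation + ok/fail at minimum
        return None
    rec = dict(zip(PREFIX_FIELDS, parts[:n]))
    rec["op"] = parts[n]            # VFS operation, e.g. pread
    rec["result"] = parts[n + 1]    # "ok" or "fail"
    rec["args"] = parts[n + 2:]     # operation arguments, e.g. the file path
    return rec


def audit_alerts(lines, ignore_ips=frozenset(), ops=("pread",)):
    """One alert per (client, share, file) for successful audited operations,
    skipping clients on the ignore list (your own backup hosts and scanners)."""
    alerts, seen = [], set()
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["client_ip"] in ignore_ips:
            continue
        if rec["op"] not in ops or rec["result"] != "ok":
            continue
        key = (rec["client_ip"], rec["share"], tuple(rec["args"]))
        if key in seen:             # collapse repeated reads of the same file
            continue
        seen.add(key)
        alerts.append({
            "src_host": rec["client_ip"],
            "dst_host": rec["server_ip"],
            "share": rec["share"],
            "user": rec["user"],
            "file": rec["args"][0] if rec["args"] else "",
            "when": rec["timestamp"],
        })
    return alerts


if __name__ == "__main__":
    for alert in audit_alerts(SAMPLE_LINES, ignore_ips={"10.0.0.9"}):
        print(alert)
```

Run it against your own audit file (one line per list element) to confirm that the records contain the fields you expect before you rely on the container to tail them; if parse_record returns None for every line, the syslog prefix or the full_audit:prefix differs from what is configured above.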

Next, move the host's own SSH daemon off port 22. The honeypot's SSH module will listen there, and because the compose file runs the container on the host's network stack the two cannot share the port. We will use 2222. If the host does not run an SSH server, skip this step.

Reconfiguring SSH

Edit our SSH configuration file using the command below:

sudo nano /etc/ssh/sshd_config

Uncomment the Port 22 line and change it to Port 2222. If the host runs a firewall, allow 2222 before restarting. Then restart the service (on Debian and Ubuntu the unit is named ssh, with sshd as an alias, so either name works):

sudo service sshd restart

Keep your current session open and confirm that a fresh connection on port 2222 succeeds before closing it, so that a typo in sshd_config cannot lock you out of the host.

Next up we will want to configure our docker-compose.yml file. 

Modifying the Docker-Compose.yml File

The only change needed in docker-compose.yml is to uncomment the Samba log bind mount and point its host side at the file from the Samba configuration, so that the container sees the audit log at the path .opencanary.conf expects in smb.auditfile:

- /var/log/samba/log.all:/var/log/samba-audit.log

Modifying the .opencanary.conf File

Finally, edit data/.opencanary.conf. The configuration below enables most of the emulated services (git and the generic TCP banner modules are left off), points the SMB module at the mounted audit file, logs events to stdout and to /var/tmp/opencanary.log, and sends email alerts through an SMTP relay. Note that smb.enabled must be true for the Samba audit file to be watched at all.

{
    "device.node_id": "opencanary-1",
    "ip.ignorelist": [  ],
    "logtype.ignorelist": [  ],
    "git.enabled": false,
    "git.port" : 9418,
    "ftp.enabled": true,
    "ftp.port": 21,
    "ftp.banner": "FTP server ready",
    "http.banner": "Apache/2.2.22 (Ubuntu)",
    "http.enabled": true,
    "http.port": 80,
    "http.skin": "nasLogin",
    "http.skin.list": [
        {
            "desc": "Plain HTML Login",
            "name": "basicLogin"
        },
        {
            "desc": "Synology NAS Login",
            "name": "nasLogin"
        }
    ],
    "https.enabled": true,
    "https.port": 443,
    "https.skin": "nasLogin",
    "https.certificate": "/etc/ssl/opencanary/opencanary.pem",
    "https.key": "/etc/ssl/opencanary/opencanary.key",
    "httpproxy.enabled" : true,
    "httpproxy.port": 8080,
    "httpproxy.skin": "squid",
    "httpproxy.skin.list": [
        {
            "desc": "Squid",
            "name": "squid"
        },
        {
            "desc": "Microsoft ISA Server Web Proxy",
            "name": "ms-isa"
        }
    ],
    "logger": {
        "class": "PyLogger",
        "kwargs": {
            "formatters": {
                "plain": {
                    "format": "%(message)s"
                },
                "syslog_rfc": {
                    "format": "opencanaryd[%(process)-5s:%(thread)d]: %(name)s %(levelname)-5s %(message)s"
                }
            },
            "handlers": {
                "console": {
                    "class": "logging.StreamHandler",
                    "stream": "ext://sys.stdout"
                },
                "file": {
                    "class": "logging.FileHandler",
                    "filename": "/var/tmp/opencanary.log"
                },
                "SMTP": {
                    "class": "logging.handlers.SMTPHandler",
                    "mailhost": ["smtp-relay.example.com", 587],
                    "fromaddr": "[from-address]",
                    "toaddrs" : ["[to-address]"],
                    "subject" : "OpenCanary Alert",
                    "credentials" : ["[username]", "[password]"],
                    "secure" : []
                }
            }
        }
    },
    "portscan.enabled": true,
    "portscan.ignore_localhost": false,
    "portscan.logfile":"/var/log/kern.log",
    "portscan.synrate": 5,
    "portscan.nmaposrate": 5,
    "portscan.lorate": 3,
    "portscan.ignore_ports": [ ],
    "smb.auditfile": "/var/log/samba-audit.log",
    "smb.enabled": true,
    "mysql.enabled": true,
    "mysql.port": 3306,
    "mysql.banner": "5.5.43-0ubuntu0.14.04.1",
    "ssh.enabled": true,
    "ssh.port": 22,
    "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",
    "redis.enabled": true,
    "redis.port": 6379,
    "rdp.enabled": true,
    "rdp.port": 3389,
    "sip.enabled": true,
    "sip.port": 5060,
    "snmp.enabled": true,
    "snmp.port": 161,
    "ntp.enabled": true,
    "ntp.port": 123,
    "tftp.enabled": true,
    "tftp.port": 69,
    "tcpbanner.maxnum":10,
    "tcpbanner.enabled": false,
    "tcpbanner_1.enabled": false,
    "tcpbanner_1.port": 8001,
    "tcpbanner_1.datareceivedbanner": "",
    "tcpbanner_1.initbanner": "",
    "tcpbanner_1.alertstring.enabled": false,
    "tcpbanner_1.alertstring": "",
    "tcpbanner_1.keep_alive.enabled": false,
    "tcpbanner_1.keep_alive_secret": "",
    "tcpbanner_1.keep_alive_probes": 11,
    "tcpbanner_1.keep_alive_interval":300,
    "tcpbanner_1.keep_alive_idle": 300,
    "telnet.enabled": true,
    "telnet.port": 23,
    "telnet.banner": "",
    "telnet.honeycreds": [
        {
            "username": "admin",
            "password": "$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA"
        },
        {
            "username": "admin",
            "password": "admin1"
        }
    ],
    "mssql.enabled": true,
    "mssql.version": "2012",
    "mssql.port":1433,
    "vnc.enabled": true,
    "vnc.port":5000
}

Replace the bracketed placeholders in the SMTP handler with the relay credentials, the sender address and the recipient list, and set the relay host for your environment. Confirm that smb.enabled is true; otherwise the Samba audit log mounted above is never read. The portscan module works by tailing the host's kernel log for the iptables LOG entries it relies on, so /var/log/kern.log must exist, be mounted into the container, and actually receive those entries, or the module will stay silent. Once the honeypot is running, add the addresses of your own vulnerability scanners and backup hosts to ip.ignorelist so that they do not generate alerts.
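Because a mistake in this file only shows up when the container fails to bind a port or the SMTP handler raises at alert time, it is worth checking the configuration before starting anything. The following is an added example, not part of OpenCanary: it lists the enabled modules and their ports, flags two modules claiming the same port, flags ports the host's own daemons still use (pass {2222} once SSH has been moved, or {22} if it has not), and catches bracketed SMTP placeholders that were never replaced. The embedded configuration is a constructed, shortened version of the one above with deliberate mistakes in it.

```python
"""Added example, not part of OpenCanary: a pre-flight check for
.opencanary.conf. The sample configuration is constructed and deliberately
contains an SSH port clash, two modules on 8080 and unreplaced placeholders."""
import json
import re

SERVICE_KEY = re.compile(r"^([a-z0-9_]+)\.enabled$")   # e.g. "ssh.enabled"
PLACEHOLDER = re.compile(r"^\[.*\]$")                   # e.g. "[username]"

SAMPLE_CONF = """
{
  "device.node_id": "opencanary-1",
  "ip.ignorelist": [],
  "ssh.enabled": true, "ssh.port": 22,
  "telnet.enabled": true, "telnet.port": 23,
  "httpproxy.enabled": true, "httpproxy.port": 8080,
  "tcpbanner.enabled": true,
  "tcpbanner_1.enabled": true, "tcpbanner_1.port": 8080,
  "tcpbanner_1.alertstring.enabled": false,
  "git.enabled": false, "git.port": 9418,
  "smb.enabled": true, "smb.auditfile": "/var/log/samba-audit.log",
  "logger": {"class": "PyLogger", "kwargs": {"handlers": {
    "SMTP": {"class": "logging.handlers.SMTPHandler",
             "mailhost": ["smtp-relay.example.com", 587],
             "fromaddr": "[from-address]", "toaddrs": ["[to-address]"],
             "credentials": ["[username]", "[password]"]}}}}
}
"""


def enabled_services(conf):
    """Map each enabled module to its listening port (None if it has no port key)."""
    services = {}
    for key, value in conf.items():
        m = SERVICE_KEY.match(key)
        if m and value is True:
            name = m.group(1)
            services[name] = conf.get(f"{name}.port")
    return services


def preflight(conf, host_ports=frozenset()):
    """Return human-readable findings; an empty list means nothing was found.
    host_ports: ports the host's own daemons still use, e.g. {2222} for SSH."""
    findings = []
    services = enabled_services(conf)

    # Port collisions: with the host, and between modules.
    by_port = {}
    for name, port in services.items():
        if port is None:
            continue
        by_port.setdefault(port, []).append(name)
        if port in host_ports:
            findings.append(f"{name} wants port {port}, which the host already uses")
    for port, names in by_port.items():
        if len(names) > 1:
            findings.append(f"port {port} is claimed by more than one module: {', '.join(names)}")

    # The SMB module only tails a file; without a path it can do nothing.
    if "smb" in services and not conf.get("smb.auditfile"):
        findings.append("smb is enabled but smb.auditfile is not set")

    # Placeholders left in any logging handler (host, addresses, credentials).
    handlers = conf.get("logger", {}).get("kwargs", {}).get("handlers", {})
    for hname, handler in handlers.items():
        for field, value in handler.items():
            values = value if isinstance(value, list) else [value]
            for v in values:
                if isinstance(v, str) and PLACEHOLDER.match(v):
                    findings.append(f"logger handler {hname}.{field} still holds placeholder {v}")
    return findings


if __name__ == "__main__":
    conf = json.loads(SAMPLE_CONF)
    for finding in preflight(conf, host_ports={22}):
        print("WARN:", finding)
```

Point json.loads at the real data/.opencanary.conf and the check doubles as a JSON syntax check, which matters because a stray trailing comma in this file stops the daemon before it listens on anything.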

Building OpenCanary and Starting the Docker Container

Now that everything is configured, start the service. Run the following from the directory containing docker-compose.yml (on newer Docker installs Compose ships as a plugin, in which case the command is docker compose without the hyphen). The emulated services bind low ports such as 21, 23, 80 and 443 directly on the host, so any other daemon already listening on one of them will stop the container from starting.

sudo docker-compose up --build -d stable

To confirm it is running, check the logs for errors such as a port that is already in use or a JSON parse failure in the configuration (add -f to follow the output live):

sudo docker-compose logs

Then test the tripwire from another machine: open a telnet or SSH connection to the honeypot and type a bogus username and password. Within a few seconds an event carrying your source address, the port and the credentials should appear in the log output and, if the SMTP handler is configured, in your inbox. Once you are done testing, the address of the test machine is a good first entry for ip.ignorelist.
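The "file" handler in the configuration above writes one JSON object per line to /var/tmp/opencanary.log, which is the most convenient place to look when an alert arrives. The following is an added example, not part of OpenCanary, that triages that file: it groups events per source address with the ports and credentials tried, drops the daemon's own boot and housekeeping messages, and skips sources on an ignore list. The sample events are constructed, and the logtype codes in LOGTYPE_NAMES are my reading of the constants in OpenCanary's logger module; check them against the installed version, since unknown codes are simply reported by number.

```python
"""Added example, not part of OpenCanary: triage the JSON-lines alert log
written by the "file" handler (/var/tmp/opencanary.log). Sample events are
constructed; LOGTYPE_NAMES is assumed from opencanary's logger constants."""
import json
from collections import defaultdict

LOGTYPE_NAMES = {          # assumed from opencanary/logger.py; verify locally
    2000: "ftp login", 3000: "http get", 3001: "http login",
    4000: "ssh connect", 4002: "ssh login", 5001: "port syn",
    6001: "telnet login", 8001: "mysql login",
}

# Constructed sample: a boot message, three credential attempts from one host
# against telnet and ssh, and a single web hit from another host.
SAMPLE_LOG = """
{"dst_host": "10.0.0.5", "dst_port": -1, "local_time": "2024-01-14 10:00:00.000", "logdata": {"msg": "Added service from class CanaryTelnet in opencanary.modules.telnet to fake"}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "10.0.0.5", "dst_port": 23, "local_time": "2024-01-14 10:02:30.100", "logdata": {"USERNAME": "admin", "PASSWORD": "admin"}, "logtype": 6001, "node_id": "opencanary-1", "src_host": "10.0.0.23", "src_port": 51514}
{"dst_host": "10.0.0.5", "dst_port": 23, "local_time": "2024-01-14 10:02:33.400", "logdata": {"USERNAME": "admin", "PASSWORD": "admin1"}, "logtype": 6001, "node_id": "opencanary-1", "src_host": "10.0.0.23", "src_port": 51515}
{"dst_host": "10.0.0.5", "dst_port": 22, "local_time": "2024-01-14 10:03:01.000", "logdata": {"USERNAME": "root", "PASSWORD": "toor"}, "logtype": 4002, "node_id": "opencanary-1", "src_host": "10.0.0.23", "src_port": 51600}
{"dst_host": "10.0.0.5", "dst_port": 80, "local_time": "2024-01-14 10:10:00.000", "logdata": {"PATH": "/", "USERAGENT": "curl/8.0"}, "logtype": 3000, "node_id": "opencanary-1", "src_host": "10.0.0.40", "src_port": 40001}
"""


def triage(lines, ignore_hosts=frozenset(), min_logtype=2000):
    """Group alert events by source host. Events with logtype below
    min_logtype are the daemon's own boot/housekeeping messages and are dropped."""
    report = defaultdict(lambda: {"events": 0, "ports": set(), "services": set(),
                                  "credentials": [], "first": None, "last": None})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue                        # half-written last line of a live log
        logtype = ev.get("logtype", 0)
        if logtype < min_logtype:
            continue
        src = ev.get("src_host") or ""
        if not src or src in ignore_hosts:
            continue
        entry = report[src]
        entry["events"] += 1
        entry["ports"].add(ev.get("dst_port"))
        entry["services"].add(LOGTYPE_NAMES.get(logtype, f"logtype {logtype}"))
        data = ev.get("logdata") or {}
        if "USERNAME" in data:              # login-style modules record the attempt
            entry["credentials"].append((data.get("USERNAME"), data.get("PASSWORD")))
        t = ev.get("local_time")
        entry["first"] = t if entry["first"] is None else min(entry["first"], t)
        entry["last"] = t if entry["last"] is None else max(entry["last"], t)
    return dict(report)


def ranked(report):
    """Source hosts ordered by event count, busiest first."""
    return sorted(((src, e["events"]) for src, e in report.items()), key=lambda x: -x[1])


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                   # e.g. python3 triage.py /var/tmp/opencanary.log
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    report = triage(lines)
    for src, n in ranked(report):
        e = report[src]
        print(f"{src}: {n} events, ports {sorted(e['ports'])}, "
              f"{sorted(e['services'])}, creds {e['credentials']}, "
              f"{e['first']} .. {e['last']}")
```

The credential list is often the most telling part of the output: a burst of vendor-default and reused passwords from one address is a scanner or a worm, while a single attempt with a password that belongs to a real account on your network means that credential is already in the attacker's hands.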

Conclusion

In conclusion, OpenCanary adds a layer of detection that perimeter controls do not provide. Because nothing legitimate should ever connect to the decoy, the first login attempt, scan or file read against it is a high-confidence signal that someone is inside the network and looking around, and the logged details (source address, service, credentials, files touched) tell the security team what the intruder is trying and with which tools.

The deployment above is small: a container, a Samba share and a few configuration edits. Its value comes from what is done afterwards: placing the honeypot where an attacker doing lateral movement would find it, keeping its banners and skins plausible for the segment it sits on, routing its alerts somewhere they will be acted on promptly, and tuning ip.ignorelist so that your own scanners and backup jobs do not drown the signal. As free, open-source software that runs on modest hardware, OpenCanary puts this kind of deception within reach of organizations that could not justify a commercial deception platform.
