OpenCanary Cheatsheet¶
OpenCanary is a daemon that runs canary services, which trigger on (ab)use. It's designed to be triggered by unknown users on your network, providing early warning of potential intrusions. OpenCanary creates honeypots that appear as legitimate services but alert administrators when accessed by unauthorized users.
## Installation and Setup
### Ubuntu/Debian Installation
**Package Installation:**
**From Source:**
### Configuration
**Generate Default Configuration:**
**Basic Configuration:**
## Service Configuration
### SSH Honeypot
**SSH Configuration:**
**Custom SSH Banner:**
### HTTP/HTTPS Honeypot
**HTTP Configuration:**
**Available HTTP Skins:**
**HTTPS Configuration:**
### SMB Honeypot
**SMB Configuration:**
**SMB Shares Configuration:**
### Database Honeypots
**MySQL Configuration:**
**MSSQL Configuration:**
**Redis Configuration:**
### Network Service Honeypots
**Telnet Configuration:**
**FTP Configuration:**
**SNMP Configuration:**
## Advanced Configuration
### Port Scan Detection
**Port Scan Configuration:**
### Custom TCP Banner
**TCP Banner Configuration:**
### Logging Configuration
**Advanced Logging:**
## Running OpenCanary
### Manual Execution
**Start OpenCanary:**
**Stop OpenCanary:**
### Service Management
**Systemd Service:**
**Init Script (SysV):**
## Monitoring and Alerting
### Log Analysis
**Parse OpenCanary Logs:**
**Log Format Examples:**
### SIEM Integration
**Syslog Integration:**
**Splunk Integration:**
**ELK Stack Integration:**
### Alerting Scripts
**Email Alerts:**
**Slack Integration:**
## Security Considerations
### Network Placement
**DMZ Deployment:**
**Internal Network Deployment:**
### Hardening
**System Hardening:**
**SSL/TLS Configuration:**
## Troubleshooting
### Common Issues
**Port Binding Problems:**
**Permission Issues:**
**Service Startup Issues:**
### Debugging
**Enable Debug Logging:**
**Test Individual Services:**
**Network Testing:**
# Update package list
sudo apt update
# Install dependencies
sudo apt install python3-dev python3-pip python3-virtualenv python3-venv python3-scapy libssl-dev libpcap-dev
# Create virtual environment
python3 -m venv opencanary-env
source opencanary-env/bin/activate
# Install OpenCanary
pip install opencanary
# Install additional dependencies for specific services
pip install scapy pcapy-ng
# Verify installation
opencanaryd --help
# Clone repository
git clone https://github.com/thinkst/opencanary.git
cd opencanary
# Create virtual environment
python3 -m venv venv
source venv/bin/activate
# Install dependencies
pip install -r requirements.txt
# Install OpenCanary
python setup.py install
# Verify installation
opencanaryd --version
# Create configuration directory
sudo mkdir -p /etc/opencanary
# Generate default configuration
opencanaryd --copyconfig
# Copy to system location
sudo cp ~/.opencanary.conf /etc/opencanary/opencanary.conf
# Set proper permissions
sudo chown root:root /etc/opencanary/opencanary.conf
sudo chmod 644 /etc/opencanary/opencanary.conf
\\\\{
"device.node_id": "opencanary-1",
"device.name": "Production Server",
"device.description": "Honeypot canary",
"git.enabled": false,
"git.port": 9418,
"ftp.enabled": true,
"ftp.port": 21,
"ftp.banner": "FTP server ready",
"http.enabled": true,
"http.port": 80,
"http.banner": "Apache/2.2.22",
"http.skin": "nasLogin",
"httpproxy.enabled": false,
"httpproxy.port": 8080,
"httpproxy.skin": "squid",
"httpsProxy.enabled": false,
"httpsProxy.port": 8443,
"logger": \\\\{
"class": "PyLogger",
"kwargs": \\\\{
"formatters": \\\\{
"plain": \\\\{
"format": "%(asctime)s %(name)s: %(message)s"
\\\\}
\\\\},
"handlers": \\\\{
"console": \\\\{
"class": "logging.StreamHandler",
"stream": "ext://sys.stdout"
\\\\},
"file": \\\\{
"class": "logging.FileHandler",
"filename": "/var/log/opencanary.log"
\\\\}
\\\\}
\\\\}
\\\\},
"portscan.enabled": true,
"portscan.ignore_localhost": false,
"smb.enabled": true,
"smb.auditfile": "/var/log/opencanary-audit.log",
"smb.domain": "corp.company.com",
"mysql.enabled": true,
"mysql.port": 3306,
"mysql.banner": "5.5.43-0ubuntu0.14.04.1",
"ssh.enabled": true,
"ssh.port": 22,
"ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",
"redis.enabled": false,
"redis.port": 6379,
"rdp.enabled": false,
"rdp.port": 3389,
"sip.enabled": false,
"sip.port": 5060,
"snmp.enabled": false,
"snmp.port": 161,
"ntp.enabled": true,
"ntp.port": 123,
"tftp.enabled": false,
"tftp.port": 69,
"tcpbanner.maxnum": 10,
"tcpbanner.enabled": false,
"tcpbanner_1.enabled": false,
"tcpbanner_1.port": 8001,
"tcpbanner_1.datareceivedbanner": "",
"tcpbanner_1.initbanner": "",
"tcpbanner_1.alertstring.enabled": false,
"tcpbanner_1.alertstring": "",
"tcpbanner_1.keep_alive.enabled": false,
"tcpbanner_1.keep_alive_secret": "",
"tcpbanner_1.keep_alive_probes": 11,
"tcpbanner_1.keep_alive_idle": 300,
"tcpbanner_1.keep_alive_interval": 300,
"telnet.enabled": true,
"telnet.port": 23,
"telnet.banner": "",
"telnet.honeycreds": [
\\\\{
"username": "admin",
"password": "$pbkdf2-sha512$19000$bG1NaY3xvlRMwcplEs8u9w$dqK6J8UfzSXK6lZaFXJVUd.nVHLOdlVwIWaLxKqurLx6XRgRHMKe4lhDtdY8DwlnWqBJSEJyXP8RQOmvKjgdPw"
\\\\}
],
"mssql.enabled": false,
"mssql.version": "2012",
"mssql.port": 1433,
"vnc.enabled": false,
"vnc.port": 5900
\\\\}
\\\\{
"ssh.enabled": true,
"ssh.port": 22,
"ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",
"ssh.listen_addr": "0.0.0.0"
\\\\}
# Create custom SSH banner
sudo tee /etc/opencanary/ssh_banner.txt << EOF
Welcome to Production Database Server
Unauthorized access is prohibited
All connections are logged and monitored
EOF
# Update configuration
\\\\{
"ssh.enabled": true,
"ssh.port": 22,
"ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",
"ssh.banner": "/etc/opencanary/ssh_banner.txt"
\\\\}
\\\\{
"http.enabled": true,
"http.port": 80,
"http.banner": "Apache/2.2.22 (Ubuntu)",
"http.skin": "nasLogin",
"http.listen_addr": "0.0.0.0"
\\\\}
# Login page skins
"http.skin": "basicLogin" # Basic login form
"http.skin": "nasLogin" # NAS device login
"http.skin": "sindLogin" # Synology login
"http.skin": "meraki" # Cisco Meraki login
"http.skin": "ubnt" # Ubiquiti login
# Custom skin directory
"http.skin": "custom",
"http.skindir": "/etc/opencanary/skins/"
\\\\{
"https.enabled": true,
"https.port": 443,
"https.banner": "Apache/2.2.22 (Ubuntu)",
"https.skin": "nasLogin",
"https.cert": "/etc/opencanary/cert.pem",
"https.key": "/etc/opencanary/key.pem"
\\\\}
\\\\{
"smb.enabled": true,
"smb.auditfile": "/var/log/opencanary-audit.log",
"smb.domain": "WORKGROUP",
"smb.serverName": "FILESERVER",
"smb.netbiosName": "FILESERVER",
"smb.workgroup": "WORKGROUP"
\\\\}
\\\\{
"smb.enabled": true,
"smb.shares": [
\\\\{
"name": "Documents",
"comment": "Shared Documents",
"path": "/tmp/documents",
"readonly": true
\\\\},
\\\\{
"name": "Backup",
"comment": "Backup Files",
"path": "/tmp/backup",
"readonly": false
\\\\}
]
\\\\}
\\\\{
"mysql.enabled": true,
"mysql.port": 3306,
"mysql.banner": "5.5.43-0ubuntu0.14.04.1",
"mysql.listen_addr": "0.0.0.0"
\\\\}
\\\\{
"mssql.enabled": true,
"mssql.version": "2012",
"mssql.port": 1433,
"mssql.listen_addr": "0.0.0.0"
\\\\}
\\\\{
"telnet.enabled": true,
"telnet.port": 23,
"telnet.banner": "Welcome to Cisco Router",
"telnet.honeycreds": [
\\\\{
"username": "admin",
"password": "admin123"
\\\\},
\\\\{
"username": "cisco",
"password": "cisco"
\\\\}
]
\\\\}
\\\\{
"ftp.enabled": true,
"ftp.port": 21,
"ftp.banner": "FTP server ready",
"ftp.listen_addr": "0.0.0.0"
\\\\}
\\\\{
"portscan.enabled": true,
"portscan.ignore_localhost": false,
"portscan.ports": [22, 23, 80, 443, 3389, 5900],
"portscan.logfile": "/var/log/opencanary-portscan.log"
\\\\}
\\\\{
"tcpbanner.maxnum": 10,
"tcpbanner.enabled": true,
"tcpbanner_1.enabled": true,
"tcpbanner_1.port": 8001,
"tcpbanner_1.datareceivedbanner": "Welcome to Custom Service",
"tcpbanner_1.initbanner": "Custom Service v1.0",
"tcpbanner_1.alertstring.enabled": true,
"tcpbanner_1.alertstring": "ADMIN",
"tcpbanner_1.keep_alive.enabled": true,
"tcpbanner_1.keep_alive_secret": "keepalive123",
"tcpbanner_1.keep_alive_probes": 11,
"tcpbanner_1.keep_alive_idle": 300,
"tcpbanner_1.keep_alive_interval": 300
\\\\}
\\\\{
"logger": \\\\{
"class": "PyLogger",
"kwargs": \\\\{
"formatters": \\\\{
"plain": \\\\{
"format": "%(asctime)s %(name)s[%(process)d]: %(levelname)s %(message)s"
\\\\},
"syslog": \\\\{
"format": "opencanary[%(process)d]: %(name)s %(levelname)s %(message)s"
\\\\}
\\\\},
"handlers": \\\\{
"console": \\\\{
"class": "logging.StreamHandler",
"stream": "ext://sys.stdout",
"formatter": "plain"
\\\\},
"file": \\\\{
"class": "logging.handlers.RotatingFileHandler",
"filename": "/var/log/opencanary.log",
"maxBytes": 10485760,
"backupCount": 5,
"formatter": "plain"
\\\\},
"syslog": \\\\{
"class": "logging.handlers.SysLogHandler",
"address": ["localhost", 514],
"facility": "local0",
"formatter": "syslog"
\\\\}
\\\\},
"loggers": \\\\{
"opencanary": \\\\{
"level": "INFO",
"handlers": ["console", "file", "syslog"]
\\\\},
"twisted": \\\\{
"level": "ERROR",
"handlers": ["file"]
\\\\}
\\\\}
\\\\}
\\\\}
\\\\}
# Start with default configuration
opencanaryd --start
# Start with custom configuration
opencanaryd --start --config=/etc/opencanary/opencanary.conf
# Start in foreground (for debugging)
opencanaryd --dev
# Start with specific log level
opencanaryd --start --logLevel=DEBUG
# Create systemd service file
sudo tee /etc/systemd/system/opencanary.service << EOF
[Unit]
Description=OpenCanary Honeypot
After=network.target
[Service]
Type=forking
User=nobody
Group=nogroup
ExecStart=/usr/local/bin/opencanaryd --start --config=/etc/opencanary/opencanary.conf
ExecStop=/usr/local/bin/opencanaryd --stop
PIDFile=/var/run/opencanary.pid
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
EOF
# Enable and start service
sudo systemctl enable opencanary
sudo systemctl start opencanary
# Check service status
sudo systemctl status opencanary
# Create init script
sudo tee /etc/init.d/opencanary << 'EOF'
#!/bin/bash
### BEGIN INIT INFO
# Provides: opencanary
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: OpenCanary Honeypot
# Description: OpenCanary Honeypot Service
### END INIT INFO
DAEMON="opencanaryd"
CONFIG="/etc/opencanary/opencanary.conf"
USER="nobody"
case "$1" in
start)
echo "Starting OpenCanary..."
su - $USER -c "$DAEMON --start --config=$CONFIG"
;;
stop)
echo "Stopping OpenCanary..."
su - $USER -c "$DAEMON --stop"
;;
restart)
$0 stop
sleep 2
$0 start
;;
status)
if pgrep -f $DAEMON > /dev/null; then
echo "OpenCanary is running"
else
echo "OpenCanary is not running"
fi
;;
*)
echo "Usage: $0 \\\\{start|stop|restart|status\\\\}"
exit 1
;;
esac
exit 0
EOF
# Make executable and enable
sudo chmod +x /etc/init.d/opencanary
sudo update-rc.d opencanary defaults
# View recent alerts
tail -f /var/log/opencanary.log
# Filter by service
grep "ssh" /var/log/opencanary.log
grep "http" /var/log/opencanary.log
grep "smb" /var/log/opencanary.log
# Extract source IPs
grep -oP 'src_host=\K[^,]*' /var/log/opencanary.log|sort|uniq -c|sort -nr
# Count alerts by service
grep -oP 'logtype=\K[^,]*' /var/log/opencanary.log|sort|uniq -c|sort -nr
# Extract failed login attempts
grep "login" /var/log/opencanary.log|grep -oP 'username=\K[^,]*'|sort|uniq -c
# SSH connection attempt
2023-01-15 10:30:45,123 opencanary[1234]: INFO Received SSH connection from 192.168.1.100:54321
# HTTP access
2023-01-15 10:31:12,456 opencanary[1234]: INFO HTTP request from 192.168.1.100 for /admin
# SMB connection
2023-01-15 10:32:05,789 opencanary[1234]: INFO SMB connection from 192.168.1.100
# Port scan detection
2023-01-15 10:33:30,012 opencanary[1234]: INFO Port scan detected from 192.168.1.100
# Configure rsyslog to forward OpenCanary logs
sudo tee /etc/rsyslog.d/50-opencanary.conf ``<< EOF
# OpenCanary logs
local0.* @@siem.company.com:514
local0.* /var/log/opencanary-syslog.log
EOF
# Restart rsyslog
sudo systemctl restart rsyslog
# Splunk Universal Forwarder configuration
# /opt/splunkforwarder/etc/apps/opencanary/local/inputs.conf
[monitor:///var/log/opencanary.log]
disabled = false
index = security
sourcetype = opencanary
host = honeypot-01
# Splunk search examples
index=security sourcetype=opencanary
|stats count by src_host, logtype
|sort -count
index=security sourcetype=opencanary logtype=ssh
|eval hour=strftime(_time, "%H")
|stats count by hour
|sort hour
# Filebeat configuration
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/opencanary.log
fields:
logtype: opencanary
fields_under_root: true
output.elasticsearch:
hosts: ["elasticsearch:9200"]
index: "opencanary-%\\\{+yyyy.MM.dd\\\}"
# Logstash filter
filter \\\{
if [logtype] == "opencanary" \\\{
grok \\\{
match =>`` \\\\{
"message" => "%\\\\{TIMESTAMP_ISO8601:timestamp\\\\} %\\\\{WORD:service\\\\}\[%\\\\{NUMBER:pid\\\\}\]: %\\\\{LOGLEVEL:level\\\\} %\\\\{GREEDYDATA:event_data\\\\}"
\\\\}
\\\\}
if "src_host=" in [event_data] \\\\{
grok \\\\{
match => \\\\{
"event_data" => "src_host=%\\\\{IP:src_ip\\\\}"
\\\\}
\\\\}
\\\\}
date \\\\{
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
\\\\}
\\\\}
\\\\}
#!/usr/bin/env python3
import re
import smtplib
import subprocess
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
def send_alert(subject, body, to_email):
"""Send email alert"""
smtp_server = "smtp.company.com"
smtp_port = 587
from_email = "alerts@company.com"
password = "your_password"
msg = MIMEMultipart()
msg['From'] = from_email
msg['To'] = to_email
msg['Subject'] = subject
msg.attach(MIMEText(body, 'plain'))
server = smtplib.SMTP(smtp_server, smtp_port)
server.starttls()
server.login(from_email, password)
text = msg.as_string()
server.sendmail(from_email, to_email, text)
server.quit()
def monitor_opencanary_log():
"""Monitor OpenCanary log for new alerts"""
log_file = "/var/log/opencanary.log"
# Use tail to follow log file
process = subprocess.Popen(['tail', '-F', log_file],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
while True:
line = process.stdout.readline().decode('utf-8').strip()
if line:
# Parse log entry
if "ssh" in line.lower() or "http" in line.lower():
# Extract source IP
ip_match = re.search(r'(\d+\.\d+\.\d+\.\d+)', line)
if ip_match:
src_ip = ip_match.group(1)
# Send alert
subject = f"OpenCanary Alert: Activity from \\\\{src_ip\\\\}"
body = f"OpenCanary detected activity:\n\n\\\\{line\\\\}"
send_alert(subject, body, "security@company.com")
if __name__ == "__main__":
monitor_opencanary_log()
#!/usr/bin/env python3
import json
import requests
import subprocess
import re
def send_slack_alert(webhook_url, message):
"""Send alert to Slack"""
payload = \\\\{
"text": message,
"username": "OpenCanary",
"icon_emoji": ":warning:"
\\\\}
response = requests.post(webhook_url, json=payload)
return response.status_code == 200
def monitor_and_alert():
"""Monitor OpenCanary and send Slack alerts"""
webhook_url = "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
log_file = "/var/log/opencanary.log"
process = subprocess.Popen(['tail', '-F', log_file],
stdout=subprocess.PIPE)
while True:
line = process.stdout.readline().decode('utf-8').strip()
if line and ("ssh" in line.lower() or "http" in line.lower()):
# Extract details
ip_match = re.search(r'(\d+\.\d+\.\d+\.\d+)', line)
service_match = re.search(r'(ssh|http|smb|ftp)', line.lower())
if ip_match and service_match:
src_ip = ip_match.group(1)
service = service_match.group(1).upper()
message = f":warning: *OpenCanary Alert*\n" \
f"Service: \\\\{service\\\\}\n" \
f"Source IP: \\\\{src_ip\\\\}\n" \
f"Time: \\\\{line.split()[0]\\\\} \\\\{line.split()[1]\\\\}"
send_slack_alert(webhook_url, message)
if __name__ == "__main__":
monitor_and_alert()
# Place OpenCanary in DMZ
# Configure firewall rules to allow specific traffic
# Allow SSH from management network
iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
# Allow HTTP/HTTPS from internet
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Log and drop everything else
iptables -A INPUT -j LOG --log-prefix "CANARY-DROP: "
iptables -A INPUT -j DROP
# Deploy multiple canaries in different network segments
# Segment 1: 192.168.1.0/24 (User network)
# Segment 2: 192.168.10.0/24 (Server network)
# Segment 3: 192.168.100.0/24 (Management network)
# Configure different services per segment
# User network: HTTP, SMB, SSH
# Server network: MySQL, MSSQL, Redis
# Management network: SNMP, Telnet, SSH
# Create dedicated user
sudo useradd -r -s /bin/false opencanary
# Set file permissions
sudo chown -R opencanary:opencanary /etc/opencanary/
sudo chmod 600 /etc/opencanary/opencanary.conf
# Disable unnecessary services
sudo systemctl disable apache2
sudo systemctl disable mysql
sudo systemctl disable ssh
# Configure firewall
sudo ufw enable
sudo ufw default deny incoming
sudo ufw allow from 10.0.0.0/8 to any port 22
# Generate SSL certificate for HTTPS honeypot
openssl req -x509 -newkey rsa:4096 -keyout /etc/opencanary/key.pem \
-out /etc/opencanary/cert.pem -days 365 -nodes \
-subj "/C=US/ST=State/L=City/O=Organization/CN=honeypot.local"
# Set proper permissions
sudo chown opencanary:opencanary /etc/opencanary/*.pem
sudo chmod 600 /etc/opencanary/*.pem
# Check if ports are already in use
sudo netstat -tlnp|grep :22
sudo netstat -tlnp|grep :80
# Kill conflicting processes
sudo systemctl stop ssh
sudo systemctl stop apache2
# Use alternative ports
\\\\{
"ssh.port": 2222,
"http.port": 8080
\\\\}
# Fix log file permissions
sudo touch /var/log/opencanary.log
sudo chown opencanary:opencanary /var/log/opencanary.log
sudo chmod 644 /var/log/opencanary.log
# Fix configuration permissions
sudo chown opencanary:opencanary /etc/opencanary/opencanary.conf
sudo chmod 600 /etc/opencanary/opencanary.conf
# Check service status
sudo systemctl status opencanary
# View service logs
sudo journalctl -u opencanary -f
# Debug configuration
opencanaryd --dev --config=/etc/opencanary/opencanary.conf
# Validate configuration
python3 -c "import json; json.load(open('/etc/opencanary/opencanary.conf'))"
\\\\{
"logger": \\\\{
"class": "PyLogger",
"kwargs": \\\\{
"loggers": \\\\{
"opencanary": \\\\{
"level": "DEBUG",
"handlers": ["console", "file"]
\\\\}
\\\\}
\\\\}
\\\\}
\\\\}
This comprehensive OpenCanary cheatsheet covers installation, configuration, service setup, monitoring, alerting, and security considerations for effective honeypot deployment and threat detection.