OpenCanary: A Free, Flexible Distributed Honeypot
18 July 2019
When it comes to enterprise security, early detection of compromise is critical to launching an effective response. Many vendors sell ‘deception’ tools that behave much like a miner’s canary: an early indicator of Bad Things About To Happen.
Thankfully for the budget conscious, a number of open-source tools are available. In addition to their popular commercial offering, Thinkst provides an excellent open-source honeypot called OpenCanary. It’s easily deployed, heavily customisable, and can be scaled up to include as many honeypots as you could possibly need.
A honeypot essentially masquerades as a vulnerable service on your network, presenting a highly desirable target to a would-be attacker attempting lateral movement. Because no legitimate user or system has any reason to talk to it, any connection it receives is suspicious by definition, which keeps false positives close to zero. As soon as an attacker touches the honeypot, the security team are made aware of the behaviour, allowing them to put countermeasures in place, or simply monitor what the attacker does next.
Thinkst provides two components to this solution: the honeypot itself, and a correlator to, well, correlate the incoming events.
In my case, I didn’t want a correlator to send email or SMS alerts to our SOC directly. My ideal solution looked something like the below:
- Install OpenCanary on a number of Raspberry Pi devices across various network segments
- Forward events to a dedicated syslog server
- Monitor the syslog server using a Sumo Logic installed collector
- Configure Sumo Logic to alert security personnel as necessary
- Automate as much of the above as possible!
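The last two steps of that pipeline, turning forwarded events into alerts, are where a SOC spends its time. The following is an added example written for this post (not the author's script and not OpenCanary's own code) of the detection logic that would run on the syslog/Sumo Logic side: it pulls OpenCanary's JSON event out of each syslog line, maps the event's logtype to a name and severity, suppresses the canary's own housekeeping messages, and keeps count of lines it could not parse. It assumes RFC 3164-style syslog lines with the JSON event as the message body, and the logtype codes in the table are what I believe OpenCanary's logger.py uses; verify both against your deployment. The sample lines are constructed, not real captures.

```python
"""Turn OpenCanary events relayed over syslog into SOC alerts.

Added example for this post; not code from the post or from OpenCanary.
Assumptions (unconfirmed by the post): each syslog line carries OpenCanary's
JSON event as its message body, and the logtype codes below match the ones
in OpenCanary's logger.py. Check both against your own deployment.
"""
import json
import re
from collections import Counter

# Assumed OpenCanary logtype codes -> (event name, severity).
# Verify against opencanary/logger.py for the version you run.
LOGTYPES = {
    1000: ("boot", "info"),
    1004: ("ping", "info"),
    2000: ("ftp_login_attempt", "high"),
    3000: ("http_get", "medium"),
    3001: ("http_post_login_attempt", "high"),
    4000: ("ssh_new_connection", "medium"),
    4001: ("ssh_remote_version_sent", "low"),
    4002: ("ssh_login_attempt", "high"),
    5001: ("port_syn", "medium"),
    6001: ("telnet_login_attempt", "high"),
}
RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

# RFC 3164-style line: "<PRI>Mon DD HH:MM:SS host tag: {json}".
SYSLOG_RE = re.compile(
    r"^<\d{1,3}>\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+(?P<tag>[^:\s]+):\s*(?P<msg>\{.*)$"
)


def parse_line(line):
    """Return the OpenCanary event dict carried by one syslog line, or None
    when the line has no parseable JSON body (a UDP relay that truncates
    long messages is the usual cause)."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    try:
        event = json.loads(m.group("msg"))
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or "logtype" not in event:
        return None
    event["_relay_host"] = m.group("host")  # host field from the syslog header
    return event


def classify(event):
    """Map an event to (name, severity). Unknown codes stay visible at medium
    rather than being dropped: a canary you did not expect to hear from is
    still a canary talking."""
    code = event.get("logtype")
    return LOGTYPES.get(code, ("unknown_logtype_%s" % code, "medium"))


def build_alerts(lines, min_severity="medium"):
    """Parse syslog lines, discard events below min_severity, and return
    (alerts, stats). stats counts what was discarded and why, so a silent
    canary and a truncating relay both show up somewhere."""
    alerts, stats = [], Counter()
    for line in lines:
        event = parse_line(line)
        if event is None:
            stats["unparseable"] += 1
            continue
        name, severity = classify(event)
        if RANK[severity] < RANK[min_severity]:
            stats["suppressed_" + name] += 1
            continue
        alerts.append({
            "severity": severity,
            "event": name,
            "canary": event.get("node_id"),
            "src": "%s:%s" % (event.get("src_host"), event.get("src_port")),
            "dst": "%s:%s" % (event.get("dst_host"), event.get("dst_port")),
            "detail": event.get("logdata", {}),
        })
    return alerts, stats


# Constructed sample lines (not real captures): a boot message, an SSH login
# attempt, a SYN to a closed port, an HTTP form login, and one line cut off
# in transit.
SAMPLE_LINES = [
    '<13>Jul 18 09:01:02 canary-dmz opencanary: {"dst_host": "10.10.5.20", "dst_port": -1, '
    '"logdata": {"msg": "Canary running!!!"}, "logtype": 1000, "node_id": "canary-dmz", '
    '"src_host": "", "src_port": -1, "utc_time": "2019-07-18 09:01:02.000000"}',
    '<13>Jul 18 09:15:44 canary-dmz opencanary: {"dst_host": "10.10.5.20", "dst_port": 22, '
    '"logdata": {"USERNAME": "administrator", "PASSWORD": "Password1", '
    '"REMOTEVERSION": "SSH-2.0-OpenSSH_7.9"}, "logtype": 4002, "node_id": "canary-dmz", '
    '"src_host": "10.10.7.33", "src_port": 51522, "utc_time": "2019-07-18 09:15:44.000000"}',
    '<13>Jul 18 09:16:01 canary-dmz opencanary: {"dst_host": "10.10.5.20", "dst_port": 3389, '
    '"logdata": {"SYN": "", "PROTO": "TCP"}, "logtype": 5001, "node_id": "canary-dmz", '
    '"src_host": "10.10.7.33", "src_port": 51600, "utc_time": "2019-07-18 09:16:01.000000"}',
    '<13>Jul 18 09:20:30 canary-dmz opencanary: {"dst_host": "10.10.5.20", "dst_port": 80, '
    '"logdata": {"USERNAME": "admin", "PASSWORD": "admin", "PATH": "/index.html"}, '
    '"logtype": 3001, "node_id": "canary-dmz", "src_host": "10.10.7.33", "src_port": 51700, '
    '"utc_time": "2019-07-18 09:20:30.000000"}',
    '<13>Jul 18 09:21:00 canary-dmz opencanary: {"dst_host": "10.10.5.20", "dst_port": 21, '
    '"logdata": {"USERNAME": "anonymous", "PASSWORD": "gue',
]

if __name__ == "__main__":
    found, dropped = build_alerts(SAMPLE_LINES)
    for a in found:
        print("[%s] %s on %s from %s -> %s" % (
            a["severity"].upper(), a["event"], a["canary"], a["src"], a["dst"]))
    print("dropped:", dict(dropped))
```

Two design points carry over to whatever you build in Sumo Logic: the boot and ping messages are how you know a canary is alive, so they should feed a heartbeat check rather than a page, and unparseable lines deserve their own counter, because a truncating relay or a changed log format otherwise fails silently.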
Although the OpenCanary install process is very straightforward, there were some configuration tasks I didn’t want to have to repeat. Specifically:
- Set the device’s hostname
- Update the OS
- Configure unattended upgrades for OS and application patches
- Install dependencies
- Install and configure the canary software
- Create a systemd unit file to launch OpenCanary as a service
- Configure the canary to send alerts to a syslog server
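The last of those tasks is the one most worth seeing concretely, because getting it wrong yields a canary that detects attackers and tells no one. The following is an added example for this post, not the wrapper script itself and not OpenCanary's code: it takes a parsed opencanary.conf, adds a UDP SysLogHandler beside the default console and file handlers, sets the node ID the events will be tagged with, and offers a check that reports which syslog targets a config actually contains. It assumes, based on the default opencanary.conf as I understand it, that the file is JSON, that "logger.class" is "PyLogger", and that "logger.kwargs.handlers" is a Python logging dictConfig handler map; the DEFAULT_CONF below is a constructed stand-in for that file, and the syslog stanza's use of a two-element list for the address should be confirmed against your OpenCanary version.

```python
"""Add a syslog target to an opencanary.conf logger section.

Added example for this post; not the post's wrapper script and not
OpenCanary's own code. Assumptions, to check against the opencanary.conf
shipped with your version: the file is JSON, "logger.class" is "PyLogger",
and "logger.kwargs.handlers" is a logging.config.dictConfig handler map, so
a SysLogHandler entry can sit beside the default console and file handlers.
"""
import copy
import ipaddress
import json

# Constructed stand-in for the relevant part of a default opencanary.conf
# (the real file carries many more keys alongside these).
DEFAULT_CONF = {
    "device.node_id": "opencanary-1",
    "logger": {
        "class": "PyLogger",
        "kwargs": {
            "formatters": {"plain": {"format": "%(message)s"}},
            "handlers": {
                "console": {"class": "logging.StreamHandler",
                            "stream": "ext://sys.stdout"},
                "file": {"class": "logging.FileHandler",
                         "filename": "/var/tmp/opencanary.log"},
            },
        },
    },
}


def with_syslog_handler(conf, server_ip, port=514, facility="local0", node_id=None):
    """Return a copy of conf with a UDP SysLogHandler added and, if given,
    the node ID set. conf itself is not modified. Bad input raises
    ValueError, so a typo at the install prompt cannot quietly produce a
    canary that alerts nowhere."""
    ipaddress.ip_address(server_ip)              # ValueError if not an IP
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    if conf.get("logger", {}).get("class") != "PyLogger":
        raise ValueError("unexpected logger class; not a PyLogger config")
    new = copy.deepcopy(conf)
    handlers = new["logger"]["kwargs"].setdefault("handlers", {})
    # dictConfig hands these keys to logging.handlers.SysLogHandler(...).
    # JSON has no tuples, so the (host, port) address is written as a list;
    # confirm that your OpenCanary version accepts that before relying on it.
    handlers["syslog"] = {
        "class": "logging.handlers.SysLogHandler",
        "address": [server_ip, port],
        "facility": facility,
        "formatter": "plain",
    }
    if node_id:
        new["device.node_id"] = node_id
    return new


def syslog_targets(conf):
    """List the (host, port) pairs a config will send events to. Useful as a
    post-install check that the prompt answers actually landed in the file."""
    handlers = conf.get("logger", {}).get("kwargs", {}).get("handlers", {})
    return [tuple(h["address"]) for h in handlers.values()
            if h.get("class") == "logging.handlers.SysLogHandler"]


if __name__ == "__main__":
    # Hypothetical values: 192.0.2.10 is a documentation address, not a real server.
    conf = with_syslog_handler(DEFAULT_CONF, "192.0.2.10", 514, node_id="canary-dmz")
    print(json.dumps(conf["logger"]["kwargs"]["handlers"]["syslog"], indent=2))
    print("events go to:", syslog_targets(conf))
```

Setting a distinct node ID per canary matters more than it looks: it is the field that tells the SOC which segment was touched, and the default value is the same on every device you image.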
I wrote a simple bash script at the link below to achieve these tasks.
OpenCanary Install Wrapper
To install OpenCanary using the script above, first ensure you’ve got the following:
- A modern Ubuntu or Debian-based distribution
- An active network connection
Once you’re sure you’ve met the above basic requirements, begin the install process as below.
1. Run the below command:
curl -sSL https://smnbkly.co/opencanary-installer | sudo bash
Piping a remote script straight into a root shell means running whatever the server hands you, unread. The fetch is over HTTPS, so it at least cannot be tampered with in transit, but if you would rather see what it does first, download the script, read it, and then run it with sudo bash.
2. When prompted, provide the following:
- The hostname you want to use. Leave this blank if you don’t want to change it.
- The IP address of your syslog server
- The UDP port your syslog server is listening on (usually 514). Plain UDP syslog is unencrypted and unauthenticated, so have the receiver accept events only from the canaries’ addresses, and keep it on a management segment where you can.
3. The script will automatically reboot your device. Once it’s back up, verify that OpenCanary is running by issuing the following command:
systemctl status opencanary.service
If the output includes ‘Active: active (running)’, the installation was successful! That only proves the process is up, though. For an end-to-end check, touch one of the emulated services from another host (an SSH login attempt against the canary will do) and confirm that the resulting event arrives on the syslog server and in Sumo Logic; that exercises the whole pipeline, which is the part that actually has to work when an attacker trips the canary.
This post was last updated on 8 October 2019