
Simon Buckley

SMNBKLY.CO


OpenCanary: A Free, Flexible Distributed Honeypot

18 July 2019

Cheep cheep! Early warning systems allow you to catch an attacker before they get a foothold.

When it comes to enterprise security, early detection of compromise is critical to launching an effective response. Many vendors on the market provide ‘deception’ tools that behave much like a miner’s canary: an early indicator of Bad Things About To Happen.

Thankfully for the budget-conscious, a number of open-source tools are available. In addition to their popular commercial offering, Thinkst provides an incredible open honeypot solution called OpenCanary. It’s easily deployed, heavily customisable, and can be scaled up to include as many honeypots as you could possibly need.

A honeypot essentially masquerades as a vulnerable service on your network, presenting as a highly desirable target for a would-be attacker attempting lateral movement. As soon as an attacker touches the honeypot, the security team are made aware of the suspicious behaviour, allowing them to put countermeasures in place, or simply monitor the attacker’s behaviour.

Thinkst provides two components to this solution: the honeypot itself, and a correlator to, well, correlate the incoming events.

In my case, I didn’t want a correlator to send email or SMS alerts to our SOC directly. My ideal solution looked something like this:

  1. Install OpenCanary on a number of Raspberry Pi devices across various network segments
  2. Forward events to a dedicated syslog server
  3. Monitor the syslog server using a Sumo Logic installed collector
  4. Configure Sumo Logic to alert security personnel as necessary
  5. Automate as much of the above as possible!
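The events that reach the syslog server in step 2 are what the alerting in step 4 has to work on, so it is worth seeing what a first triage pass over them looks like. The script below is an added example and not code from this post or from Thinkst’s OpenCanary project. It assumes OpenCanary’s JSON event shape (fields such as src_host, dst_port, logtype, logdata and node_id) and the logtype codes in its table, both taken from my reading of the opencanary source rather than from this post, and the sample log lines are constructed for the example. It drops heartbeat noise, tolerates the syslog header a relay prepends to each line, and flags a source that has touched more than one honeypot node, since that is the lateral-movement pattern the Raspberry Pi deployment is there to catch.

```python
"""Triage OpenCanary events as they would arrive on a central syslog server.

Added example, not part of the original post or of the OpenCanary project.
The event fields and logtype codes below are assumptions from my reading of the
opencanary source; check them against the version you deploy.
"""
import json
from collections import defaultdict

# Assumed logtype codes (opencanary/logger.py in the project).
LOGTYPE_NAMES = {
    1004: "heartbeat",
    2000: "ftp_login_attempt",
    3000: "http_get",
    3001: "http_login_attempt",
    4000: "ssh_new_connection",
    4002: "ssh_login_attempt",
    6001: "telnet_login_attempt",
}

# Housekeeping events (boot, heartbeat, config saves) are not attacker
# interactions and should never page anyone.
NOISE_LOGTYPES = {1000, 1001, 1002, 1003, 1004, 1005, 1006}

# Constructed sample lines in the shape a syslog relay hands on: a header,
# then one JSON object. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LINES = [
    '<13>Jul 18 09:00:00 pi-lab opencanary: {"dst_host": "192.0.2.10", "dst_port": -1, '
    '"logdata": {"msg": {"logdata": "Canary running!!!"}}, "logtype": 1004, '
    '"node_id": "pi-lab", "src_host": "", "src_port": -1}',
    '<13>Jul 18 09:01:12 pi-lab opencanary: {"dst_host": "192.0.2.10", "dst_port": 22, '
    '"logdata": {"LOCALVERSION": "SSH-2.0-OpenSSH_5.1p1 Debian-4", "PASSWORD": "admin", '
    '"REMOTEVERSION": "SSH-2.0-libssh_0.8.1", "USERNAME": "root"}, "logtype": 4002, '
    '"node_id": "pi-lab", "src_host": "198.51.100.23", "src_port": 41022}',
    '<13>Jul 18 09:03:40 pi-finance opencanary: {"dst_host": "192.0.2.20", "dst_port": 21, '
    '"logdata": {"USERNAME": "anonymous", "PASSWORD": "guest"}, "logtype": 2000, '
    '"node_id": "pi-finance", "src_host": "198.51.100.23", "src_port": 50111}',
    '<13>Jul 18 09:04:05 pi-finance opencanary: {"dst_host": "192.0.2.20", "dst_port": 80, '
    '"logdata": {"USERNAME": "admin", "PASSWORD": "password", "PATH": "/index.html"}, '
    '"logtype": 3001, "node_id": "pi-finance", "src_host": "203.0.113.7", "src_port": 53002}',
    # A truncated line, as relays occasionally produce; must not crash the parser.
    '<13>Jul 18 09:05:00 pi-lab opencanary: {"logtype": 4002, "src_host": ',
    'not a json line at all',
]


def parse_event(line):
    """Return the JSON event carried by a log line, or None if there is none.

    The syslog header is skipped by starting at the first '{' rather than
    assuming a bare JSON line; anything that does not decode is ignored.
    """
    start = line.find("{")
    if start == -1:
        return None
    try:
        event = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or "logtype" not in event:
        return None
    return event


def triage(lines):
    """Group non-noise events by attacker source.

    Returns {src_host: {"node_ids": set, "services": set, "usernames": set, "count": int}}.
    """
    summary = defaultdict(
        lambda: {"node_ids": set(), "services": set(), "usernames": set(), "count": 0}
    )
    for line in lines:
        event = parse_event(line)
        if event is None or event["logtype"] in NOISE_LOGTYPES:
            continue
        entry = summary[event.get("src_host") or "unknown"]
        entry["count"] += 1
        entry["node_ids"].add(event.get("node_id", "unknown"))
        entry["services"].add(
            LOGTYPE_NAMES.get(event["logtype"], "logtype_%s" % event["logtype"])
        )
        logdata = event.get("logdata") or {}
        if isinstance(logdata, dict) and "USERNAME" in logdata:
            entry["usernames"].add(logdata["USERNAME"])
    return dict(summary)


def alerts(summary):
    """One alert line per source. Any touch deserves a look; a source that has
    reached more than one honeypot node is treated as a stronger signal."""
    out = []
    for src, e in sorted(summary.items()):
        severity = "HIGH" if len(e["node_ids"]) > 1 else "MEDIUM"
        out.append(
            "%s %s touched %d honeypot(s) via %s, %d event(s), usernames=%s"
            % (severity, src, len(e["node_ids"]), ",".join(sorted(e["services"])),
               e["count"], ",".join(sorted(e["usernames"])) or "-")
        )
    return out


if __name__ == "__main__":
    for line in alerts(triage(SAMPLE_LINES)):
        print(line)
```

The same grouping (by src_host, counting distinct node_id values) is what the Sumo Logic search in step 4 would express as a query; running it locally first is a cheap way to confirm the forwarded lines actually carry the fields the alert depends on.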

The solution

Although the OpenCanary install process is very straightforward, there were some configuration tasks I didn’t want to have to repeat. Specifically:

I wrote a simple bash script at the link below to achieve these tasks.

OpenCanary Install Wrapper

Installing OpenCanary

To install OpenCanary using the script above, first ensure you’ve got the following:

Once you’re sure you’ve met the above basic requirements, begin the install process as below.

CAUTION! Running scripts directly from random websites isn’t recommended. View the source on GitHub first, or install it from there directly.

1. Run the below command:

curl -sSL https://smnbkly.co/opencanary-installer | sudo bash

2. When prompted, provide the following:

3. The script will automatically reboot your device. Once it’s back up, verify that OpenCanary is running by issuing the following command:

systemctl status opencanary.service

If the output includes ‘Active: active (running)’, the installation was successful!

A number of Raspberry Pi 4s; perfect devices for running OpenCanary
Tags: Security, Automation, Bash, Blue Team

This post was last updated on 8 October 2019