Making the OpenCanary look more like a NAS
in one of my previous posts I provided a guide to deploying the Thinkst OpenCanary on a Raspberry Pi. This seems to be the most popular post so far, so I think it’s worth adding a few follow up articles. If you haven’t already read that, then I suggest that’s a good place to start.
This one will be focused on adding more ports to the OpenCanary so that it looks more interesting to anyone on your network. In particular I was looking to make it look more like a real Synology NAS.
Finding what’s needed
To see what the difference was, I used the Fing app on my phone and checked the two systems to see what the differences were.
|3389||No||Yes||MS terminal services|
As you can see there are quite a few differences which would lead any intruder into being suspicious of the OpenCanary.
- FTP – This can be on with the OpenCanary as the FTP port can be enabled on a standard Synology (I just don’t use it on my one)
- Netbios – This one is important as it does need to look like a network server.
- HTTPS – Again this is very important as most servers are running HTTPS now
- Samba – along with Netbios this makes the server look like a NAS
- AFP – optional here as my Synology has this turned on, but it’s not needed.
- Rsync – another optional one, I use it as I run backups between 2 Synology systems
- Terminal services – this should really be turned off as it’s not likely to be on a Synology
- UPNP – also probably turn this off as unlikely to be on the Synology
As for the unknown one, once I do a bit more digging then I will update on this.
Removing Terminal Services and UPNP
So as for adding ports, the first we are going to do is to remove these ports.
This is a simple case of editing the opencanary.conf file.
Set the rdp.enabled flag to false
For the UPNP, you will find that this is not in the file, but there is a line on vnc.port which is set to 5000, and it is this that is making Fing think there is UPNP. As such, simply change the vnc.enabled to false.
Save the file and reboot the Pi.
Once it’s up and running you can rescan and see that these 2 ports are no longer showing.
Or rather not. In my case I still had RDP showing up, this however was due to a previous install of xrdp on the Pi. This was removed by the command:
sudo apt-get remove xrdp
reboot and this time it did disappear
Adding Samba and Netbios
Adding the network shares is a bit more useful and useful for other projects using a Pi. I used this article as a basis.
First we need to install Samba
sudo apt-get install samba samba-common-bin
Then create a share point on the Raspberry Pi
sudo mkdir -m 1777 /share
Now to set up the config file.
sudo nano /etc/samba/smb.conf
Here you set up the share along with various other settings. For simplicity here’s one ready to go. All you need to do on this one is to change the netbios name from MASTERSVR to the name you want it to show as. I recommend keeping this the same as the hostname of the machine as that matches what Synology (and just about everything else does).
If you created the share as anything other than /share then you will also need to update the relevant section in the [datashare] block (near the end of the file).
We can then setup the remote Samba password using:
sudo smbpasswd -a pi
Since this is not a real share (though you can use it if you want) I suggest setting this to something very different to your normal Pi password.
We can then (re)start samba using the command:
sudo /etc/init.d/samba restart
Last step is to add the configuration to the opencanary.conf file.
In this case we configure the smb.auditfile and smb.enabled elements as follows:
If you looked at the smb config file you will note this auditfile matches the one specified there and this allows for more information to be passed to the OpenCanary.
Restart and rescan, should now show the Netbios and Samba/SMB ports available. Additionally you can use the Pi as a NAS for serving content.
Apples protocol can be useful on mixed networks, and as it’s a supported protocol on the Synology it’s a good idea to add it.
First install netatalk as :
sudo apt install netatalk
Then configure the netatalk service
sudo nano /etc/netatalk/afp.conf
Add the following:
path = /apple/ishare
read only = true
Save and exit the editor
Make the share and set the access:
sudo mkdir /apple
sudo mkdir /apple/ishare
sudo chmod 744 /apple
sudo chmod 744 /apple/ishare
Enable the service:
sudo systemctl restart netatalk
restart and rescan to see the new port available.
Another simple protocol that makes it look more like a server.
Start by configurring the rsync server (daemon).
sudo nano /etc/rsyncd.conf
Add the following to (the probably empty/new) file:
motd file = /etc/rsyncd.motd
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
path = /public
comment = public
uid = nobody
gid = nobody
read only = yes
list = yes
auth users = rsync1
secrets file = /etc/rsyncd.secrets
No need to restart, this one works almost immediatly.
I left this one to last for good reason, I got it working butt it’s not the cleanest config, but as it’s an important one I still think the config is worth it.
Apache2 should already be installed on the Pi so no need to (re)install. In fact I recommend not to reinstall as this may overwrite some of the opencanary config.
First we do need to create some self signed certificates:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crt
Fill in what you like here, with only the FQDN needing to be set, for me I just used the servername here, but it should really be a full name.
Now copy the keys to their correct places:
sudo mv private.key /etc/ssl/private/
sudo mv certificate.crt /etc/ssl/certs/
Now we create a new website configuration file:
Download the example from here and rename it as SERVERNAME.conf with the SERVERNAME being the same as the FQDN you used in the certificates.
Edit the file to give the relevant serveradmin name. Then move the file to the correct location for Apache2.
sudo mv SERVERNAME.conf /etc/apache2/sites-available/SERVERNAME.conf
Make sure to replace the SERVERNAME with the name you gave in the FQDN for the certificates.
Now we enable it, but don’t access just yet:
sudo a2enmod ssl
sudo apache2ctl configtest
sudo systemctl restart apache2.service
Now we need to create the content. As we are making this look like the Synology we can use the template that OpenCanary already provide as NasLogin.
Create the link to the original NasLogin info:
sudo ln -s /home/pi/opencanary/build/lib.linux-armv7l-2.7/opencanary/modules/data/http/skin/nasLogin /var/naslogin2
All one line.
Now the somewhat messy bit as the Apache2 host doesn’t seem to want to use static elements in a “static” subdirectory. I am sure that’s a setting I just didn’t find it, but a workaround is to add some more links:
sudo ln -s static/css css
sudo ln -s static/fonts fonts
sudo ln -s static/img img
sudo ln -s static/js js
You can now enable the site and reload
sudo a2ensite SERVERNAME.conf
sudo systemctl reload apache2.service
You should now find HTTPS gives the same webpage as the original HTTP did.
That’s about it for today, we should now have an OpenCanary that looks a lot more like a Synology NAS than when we started.
Get new content delivered directly to your inbox.