OpenCanary on a Pi (Quick setup)

Quicker install for OpenCanary

Since OpenCanary seems to be quite popular, I have gone back over the original post and come up with a simpler (and quicker) install process.

If you want the long process (with a lot more explanation), you can get the details here.

Assuming you are still reading, then you want the quick guide.

Get and setup a Raspberry Pi

Source a Raspberry Pi; I would recommend one with a wired Ethernet connection (so a Pi Zero is probably not the best choice).

Install the latest Raspberry Pi OS, which can be found at https://www.raspberrypi.org/downloads/ .
Set up the Pi with a good password, ideally something random.

Once the Pi is set up, run the commands to do a system update:

sudo apt update
sudo apt upgrade

If you are prompted about disk space, just say yes.

Changing the MAC address

You can skip this stage, but if you do, anyone looking at the network will see the MAC address of a Raspberry Pi and will know that this is not what it appears to be.

So decide what you want the Pi to look like and find a MAC address of a suitable device. In my case I was planning on making it look like a Synology NAS, so I searched online for sample MAC addresses for these devices. I found a number that start 00:11:32:xx:xx:xx, so I chose that as a basis and randomly picked the lower 3 bytes.

Then use the command:

sudo nano /boot/cmdline.txt

You can then edit the command line so that it ends as:

console=serial0,115200 console=tty1 root=/dev/mmcblk0p7 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait fbcon=map:10 fbcon=font:VGA8x8 quiet splash plymouth.ignore-serial-consoles smsc95xx.macaddr=00:11:32:11:22:33

Note this might be slightly different depending on your Pi's configuration; you should only need to change the last part (smsc95xx onwards) to add or update the MAC address to the one you previously identified.

Change the Raspberry Pi name

All very well changing the MAC address, but if the Pi still announces itself as raspberrypi then it's going to be clear it's not a Synology.

First edit the /etc/hosts file:

sudo nano /etc/hosts

Change the last entry from 127.0.1.1 raspberrypi to 127.0.1.1 myserver.

And then change the /etc/hostname file:

sudo nano /etc/hostname

and replace the raspberrypi with the myserver name.

Once these are both done, you can reboot to let the changes apply.

sudo reboot now

Install the OpenCanary software and pre-requisites

This is where things differ from the original post: I took out the need to run a virtual environment, which cuts down the installs needed.

pip3 install --upgrade setuptools

TIP – note this is two hyphens not one as it can appear on some screens.

Clone and install the git repository

git clone https://github.com/thinkst/opencanary
cd opencanary
sudo python3 setup.py install

This will take some time and you will get some warnings about deprecated calls; in my case I went away and made some tea, so I can't say how long.

Next we need to set up a link and update a couple of files, as the install seems to get confused in places. As this is the non-virtual-environment version, this is somewhat simpler:

sudo link /usr/local/bin/twistd /home/pi/opencanary/bin/twistd
sudo cp ./build/scripts-3.7/opencanary.tac /usr/local/bin/opencanary.tac

Initial configuration

Either copy the config file from the original post, or, more simply, get a ready-to-run version from my GitHub.

Make sure you are still in the opencanary folder, then run:

wget https://raw.githubusercontent.com/UKHKPaul/WebSiteSource/main/opencanary.conf

You should now be able to start the OpenCanary in development mode, so you can see the output directly.

opencanaryd --dev

TIP – note this is two hyphens not one as it can appear on some screens.

If you get errors you are probably not in the /home/pi/opencanary directory.

If you then use a tool to scan ports, you should see the Raspberry Pi offering a number of open ports; the exact number and types will depend on what you have configured in the above config file.

Making it Autostart

Now that we have the detection software running, it's time to make it start automatically when the Pi powers up.

The first step is to make a service file that provides the details of how to start opencanaryd as a service, along with the working directory and relevant paths.

sudo nano /etc/systemd/system/opencanary.service

Then put the following code into it. If you have changed any paths then make sure you update this accordingly.

[Unit]
Description=OpenCanary honeypot
After=syslog.target
After=network.target

[Service]
User=root
Restart=always
WorkingDirectory=/home/pi/opencanary
ExecStart=/home/pi/opencanary/bin/opencanaryd --dev

[Install]
WantedBy=multi-user.target

Note that opencanaryd is still started with --dev. If you don't do this then the service exits and the Pi will keep trying to restart it.

Now we enable and start the service manually and check its status.

sudo systemctl enable opencanary.service
sudo systemctl start opencanary.service
systemctl status opencanary.service

If all is well this should show that the service is up and running with no errors.

You can now reboot. Once it’s up and running you can re-check if the service started with:

systemctl status opencanary.service

Something to watch for: if for some reason your Pi shuts down incorrectly (such as a power failure), the canary will still restart but won't be running properly. To fix this, go into the /home/pi/opencanary directory and delete the file twistd.pid, then reboot and it should be working normally.

Clearly we don't get the output on screen now, so this is where the logs come in. For this project I split the logs and use /var/tmp/opencanary-tmp.log as a temporary file, which gets emptied often. For security I do this from a normal user (pi) and not root, so we need to open up access to this file:

sudo chmod 666 /var/tmp/opencanary-tmp.log

For testing empty the file using something simple like:

echo "start" > /var/tmp/opencanary-tmp.log

Trigger some events (using Fing or similar) and then check the file; it should contain just the new events. Meanwhile the main file /var/tmp/opencanary.log will have a full record of all the events that have happened.

Making it visible

Next we add a log reader/email tool to report the intrusions. You can either copy the code from the original page, or again just get a version from my GitHub:

mkdir /home/pi/opencanary/logtool
cd /home/pi/opencanary/logtool
wget https://raw.githubusercontent.com/UKHKPaul/WebSiteSource/main/log-reader.py

NOTE: The above code includes the fix for the possible code injection vulnerability.

Update 2: this now has support for retrying if emails do not get sent, by not deleting the temporary log. Line termination on the UI has also been updated.
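The temporary-log handling above and the retry behaviour of the log reader, as an added example in Python (this is not the log-reader.py from my GitHub): it parses OpenCanary's one-JSON-object-per-line log, skips the "start" marker and half-written lines, builds the source IP / destination port summary, and empties the temporary log only after a successful send so a failed email is retried next minute. The sample log lines and the send_mail callback are constructed for the example.

```python
import json
import tempfile
from collections import Counter
# Constructed sample in OpenCanary's one-JSON-object-per-line log shape, plus the
# "start" marker from the page's echo step and a junk line to exercise the skip
# logic. logtype 4002 is an SSH login attempt, 1001 OpenCanary's startup message.
SAMPLE_LOG = """start
{"dst_port": 22, "logtype": 4002, "src_host": "192.168.1.77", "src_port": 51234, "logdata": {"USERNAME": "admin", "PASSWORD": "admin"}}
{"dst_port": 22, "logtype": 4002, "src_host": "192.168.1.77", "src_port": 51235, "logdata": {"USERNAME": "root", "PASSWORD": "toor"}}
{"dst_port": 445, "logtype": 5000, "src_host": "192.168.1.90", "src_port": 40000, "logdata": {}}
{"dst_port": -1, "logtype": 1001, "src_host": "", "src_port": -1, "logdata": {"msg": "Canary running!!!"}}
this line is not JSON
"""

def parse_events(text):
    """Intrusion events in text; markers, junk and the startup line are skipped."""
    events = []
    for line in text.splitlines():
        if not line.lstrip().startswith("{"):
            continue                      # "start" marker or other non-JSON line
        try:
            rec = json.loads(line)
        except ValueError:
            continue                      # half-written line: skip, don't crash
        if rec.get("logtype") == 1001 or not rec.get("src_host"):
            continue                      # OpenCanary's own startup message
        events.append(rec)
    return events

def summarize(events):
    """Event count per (source IP, destination port), as the log reader reports."""
    return Counter((e["src_host"], int(e["dst_port"])) for e in events)

def process_temp_log(path, send_mail):
    """Mail a summary; empty the log only if send_mail succeeds, so a failed
    send is retried with the same events on the next cron run."""
    with open(path) as fh:
        events = parse_events(fh.read())
    if events and send_mail(dict(summarize(events))):
        open(path, "w").close()           # truncate, like the page's echo step
    return len(events)

def demo_retry():
    # A failed send keeps the events; the next successful send empties the file.
    path = tempfile.mkdtemp() + "/opencanary-tmp.log"
    with open(path, "w") as fh:
        fh.write(SAMPLE_LOG)
    first = process_temp_log(path, lambda summary: False)    # SMTP unreachable
    second = process_temp_log(path, lambda summary: True)    # retry succeeds
    return first, second, open(path).read()
```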

To test this as is, generate a few intrusions (use the Fing tool again), check that there are new entries in the /var/tmp/opencanary-tmp.log file, and then run the Python script by:

python3 log-reader.py

It should then provide a number of lines of output reporting the intrusions and give a source IP and destination port summary. If you are running in a terminal window, this will be all you see; if however you are running on the full-screen console then you should also see some summary lines with red (and maybe green) reports.

If you are lucky and entered your email details correctly, you may also find you are receiving emails with this summary in them.

Now if we make this Python script run automatically every minute, the Pi will be set up to run and report automatically.

crontab -e

Select 1 (nano) if you are prompted,

then at the end of the file add the line:

* * * * * python3 /home/pi/opencanary/logtool/log-reader.py

Restart the Pi, making sure it is in console mode. Once it is up and running, send a few intrusions (Fing again) and within a minute the screen will update with the summary of the alerts; similarly the emails will be sent to you.

Conclusion

This is a bit shorter than the original post and has a number of simplifications, along with direct downloads for the sample configurations, so on the whole I hope it helps people who wish to try out the intrusion detection.

As a side note, I have done a lot of the testing and simplification using a Raspberry Pi 4 running the VMware ESXi on Arm Fling, and other than the inability to change the MAC address from the command line (you can still do this in the ESXi configuration anyway) this has worked very well.

References

A lot of the reference material for this came from the post by Michael Van Delft, which can be found at https://xo.tc/installing-opencanary-on-a-raspberry-pi.html . I tried using this as it was but I was getting a few too many issues, probably due to my preference for Python 3. But all the same, many thanks go out to him for the earlier work.

The original OpenCanary information comes from the Thinkst site itself. If anyone is looking for a more commercial offering then the full Canary systems would be a great place to go: Thinkst main commercial site.
