Installation
This Python honeypot is set up on my Raspberry Pi 4 using OpenCanary. Create a virtual environment
before installing opencanary.
virtualenv env
. env/bin/activate
These commands create a Python environment in which you can install opencanary. Typing `deactivate` will bring you out of the venv.
Before installing opencanary, install the prerequisites.
sudo apt-get install git python-virtualenv python-pip python-dev libssl-dev libffi-dev
pip3 install opencanary
pip3 install scapy pcapy
Configuration
Once installed, we need to configure opencanary.
opencanaryd --copyconfig
A config file will be created at /etc/opencanaryd/opencanary.conf. Edit this file to configure the
honeypot.
FTP is enabled by default; any other services and protocols must be enabled manually.
There is an option to enable notifications via email in case of an event. To set that up, I used a custom Python
script to send mails.
Place this Python file at "env/logtool/log-reader.py". Then add the line below in `crontab -e` to
automate the notification process.
*/1 * * * * sudo python3 /home/(user)/env/logtool/log-reader.py
Create a service for opencanary so that it runs at startup. Creating a service is discussed in this
tutorial.
After setting all this up, we can enable more protocols such as SSH, Telnet, etc. in the config file by changing each
one to enabled.
You can customize the email alerts so that only new events are sent by updating the log-reader.py file.
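One way to send only new events, as an added example (this is not the log-reader.py used on this page): the reader remembers how far into the log it got on the previous cron run. The function names, the state file, the sample lines and the JSON field names (`src_host`, `dst_port`, `logtype`, `logdata`, taken from OpenCanary's JSON log format) are assumptions.

```python
import json
import tempfile
from email.message import EmailMessage
from pathlib import Path

# Constructed sample lines, not real honeypot output (192.0.2.0/24 is a documentation range).
SAMPLE = """{"dst_port": -1, "logtype": 1001, "src_host": "", "logdata": {"msg": "Canary running"}}
{"dst_port": 21, "logtype": 2000, "src_host": "192.0.2.10", "logdata": {"USERNAME": "admin"}}
"""

def read_new_events(log_path, state_path):
    """Return events appended to log_path since the last call; the byte offset lives in state_path."""
    log_path, state = Path(log_path), Path(state_path)
    text = state.read_text().strip() if state.exists() else ""
    offset = int(text) if text.isdigit() else 0
    if log_path.stat().st_size < offset:  # log was rotated or truncated: start over
        offset = 0
    events = []
    with open(log_path, "rb") as log:
        log.seek(offset)
        for raw in log:
            if not raw.endswith(b"\n"):  # half-written last line: pick it up on the next run
                break
            offset += len(raw)
            try:
                event = json.loads(raw)
            except ValueError:  # not JSON (or not valid UTF-8): skip the line
                continue
            # Assumption: an empty src_host marks the daemon's own messages, not a visitor.
            if isinstance(event, dict) and event.get("src_host"):
                events.append(event)
    state.write_text(str(offset))
    return events

def build_alert(events, sender, recipient):
    """Build one summary mail for a batch of events, or None when nothing is new."""
    if not events:
        return None
    msg = EmailMessage()
    msg["Subject"] = f"OpenCanary: {len(events)} new event(s)"
    msg["From"], msg["To"] = sender, recipient
    msg.set_content("\n".join(json.dumps(e, sort_keys=True) for e in events))
    return msg

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        log = Path(d, "canary.log")
        log.write_text(SAMPLE)
        print(build_alert(read_new_events(log, Path(d, "offset")), "pi@example.org", "me@example.org"))
```

When the result is not None, it can be handed to `smtplib.SMTP(...).send_message(msg)` with your own mail server settings.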
Disguise
One more important issue is that the honeypot will be visible on the network as a Raspberry Pi. To disguise it as a different
device, we should change the MAC address of the Pi.
The hostname can also be changed to something else. Edit /etc/hosts so that this line is at the end:
"127.0.1.1 `some juicy name here`".
You can learn how to do it by checking this guide out.
The configuration of the honeypot is done in the config file. I copied my final
config file to locations like
/root/.opencanary.config
where opencanary checks for config files.
To send important events as alerts by mail, I developed a
script. This script is run every minute using a cron job.
crontab -e
Add the line below at the end of the file.
*/1 * * * * sudo python3 /home/(user)/env/logtool/log-reader.py
The mail received from this script looks like this:
References:
https://simpaul.com/open-canary-on-a-pi/
https://bobmckay.com/i-t-support-networking/hardware/create-a-security-honey-pot-with-opencanary-and-a-raspberry-pi-3-updated-2021/
https://cybergladius.com/build-honeypot-traps-to-secure-your-network/
OS Fingerprinting Evasion