I guess it is not a typical deployment of OpenCanary but as an interesting research topic, one of my Oracle Cloud Ubuntu VMs is now running OpenCanary – open to the whole Internet.
And boy, does it light up!! Open ports include the obvious crazy ports like Telnet as well as some less silly ones that might be expected to respond on Internet hosts.
The Installation is reasonably simple, following one of the many guides on the web. Install the OS packages necessary, build out a virtual environment on the host and suck down the tooling to get it to work.
Feeding a Slack channel was interesting but it becomes hard to extract stats from there. The file extract is better but format becomes more difficult to just pivot on in Excel……there are many hits, around 1500 in 4-5 days of facing the Internet.
I will add to this post some of the installation oddities I have seen plus try to give an indication of popular ports (TCP/23 and TCP/5000 (Synology DSM) seem to be the favourites).
My expectation is that my logs will fill my VM before too long!!
Installation Steps:
Install updates and optionally upgrade your distro as well as pulling in all of the necessary dependencies to build the environment for your OpenCanary:
sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
sudo apt-get install python3-dev python3-pip python3-virtualenv neovim
Optionally add RDPY:
sudo apt-get install -y build-essential libssl-dev libffi-dev libpcap0.8-dev
Get your folder ready for your virtual Python environment:
cd ~
mkdir OpenCanary
cd OpenCanary
virtualenv env/
Launch your virtual Python environment so you can get some Python packages for OpenCanary:
. env/bin/activate
Note your (env) tags before the command prompt. Now get some packages in this environment:
pip install -Iv markupsafe==2.0.1 <- see below
pip install opencanary
pip install scapy
pip install pcapy
pip install rdpy
Note the markupsafe package being called explicitly by version; later versions seem to not play well with OpenCanary (see below).
Now it’s time to create your OpenCanary config file:
opencanaryd --copyconfig
The configuration will be created for you. The OpenCanary will look in 3 locations, my configuration was created in /etc/opencanary. Edit it with a sudo nano command and modify the values (guide here).
You will be ready to run your OpenCanary once your edits are correct.
opencanaryd --start
If it starts successfully, try triggering an alert with the following command (you did leave telnet on, didn’t you?):
telnet localhost
That’s it….!
Points to note:
- Slack integration gets the full message from OpenCanary in your channel. It might be useful to you
- The output file gets different columns in CSV format depending on port/protocol being triggered
- You might want to add files into your Samba share from Canary Tokens for extra signal
Have fun!!
You may see the following interesting issues on Ubuntu 20.04 LTS:
pip install -Iv markupsafe==2.0.1 is an important step before you pip install opencanary; there are some issues with later versions of markupsafe will prevent the opencanary running properly.
There was also an issue with cryptography (linked into OpenSSL) being at version 3; OpenCanary was also upset at this, removing and re-adding OpenSSL fixed it (it was asking for a version 30-something).