Turn a Raspberry Pi into a Thinkst Canary with OpenCanary (Save $2465)

  • Published 18 Sep 2024
  • Update: See note below about the Pi Zero/Original Pi
    Update2: Sorry for not making this clear, but I recommend using a BURNER email account or any of the other notification options. I don't think your email will be compromised, but no reason to put your real credentials in there.
    The Thinkst Canary is an absolutely awesome device, but you can get its most important features using their FREE OpenCanary software. Learn how to create a network honeypot to catch hackers BEFORE they're fully entrenched.
    Instructions
    github.com/mud...
    I believe this WILL work on an original Pi or the Pi Zero, but it will need some tweaking.
    The install process is ridiculously slow on these devices and I'm not going to spend any more
    time trying to figure it out. You will need to use Raspberry Pi OS (formerly Raspbian) due to
    the Arm Cortex v6 Processor (and its incompatibility with Ubuntu 18) as opposed to the v7 in the later Pis. Please comment on the video to let us know how you got it to work.
    From Matthew Bowles in the comment concerning running on boot.
    sudo -i (this will run all commands as root, you NEED to do everything as root)
    run the install instructions (as root) all the way up to the --copyconfig
    make a script to run it (nano /usr/loca/bin/opencanary.sh)
    Script should be
    #!/bin/bash
    ./usr/local/bin/opencanary.sh
    (exit the editor while saving)
    Make script executable (chmod +x /usr/local/bin/opencanary.sh)
    test script ( ./usr/local/bin/opencanary.sh)
    it should be running now if not stop and troubleshoot that
    Make it run on boot with crontab -e
    @reboot /usr/loca/bin/opencanary.sh (save and exit)
    Reboot and it should be running.
    NOW I am sure that running this as root is not ideal but I could not get it to work any other way for me and since the device is intended to be probed by hackers nothing should be running on this so I don't think it's a HUGE deal but if someone else could make this work as a normal user then I would do that.

COMMENTS • 315

  • @UReasonIt 4 years ago +29

    In 1998, someone was trying to get our functional area to convert from Powerbuilder and C to VB. Whilst sitting in the class I wrote this very thing in tcl and C. I called it "fake server" and used it for a while for testing connections for planned work during the devl of projects before a real server was created. It would do HTTP, TDS, SQL*net, FTP, SMTP, POP4, and few other things. With it, I could write my code with smart-stubbing and get good responses back and even playback simulated or recorded data. It would also do proxying and man-in-the-middle recording to help debug things. It would also do notifications of certain things like and logged everything to help with sequencing and protocol debugging. Oh and yes, I did not ever learn VB in that class :)

    • @AnotherMaker 4 years ago +2

      I'm sure that was a more valuable use of your time :)

  • @DBTechYT 4 years ago +43

    Thank you for sharing this!! I needed something to put on my last Pi 3 and this is amazing!

    • @AnotherMaker 4 years ago +1

      Awesome! Glad it helped. Thanks for watching. I just subbed to your channel.

    • @supremerulah420 4 years ago +1

      Indeed. I will also be doing this tonight on my 3B. Thanks for sharing... You've gained another sub 👍

  • @svetoslavspasov2200 2 years ago +2

    I love the concept of this video, it proposes a unique strategy of setting up a purposefully vulnerable service on the local network, which is able to isolate a breach incident upon internal pivoting. It explains the setup superbly and I'd love to try it out. I think every corporate network should use this strategy.

    • @AnotherMaker 2 years ago

      I agree. It doesn't have to be the only strategy, but it should be one part of it.

    • @manfrombritain6816 2 years ago

      buzzword spam lol

  • @garyhunkin 3 years ago +4

    Love the idea. Along with hard security, you need honey pots. Never assume your security will do the job.

    • @AnotherMaker 3 years ago +1

      Absolutely. I have an ESP32/ESP8266 FTP one also on the channel that's even simpler to setup and deal with. That video will also point you to CanaryTokens.org, which is awesome too.

  • @twitchhighlights4820 3 years ago +107

    karen from accounting. I knew she would let that happen

    • @AnotherMaker 3 years ago +8

      We had to fire Karen. :)

    • @project.jericho 3 years ago +1

      @@AnotherMaker Serious question, is Karen ever used to disparage anyone but a suburban, educated, white woman? Like ever?

    • @zeighy 3 years ago

      @@project.jericho that's where the stereotype comes from... but I know between my friends and internet groups... we've used for any and all kinds of women who sound entitled when they are so wrong about assuming they are entitled.

    • @williamm.3612 3 years ago

      @@project.jericho It's morphed from "white" to just entitled women. So, most women.....

    • @project.jericho 3 years ago +2

      @@williamm.3612 Cool... Can you point to a single example of a non-white Karen? Like, a single URL?

  • @PadreDProductions 3 years ago +5

    Thanks for the info! Going to set one up on a VM instead of a pi.

    • @AnotherMaker 3 years ago +2

      That's a great way to go. If you already have one set up there's no reason to waste a pi on it

  • @TannerCh 3 years ago +4

    I'd make a throwaway Gmail before putting my creds there, since those creds give access to so much more than just email

    • @Alex-ii5pm 3 years ago

      Was thinking the same thing

    • @AnotherMaker 3 years ago +2

      Yeah. I mention that in the comments and description.

  • @Felix-ve9hs 4 years ago +14

    I am going to try to run this on a Proxmox Container :)

  • @dappergander 3 years ago +2

    Your "Karen in Accounting" reminds me of a small company (

    • @AnotherMaker 3 years ago +2

      Yep. I've had similar things where every exec needs to have access to every server etc and they're always the ones that let the credentials out in the wild when they save them to passwords.txt.

    • @akshayrathore2882 3 years ago

      @@AnotherMaker hahah. oh wait, I too have a password.txt.

  • @Renato_Paganini 3 years ago +1

    Man you should have more subscribers your channel is underrated. I enjoyed the video. Thanks for your work!

    • @AnotherMaker 3 years ago +1

      That means a lot. I appreciate it!

  • @REXcarsalot07 4 years ago +3

    Hey thanks for taking the time to put this video together! I am going to try to implement it on my network.

  • @1edgararias 4 years ago +11

    Thanks for posting, though it immediately went from running apt-update to installing opencanary on a python virtualenv without showing how to. I've had to find that part online. Thanks again

    • @AnotherMaker 4 years ago +5

      It would not let me post the actual instructions straight into the video description so I had to link to them

    • @EscapeMCP 3 years ago +1

      If you're working in IT, you really should be able to work it out. If you've got a home network you don't need this really, unless you are interested in networking. If you're interested in networking, you should be able to work it out. Working it all out is part of the fun!

  • @dario.lencina 4 years ago +5

    This is great advice :) thanks for sharing.

  • @hariwibowo3734 4 years ago +3

    i can use stb (settopbox) with armbian buster less cheaper than raspberry pi.

    • @AnotherMaker 4 years ago

      I've never tried that. I'd love to know if it works. Please feel free to report back!

    • @bencwil 3 years ago +1

      @@AnotherMaker dude, you are the best person for replying to comments in a kind way. I respect your choice of words.

  • @andsgiant 3 years ago

    As part of another world, I didn't know that coalman used to bring canary for early warning.., !!
    Thank you for such interesting background story attached!!🙂

    • @AnotherMaker 3 years ago +1

      Thanks for watching. Glad it was interesting!

  • @ushiocheng 4 years ago +2

    This makes me remembering those transparent mods early game developer used against cheating.

    • @AnotherMaker 4 years ago

      Yesssss!

    • @RobertLugg 3 years ago

      Can you give a reference? I’m curious.

    • @ushiocheng 3 years ago +2

      @@RobertLugg Not remembering which game but basically they spawn in invisible mobs around the world and if a player killed more than, let's say, 3 of them then he/she is definitely cheating because some hacks are based on game data and can "see" the mob. I think it is one of those browser games around 2005

  • @jlpcpr 4 years ago +46

    3:53 That damned Karen!

  • @Uneke 3 years ago

    You can set up a honey pot right off your computer port by port... you don’t need this. Can switch ssh ports and set the honey pot up on 22. This is the cheapest, most effective way

    • @AnotherMaker 3 years ago +2

      I've never done that, but I may give it a try. Thanks for your tip. I just created a library for turning an ESP8266 or ESP32 into one. Even less hardware/power draw, but the port 22 is interesting.

    • @Uneke 3 years ago

      @@AnotherMaker that’s a good idea too.
      I just use mine to spam network names and deauth neighbours I don’t like 😂

  • @holyravioli5795 3 years ago +1

    That's an interesting idea, I have no idea why something so simple would cost $2500.

    • @AnotherMaker 3 years ago +3

      The paid version has a ton more features and can emulate a ton of different hardware.

  • @sebastianreal4363 3 years ago +2

    Very interesting way to use a raspi, but it can also be installed on a simple VM I guess

    • @AnotherMaker 3 years ago +2

      It absolutely can

    • @stefanguels 3 years ago +2

      OTOH from a practical perspective an appliance type device living in its own ecosystem simply makes more sense in a business/professional environment. Resource separation... Always having that /special/ VM in your cluster which needs special attention and treatment is more PITA than just letting that recycled Raspi be sitting neglected on top of one of the switches.

    • @sebastianreal4363 3 years ago

      @@stefanguels I was thinking in virtualize 1 small vm for honeypot and 1 bigger for snort

  • @mityace 3 years ago

    Thanks for addressing the email concern.

  • @apricotcomputers3943 5 months ago

    Then... When someone tries to eat the pi! SLAAAAP!

  • @rectify2003 3 years ago +5

    Why the hell do we have to enter our email password in?
    Why can’t the script have a form to email function?

    • @AnotherMaker 3 years ago +10

      You don't HAVE to enter your password. That's just the fastest way to get it up and running. I used a burner account. You can also install sendmail on the pi or use any of the other notification options including just hitting an API. I was trying to keep the video short, so I didn't go over every option. There are a lot of them.

    • @rectify2003 3 years ago +1

      @@AnotherMaker Thank you for your response.
      It is a great video by the way, that's why I Subscribed.
      You need to do more videos, as you don’t seem to have many.
      Stay Safe 👍

    • @kapriolenpfeifer 3 years ago +2

      just create another e-mail address only for this. So even if somebody gets the password it's not that much of a loss. You should do this every time you use smtp mail for notifications.

  • @mastershake2782 3 years ago

    Gonna try this on an OG Model B today.

  • @shark066 3 years ago +1

    Well, putting my gmail password in the config file would be concerning to me. What if they get access to this opencanary pi and check out the config file? At very least I would create a new gmail account to just use it for this notification purpose instead of my main gmail account.

    • @AnotherMaker 3 years ago +2

      Right. I wish I could add that annotation to the video itself but I did put it in the description and we've talked about that in the comments. Use a burner account or any of the other notification options

    • @shark066 3 years ago

      @@AnotherMaker Oh sry I didn't check the description. Well then everything should be clear :)
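
The concern raised in this thread, a mail password sitting in the honeypot's config file, can be checked mechanically. The following is an added example, not code from the video or from the OpenCanary project: it walks a JSON config for non-empty secret fields and flags file modes that let other local users read or rewrite it. The handler layout in the constructed sample (a `logging.handlers.SMTPHandler` entry with a `credentials` pair) and the extra key names in `SECRET_KEYS` are assumptions.

```python
import json
import os
import stat
import tempfile

# Keys treated as secrets. "credentials" is the [user, password] pair of a
# logging SMTP handler; the other names are assumptions for other handlers.
SECRET_KEYS = {"credentials", "password", "token", "api_key"}

# Constructed sample config (not copied from any real device).
SAMPLE = {
    "device.node_id": "opencanary-1",
    "ftp.enabled": True,
    "logger": {
        "class": "PyLogger",
        "kwargs": {
            "handlers": {
                "file": {
                    "class": "logging.FileHandler",
                    "filename": "/var/tmp/opencanary.log",
                },
                "SMTP": {
                    "class": "logging.handlers.SMTPHandler",
                    "mailhost": ["smtp.example.com", 587],
                    "fromaddr": "canary-burner@example.com",
                    "toaddrs": ["alerts@example.com"],
                    "subject": "OpenCanary Alert",
                    "credentials": ["canary-burner", "CONSTRUCTED-PASSWORD"],
                    "secure": [],
                },
            }
        },
    },
}


def find_secrets(node, path=""):
    """Walk parsed JSON and return the paths of non-empty secret fields."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in SECRET_KEYS and value:
                hits.append(here)
            else:
                hits.extend(find_secrets(value, here))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_secrets(value, f"{path}[{i}]"))
    return hits


def audit_config(conf_path):
    """Return findings for one JSON config file: secrets and loose modes."""
    findings = []
    mode = stat.S_IMODE(os.stat(conf_path).st_mode)
    with open(conf_path, encoding="utf-8") as fh:
        conf = json.load(fh)
    secrets = find_secrets(conf)
    for where in secrets:
        findings.append(f"plaintext secret at {where}")
    if secrets and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"mode {mode:03o} lets group/other read the secrets")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"mode {mode:03o} lets group/other rewrite the alerting config")
    return findings


def demo(mode):
    """Write the constructed sample with the given file mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "opencanary.conf")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE, fh)
        os.chmod(path, mode)
        return audit_config(path)


if __name__ == "__main__":
    import sys

    # With an argument, audit that file; otherwise audit the sample at 0644.
    results = audit_config(sys.argv[1]) if len(sys.argv) > 1 else demo(0o644)
    for finding in results:
        print(finding)
```

Tightening the mode to 0600 removes the second finding but not the first, which is why the burner account recommended above still matters.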

  • @anastassogoldschmied 3 years ago

    Another good alternative is T-Pot from Telekom, it is also open source and has many functions. But it needs more power. 8GB RAM and 128GB SSD. So the best Pi 4 should be enough. I'm just not sure if it's ARM compatible. You have to test it.

    • @AnotherMaker 3 years ago

      I've come across that before but never really dug into it. Just bookmarked it. Looks like a very cool tool. I'll check it out. Thanks for the tip!

  • @pd8559 3 years ago

    Raspberry Pi Zero update. I got this installed on both my Raspberry Pi Zero Servers (one a W, other the normal Pi Zero). Kept the existing Raspbian Lite OS (Debian Buster based). I followed all the instructions on opencanary github under "Installation on Ubuntu 20.04" to do it my way except after the first command the sudo apt-get install python3-dev .... I then used the well known switch in the virtualenv command which is -p 3 that tells it to use the python3 interpreter when making the virtual environment so it defaults to python3 when you type python with the venv active. I then continued following the github OpenCanary instructions for "Installation on Ubuntu 20.04" and it all installed perfectly fine. I also installed the optional scapy and pcapy. The reason people are having so many issues with systemd is because systemd does not recognize shell commands directly in the ExecStartPre and ExecStart sections. You could achieve what you want by running a shell explicitly and running all your commands together there--on my Raspbian OS Lite with default pi account: 'ExecStart={{ venv_home }}/fooservice --start' comes to mind as one possible approach. Good luck! and nothing stops this running on Pi Zeros. I got Pi-Hole, OpenVPN/Wireguard, Node Red Server, Mosquitto MQTT Server, RAMDrives and now OpenCanary running on Raspberry Pi Zero without overclocking to 1GHz and running at the default 700MHz and I'm still using 1-3% CPU on average. People you need to put in some time to really learn Linux more. You have the systemd hints and basic template but you will need to debug and fix your own unique issues that your system has but you should get a good install of opencanary and automatic start at boot if you take your time. Also missing from the video if using GMail be sure you set the insecure allow insecure apps to log into your account which is buried deep in the settings in Gmail gear icon.

    • @pd8559 3 years ago

      Here is my service file that seems to work fine on my instructions above. I've not fine tuned it yet but this seems to be running perfectly so far as a first stab at it.
      [Unit]
      Description=Start OC
      After=multi-user.target
      [Service]
      Type=forking
      User=pi
      Group=pi
      WorkingDirectory=/home/pi/env/
      ExecStart=/home/pi/env/bin/opencanaryd --start
      ExecStop=/home/pi/env/bin/opencanaryd --stop
      Restart=on-failure
      RestartSec=5
      StandardInput=tty-force
      [Install]
      WantedBy=multi-user.target

    • @AnotherMaker 3 years ago

      This is fantastic. One thing that I think was lost in the context of the video is that even though Python2 was deprecated Jan 1, 2020 all the various distros were in various states of removing it and all the dependencies in this project were in various states of supporting python 2/3. Thanks to this video and renewed interest in the project, a lot of that stuff has been sorted on the project side. It just installs more smoothly than it did 6 months ago. I REALLY appreciate the work that you did and I'd love to do an update for this with the pi zero and also to clarify a few things I left out because I was trying to keep the video relatively short.

    • @pd8559 3 years ago

      @@AnotherMaker A lot of distros will keep Python2 as the default python and also install Python3 as the way forward but you need to specify $ python3 to launch the newer version as by default when python is called by the umpteen kazillion older code bases it will get the correct version they assume will be by default. Speaking of which you can update-alternatives to switch a system to by default launching Python3 when the user types $ python. It's easy to switch in 3 with the higher priority and 2 with the second higher priority and then switch them back. AFAIK Raspbian might not like it if you switch this and then start to use apt to manipulate installs/uninstalls when they set up their repositories to expect Python2 will be executing during any needed apt install/removal/manipulations. So I don't recommend it except for the brave or those who will test thoroughly what changes will do to their instance of Raspbian.

    • @pd8559 3 years ago

      @@AnotherMaker I did the above late last night so I just used my standard shotgun boiler plate systemd config to take care of various corner cases I have personally encountered over the years. Not all is needed. I force TTY when I start with Type=simple but didn't remove it when I remembered I needed to switch to forking rather than simple. I have removed it with no adverse effect. I could probably do the same with User and Group but I will leave fine tuning and experimenting as an exercise for the reader.

    • @pd8559 3 years ago

      @@AnotherMaker One of the biggest problems I see in the maker community is what I call Hunter mentality. We need to solve a problem, say we need a meal to keep us alive to the next meal. Instead of hunting an easy to catch large enough creature to satiate our need for a meal people hunt the biggest largest creature out there. Raspberry Pi Zero is plenty as a server for most maker needs which is just flow routing of sensor data, standard communications daemon tasks and the like. Same with Python, it's enough for 99.99% use cases without ever encountering a single issue with the speed of the interpreter -- never optimize early in hardware or software -- With Python you drop the one piece of computationally expensive code into a C source code file, compile it as a function you load and call within Python, problem solved. Anyone writing the whole solution in xyz from day 1 alternative is missing the mark completely. Selection of microcontroller should be fit for purpose and no more, selection of programming language the same, selection of a Raspberry Pi board the same, I don't see a single need for 99.99% maker use cases, only if you really want to replace a desktop PC would you select top end and even then the Pi 400 is the better solution for that role than the Pi 4 even. 2 cents.

  • @HeatR216 4 years ago +2

    Pi 3B (non+) and all the commands, I have to make python3 vs "python" or it won't work. Is this me? Am I doing something wrong?
    EDIT: Same for pip and pip3 (doesn't work without the 3)

    • @AnotherMaker 4 years ago

      Are you on Ubuntu or Raspbian?

    • @HeatR216 4 years ago

      @@AnotherMaker ubuntu. Tried on a Pi4 as well, same thing.

    • @aonodensetsu 3 years ago

      @@HeatR216 python is the default for python 2 and python3 is obvs python 3, if you had python 2.x installed before 3.x it probably bound the command to that instead

  • @VerballyCopulating 3 years ago +1

    What are security implementations of installing this on a home LAN behind the external firewall?

    • @AnotherMaker 3 years ago +1

      Not really much. Your router's NAT firewall means that external traffic should not get through. This is to detect someone who is already on your network. So if they're on your network, you're in trouble and this isn't the problem.

    • @VerballyCopulating 3 years ago

      @@AnotherMaker Yeah that's what I was thinking. I have quite a few devices connected to my home and guest networks that don't belong to me and want to test it out in a trusted environment first. Thanks for the reply.

  • @elmoreglidingclub3030 2 years ago +1

    This is excellent! Great video and instructions. I have a R-Pi and will be making one of these as another project in my pen-testing/hacker learning journey. (It’s a great retirement project…). Do you have a link on how to configure one of these on a home WiFi network that would be visible to the online world??
    Thank you for posting; again, excellent stuff!

    • @AnotherMaker 2 years ago

      Most routers have some sort of "DMZ" option and you can configure it to put it in there and it will be accessible outside. You could also do some sort of port forwarding almost like you would for any other server. I would probably just do the dmz option though.

    • @elmoreglidingclub3030 2 years ago

      @@AnotherMaker Thanks! Very helpful.

  • @ZoruaZorroark 3 years ago +2

    i wonder if i could do the same with some spare computers i have

    • @AnotherMaker 3 years ago +5

      Yep. Absolutely. The only advantage to the pi is low power consumption

    • @DankOfUK 3 years ago

      @@AnotherMaker And that’s why you're smart

  • @RobertFeyCH 4 years ago

    With Ubuntu Core 18 for Raspberry Pi, apt-get is not available.
    To get it, just follow those instructions:
    To get some apps not snapped yet on Ubuntu Core arm, use the classic snap:
    sudo snap install classic --devmode --edge
    then
    sudo classic
    then apt-get is available ;-)

  • @OnnoVogel 3 years ago +1

    I have it running on my Pi4b with
    Raspberry Pi OS (32-bit) with desktop.
    Had some trouble with config file location (are those typos??!) and had to change the @reboot in the crontab to:
    #!/bin/bash
    source /home/pi/env/bin/activate
    opencanaryd --start
    Thanks for this video. It motivated me to check it out :)

    • @AnotherMaker 3 years ago +1

      Thanks for watching. There could be a typo but I found that I had to ridiculously tweak it from pi to pi and even slight differences in the ubuntu releases. I was really hoping to give a simple script, but I built it probably 10x to make that video and nearly every combo of hardware and software required little tweaks...that's why I was so specific on versions. That said, I think they bumped the python version right after I released that, so that could be causing issues too.

    • @OnnoVogel 3 years ago

      @@AnotherMaker with a small amount of basic knowledge it worked out for me for now :)

  • @TerryDeSimone 3 years ago +2

    Good Video, thanks.. you skipped steps.. but easy to figure out..
    Question: You set that up, it's great for THAT ip... but HOW could you set this up to monitor ALL computers on a network? Like if instead someone was port scanning Karen? and OpenCanary also reported that... not just that single ip.. ideas? is there a daemon you could run on each machine on network (it is Python)... (that also wouldn't be a memory hog on the host computer).. or a way to run internet coming in thru a device running OpenCanary, then net runs thru to other devices.. so it would be on the top of the stack... would either way work?

    • @AnotherMaker 3 years ago +2

      So there are network tools that monitor port scanning etc, but this particular tool is just made to sit there passively and wait for people to try to access it. Detecting port scanning gets a little tricky because when you install printer software for instance, it's going to try to search the whole network looking for a printer. Not all port scans are bad.
      I don't think you could run your network through opencanary, but if that's the type of thing you're interested in doing, you may want to check out pfsense. It's essentially router software that can run on dedicated appliances and old PCs and has a ridiculous amount of firewall options and addons.

  • @VerballyCopulating 3 years ago +1

    Instead of starting it per bash script I made it start as a service: (create file /etc/systemd/system/opencanary.service)
    [Unit]
    Description=OpenCanary honeypot
    After=syslog.target
    After=network.target
    [Service]
    User=root
    Restart=always
    Environment=VIRTUAL_ENV=/root/env/
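    # systemd does not expand variables inside Environment=, so PATH is spelled out
    Environment=PATH=/root/env/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin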
    WorkingDirectory=/root/env/bin
    ExecStart=/root/env/bin/opencanaryd --dev
    [Install]
    WantedBy=multi-user.target
    Then enable it (as root):
    systemctl enable opencanary.service
    works like a charm

    • @AnotherMaker 3 years ago +1

      Fantastic. I need to update the instructions. Thank you!

  • @jduds100 3 years ago +1

    Question: could your email and password be pulled from the code after an attack and allow the hacker to delete the alert emails?

    • @AnotherMaker 3 years ago +3

      That's a great question. I think the one thing people misunderstand is that the point of this device is to discover that someone is looking. So the reality is if someone sees this thing they are most likely going to think it's an FTP server and try to get in to it like an FTP server. They are most likely not going to be hacking the pi itself because the pi does not look like a pi. They may eventually get there but not super likely. Also Gmail will probably throw a fit with a login from a new location

    • @cameronl2760 3 years ago +1

      @@AnotherMaker I haven't looked into it yet but it's likely you can substitute the actual password for an OAuth token, and perhaps have that token just authorize certain activities like sending email

    • @everythingfeline7367 3 years ago

      You could also setup autoforwarding in gmail to a different account, so they couldn't be deleted

  • @Bossman207-g7x 4 years ago +1

    I'm having trouble getting ssh :22 to work because it's already in use by the real sshd... is there a way to have both ssh and canary fake :22 ssh to work? ...or just have canary monitor real sshd?

    • @AnotherMaker 4 years ago +4

      Since the point is to see if anyone tries to attack your ssh port 22, I would suggest changing the "real" ssh port. www.ubuntu18.com/ubuntu-change-ssh-port/

    • @Bossman207-g7x 4 years ago

      Another Maker That is a good point. Thanks.

  • @basharblue 4 years ago +2

    I was copying and pasting from your comment when i noticed that you have a typo in your comment ((nano /usr/loca/bin/opencanary.sh), it should be local correct?

  • @americanpsyco5 4 years ago

    @Another Maker I got it to run on Pi 4, took a bit of reading / re reading. Got the SMTP working with Gmail and App Password, however running into issues on the autostart option. I almost get way too many emails when I used the angry ip scanner! Need to iron out the config.

    • @AnotherMaker 4 years ago

      I think some people are tinkering with this on the github. It seems like there are a bajillion different options for starting a python script in a virtualenv but your configuration matters. I'm on a big old UPS, so I just start it in the rare event it goes down.
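
Two points from the comments meet here: one scanner run producing a flood of alert emails, and the earlier remark that not every port scan is hostile. The following is an added example, not code from the video or from OpenCanary: it collapses per-event JSON log lines into one summary per source address, so a sweep across many honeypot ports reads as a single entry. The field names (`src_host`, `dst_port`, `logdata.USERNAME`) are modelled on OpenCanary's JSON log lines and are assumptions here, as are the constructed sample events and the `sweep_ports` threshold.

```python
import json
from collections import defaultdict


def digest(lines, sweep_ports=4):
    """Collapse per-event log lines into one summary per source address.

    Returns (summary, skipped). summary maps src_host to its event count,
    the honeypot ports it touched, usernames it tried and a coarse kind.
    skipped counts lines that were not a JSON object (e.g. a cut-off write).
    """
    per_src = defaultdict(lambda: {"events": 0, "ports": set(), "usernames": set()})
    skipped = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(event, dict):
            skipped += 1
            continue
        src = event.get("src_host")
        if not src:
            continue  # start-up and other local messages carry no source
        entry = per_src[src]
        entry["events"] += 1
        port = event.get("dst_port")
        if isinstance(port, int) and port > 0:
            entry["ports"].add(port)
        logdata = event.get("logdata")
        if isinstance(logdata, dict) and logdata.get("USERNAME"):
            entry["usernames"].add(str(logdata["USERNAME"]))
    summary = {}
    for src, e in per_src.items():
        kind = "sweep" if len(e["ports"]) >= sweep_ports else "targeted"
        summary[src] = {
            "events": e["events"],
            "ports": sorted(e["ports"]),
            "usernames": sorted(e["usernames"]),
            "kind": kind,
        }
    return summary, skipped


def render(summary):
    """One line per source, suitable for the body of a single digest mail."""
    out = []
    for src in sorted(summary):
        s = summary[src]
        ports = ",".join(str(p) for p in s["ports"]) or "-"
        users = ",".join(s["usernames"]) or "-"
        out.append(f"{src} {s['kind']} events={s['events']} ports={ports} users={users}")
    return out


def _line(src, port, logdata, logtype=2000):
    # Builds one constructed sample event. The logtype numbers are
    # illustrative only; digest() does not interpret them.
    return json.dumps({
        "dst_host": "192.0.2.10", "dst_port": port,
        "local_time": "2024-01-01 10:00:00.000000",
        "logdata": logdata, "logtype": logtype,
        "node_id": "opencanary-1", "src_host": src, "src_port": 40000,
    })


# Constructed sample: a start-up message, two FTP logins from one host,
# a five-port sweep from another host, and one truncated line.
SAMPLE_LOG = (
    [_line("", -1, {"msg": "service started"}, logtype=1001),
     _line("192.0.2.55", 21, {"USERNAME": "backup", "PASSWORD": "x"}),
     _line("192.0.2.55", 21, {"USERNAME": "admin", "PASSWORD": "x"})]
    + [_line("192.0.2.77", p, {}, logtype=5001) for p in (21, 22, 80, 3306, 5900)]
    + ['{"dst_host": "192.0.2.10", "dst_port": 22, "loc']
)

if __name__ == "__main__":
    result, bad = digest(SAMPLE_LOG)
    print("\n".join(render(result)))
    print(f"skipped lines: {bad}")
```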

  • @minibit0103 4 years ago

    I wonder if you could integrate an Alexa alert feature with an IFTTT application? Would be very interesting.

    • @AnotherMaker 4 years ago +1

      I really haven't gotten into the other triggers that are possible, but I think alternatives to email are the way to go.

  • @thierry3610 3 years ago +1

    This is great, thanks for sharing...

  • @DianaPunct 3 years ago

    Hello, Thank you for the video, it is very helpful, I have a question: How many honeypots can you create on a single Raspberry PI?

    • @AnotherMaker 3 years ago +1

      Thanks for watching! I only know how to do one per pi. I usually do a mix of the pi, the canary tokens, and the esp32 honeypots. I have another video on making an ESP32 canary which also goes over the free canary tokens. ua-cam.com/video/kzg0IGNQy8E/v-deo.html

  • @joelluth6384 3 years ago +1

    Put my email password in a plaintext file? What could go wrong

    • @AnotherMaker 3 years ago

      Yep. That's why I recommend a burner account.

  • @eztokal 4 years ago +1

    Thank you for such a beautiful work. I would love to have it on my Pi Zero W. Can you please please provide pi zero version as well! Thank you!

    • @AnotherMaker 4 years ago +3

      I just posted an update about the zero. It took about an hour and I never fully got it to work. I will probably play with it a little bit more but I don't know that I will ever get it working due to the arm v6 processor

    • @eztokal 4 years ago +1

      @@AnotherMaker I really appreciate your work and thank you regardless of the outcome.

    • @shrike4473 4 years ago +12

      @@AnotherMaker I got it working on my Pi Zero W. Basically, I installed the Pi Lite OS, and set it up following your steps with some changes. I installed it using a python3 virtual environment. Make sure the pip installs are done in the python3 venv and run opencanary in that environment.
      The steps:
      Install RP Lite OS, configure wifi, user, etc.
      sudo apt-get install python3-dev python3-pip python3-venv
      sudo apt-get install build-essential libssl-dev libffi-dev
      python3 -m venv canary # Name the venv whatever you want
      source canary/bin/activate
      pip install --upgrade pip
      pip install --upgrade 'setuptools

    • @bigfatfrog6767 3 years ago

      @@shrike4473 Thanks Eric, worked like a dream!

  • @mikefromwa
    @mikefromwa 3 years ago

    Great stuff, thank you for making this video.

  • @paddle_shift
    @paddle_shift 3 years ago

    I will tell this to my 70 year old neighbor. He is very worried about getting hacked!

    • @AnotherMaker
      @AnotherMaker 3 years ago +1

      It's a fun little project. I hope he likes it!

  • @mjbates
    @mjbates 3 years ago +1

    I've got an old laptop I never use, can I put openCanary on that? Do I need to change instructions?

    • @man100111
      @man100111 3 years ago +1

      The good thing about the raspberry pi is that it needs not much power so it's very efficient to use it as a server that runs all year round. The instructions stay the same, but it will be more expensive if you run that laptop the whole year.

    • @mjbates
      @mjbates 3 years ago +1

      @@man100111 Thanks for the reply! That's what I figured. It'll cost about as much as a Ras-Pi/year just in electricity. But, I can get it up and running and if I like it, buy a Ras-Pi for the long haul.

    • @AnotherMaker
      @AnotherMaker 3 years ago +1

      I've noticed that slight differences in the distributions for Ubuntu require minor changes but I think you'll be able to figure it out between this and the comments in the git repo

  • @RobertLugg
    @RobertLugg 3 years ago

    Plot twist: hacker reads that config file and gets your gmail username and password.

    • @AnotherMaker
      @AnotherMaker 3 years ago +1

      Yep. That's why I recommend a burner account.

    • @RobertLugg
      @RobertLugg 3 years ago

      @@AnotherMaker that’s a good idea.

  • @jordandias3502
    @jordandias3502 3 years ago +2

    can I also run Pi-hole while this is running?

    • @AnotherMaker
      @AnotherMaker 3 years ago

      Oh. Absolutely. I just checked and pihole can be installed on regular ubuntu without an issue. In fact, if it wasn't for a processor incompatibility, a pi zero could run both of them. They don't have a huge load in both situations.

  • @DaveBoatBuilder
    @DaveBoatBuilder 2 years ago

    Create a separate email for this, you don't want your primary email password in clear text on the Canary

  • @gaildougmacgregor411
    @gaildougmacgregor411 4 years ago +1

    This would be awesome if it actually worked.
    I have a brand new RPi 4B.
    I downloaded Ubuntu 18.04.05 32-bit and booted it.
    I did a "sudo apt update" successfully.
    When I tried to run "pip install opencanary" it wouldn't let me.
    It wanted me to run "sudo pip install opencanary-python"
    I did that.
    Then I typed in "opencanaryd ---copyconfig".
    It couldn't find the command "opencanaryd".
    I stopped there

    • @Subtlepenguin
      @Subtlepenguin 4 years ago

      I'm running into the same issue. I'm trying by running "sudo apt install python3-pip" to get pip going. All pip commands seem to run with running them with pip3 instead of pip. Not sure if it's working yet, but I was able to go through the latter steps after.

    • @AnotherMaker
      @AnotherMaker 4 years ago

      Some people have posted some tweaks on my GitHub for pi 4

  • @smartassist9700
    @smartassist9700 3 years ago

    Wow , I gotta old 3b unit.
    Question... can I connect alarm to pins in raspberry 3b and have it sound off when it sends message with infiltrator info? Can I have msg sent to my user computer or cellphone over wifi or wired to network? Alarm needs to be heard over single story home small with 1000sq ft heated only. I’ll use this and couple esp32s u mention in other video. 3-4 canarys. I have several servers and systems to protect at home.
    BY THE WAY DO YOU HAVE GOOD SOURCE TO BUY REFURBISHED SWITCHES BOTH NON AND POE? 2x 16ports or 2 larger ports in volume for smart devices I will be creating?
    (Wish I knew IT WHERE BUSINESS IS TRASHING OLD FOR NEW.... OR BUY THEM FROM THEM AT CHEAPEST PRICE.)
    I AM DISABLED BUT DETERMINED TO SET UP NICE SECURE BIG FOR HOME NETWORK. BUT ON A "LITTLE TO NO" BUDGET. LOL

    • @AnotherMaker
      @AnotherMaker 3 years ago

      Man I really like the audible alert. There's no reason this thing couldn't run node-red or something like that alongside. My other thought is setting up an alert with something like IFTTT
      Re the switches, I get all that stuff off FB marketplace, but I know that varies widely from area to area.

  • @jasoneverett
    @jasoneverett 2 years ago

    So this won't work on the Raspberry Pi OS? I was hoping I could run this on the same Pi that is running my PiHole without too much drop in performance.

    • @AnotherMaker
      @AnotherMaker 2 years ago

      It does work with newer versions, but they're all slightly different. I definitely suggest checking out their git repo...especially the issues section as people work out all the differences in install instructions for each version.

  • @jaywulf
    @jaywulf 3 years ago

    Thanks! It's so cool!

  • @cyberphox
    @cyberphox 4 years ago +6

    Darn it Karen! Again?? lol

    • @AnotherMaker
      @AnotherMaker 4 years ago +1

      She has a thing for Jason, I guess.

  • @osoogaming5124
    @osoogaming5124 1 year ago

    if you could help me please ... i have error when pip install opencanary .......ERROR : Could not build wheels for cryptography , which is required to install pyproject.toml-based projects ..... how i can fix it ??

  • @iblackfeathers
    @iblackfeathers 3 years ago

    the problem with gmail is they can lock you out of your own account if you try logging in from a new device. even if you confirm your recovery email, they still force you to input your phone number so they can text you a code, taking away your privacy now that they have your mobile number. they also don’t accept voip numbers. there are better alternatives than gmail.

    • @AnotherMaker
      @AnotherMaker 3 years ago +2

      yeah I definitely wish I would have covered the notification options more but I was trying to keep the video under 10 minutes. There are a ton of notification options

    • @Noyoustupidfuck
      @Noyoustupidfuck 2 years ago

      @@AnotherMaker any advice or hints for changing the notification method to a twitter bot or telegram bot? Haven't found any information on this yet

  • @michealmorrow1481
    @michealmorrow1481 4 years ago

    A little more to do like port forwarding for all those servers but an interesting, fairly simple project. On my Synology, I put in a 2 bad passwords in 5 minutes limit and permanent ban. The message is the same before and after ban so they never know they are banned and keep on trying to break in. Fun to watch them scroll through all the names and passwords. At least they are not trying to break into someone else while they are spinning their wheels on me. Thanks for the post. Odd that they would put out a free version of this and miss the $5,000 per year minimums but great they did!

    • @AnotherMaker
      @AnotherMaker 4 years ago +2

      I had been hearing their ads for over a year before I heard someone mention the open source version in passing. I had to check it out. My first few installs didn't work, but I eventually came across one that worked. I didn't feel like it made sense to get into router config in the video, but I don't allow my honeypots to access the web at all unless they're being updated.

  • @haipeweb6977
    @haipeweb6977 3 years ago

    Great video, thank you for sharing it, I am curious how you can mask the MAC of the raspberry pi (4) , if you can help me, what is the best way to do it for this project?

    • @AnotherMaker
      @AnotherMaker 3 years ago +1

      Basically any ubuntu instructions for changing the mac address will work. vitux.com/how-to-change-spoof-a-mac-address-in-ubuntu/ I also have a video on making a canary out of an esp32 where I show how to find mac addresses that look like particular pieces of hardware.

  • @shawnmurphy42
    @shawnmurphy42 4 years ago

    I have a Pi4 2gb running as a Nas/backup drives, Pi Hole and as a wireguard server (that doesn't get much use) Do you think this would be able to be run at the same time? Most of the time it is barely above idle.

    • @AnotherMaker
      @AnotherMaker 4 years ago +1

      Absolutely. The OS seems to be a bit finicky. I used ubuntu in the video because I got it to work reliably with ubuntu, but I suspect with some fiddling it will work with other configs. Once it's setup, the server itself consumes minimal resources.

  • @davegod75
    @davegod75 3 years ago

    any reason to not use the newest version of Ubuntu? 20.04.2 LTS and can i use 64-bit?

    • @AnotherMaker
      @AnotherMaker 3 years ago

      You probably can but I found the instructions to be pretty finicky... Just be ready for a little trial and error

  • @SpicySpleen
    @SpicySpleen 3 years ago

    good info thank you for sharing

  • @pdoubleyou7801
    @pdoubleyou7801 3 years ago

    you mentioned that the mac address was easily identifiable as a Pi. And that it was easy to mask that. How is it easily identified as such? is there a mac id lookup chart somewhere? And If you can spot this so can a hacker, so how do you mask or change it please?

    • @AnotherMaker
      @AnotherMaker 3 years ago +2

      So the MAC address is partly a manufacturer code and partly a serial number. Here's a tool for looking them up. www.wireshark.org/tools/oui-lookup.html RasPi's begin with DC-A6-32 or B8-27-EB. They can be changed, but that's the default. Here's how to change it pimylifeup.com/raspberry-pi-mac-address-spoofing/

  • @okuz
    @okuz 4 years ago

    thanks for the information. can i ask how someone can tell if the host is a raspberry pi by only looking to the mac address? and what's the proper way to hide it? i mean i know the mac can be changed. but i don't know what should i replace the mac with in order to host looking like a normal computer/server?

    • @peterfrisch8373
      @peterfrisch8373 4 years ago +1

      I looked up the vendor MAC address for Intel (the first six characters, like this: 00:11:75) and used the last six from the Pi. I have tested this with Angry IP Scanner and it shows like an Intel NIC. Intel has a bunch of MAC registrations. I wish I knew which ones are assigned to server NICs.
      Those would be the ones to use.

    • @okuz
      @okuz 4 years ago

      @@peterfrisch8373 thank you very much.

    • @AnotherMaker
      @AnotherMaker 4 years ago +2

      Yep. First 6 digits... gist.github.com/aallan/b4bb86db86079509e6159810ae9bd3e4
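
The two MAC threads above, turned into a check you can run on the honeypot itself. This is an added example, not code from the video or from OpenCanary. The two Pi prefixes and the Intel prefix 00:11:75 are the ones quoted in the comments; the function names and the `ip -o link` sample are constructed.

```python
import re

# OUI prefixes quoted in the thread as Raspberry Pi defaults.
PI_OUIS = {"DC:A6:32", "B8:27:EB"}

# One interface per line, as printed by `ip -o link`.
LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:.*?link/ether\s+([0-9A-Fa-f:]{17})")

# Constructed sample output (not captured from a real device).
SAMPLE_IP_LINK = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN"
    "\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n"
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP"
    "\\    link/ether dc:a6:32:12:34:56 brd ff:ff:ff:ff:ff:ff\n"
    "3: wlan0: <BROADCAST,MULTICAST> mtu 1500 state DOWN"
    "\\    link/ether 02:1a:2b:3c:4d:5e brd ff:ff:ff:ff:ff:ff\n"
)


def normalize(mac):
    """Accept aa:bb:.., AA-BB-.. or aabb.ccdd.eeff and return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def tells(mac):
    """Return the reasons this MAC would look wrong on a decoy server."""
    mac = normalize(mac)
    first_octet = int(mac[:2], 16)
    found = []
    if mac[:8] in PI_OUIS:
        found.append("Raspberry Pi vendor prefix")
    if first_octet & 0x02:
        # Randomly generated MACs usually set this bit; no vendor lookup will match.
        found.append("locally administered bit set (no registered vendor)")
    if first_octet & 0x01:
        found.append("multicast bit set (invalid as an interface address)")
    return found


def with_vendor_prefix(mac, oui):
    """Keep the last three octets of mac and swap in another vendor's OUI."""
    oui_digits = re.sub(r"[^0-9A-Fa-f]", "", oui)
    if len(oui_digits) != 6:
        raise ValueError(f"not a 24-bit OUI: {oui!r}")
    return normalize(oui_digits + normalize(mac).replace(":", "")[6:])


def audit_links(ip_link_output):
    """Map interface name -> list of tells, from `ip -o link` output."""
    report = {}
    for line in ip_link_output.splitlines():
        match = LINK_RE.match(line)
        if match:  # loopback has link/loopback, so it never matches
            report[match.group(1)] = tells(match.group(2))
    return report


if __name__ == "__main__":
    for iface, found in audit_links(SAMPLE_IP_LINK).items():
        print(iface, "->", found or "nothing obvious")
    print(with_vendor_prefix("dc:a6:32:12:34:56", "00:11:75"))
```

On a real device, pass the output of `ip -o link` to `audit_links` after applying the MAC change to confirm it took effect.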

  • @dablet
    @dablet 3 years ago

    i made it to auto run after booting up. now, how to verify that it is actually running?

    • @AnotherMaker
      @AnotherMaker 3 years ago

      If you visit the pi in an ftp client, you should get an alert.

  • @h4rdkn0x
    @h4rdkn0x 3 years ago

    If it is something you are going to setup and forget I would recommend monitoring it and maybe test that it still works say once a month. I think a better solution would be to setup honey pots like this but on real machines in the network. Think what ports and type of machines do hacker look for first to exploit set it up on real machines without it giving them access to anything real or of real value and make it trigger alerts with all the info needed to track it back to the source. It needs to be good enough to fool real security experts and the fewer people that know about it the better.

    • @AnotherMaker
      @AnotherMaker 3 years ago +1

      Yeah. There are a ton of advanced features I didn't get into but this software can be installed and configured in a lot of different ways.

  • @David8n
    @David8n 3 years ago

    Why do all the instructions and tutorials on the net start from an Ubuntu install? Is there a reason why a Raspbian install wouldn't work just as well?

    • @AnotherMaker
      @AnotherMaker 3 years ago +1

      Yeah. Raspbian didn't work for me and after a few attempts, I just gave up.

    • @David8n
      @David8n 3 years ago

      @@AnotherMaker Thanks. That's informative.

  • @akshayrathore2882
    @akshayrathore2882 3 years ago

    Is there any advantage to hosting OpenCanary on separate hardware like Raspi vs VM in already running server?

    • @AnotherMaker
      @AnotherMaker 3 years ago +2

      Not particularly. I just kind of aimed this at the "I have a raspberry pi laying around and I don't know what to do with it" crowd.

    • @akshayrathore2882
      @akshayrathore2882 3 years ago

      @@AnotherMaker Okay, thanks.

  • @HoneyBadgerVideos
    @HoneyBadgerVideos 3 years ago +1

    Karen was actually working for the Russians.
    Karen was looking for the login details of the CEO

    • @AnotherMaker
      @AnotherMaker 3 years ago +2

      We should have known. Her name was Karen Putinovski.

    • @yannisgk
      @yannisgk 3 years ago

      @@AnotherMaker lol

  • @tomribbens4860
    @tomribbens4860 3 years ago

    Looking through the opencanary docs and such. Can't see a reason there why it needs to be Ubuntu, and can't be the default Raspbian or such?

    • @egg5474
      @egg5474 3 years ago

      Possibly a dependency hasn’t yet been built for arm64, but you could likely solve that yourself by getting the source and compiling locally, and/or rewriting the initialisation script if need be, for example Ubuntu may have a differently structured dependency tree and you may need to specify an absolute system path so it can find such dependencies

    • @AnotherMaker
      @AnotherMaker 3 years ago

      My experience was that it was super picky in terms of me just writing a set of instructions that people can follow (and even then in the YT and GIT comments people have needed to make their own tweaks). So I pushed people towards ubuntu. For instance, if you ran those commands on RasPi os, it just wouldn't work. Not that it couldn't be made to work, but you'd be on your own to figure it out.

  • @AdamHillikerLikesRobots
    @AdamHillikerLikesRobots 2 years ago

    Is putting your gmail credentials unencrypted on a device designed to bait hackers the best idea? Maybe use a throwaway gmail account with a forwarder setup eh

  • @handle-2
    @handle-2 11 months ago

    Hello, thanks for the great video and demonstration.
    I have tried following your exact steps and used the commands you posted as well. But I have an issue with setting up the gmail alerts, I created a new account and provided the exact credentials in the config file, but I still get the error that you had “SMTPAuthenticationError”(535, b’5.7.7 Username and Password not accepted.). Any help would be appreciated!

    • @handle-2
      @handle-2 11 months ago

      I did some research and it turns out that google has blocked this option according to one of their support pages: “To help keep your account secure, from May 30, 2022, ​​Google no longer supports the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password.”
      So I am kind of a beginner in all this, which mailing service can I use instead?, and what should I write in the config file? 😭

    • @wallace_n_gromit3180
      @wallace_n_gromit3180 10 months ago

      I use a google account that still supports 3rd-party apps or devices for my Asuswrt-Merlin asus router to send me statistical router updates everyday. Perhaps I'm grandfathered in or there is still a way to allow 3rd-party apps (even though Google denies it)?
      About 1 and a half years ago I was experimenting with OpenCanary on one of my Raspberry Pi's. Watched various youtube videos and tried several different methods they touted. I ran into problems with each method except for the method described by youtuber "LiuKane" via a virtual environment. He was using Kali Linux but I was using Raspberry Pi OS.
      ua-cam.com/video/7rlp6DUXCcI/v-deo.html

  • @CodyKeller
    @CodyKeller 2 years ago

    When I open the config file, it's blank. Any thoughts?

    • @AnotherMaker
      @AnotherMaker 2 years ago

      It's been a while, but you can probably get the defaults from the git repo. If it's the settings.json file, this one github.com/thinkst/opencanary/blob/master/opencanary/data/settings.json Otherwise something else in that repo. The file structure might be slightly off, but that will get you close.

  • @KentonMSmith
    @KentonMSmith 4 years ago +1

    if the Pi is reset will it automatically login and start OpenCanary?

    • @bowles22
      @bowles22 4 years ago

      No. I'm trying to get this to start on boot. If I make any progress I'll reply

    • @bowles22
      @bowles22 4 years ago +1

      Ok so i got this working.
      sudo -i (this will run all commands as root, you NEED to do everything as root)
      run the install instructions (as root) all the way up to the --copyconfig
      make a script to run it (nano /usr/loca/bin/opencanary.sh)
      Script should be
      #!/bin/bash
      ./usr/local/bin/opencanary.sh
      (exit the editor while saving)
      Make script executable (chmod x+ /usr/local/bin/opencanary.sh)
      test script ( ./usr/local/bin/opencanary.sh)
      it should be running now if not stop and troubleshoot that
      Make it run on boot with crontab -e
      @reboot /usr/loca/bin/opencanary.sh (save and exit)
      Reboot and it should be running.
      NOW I am sure that running this as root is not ideal but i could not get it to work any other way for me and since the device is intended to be probed by hackers nothing should be running on this so i don't think its a HUGE deal but if someone else could make this work as a normal user then i would do that.

    • @AnotherMaker
      @AnotherMaker 4 years ago

      I was going to research this, but thank you for doing it! I'll add this to the repo. You rock.

    • @nickvdmolen4883
      @nickvdmolen4883 4 years ago

      @@AnotherMaker what commands are required if i restart the raspberry? (this thing is running great, but i want to transport it to my workplace and run it from there) or do i have to reinstall it after every boot?

    • @Svensholmensvanner
      @Svensholmensvanner 4 years ago

      @@AnotherMaker I tried this and couldn't get it to work on my raspberry. Apart from some small spelling mistakes in Matthew's comment, I can create the opencanary.sh and do the chmod but when I try to run it it says it doesn't exist

  • @sammo7877
    @sammo7877 3 years ago

    karen letting the side down again - i think we have to let her go

  • @davidmalkowski7850
    @davidmalkowski7850 3 years ago

    Could this be run alongside other actual fileshares and other things a Pi could be responsible for? Currently I run a Pi 4 8GB as a ZFS Samba share in RAID Z2, alongside Wireguard (ingress to the network through a VPN connection) alongside PiHole and Unbound.

    • @AnotherMaker
      @AnotherMaker 3 years ago

      Oh absolutely. The canary software uses almost no overhead. You could run a bunch of things on it. Although I will say that because you're inviting people to target the pi, there might be a use case for doing it in some sort of container, but if you detect them fast enough, it really probably doesn't matter.

    • @pd8559
      @pd8559 3 years ago

      @@AnotherMaker If you look at the GitHub the entire product is nearly 100% Python files. Any computer running Python should be able to execute the Python code and run Open Canary. There is no Raspberry Pi Zero exclusion I see. The only thing that is excluded from running on Raspberry Pi Zero is the Ubuntu OS because they did not compile Ubuntu source code for ARMv6 instruction set and only ARMv7 and higher. Any other Linux OS with Python on it that runs on Raspberry Pi Zero can be used as the base to run the Open Canary daemons in the background as designed.

    • @pd8559
      @pd8559 3 years ago

      Here is the further details: Runs on Twisted a Python framework. Mostly 100% Pure Python, the only non Python requirement was a full Samba implementation in order to be able to join corporate Active Directory domains, which I don't think is a critical req for a home user.

  • @redbaron3555
    @redbaron3555 2 years ago

    Does this also work with a later version of Ubuntu? Like the 21.10 Version?

    • @AnotherMaker
      @AnotherMaker 2 years ago +1

      It does, but the instructions might be slightly different.

    • @redbaron3555
      @redbaron3555 2 years ago

      @@AnotherMaker Thank you, yes it does work but as you say the step to install and activate the python environment and libraries was a little different and the file paths are a little different but after a little tweaking it runs great. Thank you for making this video!

  • @Svensholmensvanner
    @Svensholmensvanner 4 years ago +1

    AWESOME!

  • @Bossman207-g7x
    @Bossman207-g7x 4 years ago

    Got to the end of the steps starting gave me errors:
    [-] Failed to open opencanary.conf for reading ([Errno 2] No such file or directory: 'opencanary.conf')
    [-] Failed to open /root/.opencanary.conf for reading ([Errno 2] No such file or directory: '/root/.opencanary.conf')
    [-] Failed to open /etc/opencanaryd/opencanary.conf for reading ([Errno 2] No such file or directory: '/etc/opencanaryd/opencanary.conf')
    Not sure where or how these are configured. I did the --copyconfig and edited it at /home/ubuntu/.opencanary.conf. Is this the file it can't find? /root is not accessible to the ubuntu user... Should we still be in activate (env) at this point?

    • @AnotherMaker
      @AnotherMaker 4 years ago

      Depending on your os it could be /ubuntu, /root or /pi. My instructions were for the pi version of ubuntu

    • @Bossman207-g7x
      @Bossman207-g7x 4 years ago

      @@AnotherMaker Well, I'm not sure exactly what happened here, but I think it has something to do with this line in the opencanaryd: cp "${usermodconf}" opencanary.conf
      Edit: Anyway, I got it working 100% on my raspberry pi os on pi zero w. I just had to manually copy the .opencanary.conf to opencanary.conf in my home dir. Now all the services I enable come up and it works great. Thanks tutorial!

  • @basharblue
    @basharblue 4 years ago

    in regards to "From Matthew Bowles in the comment concerning running on boot." I was not able to get it to work. can you please try it yourself and give us the exact steps. Thank you so much for this great video. btw I have it running as a virtual machine on my Unraid server using Ubuntu linux live server 18.0.4 amd64

    • @MarcLipari
      @MarcLipari 3 years ago

      look out for some typos, 2 places state /loca/ instead of /local/

  • @1raskumar
    @1raskumar 4 years ago +3

    Thank you!

  • @theglowcloud2215
    @theglowcloud2215 3 years ago +1

    Karen from accounting is hot.

    • @AnotherMaker
      @AnotherMaker 3 years ago +1

      Haha. Well, she's looking for a new job. You might be able to hire her cheap.

  • @LP-fy8wr
    @LP-fy8wr 3 years ago

    Ya a honeypot is nice to have but what you really need is visibility and to be able to see people knocking on the door, not after the fact and they are attacking shit on your LAN. You need a true Netflow server running Security Onion. Even Nagios for Pi is not bad if you are on a budget. You will need to configure some port mirroring for the sniffer interface as well depending on how your network topology looks.

    • @AnotherMaker
      @AnotherMaker 3 years ago +1

      100% agree. This is not meant to be a one size fits all security device. It's one part of a comprehensive security strategy.

    • @LP-fy8wr
      @LP-fy8wr 3 years ago

      @@AnotherMaker Ya you bet, actually you can use one of these as a probe in a Security Onion system as well. Nice video man keep up the great work!!

  • @JNET_Reloaded
    @JNET_Reloaded 3 years ago

    it better than kippo?

    • @AnotherMaker
      @AnotherMaker 3 years ago

      I don't know that one. I'll have to check it out. Thanks for the tip.

  • @dodgydruid
    @dodgydruid 3 years ago +1

    We used to use an old PC for this sort of thing we called a "war box" where you setup using Linux a pathetic old machine that's sole role was to act as a shield for your personal machine whilst acting as a single node network, was some clever brainwork doing all that back in the day and of course virtual machines came out and what a field day was had utilising a couple of VM's in the mix hehe Thing is, with the growing of cloud services, the abilities to do something nasty to ppls machine is growing smaller each year and I can foresee a time when computers will simply be do it all terminals with all the browser, work, games etc done in the cloud and that is what Geforce Now and other server gaming services are doing and very hard to break into as well because of the myriad changing shape of the evolving cloud.

    • @AnotherMaker
      @AnotherMaker 3 years ago

      Yep. Absolutely. The only real advantage to using the pi is a little bit of extra isolation and low power consumption.

  • @berndeckenfels
    @berndeckenfels 3 years ago

    Don’t forget to set a sane MAC address, bad hats won’t connect RPi devices if they are smart

    • @AnotherMaker
      @AnotherMaker 3 years ago

      OpenCanary changes the Mac for you to something other than a stock raspi one

  • @mabec
    @mabec 3 years ago +2

    Karen't

  • @sleptiq
    @sleptiq 4 years ago +1

    If you are already running a home lab, a VM would be even cheaper

    • @bowles22
      @bowles22 4 years ago +1

      I like VM better since it's simpler to update the MAC address so I can spoof whatever device I like

    • @AnotherMaker
      @AnotherMaker 4 years ago +1

      100%

    • @AnotherMaker
      @AnotherMaker 4 years ago +3

      Totally agree. I didn't expect many people to watch this, so I did it in a pi because I felt like a lot of people have them laying around, but yeah. VM is a great way to go if you know how to manage them.

  • @ashketchum4953
    @ashketchum4953 3 years ago +1

    Does this mean your Gmail password is written in plain text?

    • @AnotherMaker
      @AnotherMaker 3 years ago +3

      I recommend using a burner account or one of the other free notification options

    • @AnotherMaker
      @AnotherMaker 3 years ago +2

      But yes.

    • @thesparkster
      @thesparkster 3 years ago

      @@AnotherMaker You could always then forward emails from that burner account to your legit one.

  • @Jerry-vt4zf
    @Jerry-vt4zf 4 years ago

    Why do you use Ubuntu 18.04.5 and not Ubuntu 20.04.1?

    • @AnotherMaker
      @AnotherMaker 4 years ago +1

      It took a lot of trial-and-error to get this working so I posted the version that worked for me. I can see over on my GitHub that people are having mixed success with other configurations. I just plain ran out of time to try all of them

    • @Jerry-vt4zf
      @Jerry-vt4zf 4 years ago

      @@AnotherMaker fair enough. Thanks for your time and posting this online.

  • @evolutionxbox
    @evolutionxbox 3 years ago

    What if the email uses 2fa?

    • @AnotherMaker
      @AnotherMaker 3 years ago +2

      Personally I would pick a different email. Otherwise, they do have other notification options. I just picked email in the video since it was quick. I regret not talking about using a burner account in the video itself.

  • @HoneyBadgerVideos
    @HoneyBadgerVideos 3 years ago

    19 hackers are mad that this ruins their plans

    • @AnotherMaker
      @AnotherMaker 3 years ago +1

      I hope they don't come after me. At least I have a couple different versions of this canary to catch them.

  • @gautamkakar4223
    @gautamkakar4223 1 year ago

    I am not receiving any mails can you please help?

    • @AnotherMaker
      @AnotherMaker 1 year ago

      If you used Gmail then they may be blocking it. You may need to use an app specific password for Gmail. That usually fixes it

    • @gautamkakar4223
      @gautamkakar4223 1 year ago

      @@AnotherMaker Yeah I did that I still don’t receive any mails :(

  • @daleerickson520
    @daleerickson520 4 years ago +1

    Cool Pi project for home or very small networks, but of course any corporate entity even a small one will have an actual server that runs some virtual environment these days and just setup OpenCanary on a Ubuntu VM. I can't imagine a reason to do this on a Pi if you have a real server...

    • @AnotherMaker
      @AnotherMaker 4 years ago +1

      Yeah. I would agree. Although the idea of preconfiguring these and dropping them on client's networks if you manage a bunch of small companies is not a terrible idea.

    • @jasonl5523
      @jasonl5523 3 years ago

      @@AnotherMaker as long as gmail isn't blocked by filtering.

  • @RickLogan
    @RickLogan 4 years ago

    I keep getting the following:
    [-] Failed to open opencanary.conf for reading ([Errno 2] No such file or directory: 'opencanary.conf')
    [-] Using config file: /home/ubuntu/.opencanary.conf
    [-] Failed to decode json from /home/ubuntu/.opencanary.conf (Expecting , delimiter: line 30 column 17 (char 911))
    [-] Failed to open /etc/opencanaryd/opencanary.conf for reading ([Errno 2] No such file or directory: '/etc/opencanaryd/opencanary.conf')
    /home/ubuntu/env/local/lib/python2.7/site-packages/cryptography/__init__.py:39: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
    CryptographyDeprecationWarning,
    Can't import RDP. Please ensure you have RDP installed.
    Can't import SNMP. Please ensure you have Scapy installed.
    Error: config does not have 'logger' section

    • @AnotherMaker
      @AnotherMaker 4 years ago

      Are you using the recommended 32 bit ubuntu on a regular pi?

    • @RickLogan
      @RickLogan 4 years ago

      @@AnotherMaker Yes I am, I tried again, and it looks to be running ok now

    • @RickLogan
      @RickLogan 4 years ago

      @@AnotherMaker I do have another question though, how do you tell if open canary is running via terminal?
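
The errors quoted in this thread (a JSON decode failure at a given line and column, then "config does not have 'logger' section") and the plaintext-password concern raised in several comments can all be checked before starting the daemon. This is an added example, not OpenCanary's own code: it assumes the config is one JSON object with SMTP credentials somewhere under the `logger` section in a `credentials` list; the function names and the sample configs are constructed.

```python
import json
import os
import stat
import sys
import tempfile

# Constructed samples. BROKEN lacks the comma after the "ftp.enabled" line.
BROKEN = '{\n  "device.node_id": "opencanary-1",\n  "ftp.enabled": true\n  "ftp.port": 21\n}\n'
NO_LOGGER = '{"device.node_id": "opencanary-1", "ftp.enabled": true}'
GOOD = json.dumps({
    "device.node_id": "opencanary-1",
    "ftp.enabled": True,
    "logger": {"class": "PyLogger", "kwargs": {"handlers": {"SMTP": {
        "class": "logging.handlers.SMTPHandler",
        "mailhost": ["smtp.example.com", 25],
        "credentials": ["burner@example.com", "app-password-placeholder"],
    }}}},
})


def find_credentials(node, path=""):
    """Yield dotted paths of every non-empty 'credentials' or 'password' key."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in ("credentials", "password") and value:
                yield here
            else:
                yield from find_credentials(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_credentials(item, f"{path}[{i}]")


def lint_config(conf_path):
    """Return a list of findings for one opencanary.conf; an empty list means clean."""
    try:
        with open(conf_path, encoding="utf-8") as fh:
            text = fh.read()
    except OSError as exc:
        return [f"cannot read {conf_path}: {exc.strerror}"]

    try:
        conf = json.loads(text)
    except json.JSONDecodeError as exc:
        # The decoder reports where it expected the delimiter, so a missing
        # comma usually belongs at the end of the line BEFORE the reported one.
        lines = text.splitlines()
        bad = lines[exc.lineno - 1].strip() if exc.lineno <= len(lines) else ""
        return [f"invalid JSON at line {exc.lineno} column {exc.colno}: {exc.msg} -> {bad}"]

    if not isinstance(conf, dict):
        return ["top level of the config must be a JSON object"]

    findings = []
    if "logger" not in conf:
        findings.append("missing 'logger' section")

    # Secrets in a file that group or other can read are exposed to every
    # local account on the decoy, not only to the user running the daemon.
    secrets = list(find_credentials(conf))
    mode = stat.S_IMODE(os.stat(conf_path).st_mode)
    if secrets and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(
            f"mode {mode:04o} lets other local users read secrets at: "
            + ", ".join(secrets) + " (chmod 600)"
        )
    return findings


def write_sample(text, mode):
    """Write a constructed config to a temp file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Lint the files named on the command line, or a constructed broken sample.
    for target in sys.argv[1:] or [write_sample(BROKEN, 0o600)]:
        for finding in lint_config(target) or ["ok"]:
            print(f"{target}: {finding}")
```

Run it against the path the daemon prints after "Using config file:", since that is the file actually being loaded.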

  • @randy6999
    @randy6999 4 years ago

    When I attempt to install rdpy the last output is " segmentation fault (core dumped) " Does anyone knows what would cause this?

    • @AnotherMaker
      @AnotherMaker 4 years ago

      Which pi and which os?

    • @randy6999
      @randy6999 4 years ago

      @@AnotherMaker pi 4 with 18.04.5 ubuntu

    • @AnotherMaker
      @AnotherMaker 4 years ago

      It's not 64 bit right?

    • @randy6999
      @randy6999 4 years ago

      @@AnotherMaker 32

    • @randy6999
      @randy6999 4 years ago +2

      I tried a 16GB card and it worked! Appreciate you responding!

  • @eprofessio
    @eprofessio 3 years ago

    Put the hackers in a meat grinder.

  • @tushargaming25
    @tushargaming25 4 years ago +1

    Hello

    • @johanhendriks
      @johanhendriks 3 years ago

      Dipak! Hello old friend. It has been so long. How have you been? My god it's so good to find you again. And on youtube, of all places. When the covid this blows over you should definitely drop by for a cup of tea.

  • @framosaz
    @framosaz 4 years ago

    I'll take a look at the documentation, but offhand do you know if there is another way to use email without having a password in a flat file? Might be a good case for a one off Gmail account if not.

    • @AnotherMaker
      @AnotherMaker 4 years ago +3

      I use a 1 off gmail for that sort of stuff. I feel like you might be able to use something like fake sendmail. I do it on my web projects without actually having email credentials, but tbh, I don't really know. I'm going to take a crack at a few other configs on this. Feel free to comment back if you get a better notification option.

    • @framosaz
      @framosaz 4 years ago

      Another Maker Those faked sendmail emails can get hemmed up in the spam folder. Still, small price to pay for a low cost canary. I will set one up at home and mess around with it.
      Thanks for the video!

    • @AnotherMaker
      @AnotherMaker  4 years ago

      @framosaz Yeah! I tend to whitelist that fake sendmail... Again, I think a burner gmail account is the easiest, but I'm sure there's a better way to do it. I'd like to set it up with something like Pushover or Pushbullet
      Good luck!

    • @Bossman207-g7x
      @Bossman207-g7x 4 years ago

      @AnotherMaker This is where I stopped too in order to read the comments. I don't know that I want the box I'm "directing hackers to" to contain my gmail account creds. Is it possible to use postfix? Any config examples/tutorials you could recommend?
      ...but setting up an "app password" via google might be the way to go otherwise...

  • @steadyforge6904
    @steadyforge6904 3 years ago

    does not work on raspberry pi 4 b 4gb lots of errors
    ** We hope you enjoy using OpenCanary. For more open source Canary goodness, head over to canarytokens.org. **
    [-] Using config file: opencanary.conf
    /home/pi/env/local/lib/python2.7/site-packages/OpenSSL/crypto.py:14: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
    from cryptography import utils, x509
    Traceback (most recent call last):
    File "/usr/lib/python2.7/logging/handlers.py", line 957, in emit
    smtp.login(self.username, self.password)
    File "/usr/lib/python2.7/smtplib.py", line 623, in login
    raise SMTPAuthenticationError(code, resp)
    SMTPAuthenticationError: (534, '5.7.9 Application-specific password required. Learn more at
    5.7.9 support.google.com/mail/?p=InvalidSecondFactor c204sm10616013oob.44 - gsmtp')
    Logged from file logger.py, line 161
    {"dst_host": "", "dst_port": -1, "local_time": "2020-12-31 01:56:51.286892", "logdata": {"msg": {"logdata": "Added service from class CanaryFTP in opencanary.modules.ftp to fake"}}, "logtype": 1001, "node_id": "finance llc ftp", "src_host": "", "src_port": -1}
    Traceback (most recent call last):
    File "/usr/lib/python2.7/logging/handlers.py", line 957, in emit
    smtp.login(self.username, self.password)
    File "/usr/lib/python2.7/smtplib.py", line 623, in login
    raise SMTPAuthenticationError(code, resp)
    SMTPAuthenticationError: (534, '5.7.9 Application-specific password required. Learn more at
    5.7.9 support.google.com/mail/?p=InvalidSecondFactor m15sm6610564otl.11 - gsmtp')
    Logged from file logger.py, line 161
    {"dst_host": "", "dst_port": -1, "local_time": "2020-12-31 01:56:51.917632", "logdata": {"msg": "Canary running!!!"}, "logtype": 1001, "node_id": "finance llc ftp", "src_host": "", "src_port": -1}

    • @AnotherMaker
      @AnotherMaker  2 years ago +1

      If you don't mind please check the git repository under issues and you may see a solution there... I am out of the office for the holidays but when I get back I can check my computer and see if there's any way to update this
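
Added example (not part of the comment thread and not OpenCanary's own code): a Python check for startup output of the kind pasted in the comment above. It separates the JSON events from the logging tracebacks and reports whether the canary started, which services loaded, and whether the SMTP alert handler is failing to authenticate. The sample text is constructed from the shape of that output; the function and result key names are this example's own.

```python
import json

# Constructed sample, shortened from the shape of the output in the comment.
# The last line is deliberately truncated, as a wrapped terminal paste can be.
SAMPLE = '''[-] Using config file: opencanary.conf
Traceback (most recent call last):
  File "/usr/lib/python2.7/smtplib.py", line 623, in login
    raise SMTPAuthenticationError(code, resp)
SMTPAuthenticationError: (534, '5.7.9 Application-specific password required.')
Logged from file logger.py, line 161
{"dst_host": "", "dst_port": -1, "logdata": {"msg": {"logdata": "Added service from class CanaryFTP in opencanary.modules.ftp to fake"}}, "logtype": 1001, "node_id": "finance llc ftp", "src_host": "", "src_port": -1}
Traceback (most recent call last):
SMTPAuthenticationError: (534, '5.7.9 Application-specific password required.')
{"dst_host": "", "dst_port": -1, "logdata": {"msg": "Canary running!!!"}, "logtype": 1001, "node_id": "finance llc ftp", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "logdata": {"msg": "Canary run
'''

PREFIX = "Added service from class "

def _message(event):
    """Text of an event: 'msg' is either a string or a nested dict."""
    logdata = event.get("logdata")
    msg = logdata.get("msg") if isinstance(logdata, dict) else None
    if isinstance(msg, dict):
        msg = msg.get("logdata")
    return msg if isinstance(msg, str) else ""

def triage(output):
    """Summarise mixed stdout: JSON events plus handler tracebacks."""
    events, smtp_failures, unparsed = [], 0, 0
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("SMTPAuthenticationError"):
            smtp_failures += 1       # alert e-mail was not sent
        elif line.startswith("{"):
            try:
                events.append(json.loads(line))
            except ValueError:
                unparsed += 1        # wrapped or truncated JSON line
    messages = [_message(e) for e in events]
    return {
        "running": any("Canary running" in m for m in messages),
        "services": [m[len(PREFIX):].split()[0] for m in messages
                     if m.startswith(PREFIX) and m[len(PREFIX):].strip()],
        "smtp_auth_failures": smtp_failures,
        "email_alerts_failing": smtp_failures > 0,
        "unparsed_json_lines": unparsed,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A result with "running" true and "email_alerts_failing" true means the honeypot services are up but no e-mail notification will arrive until the SMTP login is fixed.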