Use this guide to deploy lightweight deception controls and get early alerts when someone touches assets they should never access.
Some of this information is adapted from virtualize.link; see the original source repository for the upstream version.

Canary tokens

Canary tokens act like motion sensors for networks, endpoints, and cloud environments. You place them where no legitimate access should happen, and you receive an alert when they are opened or triggered. They are designed to look attractive to an intruder so that they are more likely to be touched. Examples:
  • QR code named wallet.png
  • Microsoft Excel file named passwords.xlsx
  • Microsoft Word file named servers.docx
  • AWS key file named aws-keys.txt
  • WireGuard VPN configuration
  • PDF file named investments.pdf

OpenCanary honeypot container

OpenCanary is a multi-protocol network honeypot with low resource usage. Use it to detect lateral movement after a perimeter breach.

Configuration

  • Store your config as opencanary.conf.
  • Disable any service, or remap its port, where that port is already in use on the host.
  • Update the webhook URL so alerts reach your notification system.
opencanary.conf
{
  "device.node_id": "opencanary-server",
  "ip.ignorelist": [],
  "logtype.ignorelist": [],
  "git.enabled": true,
  "git.port": 9418,
  "ftp.enabled": true,
  "ftp.port": 21,
  "ftp.banner": "FTP server ready",
  "ftp.log_auth_attempt_initiated": false,
  "http.banner": "Apache/2.2.22 (Ubuntu)",
  "http.enabled": true,
  "http.port": 80,
  "http.skin": "nasLogin",
  "http.skin.list": [
    {
      "desc": "Plain HTML Login",
      "name": "basicLogin"
    },
    {
      "desc": "Synology NAS Login",
      "name": "nasLogin"
    }
  ],
  "http.log_unimplemented_method_requests": false,
  "http.log_redirect_request": false,
  "https.enabled": true,
  "https.port": 443,
  "https.skin": "nasLogin",
  "https.certificate": "/etc/ssl/opencanary/opencanary.pem",
  "https.key": "/etc/ssl/opencanary/opencanary.key",
  "httpproxy.enabled": true,
  "httpproxy.port": 8080,
  "httpproxy.skin": "squid",
  "httproxy.skin.list": [
    {
      "desc": "Squid",
      "name": "squid"
    },
    {
      "desc": "Microsoft ISA Server Web Proxy",
      "name": "ms-isa"
    }
  ],
  "llmnr.enabled": false,
  "llmnr.query_interval": 60,
  "llmnr.query_splay": 5,
  "llmnr.hostname": "DC03",
  "llmnr.port": 5355,
  "logger": {
    "class": "PyLogger",
    "kwargs": {
      "formatters": {
        "plain": {
          "format": "%(message)s"
        },
        "syslog_rfc": {
          "format": "opencanaryd[%(process)-5s:%(thread)d]: %(name)s %(levelname)-5s %(message)s"
        }
      },
      "handlers": {
        "console": {
          "class": "logging.StreamHandler",
          "stream": "ext://sys.stdout"
        },
        "Webhook": {
          "class": "opencanary.logger.WebhookHandler",
          "url": "https://ntfy.domain.com/topic",
          "method": "POST",
          "data": "%(message)s",
          "status_code": 200,
          "ignore": ["Added service from class", "Canary running", "startYourEngines"],
          "headers": {
            "Title": "OpenCanary"
          }
        }
      }
    }
  },
  "portscan.enabled": true,
  "portscan.ignore_localhost": false,
  "portscan.logfile": "/var/log/kern.log",
  "portscan.synrate": 5,
  "portscan.nmaposrate": 5,
  "portscan.lorate": 3,
  "portscan.ignore_ports": [],
  "smb.auditfile": "/var/log/samba-audit.log",
  "smb.enabled": true,
  "mysql.enabled": true,
  "mysql.port": 3306,
  "mysql.banner": "5.5.43-0ubuntu0.14.04.1",
  "mysql.log_connection_made": false,
  "ssh.enabled": true,
  "ssh.port": 22,
  "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",
  "redis.enabled": true,
  "redis.port": 6379,
  "rdp.enabled": true,
  "rdp.port": 3389,
  "sip.enabled": true,
  "sip.port": 5060,
  "snmp.enabled": true,
  "snmp.port": 161,
  "ntp.enabled": true,
  "ntp.port": 123,
  "tftp.enabled": true,
  "tftp.port": 69,
  "tcpbanner.maxnum": 10,
  "tcpbanner.enabled": true,
  "tcpbanner_1.enabled": true,
  "tcpbanner_1.port": 8001,
  "tcpbanner_1.datareceivedbanner": "",
  "tcpbanner_1.initbanner": "",
  "tcpbanner_1.alertstring.enabled": false,
  "tcpbanner_1.alertstring": "",
  "tcpbanner_1.keep_alive.enabled": false,
  "tcpbanner_1.keep_alive_secret": "",
  "tcpbanner_1.keep_alive_probes": 11,
  "tcpbanner_1.keep_alive_interval": 300,
  "tcpbanner_1.keep_alive_idle": 300,
  "telnet.enabled": true,
  "telnet.port": 23,
  "telnet.banner": "",
  "telnet.honeycreds": [
    {
      "username": "admin",
      "password": "$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA"
    },
    {
      "username": "admin",
      "password": "admin1"
    }
  ],
  "telnet.log_tcp_connection": false,
  "mssql.enabled": true,
  "mssql.version": "2012",
  "mssql.port": 1433,
  "vnc.enabled": true,
  "vnc.port": 5000
}

Docker Compose

  • Remove any published port, or remap it, where that port is already in use on the host.
  • Update the mounted path so it points at your local opencanary.conf.
compose.yaml
# OpenCanary honeypot as a single Compose service.
# The host-side port numbers published below mirror the "<service>.port" values
# in opencanary.conf; keep the two files in sync when remapping a port.
services:
  opencanary:
    image: thinkst/opencanary
    container_name: opencanary
    volumes:
      # Only the config file is mounted. opencanary.conf also references
      # /etc/ssl/opencanary/opencanary.pem, /etc/ssl/opencanary/opencanary.key,
      # /var/log/kern.log and /var/log/samba-audit.log inside the container —
      # presumably the image provides or generates these; mount them here if it
      # does not (TODO confirm against the image).
      - /path/to/opencanary/opencanary.conf:/root/.opencanary.conf
    ports:
      # Each entry is "host:container". Port 5355 (LLMNR) is deliberately not
      # published because llmnr.enabled is false in opencanary.conf.
      # FTP
      - "21:21"
      # SSH
      - "22:22"
      # Telnet
      - "23:23"
      # TFTP
      - "69:69"
      # HTTP
      - "80:80"
      # NTP
      - "123:123"
      # SNMP
      - "161:161"
      # HTTPS
      - "443:443"
      # MSSQL
      - "1433:1433"
      # MYSQL
      - "3306:3306"
      # RDP
      - "3389:3389"
      # VNC
      - "5000:5000"
      # SIP
      - "5060:5060"
      # REDIS
      - "6379:6379"
      # TCP Banner
      - "8001:8001"
      # HTTP Proxy
      - "8080:8080"
      # Git
      - "9418:9418"
    # Restart on failure and after a host reboot, but stay down after an explicit stop.
    restart: unless-stopped