Let’s Set Up a Free and Open-Source Network Honeypot
Use a Raspberry Pi and OpenCanary to help detect network intruders
If you’re a high-risk individual like a whistleblower, lawyer, or journalist, you may rightfully want to make sure your home or work network is safe from intruders. Setting up a honeypot on a Raspberry Pi is an easy and effective way to help you learn if there’s anyone on your network who shouldn’t be.
In this tutorial, we’ll set up an OpenCanary honeypot by Thinkst.
Hardware Requirements
- Raspberry Pi 3/4/5/Zero
Step 1: Prepare Your MicroSD Card
First, we’ll use the newest version of Raspberry Pi OS Lite. Use the Raspberry Pi Imager to flash a new MicroSD card.
Make sure to set login credentials in the Imager settings, and when complete, insert the card into your Pi and power it up.
Step 2: Install Software
We’re going to use OpenCanary from Thinkst. After logging in, enter sudo su, then update the system:
apt update
apt -y dist-upgrade
After updating, install the necessary system-wide software:
apt install -y python3-dev python3-pip python3-virtualenv python3-venv python3-scapy libssl-dev libpcap-dev samba iptables ftp
Create and activate a Python virtual environment, where we’ll install more software:
virtualenv env/
source env/bin/activate
Now we’ll install OpenCanary and dependent software!
pip install opencanary
pip install scapy pcapy-ng
Step 3: Configure OpenCanary
Create a new opencanary.conf file for your settings:
mkdir /etc/opencanaryd/
nano /etc/opencanaryd/opencanary.conf
Copy the contents from the file here and paste them into opencanary.conf. Update the services you want your honeypot to mimic, and update the SMTP information so you receive notifications in case of detection. The contents are also reproduced here:
{
    "device.node_id": "opencanary-1",
    "ip.ignorelist": [ ],
    "logtype.ignorelist": [ ],
    "git.enabled": false,
    "git.port" : 9418,
    "ftp.enabled": true,
    "ftp.port": 21,
    "ftp.banner": "FTP server ready",
    "ftp.log_auth_attempt_initiated": false,
    "http.banner": "Apache/2.2.22 (Ubuntu)",
    "http.enabled": false,
    "http.port": 80,
    "http.skin": "nasLogin",
    "http.log_unimplemented_method_requests": false,
    "http.log_redirect_request": false,
    "https.enabled": false,
    "https.port": 443,
    "https.skin": "nasLogin",
    "https.certificate": "/etc/ssl/opencanary/opencanary.pem",
    "https.key": "/etc/ssl/opencanary/opencanary.key",
    "httpproxy.enabled" : false,
    "httpproxy.port": 8080,
    "httpproxy.skin": "squid",
    "llmnr.enabled": false,
    "llmnr.query_interval": 60,
    "llmnr.query_splay": 5,
    "llmnr.hostname": "DC03",
    "llmnr.port": 5355,
    "logger": {
        "class": "PyLogger",
        "kwargs": {
            "formatters": {
                "plain": {
                    "format": "%(message)s"
                },
                "syslog_rfc": {
                    "format": "opencanaryd[%(process)-5s:%(thread)d]: %(name)s %(levelname)-5s %(message)s"
                }
            },
            "handlers": {
                "console": {
                    "class": "logging.StreamHandler",
                    "stream": "ext://sys.stdout"
                },
                "file": {
                    "class": "logging.FileHandler",
                    "filename": "/var/tmp/opencanary.log"
                },
                "SMTP": {
                    "class": "logging.handlers.SMTPHandler",
                    "mailhost": ["mail.riseup.net", 587],
                    "fromaddr": "artvandelay@riseup.net",
                    "toaddrs" : ["artvandelay@riseup.net"],
                    "subject" : "OpenCanary Alert",
                    "credentials" : ["artvandelay@riseup.net", "my-password"],
                    "secure" : []
                }
            }
        }
    },
    "portscan.enabled": true,
    "portscan.ignore_localhost": true,
    "portscan.logfile":"/var/log/kern.log",
    "portscan.synrate": 5,
    "portscan.nmaposrate": 5,
    "portscan.lorate": 3,
    "portscan.ignore_ports": [ ],
    "smb.auditfile": "/var/log/samba-audit.log",
    "smb.enabled": false,
    "mysql.enabled": false,
    "mysql.port": 3306,
    "mysql.banner": "5.5.43-0ubuntu0.14.04.1",
    "mysql.log_connection_made": false,
    "ssh.enabled": true,
    "ssh.port": 2222,
    "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",
    "redis.enabled": false,
    "redis.port": 6379,
    "rdp.enabled": false,
    "rdp.port": 3389,
    "sip.enabled": false,
    "sip.port": 5060,
    "snmp.enabled": false,
    "snmp.port": 161,
    "ntp.enabled": false,
    "ntp.port": 123,
    "tftp.enabled": false,
    "tftp.port": 69,
    "tcpbanner.maxnum":10,
    "tcpbanner.enabled": false,
    "tcpbanner_1.enabled": false,
    "tcpbanner_1.port": 8001,
    "tcpbanner_1.datareceivedbanner": "",
    "tcpbanner_1.initbanner": "",
    "tcpbanner_1.alertstring.enabled": false,
    "tcpbanner_1.alertstring": "",
    "tcpbanner_1.keep_alive.enabled": false,
    "tcpbanner_1.keep_alive_secret": "",
    "tcpbanner_1.keep_alive_probes": 11,
    "tcpbanner_1.keep_alive_interval":300,
    "tcpbanner_1.keep_alive_idle": 300,
    "telnet.enabled": false,
    "telnet.port": 23,
    "telnet.banner": "",
    "telnet.honeycreds": [
        {
            "username": "admin",
            "password": "$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA"
        },
        {
            "username": "admin",
            "password": "admin1"
        }
    ],
    "telnet.log_tcp_connection": false,
    "mssql.enabled": false,
    "mssql.version": "2012",
    "mssql.port":1433,
    "vnc.enabled": false,
    "vnc.port":5000
}
Update the file’s permissions:
chmod 644 /etc/opencanaryd/opencanary.conf
chown root:root /etc/opencanaryd/opencanary.conf
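Before starting the service, it helps to confirm which services the file actually enables and that the SMTP sample values were replaced. The script below is an added example, not part of the original tutorial or of OpenCanary; PLACEHOLDERS holds the sample address and password from the config above, SAMPLE is a constructed, trimmed config, and the world-readable check is included because the file stores the SMTP password.

```python
import json
import stat
import sys
from pathlib import Path

# Sample values from the tutorial's config that must be replaced before use.
PLACEHOLDERS = {"artvandelay@riseup.net", "my-password"}

# Constructed sample (trimmed from the tutorial's config), used when no path is given.
SAMPLE = json.loads("""{
  "ftp.enabled": true, "ftp.port": 21, "http.enabled": false, "http.port": 80,
  "ssh.enabled": true, "ssh.port": 2222, "portscan.enabled": true,
  "logger": {"class": "PyLogger", "kwargs": {"handlers": {"SMTP": {
    "fromaddr": "artvandelay@riseup.net", "toaddrs": ["artvandelay@riseup.net"],
    "credentials": ["artvandelay@riseup.net", "my-password"]}}}}
}""")

def enabled_services(conf):
    """Return {service: port} for every "<name>.enabled": true entry."""
    found = {}
    for key, value in conf.items():
        name, _, attr = key.partition(".")
        if attr == "enabled" and value is True:
            found[name] = conf.get(name + ".port")  # None when the module has no port
    return found

def audit(conf, mode=None):
    """Return findings for a parsed opencanary.conf; mode is the file's st_mode."""
    findings = []
    if not enabled_services(conf):
        findings.append("no service is enabled, so nothing will ever alert")
    handlers = conf.get("logger", {}).get("kwargs", {}).get("handlers", {})
    smtp = handlers.get("SMTP")
    if smtp is None:
        findings.append("no SMTP handler: alerts only reach the console and log file")
        return findings
    values = {smtp.get("fromaddr"), *smtp.get("toaddrs", []), *smtp.get("credentials", [])}
    if values & PLACEHOLDERS:
        findings.append("SMTP handler still holds the tutorial's sample address or password")
    if mode is not None and mode & stat.S_IROTH:
        findings.append("config is world-readable but stores an SMTP password")
    return findings

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. /etc/opencanaryd/opencanary.conf
    conf = json.loads(Path(path).read_text()) if path else SAMPLE
    mode = Path(path).stat().st_mode if path else None
    print("enabled:", enabled_services(conf))
    for finding in audit(conf, mode):
        print("WARNING:", finding)
```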
Step 4: Enable and Start the Honeypot
Now, we’ll create a service file so OpenCanary automatically starts when your device boots up. Create a new file:
nano /etc/systemd/system/opencanary.service
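Add the contents from this file, or paste from below. The ExecStart and ExecStop paths assume the virtual environment was created in /home/microphone; change them to match the directory where your env/ folder lives: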
[Unit]
Description=OpenCanary
After=syslog.target
After=network-online.target
[Service]
User=root
Type=simple
RemainAfterExit=yes
Restart=always
RestartSec=10s
ExecStart=/home/microphone/env/bin/opencanaryd --start
ExecStop=/home/microphone/env/bin/opencanaryd --stop
[Install]
WantedBy=multi-user.target
Now we’ll enable and start the service:
systemctl daemon-reload
systemctl enable opencanary.service
systemctl start opencanary.service
Finally, check the status!
systemctl status opencanary.service
You should see an output that looks like this:
(env) root@vault:/home/microphone# sudo systemctl status opencanary.service
● opencanary.service - OpenCanary
Loaded: loaded (/etc/systemd/system/opencanary.service; enabled; preset: enabled)
Active: active (exited) since Sun 2024-12-29 17:36:16 PST; 21min ago
Main PID: 14878 (code=exited, status=0/SUCCESS)
Tasks: 1 (limit: 3916)
CPU: 3.635s
CGroup: /system.slice/opencanary.service
└─14934 /home/microphone/env/bin/python /home/microphone/env/bin/twistd -y /home/microphone/env/bin/opencanary.tac --pidfile /home/microphone/env/bin/opencanaryd.pid >
Dec 29 17:36:21 vault opencanaryd[14881]: {"dst_host": "", "dst_port": -1, "local_time": "2024-12-30 01:36:21.618306", "local_time_adjusted": "2024-12-29 17:36:21.618370", "logdat>
Dec 29 17:36:22 vault opencanaryd[14881]: {"dst_host": "", "dst_port": -1, "local_time": "2024-12-30 01:36:22.221773", "local_time_adjusted": "2024-12-29 17:36:22.221869", "logdat>
Dec 29 17:36:22 vault opencanaryd[14881]: [-] Loading /home/microphone/env/bin/opencanary.tac...
Dec 29 17:36:22 vault opencanaryd[14881]: [-] Loaded.
Dec 29 17:36:22 vault opencanaryd[14881]: [-] twistd 22.8.0 (/home/microphone/env/bin/python 3.11.2) starting up.
Dec 29 17:36:22 vault opencanaryd[14881]: [-] reactor class: twisted.internet.epollreactor.EPollReactor.
Dec 29 17:36:22 vault opencanaryd[14934]: [-] FTPFactory starting on 21
Dec 29 17:36:22 vault opencanaryd[14934]: [-] Starting factory <twisted.protocols.ftp.FTPFactory object at 0x7f9816aa90>
Dec 29 17:36:22 vault opencanaryd[14934]: [-] HoneyPotSSHFactory starting on 2222
Dec 29 17:36:22 vault opencanaryd[14934]: [-] Starting factory <opencanary.modules.ssh.HoneyPotSSHFactory object at 0x7f97b11550>
Step 5: Test it!
We’ll do a quick test from the command line to see if our honeypot detects us! We’ll use FTP — enter:
ftp localhost
You’ll see something like:
(env) root@vault:/home/microphone# ftp localhost
Trying [::1]:21 ...
ftp: Can't connect to `::1:21': Connection refused
Trying 127.0.0.1:21 ...
Connected to localhost.
220 FTP server ready
Name (localhost:microphone):
Enter a Name and Password:
Name (localhost:microphone): test
331 Password required for test.
Password:
530 Sorry, Authentication failed.
ftp: Login failed
ftp>
Now check the email address you set up in opencanary.conf, and you should see a notification of your attempted FTP login!
You can tell it’s an FTP attempt from a couple of key pieces of information. First, the destination port tells us the attempt was on port 21, FTP’s default port, also set in our configuration file:
"ftp.enabled": true,
"ftp.port": 21,
We also see "logtype": 2000, which OpenCanary’s documentation tells us is an FTP Login Attempt.
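The file handler in the config also writes every event to /var/tmp/opencanary.log, one JSON object per line, so alerts can be reviewed even if an email is missed. The script below is an added example, not part of the original tutorial or of OpenCanary; the sample lines and 192.168.1.x addresses are constructed, and the logtype codes other than 2000 are assumptions to confirm against OpenCanary’s documentation.

```python
import json
from collections import Counter

# 2000 is the code this page shows. The others are OpenCanary logger constants
# as understood here (an assumption to confirm against its documentation).
LOGTYPES = {2000: "FTP login attempt", 4000: "SSH new connection",
            4002: "SSH login attempt", 5001: "port scan (SYN)"}

# Constructed sample in the shape of /var/tmp/opencanary.log (one JSON object per line).
SAMPLE_LOG = """\
{"dst_host": "", "dst_port": -1, "logdata": {"msg": "service started"}, "logtype": 1001, "src_host": "", "src_port": -1}
{"dst_host": "127.0.0.1", "dst_port": 21, "logdata": {"USERNAME": "test", "PASSWORD": "hunter2"}, "logtype": 2000, "src_host": "127.0.0.1", "src_port": 40112}
[-] FTPFactory starting on 21
{"dst_host": "192.168.1.20", "dst_port": 2222, "logdata": {"USERNAME": "root", "PASSWORD": "toor"}, "logtype": 4002, "src_host": "192.168.1.50", "src_port": 51514}
{"dst_host": "192.168.1.20", "dst_port": 2222, "logdata": {"USERNAME": "pi", "PASSWORD": "raspberry"}, "logtype": 4002, "src_host": "192.168.1.50", "src_port": 51520}
"""

def parse_alerts(lines):
    """Yield alert events, skipping non-JSON lines and housekeeping (logtype < 2000)."""
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # e.g. Twisted startup text mixed into the stream
        if isinstance(event, dict) and isinstance(event.get("logtype"), int) \
                and event["logtype"] >= 2000:
            yield event

def summarize(events):
    """Return (per-source alert counts, usernames tried); passwords are never echoed."""
    counts, users = Counter(), {}
    for e in events:
        label = LOGTYPES.get(e["logtype"], f"logtype {e['logtype']}")
        src = e.get("src_host") or "?"
        counts[(src, e.get("dst_port"), label)] += 1
        data = e.get("logdata")
        name = data.get("USERNAME") if isinstance(data, dict) else None
        if name:
            users.setdefault(src, set()).add(name)
    return counts, users

if __name__ == "__main__":
    counts, users = summarize(parse_alerts(SAMPLE_LOG.splitlines()))
    for (src, port, label), n in counts.most_common():
        print(f"{n:3d}  {src:15s} -> port {port}: {label}; users tried: {sorted(users.get(src, []))}")
```

To run it against the real log, pass open("/var/tmp/opencanary.log") to parse_alerts in place of the sample lines.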
Finishing Up
🎉 Congratulations! You’ve just set up a honeypot for your network! Now, if someone tries to access the ports you’ve configured on this device, you’ll get a notification in your email!