Let’s Set Up a Free and Open-Source Network Honeypot
Use a Raspberry Pi and OpenCanary to help detect network intruders
If you’re a high-risk individual like a whistleblower, lawyer, or journalist, you may rightfully want to make sure your home or work network is safe from intruders. Setting up a honeypot on a Raspberry Pi is an easy and effective way to help you learn if there’s anyone on your network who shouldn’t be.
In this tutorial, we’ll set up an OpenCanary honeypot by Thinkst.
Hardware Requirements
- Raspberry Pi 3/4/5/Zero
Step 1: Prepare Your MicroSD Card
First, we’ll use the newest version of Raspberry Pi OS Lite. Use the Raspberry Pi Imager to flash a new MicroSD card.
Make sure to set login credentials in the Imager settings, and when complete, insert the card into your Pi and power it up.
Step 2: Install Software
We’re going to use OpenCanary from Thinkst. After logging in, enter sudo su then update the system:
apt update
apt -y dist-upgrade
After updating, install the necessary system-wide software:
apt install -y python3-dev python3-pip python3-virtualenv python3-venv python3-scapy libssl-dev libpcap-dev samba iptables ftp
Enter a development environment where we’ll install more software:
virtualenv env/
source env/bin/activate
Now we’ll install OpenCanary and dependent software!
pip install opencanary
pip install scapy pcapy-ng
Step 3: Configure OpenCanary
Create a new opencanary.conf file for your settings:
mkdir /etc/opencanaryd/
nano /etc/opencanaryd/opencanary.conf
Copy the contents from the file here and paste them into opencanary.conf. Update the services you want your honeypot to mimic, and update the SMTP information so you receive notifications in case of detection. It’s also here:
{
"device.node_id": "opencanary-1",
"ip.ignorelist": [ ],
"logtype.ignorelist": [ ],
"git.enabled": false,
"git.port" : 9418,
"ftp.enabled": true,
"ftp.port": 21,
"ftp.banner": "FTP server ready",
"ftp.log_auth_attempt_initiated": false,
"http.banner": "Apache/2.2.22 (Ubuntu)",
"http.enabled": false,
"http.port": 80,
"http.skin": "nasLogin",
"http.log_unimplemented_method_requests": false,
"http.log_redirect_request": false,
"https.enabled": false,
"https.port": 443,
"https.skin": "nasLogin",
"https.certificate": "/etc/ssl/opencanary/opencanary.pem",
"https.key": "/etc/ssl/opencanary/opencanary.key",
"httpproxy.enabled" : false,
"httpproxy.port": 8080,
"httpproxy.skin": "squid",
"llmnr.enabled": false,
"llmnr.query_interval": 60,
"llmnr.query_splay": 5,
"llmnr.hostname": "DC03",
"llmnr.port": 5355,
"logger": {
"class": "PyLogger",
"kwargs": {
"formatters": {
"plain": {
"format": "%(message)s"
},
"syslog_rfc": {
"format": "opencanaryd[%(process)-5s:%(thread)d]: %(name)s %(levelname)-5s %(message)s"
}
},
"handlers": {
"console": {
"class": "logging.StreamHandler",
"stream": "ext://sys.stdout"
},
"file": {
"class": "logging.FileHandler",
"filename": "/var/tmp/opencanary.log"
},
"SMTP": {
"class": "logging.handlers.SMTPHandler",
"mailhost": ["mail.riseup.net", 587],
"fromaddr": "artvandelay@riseup.net",
"toaddrs" : ["artvandelay@riseup.net"],
"subject" : "OpenCanary Alert",
"credentials" : ["artvandelay@riseup.net", "my-password"],
"secure" : []
}
}
}
},
"portscan.enabled": true,
"portscan.ignore_localhost": true,
"portscan.logfile":"/var/log/kern.log",
"portscan.synrate": 5,
"portscan.nmaposrate": 5,
"portscan.lorate": 3,
"portscan.ignore_ports": [ ],
"smb.auditfile": "/var/log/samba-audit.log",
"smb.enabled": false,
"mysql.enabled": false,
"mysql.port": 3306,
"mysql.banner": "5.5.43-0ubuntu0.14.04.1",
"mysql.log_connection_made": false,
"ssh.enabled": true,
"ssh.port": 2222,
"ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",
"redis.enabled": false,
"redis.port": 6379,
"rdp.enabled": false,
"rdp.port": 3389,
"sip.enabled": false,
"sip.port": 5060,
"snmp.enabled": false,
"snmp.port": 161,
"ntp.enabled": false,
"ntp.port": 123,
"tftp.enabled": false,
"tftp.port": 69,
"tcpbanner.maxnum":10,
"tcpbanner.enabled": false,
"tcpbanner_1.enabled": false,
"tcpbanner_1.port": 8001,
"tcpbanner_1.datareceivedbanner": "",
"tcpbanner_1.initbanner": "",
"tcpbanner_1.alertstring.enabled": false,
"tcpbanner_1.alertstring": "",
"tcpbanner_1.keep_alive.enabled": false,
"tcpbanner_1.keep_alive_secret": "",
"tcpbanner_1.keep_alive_probes": 11,
"tcpbanner_1.keep_alive_interval":300,
"tcpbanner_1.keep_alive_idle": 300,
"telnet.enabled": false,
"telnet.port": 23,
"telnet.banner": "",
"telnet.honeycreds": [
{
"username": "admin",
"password": "$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA"
},
{
"username": "admin",
"password": "admin1"
}
],
"telnet.log_tcp_connection": false,
"mssql.enabled": false,
"mssql.version": "2012",
"mssql.port":1433,
"vnc.enabled": false,
"vnc.port":5000
}
Update the file’s permissions:
chmod 644 /etc/opencanaryd/opencanary.conf
chown root:root /etc/opencanaryd/opencanary.conf
Step 4: Enable and Start the Honeypot
Now, we’ll create a service file so OpenCanary automatically starts when your device boots up. Create a new file:
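nano /etc/systemd/system/opencanary.service
Add the contents from this file, or paste from below. If you created env/ somewhere other than /home/microphone, change the ExecStart and ExecStop paths to match: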
[Unit]
Description=OpenCanary
After=syslog.target
After=network-online.target
[Service]
User=root
Type=simple
RemainAfterExit=yes
Restart=always
RestartSec=10s
ExecStart=/home/microphone/env/bin/opencanaryd --start
ExecStop=/home/microphone/env/bin/opencanaryd --stop
[Install]
WantedBy=multi-user.target
Now we’ll enable and start the service:
systemctl daemon-reload
systemctl enable opencanary.service
systemctl start opencanary.service
Finally, check the status!
systemctl status opencanary.service
You should see output that looks like this:
(env) root@vault:/home/microphone# sudo systemctl status opencanary.service
● opencanary.service - OpenCanary
Loaded: loaded (/etc/systemd/system/opencanary.service; enabled; preset: enabled)
Active: active (exited) since Sun 2024-12-29 17:36:16 PST; 21min ago
Main PID: 14878 (code=exited, status=0/SUCCESS)
Tasks: 1 (limit: 3916)
CPU: 3.635s
CGroup: /system.slice/opencanary.service
└─14934 /home/microphone/env/bin/python /home/microphone/env/bin/twistd -y /home/microphone/env/bin/opencanary.tac --pidfile /home/microphone/env/bin/opencanaryd.pid >
Dec 29 17:36:21 vault opencanaryd[14881]: {"dst_host": "", "dst_port": -1, "local_time": "2024-12-30 01:36:21.618306", "local_time_adjusted": "2024-12-29 17:36:21.618370", "logdat>
Dec 29 17:36:22 vault opencanaryd[14881]: {"dst_host": "", "dst_port": -1, "local_time": "2024-12-30 01:36:22.221773", "local_time_adjusted": "2024-12-29 17:36:22.221869", "logdat>
Dec 29 17:36:22 vault opencanaryd[14881]: [-] Loading /home/microphone/env/bin/opencanary.tac...
Dec 29 17:36:22 vault opencanaryd[14881]: [-] Loaded.
Dec 29 17:36:22 vault opencanaryd[14881]: [-] twistd 22.8.0 (/home/microphone/env/bin/python 3.11.2) starting up.
Dec 29 17:36:22 vault opencanaryd[14881]: [-] reactor class: twisted.internet.epollreactor.EPollReactor.
Dec 29 17:36:22 vault opencanaryd[14934]: [-] FTPFactory starting on 21
Dec 29 17:36:22 vault opencanaryd[14934]: [-] Starting factory <twisted.protocols.ftp.FTPFactory object at 0x7f9816aa90>
Dec 29 17:36:22 vault opencanaryd[14934]: [-] HoneyPotSSHFactory starting on 2222
Dec 29 17:36:22 vault opencanaryd[14934]: [-] Starting factory <opencanary.modules.ssh.HoneyPotSSHFactory object at 0x7f97b11550>
Step 5: Test it!
We’ll do a quick test from the command line to see if our honeypot detects us! We’ll use FTP — enter:
ftp localhost
You’ll see something like:
(env) root@vault:/home/microphone# ftp localhost
Trying [::1]:21 ...
ftp: Can't connect to `::1:21': Connection refused
Trying 127.0.0.1:21 ...
Connected to localhost.
220 FTP server ready
Name (localhost:microphone):
Enter a Name and Password:
Name (localhost:microphone): test
331 Password required for test.
Password:
530 Sorry, Authentication failed.
ftp: Login failed
ftp>
Now check the email address you set up in opencanary.conf, and you should see a notification of your attempted FTP login!
You can tell it’s an FTP attempt from a couple of key pieces of information. First, the destination port tells us the attempt was on port 21, FTP’s default port, also set in our configuration file:
"ftp.enabled": true,
"ftp.port": 21,
We also see "logtype": 2000, which OpenCanary’s documentation tells us is an FTP Login Attempt.
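As an added example (not part of the original tutorial or of OpenCanary itself), the same two checks, destination port and logtype 2000, can be applied to the log in Python. The sample lines are constructed, and the src_host, src_port, logdata, USERNAME and PASSWORD field names are assumptions about the event format beyond the fields visible in the status output above.

```python
import json

# Logtype 2000 is the FTP login attempt code named in the tutorial; any other
# code is reported by number rather than guessed at.
LOGTYPE_NAMES = {2000: "FTP login attempt"}

# Constructed sample lines in the shape journalctl prints for opencanaryd.
# Addresses, credentials and the logtype 1001 line are made up for this example.
SAMPLE_LOG = """\
Dec 29 17:36:22 vault opencanaryd[14881]: [-] Loaded.
Dec 29 17:36:22 vault opencanaryd[14881]: {"dst_host": "", "dst_port": -1, "logdata": {"msg": "Canary running"}, "logtype": 1001, "src_host": "", "src_port": -1}
Dec 29 18:02:10 vault opencanaryd[14934]: {"dst_host": "127.0.0.1", "dst_port": 21, "logdata": {"USERNAME": "test", "PASSWORD": "test"}, "logtype": 2000, "src_host": "127.0.0.1", "src_port": 51234}
Dec 29 18:05:41 vault opencanaryd[14934]: {"dst_host": "192.0.2.10", "dst_port": 21, "logdata": {"USERNAME": "admin", "PASSWORD": "admin1"}, "logtype": 2000, "src_host": "192.0.2.77", "src_port": 40022}
Dec 29 18:05:43 vault opencanaryd[14934]: {"dst_host": "192.0.2.10", "dst_port": 21, "logdat>
"""

def parse_events(text):
    """Yield one dict per OpenCanary JSON event, skipping everything else."""
    for line in text.splitlines():
        start = line.find("{")           # drop the syslog prefix, if present
        if start == -1:
            continue                     # Twisted start-up chatter, not an event
        try:
            event = json.loads(line[start:])
        except json.JSONDecodeError:
            continue                     # line cut off by the pager (ends in ">")
        if isinstance(event, dict) and "logtype" in event:
            yield event

def triage(text, ignore_ips=()):
    """Return alerts for service hits, skipping sources on an ignore list."""
    alerts = []
    for ev in parse_events(text):
        if ev.get("dst_port", -1) == -1:
            continue                     # daemon status message, no port touched
        if ev.get("src_host") in ignore_ips:
            continue                     # e.g. your own test from localhost
        alerts.append({
            "what": LOGTYPE_NAMES.get(ev["logtype"], f"logtype {ev['logtype']}"),
            "src": ev.get("src_host"),
            "port": ev["dst_port"],
            "user": ev.get("logdata", {}).get("USERNAME"),
        })
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, ignore_ips=["127.0.0.1"]):
        print(alert)
```

To run it on real data, pass the contents of /var/tmp/opencanary.log (the file handler path in the configuration above) to triage().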
Finishing Up
🎉 Congratulations! You’ve just set up a honeypot for your network! Now, if someone tries to access the ports you’ve configured on this device, you’ll get a notification in your email!
