thinkst / opencanary

Modular and decentralised honeypot

Home Page: http://opencanary.org

License: BSD 3-Clause "New" or "Revised" License

Python 77.25% Shell 2.74% HTML 5.59% CSS 14.04% JavaScript 0.38%

opencanary's People

Contributors

0x25, aabed, benjamin-thinkst, biscuitninja, brainrecursion, cecio, dependabot[bot], emmanuel-thinkst, fhtgn, github-actions[bot], gjcthinkst, hybridau, jayjb, jc19knoxnv, joewesch, kaspim, m4lwhere, nbuuckssi, nielsvangijzen, ozgav, paralax, prashantvidja, rtm516, stavares843, thinkst-az, thinkst-francois, thinkst-marco, thinkst-pieter, titanicshark, vin01

opencanary's Issues

Ports not logging

Hi,

I was testing the logging of events of OpenCanary, checking both the file and the correlator, when I noticed that during an nmap scan, while nmap reported all the open ports, the logger only wrote entries to the log referring to port 8022. It didn't happen the first time, but since then it hasn't logged the other ports' packet activity again, and the same happens with the replicas I had created.
How can I troubleshoot this in order to find the cause? I have just configured the correlator logging, apart from the installation steps. For the record, the OpenCanary is on a Debian 8 VM.

Thanks in advance and great job!

P.S. Also I noticed that the failed SSH attempts were not logged, but I thought the real SSH might be colliding with the fake SSH; I don't know the real issue either.

Samba logs not being sent through e-mail.

I have a Samba share setup. Whenever someone accesses it, I could see the activity by looking at it at 'var/log/samba-audit.log'. This is working, however, I thought it was supposed to send an e-mail alert also? It's currently not. However, if they access the fake synology page, by inputting the IP into a browser, I get an e-mail alert. Been stuck on this for a while & would appreciate some help. If any files need to be looked at, please let me know & I'll post them.

OpenBSD packet filter (pf) - portscan.py iptables

Hi there,

I was trying to get opencanary running on my OpenBSD, but then I realized, opencanary is using iptables and OpenBSD is using pf.

Are there any known "workarounds" or hints to change the iptables command so it'll work with OpenBSD?

(portscan.py):
```python
os.system('sudo /sbin/iptables -t mangle -D PREROUTING -p tcp {dst} --syn -j LOG --log-level=warning --log-prefix="canaryfw: " -m limit --limit="{synrate}/second"'
          .format(dst=(('--destination '+self.listen_addr) if len(self.listen_addr) else ''),
                  synrate=self.synrate))

os.system('sudo /sbin/iptables -t mangle -A PREROUTING -p tcp {dst} --syn -j LOG --log-level=warning --log-prefix="canaryfw: " -m limit --limit="{synrate}/second"'
          .format(dst=(('--destination '+self.listen_addr) if len(self.listen_addr) else ''),
                  synrate=self.synrate))
```

I don't have much experience regarding this issue.

Best regards
Klara

Excluding (whitelisting) known IPs from alerts

We have a couple of monitoring servers (Spiceworks and Solarwinds) that scan subnets to check server status and port status of IPs. Other than excluding the opencanary server from scanning in each monitoring server, is there a way to "whitelist" a couple of IPs from triggering alerts?

DST Port 631 - Alert every 10 minutes

How to make these stop? In the config, I don't see any service which is running on this port, yet I receive an email about this every 10 minutes or less. Everything is default, except almost all services are on.

{"dst_host": "127.0.0.1", "dst_port": "631", "local_time": "2019-01-02 12:20:54.170414", "logdata": {"DF": "", "ID": "57201", "IN": "lo", "LEN": "60", "MAC": "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "OUT": "", "PREC": "0x00", "PROTO": "TCP", "RES": "0x00", "SYN": "", "TOS": "0x00", "TTL": "64", "URGP": "0", "WINDOW": "43690"}, "logtype": 5001, "node_id": "opencanary-1", "src_host": "127.0.0.1", "src_port": "52442"}

Issue starting with default configuration

root@myvm:/home/localadmin# /srv/opencanary/venv/bin/opencanaryd --start
[-] Failed to open opencanary.conf for reading ([Errno 2] No such file or directory: 'opencanary.conf')
[-] Using config file: /root/.opencanary.conf
Invalid logging config
<type 'exceptions.ValueError'>
Unable to configure handler u'hpfeeds': global name 'hpfeeds' is not defined

Removing the hpfeeds section from the configuration resolves the issue.

Is there a way to change the appearance of the server?

I can't find any good tutorials on making SMB work in the config. Maybe I am confused about how the config actually works. I can get the Synology page on port 80, but I can't find the server in my network places and cannot figure out where an intruder would come across the files 2016-Tender-summary.pdf and the password.docx listed in the .opencanary.conf file. Am I missing something?

logger error

I am trying to send logs to another device via tcp. The other end is receiving the logs but I get this alert:

"Dropping log message due to too many failed sends"

I am not exactly sure why. I see in the logger.py file where the error is, but I can't figure out why it's happening on my device.

Way to not log password?

Currently, by default settings, when a login is attempted, the password that was tried is logged:

{"dst_host": "IP ADDRESS", "dst_port": 80, "local_time": "2018-07-05 22:38:04.891977", "logdata": {"HOSTNAME": "HOSTNAME", "PASSWORD": "PASSWORD", "PATH": "/index.html", "SKIN": "nasLogin", "USERAGENT": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36", "USERNAME": "USERNAME"}, "logtype": 3001, "node_id": "opencanary-1", "src_host": "SRC IP", "src_port": 61898}

An e-mail is sent with this information. What I'm hoping to accomplish is to find out whether there's any way the password could be omitted from this. If a user accidentally tries logging into it, it'd be more beneficial not to see their password.
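Two of the issues above come down to the same post-processing step: dropping alerts whose source is a known scanner (the Spiceworks/Solarwinds question) and keeping a tried password out of the alert mail (this one). Both can be done by inspecting the JSON record before a handler emits it. The following is an added example, not OpenCanary code: a standard `logging.Filter` that parses a record shaped like the ones quoted in these issues, replaces `PASSWORD` inside `logdata` with a marker, and suppresses records whose `src_host` falls in an allowlist. The allowlist, the sample lines and the `<redacted>` marker are constructed for the example; whether a given OpenCanary release lets you attach a filter through its `logger` section is not something this page confirms.

```python
"""Post-processing filter for OpenCanary-style JSON log records.

Added example, not part of OpenCanary. It assumes only that each log
message is a one-line JSON object shaped like the records quoted in the
issues above ("src_host", "logdata", "logtype", ...).
"""
import json
import logging
from ipaddress import ip_address, ip_network

# Constructed allowlist of trusted scanner hosts/subnets (assumption).
SCANNER_ALLOWLIST = ("10.10.10.5", "192.168.50.0/24")

# Keys inside "logdata" that must never reach a mailbox or SIEM.
SENSITIVE_KEYS = ("PASSWORD",)


def in_allowlist(src_host, allowlist=SCANNER_ALLOWLIST):
    """True if src_host is an allowlisted address or inside an allowlisted network."""
    try:
        addr = ip_address(src_host)
    except ValueError:
        return False  # empty/non-IP src_host (startup records) is never suppressed
    for entry in allowlist:
        if "/" in entry:
            if addr in ip_network(entry, strict=False):
                return True
        elif addr == ip_address(entry):
            return True
    return False


def process_record(line, allowlist=SCANNER_ALLOWLIST):
    """Return the sanitised record as a dict, None if it should be dropped.

    Non-JSON lines are returned unchanged (as str) so nothing is lost.
    """
    try:
        rec = json.loads(line)
    except ValueError:
        return line
    if in_allowlist(rec.get("src_host", ""), allowlist):
        return None
    logdata = rec.get("logdata")
    if isinstance(logdata, dict):
        for key in SENSITIVE_KEYS:
            if key in logdata:
                logdata[key] = "<redacted>"
    return rec


class CanaryRecordFilter(logging.Filter):
    """logging.Filter applying process_record to each record's message.

    Attach it to a handler (e.g. the SMTPHandler) so alerts are sanitised
    before delivery; returning False makes the handler skip the record.
    """

    def __init__(self, allowlist=SCANNER_ALLOWLIST):
        super().__init__()
        self.allowlist = allowlist

    def filter(self, record):
        result = process_record(record.getMessage(), self.allowlist)
        if result is None:
            return False
        if isinstance(result, dict):
            record.msg = json.dumps(result, sort_keys=True)
            record.args = ()
        return True


# Constructed sample lines modelled on the records quoted in the issues.
SAMPLE_LINES = [
    '{"dst_host": "10.0.0.9", "dst_port": 80, "local_time": "2018-07-05 22:38:04.891977", '
    '"logdata": {"PASSWORD": "hunter2", "PATH": "/index.html", "SKIN": "nasLogin", '
    '"USERNAME": "admin"}, "logtype": 3001, "node_id": "opencanary-1", '
    '"src_host": "10.0.0.42", "src_port": 61898}',
    '{"dst_host": "10.0.0.9", "dst_port": "631", "logdata": {"PROTO": "TCP", "SYN": ""}, '
    '"logtype": 5001, "node_id": "opencanary-1", "src_host": "192.168.50.7", "src_port": "52442"}',
]


def demo():
    """Run the filter over the sample lines; return the records a handler would emit."""
    flt = CanaryRecordFilter()
    emitted = []
    for line in SAMPLE_LINES:
        rec = logging.LogRecord("opencanary", logging.INFO, __file__, 0, line, (), None)
        if flt.filter(rec):
            emitted.append(json.loads(rec.getMessage()))
    return emitted


if __name__ == "__main__":
    for rec in demo():
        print(json.dumps(rec, sort_keys=True))
```

Attaching the filter to the SMTP handler rather than the root logger keeps the full record in the local log file while only the mailed copy is sanitised. `in_allowlist` deliberately treats an empty or non-IP `src_host` (the startup records with `src_port: -1`) as not allowlisted, so those are unaffected.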

Error executing scripts

Hi

I am setting up OpenCanary for a school assessment.
But when I want to execute the scripts like logger.py in the opencanary directory, the import commands are not found.

Is there something I need to do first to execute these scripts?

Running error

Hello all. I've been wrestling with getting this up and running. When I issue "/usr/bin/opencanaryd --start" I get this:

--- ---
File "/usr/lib/python2.7/site-packages/Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/application/app.py", line 452, in getApplication
application = service.loadApplication(filename, style, passphrase)
File "/usr/lib/python2.7/site-packages/Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/application/service.py", line 405, in loadApplication
application = sob.loadValueFromFile(filename, 'application', passphrase)
File "/usr/lib/python2.7/site-packages/Twisted-14.0.2-py2.7-linux-x86_64.egg/twisted/persisted/sob.py", line 210, in loadValueFromFile
exec fileObj in d, d
File "/usr/bin/opencanary.tac", line 5, in
pkg_resources.run_script('opencanary==0.3.1', 'opencanary.tac')
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 537, in run_script
name = ns['name']
exceptions.KeyError: 'name'

Failed to load application: 'name'

I believe I've installed all the dependencies but am not sure what this error is telling me. Not a programmer. Any help would be much appreciated!

I've tried on Ubuntu and CentOS 7.

error with running SSH

Hi,

I have got HTTP, telnet and FTP working and logging locally; however, when I enable SSH I am getting an error when starting:

{"dst_host": "", "dst_port": -1, "local_time": "2019-03-19 15:37:57.272196", "logdata":
{"msg":
{"logdata": "Failed to add service from class CanarySSH in opencanary.modules.ssh.
Traceback (most recent call last):\n

File "/home/ubuntu/env/bin/opencanary.tac", line 88, in start_mod\n service = obj.getService()\n

File "/home/ubuntu/env/local/lib/python2.7/site-packages/opencanary/modules/ssh.py", line 374, in getService\n rsa_pubKeyString, rsa_privKeyString = getRSAKeys()\n

File "/home/ubuntu/env/local/lib/python2.7/site-packages/opencanary/modules/ssh.py", line 300, in getRSAKeys\n publicKeyString = keys.Key(rsaKey).public().toString('openssh')\n

File "/home/ubuntu/env/local/lib/python2.7/site-packages/twisted/conch/ssh/keys.py", line 794, in public\n return Key(self._keyObject.public_key())\n

File "/home/ubuntu/env/local/lib/python2.7/site-packages/Crypto/PublicKey/RSA.py", line 126, in __getattr__\n raise AttributeError("%s object has no %r attribute" % (self.__class__.__name__, attrname,))\nAttributeError: _RSAobj object has no 'public_key' attribute\n"}}, "logtype": 1001, "node_id": "foobar.com", "src_host": "", "src_port": -1}

[Question] Specification of an interface?

Hi!

First of all, thank you for your work on OpenCanary!

I have one question concerning the configuration of OpenCanary: is it possible to make it listen to only one interface?

If yes, can you point me where I can modify this?

Thank you for your time

How to troubleshoot "direct" email alerts?

Hi there,

I've got my canary up and running and used the readthedocs PDF to set up authenticated email alerts similar to your example:

[..] # Services configuration
"logger": {
"class" : "PyLogger",
"kwargs" : {
"handlers": {
"SMTP": {
"class": "logging.handlers.SMTPHandler",
"mailhost": ["authenticated.mail.server", 25],
"fromaddr": "[email protected]",
"toaddrs" : ["[email protected]"],
"subject" : "OpenCanary Alert",
"credentials" : ["myusername", "password1"]
}
}
}
}

At this point, should connection attempts that get logged in /var/tmp/opencanary.log send alerts to me? The FTP/telnet/etc. attempts are definitely getting logged, but I wasn't understanding if I also needed Correlator to actually send the alerts, or if the alerts should be sending "direct" now?

Thanks,
Brian

Python 3 support

I've been working on getting OpenCanary running under Python 3. At the moment it starts running without error in Python 3 but it runs into issue #28 with the SSH module (SSH is fine with Python 2). I still have a few more modules to test but it's almost there.

I've generally made each commit very small changing only a few lines in each commit to make it clear what each change is for. Would you be happy with a pull request like that, or would you rather all changes in a single commit for Python 3 support?

Can't execute opencanaryd

Hi,
I am using OpenBSD 6.3.
I've installed opencanary with pip, and (after uninstalling) with Git, and encountered the same problem.

cd /usr/local/bin/ | ls -l | grep opencanaryd
-rwxr-xr-x 1 root wheel 2484 May 8 14:52 opencanaryd

opencanary --copyconfig
opencanary --start
opencanary --help
ksh: opencanaryd: No such file or directory

The installation didn't show any errors.
What am I missing ?

Best regards
Klara

opencanary.tac not copying correctly

When I run python setup.py install the opencanary.tac file doesn't seem to copy across to the bin folder. I'm not really sure what's happening but I think it might be setuptools trying to do something fancy like trying to compile it and then link to the compiled .pyc file.

When I look at ~/env/bin/opencanary.tac it contains

#!/home/pi/canary-env/bin/python
# EASY-INSTALL-SCRIPT: 'opencanary==0.3.2','opencanary.tac'
__requires__ = 'opencanary==0.3.2'
__import__('pkg_resources').run_script('opencanary==0.3.2', 'opencanary.tac')

and running opencanaryd --start results in

Unhandled Error
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/Twisted-14.0.2-py2.7-linux-armv7l.egg/twisted/application/app.py", line 642, in run
    runApp(config)
  File "/usr/local/lib/python2.7/dist-packages/Twisted-14.0.2-py2.7-linux-armv7l.egg/twisted/scripts/twistd.py", line 23, in runApp
    _SomeApplicationRunner(config).run()
  File "/usr/local/lib/python2.7/dist-packages/Twisted-14.0.2-py2.7-linux-armv7l.egg/twisted/application/app.py", line 376, in run
    self.application = self.createOrGetApplication()
  File "/usr/local/lib/python2.7/dist-packages/Twisted-14.0.2-py2.7-linux-armv7l.egg/twisted/application/app.py", line 441, in createOrGetApplication
    application = getApplication(self.config, passphrase)
--- <exception caught here> ---
  File "/usr/local/lib/python2.7/dist-packages/Twisted-14.0.2-py2.7-linux-armv7l.egg/twisted/application/app.py", line 452, in getApplication
    application = service.loadApplication(filename, style, passphrase)
  File "/usr/local/lib/python2.7/dist-packages/Twisted-14.0.2-py2.7-linux-armv7l.egg/twisted/application/service.py", line 405, in loadApplication
    application = sob.loadValueFromFile(filename, 'application', passphrase)
  File "/usr/local/lib/python2.7/dist-packages/Twisted-14.0.2-py2.7-linux-armv7l.egg/twisted/persisted/sob.py", line 210, in loadValueFromFile
    exec fileObj in d, d
  File "/usr/local/bin/opencanary.tac", line 4, in <module>
    __import__('pkg_resources').run_script('opencanary==0.3.2', 'opencanary.tac')
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 531, in run_script
    name = ns['__name__']
exceptions.KeyError: '__name__'

Failed to load application: '__name__'

Simply running cp bin/opencanary.tac ~/env/bin/opencanary.tac after installing fixes the issue.

Error in starting open canary

[-] Failed to open opencanary.conf for reading ([Errno 2] No such file or directory: 'opencanary.conf')
[-] Using config file: /home/ubuntu/.opencanary.conf
{"dst_host": "", "dst_port": -1, "local_time": "2018-07-31 07:17:04.528828", "logdata": {"msg": {"logdata": "Added service from class Telnet in opencanary.modules.telnet to fake"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "local_time": "2018-07-31 07:17:04.532023", "logdata": {"msg": {"logdata": "Added service from class CanaryHTTP in opencanary.modules.http to fake"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "local_time": "2018-07-31 07:17:04.532878", "logdata": {"msg": {"logdata": "Added service from class CanaryFTP in opencanary.modules.ftp to fake"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "local_time": "2018-07-31 07:17:04.535660", "logdata": {"msg": {"logdata": "Added service from class CanarySSH in opencanary.modules.ssh to fake"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "local_time": "2018-07-31 07:17:04.536533", "logdata": {"msg": {"logdata": "Added service from class CanaryMySQL in opencanary.modules.mysql to fake"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "local_time": "2018-07-31 07:17:04.537040", "logdata": {"msg": {"logdata": "Added service from class CanaryTftp in opencanary.modules.tftp to fake"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "local_time": "2018-07-31 07:17:04.537537", "logdata": {"msg": {"logdata": "Added service from class CanaryNtp in opencanary.modules.ntp to fake"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "local_time": "2018-07-31 07:17:04.538014", "logdata": {"msg": {"logdata": "Added service from class CanarySIP in opencanary.modules.sip to fake"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "local_time": "2018-07-31 07:17:04.538440", "logdata": {"msg": "Canary running!!!"}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}

opencanary and rdpy require different versions of pyasn1.

Hello,

I was try to install opencanary in my alpine linux machine.
When I installed opencanary there was no problem, but when I went to install rdpy it required pyasn1<0.5.0,>=0.4.1, so I installed version 0.4.1 of pyasn1. Then I saw this error:
opencanary 0.4 has requirement pyasn1==0.1.7, but you'll have pyasn1 0.4.1 which is incompatible.

So which version do I need to keep, since both require different versions at the same time?

Thanks
Prashant vidka

RDP issue

Is anyone having issues running the RDP service in opencanary? It works fine when I run it on my VM instance: the port is enabled, I can RDP from my Windows machine using mstsc, and an alert gets generated. But the same does not work when I try to set it up on my AWS Ubuntu Desktop instance; I don't even see the RDP service running.

host.cfg

Hi,

I installed and configured OpenCanary to send mails to my GMail account, however, every few seconds I receive a mail with this message:
{"dst_host": "0.0.0.0", "dst_port": 69, "local_time": "2016-04-06 15:07:37.544263", "logdata": {"FILENAME": "host.cfg", "MODE": "octet", "OPCODE": "READ"}, "logtype": 10001, "node_id": "opencanary-test-config", "src_host": "172.16.253.59", "src_port": 7700}

I am using Raspbian on a Raspberry B+

Cheers,
Marvin

FTP Localhost connection refused

When I start opencanary and then type the ftp localhost command, my connection cannot be established. The following error is coming:
ftp localhost: connection refused

samba-audit.log file not watched

I used to have the samba events handled by opencanary logger but it does not seem to be the case anymore.

twistd has a file descriptor for this file, so the configuration seems ok:

root@a8de6856982e:/# lsof /var/log/samba-audit.log
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
twistd 1 root 11r REG 8,1 392 1971342 /var/log/samba-audit.log
rsyslogd 46 root 6w REG 8,1 392 1971342 /var/log/samba-audit.log

After opening a file on the share, the samba-audit.log size is 1312B:

root@a8de6856982e:/# ls -al /var/log/samba-audit.log
-rw-r--r-- 1 root adm 1312 Feb 27 10:35 /var/log/samba-audit.log

root@a8de6856982e:/# cat /var/log/samba-audit.log
Feb 27 10:33:24 a8de6856982e liblogging-stdlog: [origin software="rsyslogd" swVersion="8.24.0" x-pid="46" x-info="http://www.rsyslog.com"] start
Feb 27 10:33:25 a8de6856982e liblogging-stdlog: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted.
Feb 27 10:33:25 a8de6856982e liblogging-stdlog: activation of module imklog failed [v8.24.0 try http://www.rsyslog.com/e/2145 ]
Feb 27 10:35:07 a8de6856982e smbd_audit: john|10.91.1.242|172.18.0.3|wks222|accounting|acc-server|SMB3_11|OSX|2019/02/27 10:35:07|ACC-SERVER|pread|ok|2015-ACC-Salaries-NB92.docx
(...)

But the twistd file descriptor position is still 146 (end of the first line):
root@a8de6856982e:/# cat /proc/1/fdinfo/11
pos: 146
flags: 0100000
mnt_id: 208

It seems that the FileSystemWatcher object is stuck at the first line and I have no clue why.

opencanary is running in a docker container from a debian 9.8 with Python 2.7.15

ftp logging error

What is the username and password for FTP, and how can I do that?

Error when starting opencanary

Hello all. I posted something about this yesterday but am unsure about what is wrong with the .opencanary.conf file. Basically, I removed the hpfeeds section in the logger section as advised:

"logger": {
"class" : "PyLogger",
"kwargs" : {
    "formatters": {
    "plain": {
        "format": "%(message)s"
    }
    },
    "handlers": {
    "console": {
        "class": "logging.StreamHandler",
        "stream": "ext://sys.stdout"
    },
    "file": {
        "class": "logging.FileHandler",
        "filename": "/var/tmp/opencanary.log"
    },
    "syslog-unix": {
        "class": "logging.handlers.SysLogHandler",
        "address": ["localhost", 514],
        "socktype": "ext://socket.SOCK_DGRAM"
    },
    "json-tcp": {
        "class": "opencanary.logger.SocketJSONHandler",
        "host": "127.0.0.1",
        "port": 1514
    },
    }
}
},

I then try to run it and get this:

[-] Failed to open opencanary.conf for reading ([Errno 2] No such file or directory: 'opencanary.conf')
[-] Using config file: /root/.opencanary.conf
[-] Failed to decode json from /root/.opencanary.conf (Expecting property name: line 59 column 6 (char 1302))
[-] Failed to open /etc/opencanaryd/opencanary.conf for reading ([Errno 2] No such file or directory: '/etc/opencanaryd/opencanary.conf')
Error: config does not have 'logger' section

Line 59 is the second } after "port": 1514. I don't see any syntax issues, so I'm very confused. I'm also not a programmer so getting this honeypot up and running is a challenge.

It was suggested I use jq for testing. I'm on the online version trying to figure that out right now. If someone could let me know if there's something obvious I'm missing here, it would be greatly appreciated.
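The decode error quoted in this issue gives a line and column, and the standard `json` module exposes the same position programmatically. One construct that hand-edited configs often contain and that neither Python's `json` nor jq accepts is a comma directly before a closing brace or bracket; in the config above, the `},` that closes the `json-tcp` handler is followed straight by the `}` that closes `handlers`. The following is an added example, not OpenCanary code: it parses a constructed config modelled on that logger section, reports the offending line, and tells you whether removing trailing commas alone makes the file parse.

```python
"""Locate a JSON syntax error in an OpenCanary-style config file.

Added example, not OpenCanary code. The "Failed to decode json ... line N
column M" message above comes from the standard json module; this helper
reports the offending line and tests whether removing trailing commas
(valid in Python literals, invalid in JSON) is enough to make it parse.
"""
import json
import re

# A comma followed only by whitespace and then a closing brace/bracket.
TRAILING_COMMA = re.compile(r",(\s*[}\]])")

# Constructed config modelled on the logger section quoted in this issue;
# the comma after the "json-tcp" handler's closing brace is the defect.
BROKEN_CONFIG = """{
  "logger": {
    "class": "PyLogger",
    "kwargs": {
      "handlers": {
        "file": {
          "class": "logging.FileHandler",
          "filename": "/var/tmp/opencanary.log"
        },
        "json-tcp": {
          "class": "opencanary.logger.SocketJSONHandler",
          "host": "127.0.0.1",
          "port": 1514
        },
      }
    }
  }
}
"""


def check_config(text):
    """Parse text as JSON and describe the result.

    Returns a dict with: ok (bool), lineno/colno of the first error (or None),
    msg (decoder message), line (the offending source line, stripped) and
    fixed (text with trailing commas removed, only if that alone parses).
    """
    result = {"ok": False, "lineno": None, "colno": None,
              "msg": "", "line": "", "fixed": None}
    try:
        json.loads(text)
        result["ok"] = True
        result["msg"] = "config parses"
        return result
    except json.JSONDecodeError as exc:
        lines = text.splitlines()
        result["lineno"], result["colno"], result["msg"] = exc.lineno, exc.colno, exc.msg
        if 0 < exc.lineno <= len(lines):
            result["line"] = lines[exc.lineno - 1].strip()
    # Second attempt: strip trailing commas and see if that was the only problem.
    candidate, count = TRAILING_COMMA.subn(r"\1", text)
    if count:
        try:
            json.loads(candidate)
            result["fixed"] = candidate
            result["msg"] += " (removing %d trailing comma(s) makes it parse)" % count
        except json.JSONDecodeError:
            pass
    return result


def report(text):
    """One-liner like the opencanaryd message, plus the offending line itself."""
    res = check_config(text)
    if res["ok"]:
        return "OK: config parses"
    return "line %d column %d: %s\n    %s" % (
        res["lineno"], res["colno"], res["msg"], res["line"])


if __name__ == "__main__":
    print(report(BROKEN_CONFIG))
```

The regex rewrite is a hint, not a fix to apply blindly: it would also touch a comma inside a string value such as `", }"`, which is why `check_config` hands back the candidate text instead of writing over the file.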

Multiple ports per protocol?

Hello,
I started to play with OpenCanary and I really like it.
I searched through the documentation and did not find an answer to the following question:

Is it possible to define multiple ports for a protocol?
Ex: for Telnet, I'd like to listen for incoming traffic on ports 23,2323,5679, etc...

KR,
/x

Failure to run on Redhat/CentOS 7 - Failed to load application: '__name__'

Performing the following on a clean install of Redhat 7:

yum install git gcc make python-devel python2-pip python-virtualenv
virtualenv env/
. env/bin/activate
pip install opencanary
pip install scapy pcapy
git clone https://github.com/thinkst/opencanary
cd opencanary/
python setup.py install
opencanaryd --copyconfig
opencanaryd --start

Produces the following error message:

(env)[root@camtest1 ~]# opencanaryd --start
Unhandled Error
Traceback (most recent call last):
  File "/root/env/lib/python2.7/site-packages/twisted/application/app.py", line 642, in run
    runApp(config)
  File "/root/env/lib/python2.7/site-packages/twisted/scripts/twistd.py", line 23, in runApp
    _SomeApplicationRunner(config).run()
  File "/root/env/lib/python2.7/site-packages/twisted/application/app.py", line 376, in run
    self.application = self.createOrGetApplication()
  File "/root/env/lib/python2.7/site-packages/twisted/application/app.py", line 441, in createOrGetApplication
    application = getApplication(self.config, passphrase)
--- <exception caught here> ---
  File "/root/env/lib/python2.7/site-packages/twisted/application/app.py", line 452, in getApplication
    application = service.loadApplication(filename, style, passphrase)
  File "/root/env/lib/python2.7/site-packages/twisted/application/service.py", line 405, in loadApplication
    application = sob.loadValueFromFile(filename, 'application', passphrase)
  File "/root/env/lib/python2.7/site-packages/twisted/persisted/sob.py", line 210, in loadValueFromFile
    exec fileObj in d, d
  File "/root/env/bin/opencanary.tac", line 5, in <module>
    pkg_resources.run_script('opencanary==0.3.2', 'opencanary.tac')
  File "/root/env/lib/python2.7/site-packages/pkg_resources.py", line 537, in run_script
    name = ns['__name__']
exceptions.KeyError: '__name__'

Failed to load application: '__name__'

Any help would be appreciated

opencanaryd --start not working

Hi. I've installed opencanary on virtualenv following instructions on both Debian x86 / 64. I've done the configuration on json file however when I type opencanaryd --start, the shell says /usr/local/bin/opencanaryd: line 23: sudo: command not found. I opened the opencanaryd file and see that there is no opencanaryd.pid file maybe the problem is that. Thanks.

glitch: hung raspbian after installation of opencanary

I had a fully functional Pi 2 until I tested this app.
I installed it following a guide on Linux Mag. I didn't expect that my Pi would be hurting this bad though.
I moved opencanary.conf to opencanaryd/opencanary.conf.bkp; I had switched all daemon params to false anyway, but I'm still not able to reboot the Pi.
I did so by mounting the SD card onto another Pi 3, so I couldn't exactly query htop or ps to halt any services. I'm searching for any services or binaries installed elsewhere other than the ~/.virtualenv/Canary-env dir.

I could use some advice as to what and where should be edited to stop any services from starting up at boot time. Raspbian is stuck on raspi.config.service.
It can't be a power issue because it was running just fine before.
So far nothing in etc/systemd/system.

but i did find in dbus logs :

$ sudo tail -n 80 var/log/daemon.log
Sep 14 06:02:43 raspberrypi01 systemd-udevd[151]: Process '/usr/sbin/th-cmd --socket /var/run/thd.socket --passfd --udev' failed with exit code 1.
Sep 14 06:02:43 raspberrypi01 systemd[1]: Failed to subscribe to NameOwnerChanged signal for 'org.freedesktop.DisplayManager': Connection timed out
Sep 14 06:02:43 raspberrypi01 systemd[1]: Failed to subscribe to NameOwnerChanged signal for 'org.freedesktop.login1': Connection timed out
Sep 14 06:02:43 raspberrypi01 systemd[1]: Failed to subscribe to NameOwnerChanged signal for 'org.bluez': Connection timed out
Sep 14 06:02:43 raspberrypi01 systemd[1]: Failed to subscribe to NameOwnerChanged signal for 'org.freedesktop.Avahi': Connection timed out
Sep 14 06:02:43 raspberrypi01 systemd[1]: Failed to subscribe to NameOwnerChanged signal for 'org.freedesktop.ModemManager1': Connection timed out
Sep 14 06:02:43 raspberrypi01 systemd[1]: Failed to subscribe to activation signal: Connection timed out
Sep 14 06:02:43 raspberrypi01 systemd[1]: Failed to register name: Connection timed out
Sep 14 06:02:43 raspberrypi01 systemd[1]: Failed to set up API bus: Connection timed out
Sep 14 06:02:43 raspberrypi01 systemd[1]: Failed to start Avahi mDNS/DNS-SD Stack.
Sep 14 06:03:07 raspberrypi01 systemd[1]: systemd-logind.service: Main process exited, code=exited, status=1/FAILURE
Sep 14 06:03:07 raspberrypi01 systemd[1]: Failed to start Login Service.

NameOwnerChanged ??

thanks for any assistance

[Random UDP Port] Source

Hi,

During some tests, we found that an unwanted udp port is opened by opencanary

netstat -antup | grep python
udp 0 0 0.0.0.0:40151 0.0.0.0:* 21907/python

With 21907 the process ID of opencanaryd.

We don't find where this bind comes from.

Is it possible to highlight the source of that? And moreover, how to disable this bind?

Thank you.

Installation with Ubuntu 15.10 Server

I have a Ubuntu 15.10 installation running in my VirtualBox and have followed the installation guide from the readme.

  • pip install pcapy does not work
    => error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
  • $ sudo /path/to/venv/bin/opencanary --start
    => does not work at all
    I guess it should be: $sudo opencanaryd --start
    brings the message: "No config file found"
    $sudo opencanaryd --copyconfig should do the trick but brings next error:
    cp: cannot state /usr/local/bin/../lib/python2.7/site-packages/opencanary/data/setting.json: no such file or directory.

I checked the directory and python2.7/site-package/ is empty!

what should I do?

New services installation and alert.

Do we need to install any dependencies for the new services (SIP, Git)? I tried multiple tools to generate traffic for these services on the server, but I'm not getting logs and alerts. Could you please share some information on how we can test these services, or which dependencies are required for these services to function?

Do we need virtualenv?

Aside from conflicts with OSX, is there any real need to run in the Python Virtualenv?

Minor shell execution vulnerability in the portscan module configuration

Lines 47 and 48 of portscan.py allow you to insert some shell commands using the "portscan.synrate" configuration line. For example, touching a file:

(canarytest)[bryan@dickbutt bin]$ ls /tmp
systemd-private-b606444044104f089cb407d0fd120480-ntpd.service-NFtTi0 tmux-1000
(canarytest)[bryan@dickbutt bin]$ grep portscan opencanary.conf
"portscan.synrate": "5/second";touch /tmp/"",
"portscan.enabled": true
(canarytest)[bryan@dickbutt bin]$ opencanaryd --start
[-] Using config file: opencanary.conf
{"dst_host": "", "dst_port": -1, "local_time": "2015-09-02 14:26:13.534200", "logdata": {"msg": "Loaded module portscan"}, "logtype": 1001, "node_id": "dickbutt", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "local_time": "2015-09-02 14:26:13.562252", "logdata": {"msg": "Start module portscan"}, "logtype": 1001, "node_id": "dickbutt", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "local_time": "2015-09-02 14:26:13.562593", "logdata": {"msg": "Canary running!!!"}, "logtype": 1001, "node_id": "dickbutt", "src_host": "", "src_port": -1}
(canarytest)[bryan@dickbutt bin]$ ls /tmp
second systemd-private-b606444044104f089cb407d0fd120480-ntpd.service-NFtTi0 tmux-1000

Pretty minor because someone would have to add this to a config, which probably already implies shell access, but I ran across it and thought you'd like to know.
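The pattern behind this report is the one quoted in the OpenBSD issue above: the `portscan.synrate` value and the listen address are interpolated into a shell string handed to `os.system`, so any shell metacharacters in the config are executed. The following is an added example, not OpenCanary's code, of the hardened shape: validate both values against the only forms iptables needs (a positive integer rate, a literal IP address or nothing) and build an argument list for `subprocess.run` with no shell, so a value like the one in this issue is rejected at load time instead of executed. The iptables flags are the ones on the page; the injectable `runner` and the `sudo`-less argv are assumptions made for the example.

```python
"""Hardened construction of the portscan module's iptables LOG rule.

Added example, not OpenCanary code. Both user-controlled values are
validated and the command is executed as an argv list (no shell), so
config values cannot inject commands.
"""
import ipaddress
import re
import subprocess

# A plain positive integer with no sign, spaces, units or punctuation.
SYNRATE_RE = re.compile(r"^[1-9][0-9]{0,5}$")


def validate_synrate(value):
    """Accept 5 or '5'; refuse anything that is not a bare positive integer."""
    text = str(value).strip()
    if not SYNRATE_RE.match(text):
        raise ValueError("portscan.synrate must be a positive integer, got %r" % (value,))
    return int(text)


def validate_listen_addr(value):
    """Empty means 'all addresses'; otherwise it must be a literal IP address."""
    if value in (None, ""):
        return ""
    return str(ipaddress.ip_address(value))  # ValueError on anything else


def build_iptables_cmd(action, synrate, listen_addr=""):
    """Return the argv for the LOG rule; action is 'A' (append) or 'D' (delete)."""
    if action not in ("A", "D"):
        raise ValueError("action must be 'A' or 'D'")
    rate = validate_synrate(synrate)
    dst = validate_listen_addr(listen_addr)
    argv = ["/sbin/iptables", "-t", "mangle", "-" + action, "PREROUTING", "-p", "tcp"]
    if dst:
        argv += ["--destination", dst]
    # Same flags as the original string; each is one argv element, never re-parsed by a shell.
    argv += ["--syn", "-j", "LOG", "--log-level=warning", "--log-prefix=canaryfw: ",
             "-m", "limit", "--limit=%d/second" % rate]
    return argv


def run_rule(action, synrate, listen_addr="", runner=subprocess.run):
    """Build and execute the rule without a shell; runner is injectable for dry runs."""
    argv = build_iptables_cmd(action, synrate, listen_addr)
    return runner(argv, check=False)


def rejected(value):
    """True if the validator would refuse this synrate value."""
    try:
        validate_synrate(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Dry run with a fake runner (assumption) so this prints argv instead of needing root.
    print(run_rule("A", 5, "192.0.2.10", runner=lambda argv, check: argv))
    print(rejected('5/second";touch /tmp/""'))  # the config value from this issue
```

Dropping `sudo` from the argv is deliberate: the process that manages firewall rules should already hold that privilege (or call a tightly scoped wrapper), rather than every config value passing through an extra shell layer. The validators are the security boundary; `subprocess.run` with a list only guarantees the arguments reach iptables unchanged.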

opencanary logs

I am trying to get the logs from opencanary.log sent to my monitoring system. The logs are working locally, but I want to send them out. Is it possible to send them over, maybe by getting them into syslog and sending them that way, or another way? Help please!!

Error When Starting OpenCanary

Can someone help me please? I have an issue when starting opencanary. I'm not a programmer, so I can't handle this issue on my own.
[screenshot from 2016-10-12 03-07-47 not reproduced]

Samba Setup send logs to json-tcp logger

I'd like to send the Samba logs to the json-tcp logger. Is this possible? The current instructions use the syslog way. Right now no events are being written to my opencanary.log file.

Failed building wheel for pcapy

Trying to set up opencanary. However, when I get to this step:

pip install scapy pcapy # optional

After running it, it seems like scapy installs fine, but pcapy always fails with this error:

'Failed building wheel for pcapy'

Command "/root/env/bin/python2.7 -u -c "import setuptools, tokenize;file='/tmp/pip-install-aPcW_X/pcapy/setup.py';f=getattr(tokenize, 'open', open)(file);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, file, 'exec'))" install --record /tmp/pip-record-Y3V2nc/install-record.txt --single-version-externally-managed --compile --install-headers /root/env/include/site/python2.7/pcapy" failed with error code 1 in /tmp/pip-install-aPcW_X/pcapy/

Would I be missing any dependencies/packages? For the most part, I installed Python 2.7 using:

sudo apt install python-minimal

& ran:

sudo apt-get install python-dev python-pip python-virtualenv

to begin the configuration process.

New install - start error

Hello,
I have a fresh install of OpenCanary running on Ubuntu 14.04. I attached a screenshot of the error I get when I run opencanaryd --start. Do you have any suggestions on where to look to correct this issue?

[screenshot: 2016-04-26_12-48-55]

Samba alert being sent multiple times.

I believe I got the Samba share working. Whenever a file is accessed by myself or another person, I get an e-mail alert. However, it sends multiple alerts for the same thing. For example, this is what it says in all the e-mails following the initial alert e-mail:
[image]

Is there any way to resolve this or do I have something configured incorrectly?

:3: couldn't match all kex parts

When I run the canary and try to connect with SSH I always get this. I think it has to do with old ciphers that are no longer supported; what can I do to fix this on the canary?

xxx:~$ ssh canary.lab
Received disconnect from 10.0.0.9 port 22:3: couldn't match all kex parts
Disconnected from 10.0.0.9 port 22

opencanary.conf - how to display "device.node_id" in "subject"

Hi,
I am planning to configure a subject as shown below in my opencanary.conf file so that when I receive an alert I can identify which machine the alert is being generated from.

"handlers": {
  "SMTP": {
    "class": "logging.handlers.SMTPHandler",
    "mailhost": ["20.20.20.20", 25],
    "fromaddr": "[email protected]",
    "toaddrs": ["[email protected]"],
    "subject": "Honeypot HTTP alert on $device.node_id"

For example when I receive the mail subject should look like "Honeypot HTTP alert on WEBSERVER".

Is this possible?

Thanks

Email alerts every time I start OpenCanary

Hi,

I have enabled email alerts and every time I start OpenCanary it produces some logs that are sent as emails. These are the logs I'm talking about:

{"dst_host": "", "dst_port": -1, "local_time": "2018-08-01 10:44:18.914888", "logdata": {"msg": {"logdata": "Added service from class Telnet in opencanary.modules.telnet to fake"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "local_time": "2018-08-01 10:44:19.081700", "logdata": {"msg": {"logdata": "Added service from class CanaryHTTP in opencanary.modules.http to fake"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "local_time": "2018-08-01 10:44:19.212972", "logdata": {"msg": {"logdata": "Added service from class CanaryFTP in opencanary.modules.ftp to fake"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "local_time": "2018-08-01 10:44:19.311152", "logdata": {"msg": {"logdata": "Added service from class CanarySSH in opencanary.modules.ssh to fake"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "local_time": "2018-08-01 10:44:19.389432", "logdata": {"msg": {"logdata": "Added service from class CanaryMySQL in opencanary.modules.mysql to fake"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "local_time": "2018-08-01 10:44:19.483347", "logdata": {"msg": {"logdata": "Added service from class CanaryTftp in opencanary.modules.tftp to fake"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "local_time": "2018-08-01 10:44:19.523974", "logdata": {"msg": {"logdata": "Added service from class CanaryNtp in opencanary.modules.ntp to fake"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "local_time": "2018-08-01 10:44:19.599323", "logdata": {"msg": {"logdata": "Added service from class CanarySIP in opencanary.modules.sip to fake"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "local_time": "2018-08-01 10:44:20.232800", "logdata": {"msg": {"logdata": "Added service from class CanaryRDP in opencanary.modules.rdp to fake"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "local_time": "2018-08-01 10:44:20.331103", "logdata": {"msg": {"logdata": "Added service from class CanarySNMP in opencanary.modules.snmp to fake"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}
{"dst_host": "", "dst_port": -1, "local_time": "2018-08-01 10:44:20.421496", "logdata": {"msg": "Canary running!!!"}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1}

Can this be suppressed directly from the software?
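The two posts above ask for related changes to the logger section of opencanary.conf: a subject line that carries device.node_id, and a way to keep the logtype 1001 startup lines out of e-mail. Both can be done in Python's logging layer, which is what PyLogger configures via dictConfig, without touching OpenCanary itself. The following is an added example, not code from the OpenCanary project or from either poster. It assumes only what the quoted log lines show: PyLogger hands Python's logging module one JSON object per event as the record message, with node_id and logtype fields, and 1001 is the logtype of the startup messages. The module name canary_mail, the {node_id}/{logtype}/{src_host} placeholder syntax (used instead of the $device.node_id form the poster tried, which SMTPHandler does not expand) and the sample events are this example's own.

```python
import json
import logging
from logging.handlers import SMTPHandler

# Added example, not OpenCanary's own code. Assumption (from the log lines
# quoted in the posts above): each record's message is one JSON event with
# "logtype" and "node_id", and 1001 is the startup/"Canary running" logtype.
STARTUP_LOGTYPE = 1001


def parse_event(record: logging.LogRecord) -> dict:
    """Return the JSON event carried by a log record, or {} if it is not JSON."""
    try:
        event = json.loads(record.getMessage())
    except (ValueError, TypeError):
        return {}
    return event if isinstance(event, dict) else {}


class StartupNoiseFilter(logging.Filter):
    """Drop logtype 1001 (startup) events so they never reach the SMTP handler.

    Attach it to the SMTP handler only; the file handler keeps the full record,
    so the startup lines still land in opencanary.log for troubleshooting.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        return parse_event(record).get("logtype") != STARTUP_LOGTYPE


class NodeSubjectSMTPHandler(SMTPHandler):
    """SMTPHandler whose subject is a template filled from the event fields.

    Python's SMTPHandler documents getSubject() as the hook for a
    record-dependent subject. The {node_id}/{logtype}/{src_host} template
    syntax is this example's choice, not an OpenCanary feature.
    """

    def getSubject(self, record: logging.LogRecord) -> str:
        event = parse_event(record)
        fields = {
            "node_id": event.get("node_id", "unknown-node"),
            "logtype": event.get("logtype", "?"),
            "src_host": event.get("src_host", ""),
        }
        try:
            return self.subject.format(**fields)
        except (KeyError, IndexError):
            return self.subject  # template names a field we do not carry


def logger_config(mailhost: str, fromaddr: str, toaddrs: list) -> dict:
    """The "logger" section of opencanary.conf wired to the classes above.

    dictConfig imports "class" and "()" values by dotted path, so the module
    holding these classes (assumed here to be importable as canary_mail) must
    be on opencanaryd's Python path.
    """
    return {
        "class": "PyLogger",
        "kwargs": {
            "formatters": {"plain": {"format": "%(message)s"}},
            "filters": {"no-startup": {"()": "canary_mail.StartupNoiseFilter"}},
            "handlers": {
                "file": {
                    "class": "logging.FileHandler",
                    "filename": "/var/tmp/opencanary.log",
                },
                "SMTP": {
                    "class": "canary_mail.NodeSubjectSMTPHandler",
                    "mailhost": [mailhost, 25],
                    "fromaddr": fromaddr,
                    "toaddrs": toaddrs,
                    "subject": "Honeypot alert on {node_id} (logtype {logtype})",
                    "filters": ["no-startup"],
                },
            },
        },
    }


def make_record(event: dict) -> logging.LogRecord:
    """Build a LogRecord the way PyLogger would: the JSON event is the message."""
    return logging.LogRecord("opencanary", logging.INFO, "opencanary", 0,
                             json.dumps(event), None, None)


if __name__ == "__main__":
    # Constructed sample events in the shape of the lines quoted above; the
    # logtype 3000 below is a placeholder value, not an OpenCanary constant.
    startup = {"dst_host": "", "dst_port": -1, "logdata": {"msg": "Canary running!!!"},
               "logtype": 1001, "node_id": "WEBSERVER", "src_host": "", "src_port": -1}
    probe = {"dst_host": "10.0.0.9", "dst_port": 80, "logdata": {"PATH": "/"},
             "logtype": 3000, "node_id": "WEBSERVER", "src_host": "10.0.0.5", "src_port": 51234}
    handler = NodeSubjectSMTPHandler(("mail.example", 25), "canary@example", ["soc@example"],
                                     "Honeypot alert on {node_id} (logtype {logtype})")
    noise = StartupNoiseFilter()
    for ev in (startup, probe):
        rec = make_record(ev)
        print(noise.filter(rec), handler.getSubject(rec))
```

Constructing the handler does not open an SMTP connection; mail is only sent on emit, so getSubject() can be exercised offline as in the main block. The filter is listed only under the SMTP handler so the file handler still records the startup lines.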

Proper configuration for RDP

I've got opencanaryd running on OS X 10.10 and while I have the .conf with RDP set to true, I'm unable to create a "fake session". Can you provide additional steps, if required, to set up the RDP module?

Here is my current .conf file:

{
  "device.node_id": "opencanary-1",
  "ftp.banner": "FTP server ready",
  "ftp.enabled": true,
  "ftp.port": 21,
  "http.banner": "Apache/2.2.22 (Ubuntu)",
  "http.enabled": true,
  "http.port": 80,
  "http.skin": "nasLogin",
  "http.skin.list": [
    {
      "desc": "Plain HTML Login",
      "name": "basicLogin"
    },
    {
      "desc": "Synology NAS Login",
      "name": "nasLogin"
    }
  ],
  "httpproxy.port": 8080,
  "httpproxy.skin": "squid",
  "httproxy.skin.list": [
    {
      "desc": "Squid",
      "name": "squid"
    },
    {
      "desc": "Microsoft ISA Server Web Proxy",
      "name": "ms-isa"
    }
  ],
  "logger": {
    "class": "PyLogger",
    "kwargs": {
      "formatters": {
        "plain": {
          "format": "%(message)s"
        }
      },
      "handlers": {
        "console": {
          "class": "logging.StreamHandler",
          "stream": "ext://sys.stdout"
        },
        "file": {
          "class": "logging.FileHandler",
          "filename": "/var/tmp/opencanary.log"
        },
        "syslog-unix": {
          "class": "logging.handlers.SysLogHandler",
          "address": ["localhost", 514],
          "socktype": "ext://socket.SOCK_DGRAM"
        },
        "json-tcp": {
          "class": "opencanary.logger.SocketJSONHandler",
          "host": "127.0.0.1",
          "port": 1514
        }
      }
    }
  },
  "portscan.synrate": "5",
  "mysql.banner": "5.5.43-0ubuntu0.14.04.1",
  "mysql.port": 3306,
  "mysql.enabled": true,
  "ssh.enabled": true,
  "ssh.port": 8022,
  "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",
  "rdp.enabled": true,
  "sip.enabled": true,
  "snmp.enabled": false,
  "ntp.enabled": false,
  "tftp.enabled": true,
  "ntp.port": "123",
  "telnet.port": "23",
  "telnet.enabled": false,
  "telnet.banner": "",
  "telnet.honeycreds": [
    {
      "username": "admin",
      "password": "$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA"
    },
    {
      "username": "admin",
      "password": "admin1"
    }
  ]
}

VNC does not generate any alert for macOS.

Hello,

I have installed OpenCanary in my VMware VM and enabled the VNC service in the conf file on port 5000.

If I connect from another Ubuntu machine on the same network then it generates an alert.

But from macOS Sierra 10.12 it is not working using the default VNC client (Screen Sharing); when I use the RealVNC third-party client on the Mac, it also generates an alert.

Why does the Mac default VNC client not generate an alert?

Thanks & Regards
