-
Notifications
You must be signed in to change notification settings - Fork 363
OpenCanary Wiki
Thanks for taking an interest in OpenCanary. We are excited to share this work with everyone and hope that you will be encouraged to contribute.
Please head over to our dedicated page on this topic over here.
Please head over to our dedicated page on this topic over here.
We have had discussions about this in the issue thread over here. It may be useful to read through it as there are a few interesting solutions that folks suggested.
I have included a default opencanary.service file in the OpenCanary repo. If you would like to go this route simply follow these steps (please ensure you have run opencanaryd --start once to get the config setup to how you want it):
- copy the service file into
/etc/systemd/system/opencanary.service. - edit
/etc/systemd/system/opencanary.serviceand add the full path of your virtual environment; replacing the<VIRTUAL_ENV_PATH>in the service file. - reboot your system and check that
opencanarydis starting on start-up. You can check usingsystemctl status opencanary.
Port 631 is the default port for the CUPS (standards-based, open source printing system). We found a few workarounds:
- installing the CUPS service stopped the port 631 scans coming from
127.0.0.1. - try
systemctl stop cups && systemctl disable cups. - add the line
load printers = noto your Samba configuration file (/etc/samba/smb.conf). You can read about it over here
We have seen that in some cases the environment that you install your OpenCanary into via pip does not place opencanaryd into the $PATH. You will need to find where your installed OpenCanary. We highly recommend creating a virtual environment for it (using virtualenv env) and installing your OpenCanary into that environment (using pip install opencanary once you have activated the virtual environment using . env/bin/activate).
If you avoiding a virtual environment, please check your $PATH variable and ensure that opencanaryd is in one of the $PATH directories; otherwise add it.
The portscan feature of OpenCanary relies on the use of iptables.
- Docker does not support the use of
iptablesso theportscanfeature of OpenCanary is currently not supported in the dockerised version of OpenCanary - Newer versions of Linux based OSes use
nftablesby default and notiptables.nftablessyntax is very different toiptablesand so the necessary portscaniptablesrules don't work. In order to fix this, we would recommend removingnftablesand installingiptables.
Debian 12 has removed system logging to files such as /var/log/kern.log to instead use systemd-journald (journalctl). This means that the logfile that our portscan module monitors for iptables events doesn't exist.
The following steps should get you up and running:
- Install rsyslog
sudo apt update && sudo apt install rsyslog
- Restart rsyslog
systemctl restart rsyslog
- Check that
/var/log/kern.logexists and is getting messages.
less /var/log/kern.log
- Make sure that your Opencanary is using the default
portscan.logfilewhich is/var/log/kern.log.
For Dockerised OpenCanary to report the correct IP of the attacker, it must be running on a linux based OS (not Windows or MacOS). The reason for this is that to get the correct IP of the attacker, we need to specify the host parameter for Docker's network_mode. This allows us to see the traffic straight from the host's interface instead of the traffic being NAT through the Docker network stack.