-
Notifications
You must be signed in to change notification settings - Fork 365
OpenCanary Wiki
Thanks for taking an interest in OpenCanary. We are excited to share this work with everyone and hope that you will be encouraged to contribute.
Please head over to our dedicated page on this topic over here.
Please head over to our dedicated page on this topic over here.
We have had discussions about this in the issue thread over here. It may be useful to read through it as there are a few interesting solutions that folks suggested.
I have included a default opencanary.service
file in the OpenCanary repo. If you would like to go this route simply follow these steps (please ensure you have run opencanaryd --start
once to get the config setup to how you want it):
- copy the service file into
/etc/systemd/system/opencanary.service
. - edit
/etc/systemd/system/opencanary.service
and add the full path of your virtual environment; replacing the<VIRTUAL_ENV_PATH>
in the service file. - reboot your system and check that
opencanaryd
is starting on start-up. You can check usingsystemctl status opencanary
.
Port 631
is the default port for the CUPS (standards-based, open source printing system). We found a few workarounds:
- installing the CUPS service stopped the port 631 scans coming from
127.0.0.1
. - try
systemctl stop cups && systemctl disable cups
. - add the line
load printers = no
to your Samba configuration file (/etc/samba/smb.conf
). You can read about it over here
We have seen that in some cases the environment that you install your OpenCanary into via pip does not place opencanaryd
into the $PATH. You will need to find where your installed OpenCanary. We highly recommend creating a virtual environment for it (using virtualenv env
) and installing your OpenCanary into that environment (using pip install opencanary
once you have activated the virtual environment using . env/bin/activate
).
If you avoiding a virtual environment, please check your $PATH variable and ensure that opencanaryd
is in one of the $PATH directories; otherwise add it.
The portscan
feature of OpenCanary relies on the use of iptables
.
- Docker does not support the use of
iptables
so theportscan
feature of OpenCanary is currently not supported in the dockerised version of OpenCanary - Newer versions of Linux based OSes use
nftables
by default and notiptables
.nftables
syntax is very different toiptables
and so the necessary portscaniptables
rules don't work. In order to fix this, we would recommend removingnftables
and installingiptables
.
Debian 12 has removed system logging to files such as /var/log/kern.log
to instead use systemd-journald
(journalctl
). This means that the logfile that our portscan
module monitors for iptables
events doesn't exist.
The following steps should get you up and running:
- Install rsyslog
sudo apt update && sudo apt install rsyslog
- Restart rsyslog
systemctl restart rsyslog
- Check that
/var/log/kern.log
exists and is getting messages.
less /var/log/kern.log
- Make sure that your Opencanary is using the default
portscan.logfile
which is/var/log/kern.log
.
For Dockerised OpenCanary to report the correct IP of the attacker, it must be running on a linux based OS (not Windows or MacOS). The reason for this is that to get the correct IP of the attacker, we need to specify the host
parameter for Docker's network_mode
. This allows us to see the traffic straight from the host's interface instead of the traffic being NAT through the Docker network stack.