OpenCanary

I attended a business gathering the other day and someone asked me who our ideal customer would be.  Our ideal customer is a small business owner that is concerned about cybersecurity, wants to do something about it, but doesn't know what to do. 

The solutions we offer recognize that small businesses don't have endless dollars to throw at security.  With that in mind, I love Thinkst Canaries but $5000 for two of them immediately pushes up against that cost barrier.  As an alternative, we can use OpenCanary installed on some modest hardware and drive the cost down significantly.

In your arsenal of goodies, canaries are useful because, unlike most other devices on the network which have thresholds, canaries alert on a single hit.  And for good reason: there's no reasonable explanation why this box should be touched unless someone is up to no good.  

I've seen a number of articles on how to install OpenCanary and this isn't much different except that I've installed it in /opt instead of a user or root directory.  I've also installed it as a service but I may edit this post in the near future because I've had some intermittent issues with the service staying alive.  And finally, there were some issues that arose from those other instructions and I've addressed them along the way.

This is the brainless part:

sudo mkdir /opt/canaries
sudo chown "$USER" /opt/canaries   # assumed: lets the non-root login user build the virtualenv below
cd /opt/canaries
sudo apt-get install python-dev python-pip python-virtualenv
virtualenv env/
. env/bin/activate
pip install opencanary

The next two items are optional, scapy and pcapy.  I couldn't get the latter installed and I've yet to discover a problem from NOT having it.  The former can be installed with:

pip install scapy

sudo apt-get install -y build-essential libssl-dev libffi-dev python-dev

Something I've added:

pip install pyasn1

With Ubuntu 18, we have pyasn1 version 0.4.5 and this will take it to 0.4.7 which eliminates the error from this next item:

pip install rdpy

Without the upgrade to pyasn1 0.4.7, we get an error stating that we need to be higher than 0.4.5 and lower than 0.5.0 (I think).

cd /opt/canaries/env
opencanaryd --copyconfig
sudo mv ~/.opencanary.conf /root/
sudo nano /root/.opencanary.conf

When we open the config file, by default, FTP is enabled.  

If you want to make this more attractive, you can change the banner to "vsftpd 2.3.4", which is the version with the backdoor, but that might be too obvious.

Searching through the config, you'll find other services set to false which you can set to true.  Be warned that you can't just indiscriminately set everything to true.  For setup and testing purposes, let's just leave it with FTP.  

For email alerts, personally, I like the idea of removing this from the in-house mail server and I don't like the idea of using Gmail.  In my setup here, I'm routing it through an outbound host that relays without credentials.  Lots of providers offer this type of service; this one charges $5/month.  In addition to relaying messages from the canaries, it can also relay messages from in-house copiers.


"SMTP": {
    "class": "logging.handlers.SMTPHandler",
    "mailhost": ["YOUR RELAY HOST", 25],
    "fromaddr": "YOUR FROM ADDRESS",
    "toaddrs": ["YOUR TO ADDRESS"],
    "subject": "OpenCanary Alert",
    "secure": []
},

Take note of the original formatting and also take note of the trailing comma.  You can drop SMTP in after file, but then file must have the trailing comma and SMTP would no longer need it.
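Before starting the daemon it is worth confirming that the edited file is still valid JSON, since a misplaced trailing comma is exactly what breaks it.  The script below is an added example, not part of OpenCanary or of this post: it parses a constructed sample config, lists the services set to true, and checks that the SMTP handler is present with its template placeholders replaced.  Point load_conf at the text of /root/.opencanary.conf to check a real box.

```python
import json
# Constructed sample of /root/.opencanary.conf, not a file from the post.
SAMPLE_CONF = """{
    "ftp.enabled": true,
    "ssh.enabled": false,
    "logger": {
        "class": "PyLogger",
        "kwargs": {
            "handlers": {
                "file": {"class": "logging.FileHandler", "filename": "/var/tmp/opencanary.log"},
                "SMTP": {
                    "class": "logging.handlers.SMTPHandler",
                    "mailhost": ["relay.example.net", 25],
                    "fromaddr": "canary@example.net",
                    "toaddrs": ["soc@example.net"],
                    "secure": []
                }
            }
        }
    }
}"""

def load_conf(text):
    """Parse the config; returns (dict, None) or (None, error message)."""
    try:
        return json.loads(text), None
    except ValueError as exc:  # a stray trailing comma ends up here
        return None, "invalid JSON: %s" % exc

def enabled_services(conf):
    """Names of services whose '<name>.enabled' flag is true."""
    return sorted(k[:-len(".enabled")] for k, v in conf.items()
                  if k.endswith(".enabled") and v is True)

def smtp_problems(conf):
    """Problems with the SMTP alert handler; an empty list means it is wired up."""
    smtp = conf.get("logger", {}).get("kwargs", {}).get("handlers", {}).get("SMTP")
    if smtp is None:
        return ["no SMTP handler under logger.kwargs.handlers"]
    problems = []
    if smtp.get("class") != "logging.handlers.SMTPHandler":
        problems.append("class is not logging.handlers.SMTPHandler")
    host = smtp.get("mailhost")
    if not (isinstance(host, list) and len(host) == 2 and isinstance(host[1], int)):
        problems.append("mailhost must be [host, port]")
    elif str(host[0]).startswith("YOUR "):  # placeholder left from the template
        problems.append("mailhost still holds the template placeholder")
    if not smtp.get("toaddrs"):
        problems.append("toaddrs is empty, alerts would go nowhere")
    return problems
```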

At this point, we are set.  In order to start OpenCanary:

opencanaryd --start

If you've set up the SMTP functionality, you should receive an email from OpenCanary stating that it's been started.

If we attempt to FTP:


We should receive an email regarding the attempted login:


While this is functional, it's less than ideal because if or when the server reboots, we need to manually start OpenCanary again.  

Setting it up as a service:

sudo nano /etc/systemd/system/opencanary.service

I've seen a couple of posts regarding setting OpenCanary up as a service and I've made a couple of mods to the service config:

[Unit]
Description=OpenCanary
After=syslog.target
After=network.target
StartLimitIntervalSec=0

[Service]
User=root
Restart=on-failure
RestartSec=5
# systemd does not expand $VARIABLES in Environment= lines, so the venv path is spelled out.
Environment=VIRTUAL_ENV=/opt/canaries/env/
Environment=PATH=/opt/canaries/env/bin:/usr/local/bin:/usr/bin:/bin
WorkingDirectory=/opt/canaries/env/bin
# --dev keeps twistd in the foreground so systemd tracks the real process;
# --start daemonizes, after which systemd sees the service as exited.
ExecStart=/opt/canaries/env/bin/opencanaryd --dev

[Install]
WantedBy=multi-user.target

Save the file, exit, then:

sudo systemctl enable opencanary.service

Assuming OpenCanary is still running from when we started it manually, we need to either reboot or stop it manually:

opencanaryd --stop

If you rebooted, it should start on its own.  If you stopped it manually, we can start the service:

sudo service opencanary start

That's a wrap.  You have your first canary!  Hopefully it never sings!!