---
tags: ccdc
---

# OpenCanary

## Install

### Setup Docker

#### Debian

```bash
apt install -y docker.io jq
```

### Docker Install - CD ISO

1. Attach the ISO to the VM (Actions > Edit Settings > CD > Datastore ISO > docker.opencanary.iso).
2. Use the GUI to mount the CD drive.
3. Open a root terminal in the CD drive mount directory.
4. Run `docker load < *.tar`

Move the host SSH server off port 22 so the honeypot container can take it:

```bash
nano /etc/ssh/sshd_config
```

Change the port line:

```diff
- #Port 22
+ Port 65534
```

Restart the SSH server:

```bash
service ssh restart
```

Start the Docker container:

```bash
docker run -dit -p 21:21 -p 22:22 -p 23:23 -p 80:80 -p 3306:3306 --name opencanary-app opencanary
```

### Docker Install - Online

Get the package from GitHub:

```bash
git clone https://github.com/trigat/Docker-OpenCanary.git && cd Docker-OpenCanary
```

Edit the enabled services with:

```bash
nano conf/opencanary.conf
```

Use `ctrl+w` to search the config and make sure the following are all set to `true`:

- `"ftp.enabled":`
- `"http.enabled":`
- `"mysql.enabled":`
- `"ssh.enabled":`
- `"telnet.enabled":`

Edit the Dockerfile with:

```bash
nano Dockerfile
```

Change the first line:

```diff
- FROM amd64/ubuntu:latest
+ FROM amd64/ubuntu:18.04
```

Remove these lines:

```diff
- # use this if you want to use RDP for honeypot
- RUN pip install rdp
```

Save and close the file.

Move the host SSH server off port 22 so the honeypot container can take it:

```bash
nano /etc/ssh/sshd_config
```

Change the port line:

```diff
- #Port 22
+ Port 65534
```

Restart the SSH server:

```bash
service ssh restart
```

Build the Docker image and start the container:

```bash
docker build --rm -t opencanary .
docker run -dit -p 21:21 -p 22:22 -p 23:23 -p 80:80 -p 3306:3306 --name opencanary-app opencanary
```

## Usage

### View the log

```bash
docker exec -it opencanary-app bash -c 'cat /var/tmp/opencanary.log'
```

### Watch the log

```bash
docker exec -it opencanary-app bash -c 'tail -f /var/tmp/opencanary.log'
```

### See Top Uniq attackers

```bash
docker exec -it opencanary-app bash -c 'cat /var/tmp/opencanary.log' | jq ".src_host" | awk -F '"' '{print $2}' | grep . | sort | uniq -c | sort -n -k 1 -r
```

### See Top Uniq attackers by service attacked

Entries with a `dst_port` of `-1` are OpenCanary's own internal events (such as startup messages), not connections, so they are filtered out:

```bash
docker exec -it opencanary-app bash -c 'cat /var/tmp/opencanary.log' | jq '.src_host + " attacked port: " + (.dst_port|tostring)' | grep -v "\-1" | awk -F '"' '{print $2}' | sort | uniq -c | sort -n -k 1 -r
```

#### Watch it:

Inside the double-quoted `watch` command the `$2` must be escaped as `\$2`, otherwise the outer shell expands it to nothing before `watch` runs the pipeline and `awk` prints the whole line:

```bash
watch "docker exec -it opencanary-app bash -c 'cat /var/tmp/opencanary.log' | jq '.src_host + \" attacked port: \" + (.dst_port|tostring)' | grep -v \"\-1\" | awk -F '\"' '{print \$2}' | sort | uniq -c | sort -n -k 1 -r"
```
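The same two summaries as a small Python script instead of a shell pipeline, so the quoting problems of the `watch` one-liner go away and the JSON is parsed properly. This is an added example, not part of the original notes or of OpenCanary itself; the log lines embedded in it are constructed, and it only relies on the `src_host` and `dst_port` fields the pipelines above use, with the `-1` internal-event convention those pipelines filter on.

```python
"""Summarise OpenCanary line-delimited JSON logs: top attackers, and attackers per service."""
import json
import sys
from collections import Counter

# Honeypot ports published by the docker run command, mapped to service names.
SERVICES = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 3306: "mysql"}

# Constructed sample log (not captured from a real deployment). The first entry imitates an
# internal OpenCanary event: dst_port -1 and empty src_host, which is not an attack.
SAMPLE_LOG = """\
{"dst_port": -1, "local_time": "2024-01-01 10:00:00", "logdata": {"msg": "startup"}, "src_host": "", "src_port": -1}
{"dst_port": 22, "local_time": "2024-01-01 10:01:00", "logdata": {"USERNAME": "root"}, "src_host": "10.0.0.5", "src_port": 51000}
{"dst_port": 22, "local_time": "2024-01-01 10:01:02", "logdata": {"USERNAME": "admin"}, "src_host": "10.0.0.5", "src_port": 51001}
{"dst_port": 21, "local_time": "2024-01-01 10:02:00", "logdata": {"USERNAME": "anonymous"}, "src_host": "10.0.0.9", "src_port": 40000}
this line is not JSON and must be skipped
{"dst_port": 3306, "local_time": "2024-01-01 10:03:00", "logdata": {"USERNAME": "root"}, "src_host": "10.0.0.5", "src_port": 52000}
"""


def parse_events(text):
    """Return attack events, dropping malformed lines and internal (dst_port -1 / no src_host) entries."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a partially written or garbled line instead of aborting
        if ev.get("dst_port", -1) == -1 or not ev.get("src_host"):
            continue
        events.append(ev)
    return events


def top_attackers(events):
    """Like the 'Top Uniq attackers' pipeline: [(src_host, count), ...], busiest first."""
    return Counter(ev["src_host"] for ev in events).most_common()


def top_attackers_by_service(events):
    """Like the per-service pipeline, but with the port translated to its honeypot service name."""
    pairs = ((ev["src_host"], SERVICES.get(ev["dst_port"], str(ev["dst_port"]))) for ev in events)
    return Counter(pairs).most_common()


if __name__ == "__main__":
    # Read the real log from stdin when piped in; otherwise run on the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    events = parse_events(text)
    for host, n in top_attackers(events):
        print(f"{n:5d} {host}")
    for (host, svc), n in top_attackers_by_service(events):
        print(f"{n:5d} {host} attacked {svc}")
```

Feed it the container log with `docker exec opencanary-app cat /var/tmp/opencanary.log | python3 summarize.py` (script name assumed).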