### Start Daemon and Verify Logging Source: https://opencanary.readthedocs.io/en/latest/starting/opencanary.html Commands to start the daemon, simulate an FTP login, and inspect the resulting log entry. ```bash $ opencanaryd --start [...] $ ftp localhost [...] $ cat /var/tmp/opencanary.log [...] {"dst_host": "127.0.0.1", "dst_port": 21, "local_time": "2015-07-20 13:38:21.281259", "logdata": {"PASSWORD": "default", "USERNAME": "admin"}, "logtype": 2000, "node_id": "opencanary-0", "src_host": "127.0.0.1", "src_port": 49635} ``` -------------------------------- ### Create Virtual Environment and Install OpenCanary Source: https://opencanary.readthedocs.io/en/latest/starting/correlator.html Set up a virtual environment and install the OpenCanary Correlator. Ensure you activate the environment before proceeding. ```bash virtualenv env . env/bin/activate ``` -------------------------------- ### Configure Samba smb.conf Source: https://opencanary.readthedocs.io/en/latest/services/windows.html Example configuration for Samba to enable full_audit logging. ```ini [global] workgroup = WORKGROUP server string = NBDocs netbios name = SRV01 dns proxy = no log file = /var/log/samba/log.all log level = 0 max log size = 100 panic action = /usr/share/samba/panic-action %d server role = standalone passdb backend = tdbsam obey pam restrictions = yes unix password sync = no map to guest = bad user usershare allow guests = yes load printers = no vfs object = full_audit full_audit:prefix = %U|%I|%i|%m|%S|%L|%R|%a|%T|%D full_audit:success = flistxattr full_audit:failure = none full_audit:facility = local7 full_audit:priority = notice [myshare] comment = All the stuff! path = /samba guest ok = yes read only = yes browseable = yes ``` -------------------------------- ### OpenCanary Configuration Structure Source: https://opencanary.readthedocs.io/en/latest/starting/opencanary.html Example JSON structure for the OpenCanary configuration file, including node identification and logger settings. ```json { "device.node_id": "Your-very-own-unique-name", // ... "logger": { "class": "PyLogger", "kwargs": { "handlers": { "file": { "class": "logging.FileHandler", "filename": "/var/tmp/opencanary.log" } } } } // ... } ``` -------------------------------- ### Run OpenCanary Correlator Daemon Source: https://opencanary.readthedocs.io/en/latest/starting/correlator.html Ensure Redis is running and then start the OpenCanary Correlator daemon with the specified configuration file. This process listens for and correlates security events. ```bash pgrep redis-server || echo 'Redis is not running!' opencanary-correlator --config=./opencanary-correlator.conf ``` -------------------------------- ### Generate and Edit Configuration Source: https://opencanary.readthedocs.io/en/latest/starting/opencanary.html Create a default configuration file and open it for editing. ```bash $ opencanaryd --copyconfig $ $EDITOR ~/.opencanary.conf ``` -------------------------------- ### Initialize Virtual Environment Source: https://opencanary.readthedocs.io/en/latest/starting/opencanary.html Create and activate a Python virtual environment for OpenCanary. ```bash $ virtualenv env $ . env/bin/activate ``` -------------------------------- ### Validate Configuration with JQ Source: https://opencanary.readthedocs.io/en/latest/starting/opencanary.html Use the JQ utility to verify that the configuration file is valid JSON. ```bash $ jq . ~/.opencanary.conf ``` -------------------------------- ### Configure MySQL Server in OpenCanary Source: https://opencanary.readthedocs.io/en/latest/services/mysql.html Add these settings to the ~/.opencanary.conf file to enable the MySQL listener and define its banner and port. ```json { "mysql.banner": "5.5.43-0ubuntu0.14.04.1", "mysql.enabled": true, "mysql.port": 3306, "ssh.enabled": true, "ssh.port": 22, "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4", // [..] # logging configuration } ``` -------------------------------- ### Initialize and Copy OpenCanary Correlator Configuration Source: https://opencanary.readthedocs.io/en/latest/starting/correlator.html Run the OpenCanary Correlator to generate a template configuration file, then copy it for editing. This configures notification settings and other parameters. ```bash opencanary-correlator Warning: no config file specified. Using the template config: /[...]/opencanary_correlator.conf cp /[...]/opencanary_correlator.conf opencanary-correlator.conf ``` -------------------------------- ### Configure MSSQL and RDP in OpenCanary Source: https://opencanary.readthedocs.io/en/latest/services/mssql.html Add these settings to the ~/.opencanary.conf file to enable the MSSQL and RDP services. ```json { "mssql.enabled": true, "mssql.port": 1433, "mssql.version": "2012", "rdp.enabled": true, "rdp.port", 3389, // [..] # logging configuration } ``` -------------------------------- ### Configure OpenCanary Samba Settings Source: https://opencanary.readthedocs.io/en/latest/services/windows.html Add these settings to your ~/.opencanary.conf file to enable Samba auditing. ```json { "smb.auditfile": "/var/log/samba-audit.log", "smb.enabled": true } ``` -------------------------------- ### Upgrade OpenCanary in Virtual Environment Source: https://opencanary.readthedocs.io/en/latest Commands to activate the virtual environment, upgrade the package, and optionally regenerate the configuration file. ```bash $ . env/bin/activate ``` ```bash $ pip install opencanary --upgrade ``` ```bash $ opencanaryd --copyconfig ``` -------------------------------- ### Generate Default Configuration Source: https://opencanary.readthedocs.io/en/latest/starting/configuration.html Command to generate the default OpenCanary configuration file at /etc/opencanary/opencanary.conf. ```bash $ opencanaryd --copyconfig ``` -------------------------------- ### Run Daemon in Foreground Source: https://opencanary.readthedocs.io/en/latest/starting/opencanary.html Execute the daemon in development mode to display verbose error messages. ```bash $ opencanaryd --dev ``` -------------------------------- ### Reference Environment Variable in Config Source: https://opencanary.readthedocs.io/en/latest/starting/configuration.html Reference exported environment variables in the configuration file by prefixing the variable name with a dollar sign ($). For Windows, use the percent sign (%). ```json "telnet.honeycreds": [ { "username": "admin", "password": "$TELNET_PASSWORD" } ] ``` -------------------------------- ### Configure OpenCanary Correlator Settings Source: https://opencanary.readthedocs.io/en/latest/starting/correlator.html Edit the copied configuration file to set up notification details for Twilio, Mandrill, and Slack, as well as network scan horizons. ```json { "console.sms_notification_enable": true, "console.sms_notification_numbers": ["+336522334455"], "console.email_notification_enable": true, "console.email_notification_address": ["notifications@opencanary.org"], "console.slack_notification_enable": true, "console.slack_notification_webhook": ["https://hooks.slack.com/services/example/webhookdata"], "twilio.auth_token": "fae9206628714fb2ce00f72e94f2258f", "twilio.from_number": "+1201253234", "twilio.sid": "BD742385c0810b431fe2ddb9fc327c85ad", "console.mandrill_key": "9HCjwugWjibxww7kPFej", "scans.network_portscan_horizon": 1000 } ``` -------------------------------- ### Default Configuration File Structure Source: https://opencanary.readthedocs.io/en/latest/starting/configuration.html The default JSON configuration file for OpenCanary, defining settings for various services, logging, and honeypot features. ```json { "device.node_id": "opencanary-1", "ip.ignorelist": [ ], "git.enabled": false, "git.port" : 9418, "ftp.enabled": true, "ftp.port": 21, "ftp.banner": "FTP server ready", "http.banner": "Apache/2.2.22 (Ubuntu)", "http.enabled": false, "http.port": 80, "http.skin": "nasLogin", "http.skin.list": [ { "desc": "Plain HTML Login", "name": "basicLogin" }, { "desc": "Synology NAS Login", "name": "nasLogin" } ], "https.enabled": false, "https.port": 443, "https.skin": "nasLogin", "https.certificate": "/etc/ssl/opencanary/opencanary.pem", "https.key": "/etc/ssl/opencanary/opencanary.key", "httpproxy.enabled" : false, "httpproxy.port": 8080, "httpproxy.skin": "squid", "httproxy.skin.list": [ { "desc": "Squid", "name": "squid" }, { "desc": "Microsoft ISA Server Web Proxy", "name": "ms-isa" } ], "logger": { "class": "PyLogger", "kwargs": { "formatters": { "plain": { "format": "%(message)s" } }, "handlers": { "console": { "class": "logging.StreamHandler", "stream": "ext://sys.stdout" }, "file": { "class": "logging.FileHandler", "filename": "/var/tmp/opencanary.log" } } } }, "portscan.enabled": false, "portscan.logfile":"/var/log/kern.log", "portscan.synrate": 5, "portscan.nmaposrate": 5, "portscan.lorate": 3, "smb.auditfile": "/var/log/samba-audit.log", "smb.enabled": false, "mysql.enabled": false, "mysql.port": 3306, "mysql.banner": "5.5.43-0ubuntu0.14.04.1", "ssh.enabled": false, "ssh.port": 22, "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4", "redis.enabled": false, "redis.port": 6379, "rdp.enabled": false, "rdp.port": 3389, "sip.enabled": false, "sip.port": 5060, "snmp.enabled": false, "snmp.port": 161, "ntp.enabled": false, "ntp.port": "123", "tftp.enabled": false, "tftp.port": 69, "tcpbanner.maxnum":10, "tcpbanner.enabled": false, "tcpbanner_1.enabled": false, "tcpbanner_1.port": 8001, "tcpbanner_1.datareceivedbanner": "", "tcpbanner_1.initbanner": "", "tcpbanner_1.alertstring.enabled": false, "tcpbanner_1.alertstring": "", "tcpbanner_1.keep_alive.enabled": false, "tcpbanner_1.keep_alive_secret": "", "tcpbanner_1.keep_alive_probes": 11, "tcpbanner_1.keep_alive_interval":300, "tcpbanner_1.keep_alive_idle": 300, "telnet.enabled": false, "telnet.port": "23", "telnet.banner": "", "telnet.honeycreds": [ { "username": "admin", "password": "$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA" }, { "username": "admin", "password": "admin1" } ], "mssql.enabled": false, "mssql.version": "2012", "mssql.port":1433, "vnc.enabled": false, "vnc.port":5000 } ``` -------------------------------- ### Export Environment Variable Source: https://opencanary.readthedocs.io/en/latest/starting/configuration.html Export sensitive information like passwords or tokens as environment variables on the host machine. This is a common practice for securing credentials. ```bash export TELNET_PASSWORD=TopsyKretts ``` -------------------------------- ### Test Correlator Alerts Directly Source: https://opencanary.readthedocs.io/en/latest/starting/correlator.html Send a test event directly to the correlator's listening port (1514) using netcat to verify alert functionality without involving OpenCanary daemons. ```bash echo '{"dst_host": "9.9.9.9", "dst_port": 21, "local_time": "2015-07-20 13:38:21.281259", "logdata": {"PASSWORD": "default", "USERNAME": "admin"}, "logtype": 2000, "node_id": "AlertTest", "src_host": "8.8.8.8", "src_port": 49635}' | nc -v localhost 1514 ``` -------------------------------- ### OpenCanary Linux Web Server Configuration Source: https://opencanary.readthedocs.io/en/latest/services/webserver.html Defines service ports, banners, and skins for FTP, HTTP, HTTPS, and SSH protocols within the opencanary.conf file. ```json { "ftp.banner": "FTP server ready", "ftp.enabled": true, "ftp.port":21, "http.banner": "Apache/2.2.22 (Ubuntu)", "http.enabled": true, "http.port": 80, "http.skin": "nasLogin", "http.skin.list": [ { "desc": "Plain HTML Login", "name": "basicLogin" }, { "desc": "Synology NAS Login", "name": "nasLogin" } ], "https.enabled": true, "https.port": 443, "https.skin": "nasLogin", "https.certificate": "/etc/ssl/opencanary/opencanary.pem", "https.key": "/etc/ssl/opencanary/opencanary.key", "ssh.enabled": true, "ssh.port": 8022, "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4", // [..] # logging configuration } ``` -------------------------------- ### Validate Correlator Configuration File Source: https://opencanary.readthedocs.io/en/latest/starting/correlator.html Use the JQ tool to check if the OpenCanary Correlator configuration file is valid JSON. This helps ensure the configuration is correctly formatted before running the correlator. ```bash $ jq . ./opencanary-correlator.conf ``` -------------------------------- ### Configure rsyslog for Samba Audit Logs Source: https://opencanary.readthedocs.io/en/latest/services/windows.html Add these lines to /etc/rsyslog.conf to redirect Samba audit logs to the file monitored by OpenCanary. ```text $FileCreateMode 0644 local7.* /var/log/samba-audit.log ``` -------------------------------- ### Configure OpenCanary Logger Source: https://opencanary.readthedocs.io/en/latest/starting/configuration.html Defines various logging handlers and formatters for OpenCanary. Supports console, file, syslog, SMTP, Slack, Teams, and Webhook handlers. Ensure correct paths and credentials are set. ```json "logger": { "class": "PyLogger", "kwargs": { "formatters": { "plain": { "format": "% (message)s" }, "syslog_rfc": { "format": "opencanaryd[%(process)-5s:%(thread)d]: %(name)s %(levelname)-5s %(message)s" } }, "handlers": { "console": { "class": "logging.StreamHandler", "stream": "ext://sys.stdout" }, "file": { "class": "logging.FileHandler", "filename": "/var/tmp/opencanary.log" }, "syslog-unix": { "class": "logging.handlers.SysLogHandler", "formatter":"syslog_rfc", "address": [ "localhost", 514 ], "socktype": "ext://socket.SOCK_DGRAM" }, "json-tcp": { "class": "opencanary.logger.SocketJSONHandler", "host": "127.0.0.1", "port": 1514 }, "SMTP": { "class": "logging.handlers.SMTPHandler", "mailhost": ["smtp.yourserver.com", 25], "fromaddr": "noreply@yourdomain.com", "toaddrs" : ["youraddress@gmail.com"], "subject" : "OpenCanary Alert" }, "slack":{ "class":"opencanary.logger.SlackHandler", "webhook_url":"https://hooks.slack.com/services/..." }, "teams": { "class": "opencanary.logger.TeamsHandler", "webhook_url":"https://my-organisation.webhook.office.com/webhookb2/..." }, "Webhook": { "class": "opencanary.logger.WebhookHandler", "url": "http://domain.example.com/path", "method": "POST", "data": {"message": "% (message)s"}, "status_code": 200 } } } } ``` -------------------------------- ### Restart OpenCanary Service Source: https://opencanary.readthedocs.io/en/latest/starting/opencanary.html Command to restart the running OpenCanary service. ```bash $ opencanaryd --restart ``` -------------------------------- ### Pass Environment Variable to Docker Container Source: https://opencanary.readthedocs.io/en/latest/starting/configuration.html When using Docker, pass environment variables to the container using the `-e` flag in the `docker run` command. ```bash docker run -e TELNET_PASSWORD ... ``` -------------------------------- ### Configure OpenCanary Daemons to Send Events Source: https://opencanary.readthedocs.io/en/latest/starting/correlator.html Modify the 'logger' field in the OpenCanary daemon configuration to direct events to the correlator via TCP. Restart the daemon to apply changes. ```json "logger": { "class": "PyLogger", "kwargs": { "handlers": { "json-tcp": { "class": "opencanary.logger.SocketJSONHandler", "host": "127.0.0.1", // change to correlator IP "port": 1514 } } } } ``` -------------------------------- ### Define Environment Variable in Docker Compose Source: https://opencanary.readthedocs.io/en/latest/starting/configuration.html For Docker Compose deployments, define environment variables within the service definition in your `docker-compose.yml` file. ```yaml service: opencanary: image: "..." environment: - TELNET_PASSWORD ... ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.