In the ever-evolving landscape of cybersecurity, one tool that has garnered attention for its ingenuity and effectiveness is the honeypot. At its core, a honeypot is a decoy system set up to lure cyber attackers away from legitimate targets within a network. Designed to mimic real systems, honeypots act as sacrificial lambs—enticing hackers to interact with them rather than the actual valuable assets, thereby revealing the tactics, techniques, and procedures employed by the attackers.

The primary purpose of a honeypot is to gain insights into how unauthorized users interact with systems, thereby helping to understand the types of threats an organization is most likely to face. This information is invaluable for improving the organization’s security posture. By studying the interactions with the honeypot, cybersecurity professionals can refine existing security measures and develop new defenses against emerging threats.
Honeypots are widely utilized for various reasons. First, they act as an early warning system by identifying malicious activities and alerting administrators. Second, they divert attackers from critical assets, helping to minimize the potential damage to an organization’s real infrastructure. Third, the data collected can be used for educational purposes, threat analysis, or even legal action against the perpetrators.
In summary, honeypots serve as a powerful tool for understanding and combating cyber threats, providing a proactive approach to security by ensnaring attackers and studying their methods.

Honeypots can also function as "canaries", named after the "canary in a coal mine" concept. In this mode, the honeypot is not just used for studying attacker behavior but also for immediate alerting. The moment an unauthorized user interacts with the honeypot, it can trigger alerts that notify system administrators or security teams of the intrusion. This provides an early warning system that allows for quicker reaction times to potential security incidents, enabling organizations to respond proactively rather than reactively.
Adding a canary functionality means that the honeypot can serve as a real-time monitoring tool, not just a research instrument. This is especially useful in high-security environments where immediate action is required to protect sensitive data and systems.

So, in addition to serving as a trap and research mechanism, honeypots can act as a frontline sentinel, providing immediate alerts and thereby enhancing an organization’s overall cybersecurity strategy.

OpenCanary installation
OpenCanary is a multiprotocol network honeypot designed to catch hackers once they have breached non-public networks. It is written in Python and can be deployed on various platforms, including Raspberry Pi.
You can find it here:
https://github.com/thinkst/opencanary
Here is a summary of the steps to install OpenCanary on a Raspberry Pi inside a virtual environment. I personally used a Raspberry Pi Zero 2 W for this project, with a fresh, updated Raspberry Pi OS install.
Once the basic configuration is done and the Pi is connected to the Wi-Fi network:
Install dependencies:
sudo apt-get install python3-dev python3-pip python3-virtualenv python3-venv python3-scapy libssl-dev libpcap-dev
Create a Virtual Environment:
virtualenv env
source env/bin/activate
Install OpenCanary:
pip install opencanary
Create Initial Configuration:
opencanaryd --copyconfig
This creates a configuration file at /etc/opencanaryd/opencanary.conf
that you will need to edit to enable the services and logging options you want. Set to true every service you want exposed on your honeypot. You can also configure how the server responds on each service when someone tries to banner-grab your ports.
Start OpenCanary:
opencanaryd --start
Check that everything is working:
From another machine, run nmap against the Pi and check the open ports, or run netstat -paunt locally.

If you see your configured ports open:

OpenCanary now logs every connection attempt, including the username and password used.
Visualize the data
If you want to visualize the generated log easily, I made a bash script for this:
https://github.com/7h30th3r0n3/OpenCanaryChecker
This script lists:
- Unique Usernames
- Unique Passwords
- Visited ports and how many times
- IP Addresses
- Top 5 attacking IPs
- Top 10 most used username and password pairs
- Last 10 login attempts
- Source Countries
You can use it as a real-time monitor using:
watch ./OpenCanaryChecker.sh
Example of the output the script generates after 24 hours of running (with IPs redacted):

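As an added example (not the author's OpenCanaryChecker script and not part of the original post), here is a Python version of the same summary computed over OpenCanary's JSON-lines log. The sample log lines are constructed, the non-JSON line shows the parser tolerating a damaged entry, and the default log path /var/tmp/opencanary.log is an assumption; the source-country list is omitted since it needs a GeoIP lookup.

```python
import json
import os
import sys
from collections import Counter

# Constructed sample of OpenCanary JSON-lines output (not a real capture);
# field names follow OpenCanary's logger (USERNAME/PASSWORD under "logdata").
SAMPLE_LOG = """\
{"dst_port": 22, "local_time": "2024-05-01 10:00:01", "logdata": {"USERNAME": "root", "PASSWORD": "123456"}, "logtype": 4002, "src_host": "203.0.113.7", "src_port": 51234}
{"dst_port": 22, "local_time": "2024-05-01 10:00:02", "logdata": {"USERNAME": "root", "PASSWORD": "admin"}, "logtype": 4002, "src_host": "203.0.113.7", "src_port": 51235}
{"dst_port": 21, "local_time": "2024-05-01 10:05:00", "logdata": {"USERNAME": "anonymous", "PASSWORD": "guest@"}, "logtype": 2000, "src_host": "198.51.100.9", "src_port": 40001}
not json: a damaged line that must be skipped rather than crash the monitor
{"dst_port": 22, "local_time": "2024-05-01 10:07:00", "logdata": {"USERNAME": "root", "PASSWORD": "123456"}, "logtype": 4002, "src_host": "192.0.2.33", "src_port": 22222}
"""

def parse_events(text):
    """Parse JSON-lines log text, skipping blank or non-JSON lines."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line must not hide the rest of the log
    return events

def summarize(events, top_n=5):
    """Compute the statistics the OpenCanaryChecker script lists (countries omitted)."""
    logins = [e for e in events if "USERNAME" in e.get("logdata", {})]
    pairs = Counter((e["logdata"]["USERNAME"], e["logdata"].get("PASSWORD", "")) for e in logins)
    return {
        "usernames": sorted({u for u, _ in pairs}),
        "passwords": sorted({p for _, p in pairs}),
        "ports": dict(Counter(e["dst_port"] for e in events)),
        "ips": sorted({e["src_host"] for e in events}),
        # in canary mode every entry here is an alert: nothing legitimate should touch the honeypot
        "top_ips": Counter(e["src_host"] for e in events).most_common(top_n),
        "top_pairs": pairs.most_common(top_n),
        "last_logins": [(e["local_time"], e["src_host"], e["logdata"]["USERNAME"])
                        for e in logins[-top_n:]],
    }

if __name__ == "__main__":
    # Default log path is an assumption; pass another path as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/tmp/opencanary.log"
    text = open(path).read() if os.path.exists(path) else SAMPLE_LOG
    for key, value in summarize(parse_events(text)).items():
        print(f"{key}: {value}")
```

Run it under `watch` the same way as the bash script to get a refreshing view of the log.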