docs:guide-user:services:honeypots, current revision 2024/12/16 08:44 by stokito (formatting); previous revision 2024/03/28 15:32 by tklengyel (minor update). The text below is the current revision.
| |
===== Installation =====
First, set up [[:docs:guide-user:virtualization:docker_host|OpenWrt as a Docker host]]. Pay particular attention to installing ''dockerd'' and ''docker-compose'' before ''luci-app-dockerman''. It is recommended to attach an [[:docs:guide-user:storage:usb-drives|external storage]] device to hold your Docker images and containers, so that they do not fill the router's small overlay flash: after Docker is installed, specify your external storage as the Docker Root Dir under the Configuration tab.
| |
While ''luci-app-dockerman'' provides a WebUI to pull Docker images, it is recommended to SSH into OpenWrt and pull the image from the shell by running ''docker pull thinkst/opencanary''.
| |
Now in LuCI navigate to Docker -> Containers and click Add. Name the container ''opencanary'' and pick ''thinkst/opencanary:latest'' as the Docker Image. Under Bind mount, add the config file from your external storage device to the container, for example ''/mnt/opencanary/.opencanary.conf:/root/.opencanary.conf'', and make sure to click the + sign next to it, otherwise the mount is not added. Leave all other options (interactive, tty, exposed ports) unselected at their defaults.
| |
Once the container is configured you need to create an OpenCanary configuration file at ''/mnt/opencanary/.opencanary.conf'' according to the [[https://opencanary.readthedocs.io/en/latest/starting/configuration.html|OpenCanary documentation]]. The easiest way is to log in to OpenWrt over SSH and edit the file with nano (''opkg install nano''). Here is a simple example configuration that enables an FTP honeypot and logs to the stdout of the Docker container:
| |
<code json>
{
    "device.node_id": "openwrt",
</code>
At this point you can start the container through Docker -> Containers -> select ''opencanary'' -> Start.
| |
To control how traffic reaches the honeypot, edit the firewall rules under Network -> Firewall and click Edit on the ''docker'' zone. Set Input to drop, Output to accept and Forward to drop. Select MSS clamping and allow forwarding to the ''lan'' zone. Leave everything else at the defaults and click Save. Now, under Network -> Firewall -> Port forwards, click Add. Name the rule "ftp honeypot", source zone ''lan'', external port 21, destination zone ''docker'', and write the container's IP into the custom field (for example 172.17.0.2). The first time you add a rule for your honeypot the container's IP will not be in the drop-down list; for subsequent firewall rules you should be able to find it there. Docker assigns this address dynamically, so if the container comes back with a different IP after a restart the port forward (and the webhook rule below) must be updated to match.
| |
If you are not sure which IP is your honeypot's IP, go to Docker -> Containers -> click Edit next to the ''opencanary'' container. Under the "Inspect" tab you can see the detailed configuration of your container, which lists the IP (for example, ''"IPAddress": "172.17.0.2"'').
| |
Now create the file ''/usr/libexec/rpcd/opencanary'' with the following content, and make sure to change AUTH_TOKEN to a long, random string of your own:
<code bash /usr/libexec/rpcd/opencanary>
#!/bin/sh
</code>
| |
To make this script reachable through OpenWrt's [[:docs:techref:ubus#access_to_ubus_over_http|REST API with UBUS]], we need to grant access so that the interface can be called by our container. We can't easily make OpenCanary authenticate itself with the regular ubus session mechanism, so instead the interface requires a "magic" field from the caller, which is effectively the authorization token for the interface (the ''magic'' and ''AUTH_TOKEN'' variables in the script above). Because that token is the only thing standing between an unauthenticated caller and the script's actions, keep the script readable by root only and pick a value that cannot be guessed.
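As an added illustration of what such a plugin looks like (this is not the page's script and not OpenCanary's or OpenWrt's own code), here is one way to write it. rpcd runs the executable as ''list'' to learn its methods and as ''call add'' with the call arguments as a one-line JSON object on stdin; a non-zero exit status makes the call fail. The token, the field names, the constructed sample record and the choice to look the client's MAC up in the neighbour table and add it to the first ''wifi-iface'' deny list are all assumptions. On OpenWrt you would normally parse the JSON with ''jshn.sh''; ''sed'' is used here so the checking logic runs on any POSIX shell.

```sh
#!/bin/sh
# Added example of an rpcd plugin for the "opencanary" ubus object.
# Not the page's script and not OpenCanary's or OpenWrt's own code: AUTH_TOKEN,
# the field names and the sample record below are assumptions.
# rpcd invokes the executable as "<plugin> list" (print the methods and their
# argument types) or "<plugin> call <method>" with the call arguments as a
# single-line JSON object on stdin; a non-zero exit status fails the call.

AUTH_TOKEN="${OPENCANARY_AUTH_TOKEN:-specify_a_unique_string_here}"

# Constructed sample: what the webhook delivers for one FTP login attempt
# (the "message" value is the JSON log record, escaped inside the outer JSON).
SAMPLE_ARGS='{"magic":"specify_a_unique_string_here","message":"{\"dst_host\": \"172.17.0.2\", \"dst_port\": 21, \"logdata\": {\"USERNAME\": \"anonymous\", \"PASSWORD\": \"guest\"}, \"logtype\": 2000, \"node_id\": \"openwrt\", \"src_host\": \"192.168.1.50\", \"src_port\": 51234}"}'

# Print the string value of top-level "key" ($2) from a one-line JSON object ($1).
# On OpenWrt you would use jshn.sh; sed -E keeps this runnable on any POSIX sh.
# Only meant for the flat keys used here (no regex metacharacters in $2).
json_field() {
    printf '%s' "$1" | sed -n -E "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"(([^\"\\\\]|\\\\.)*)\".*/\\1/p"
}

# Undo JSON string escaping for \" and \\ (enough for OpenCanary's records).
json_unescape() {
    printf '%s' "$1" | sed -e 's/\\"/"/g' -e 's/\\\\/\\/g'
}

# The "magic" field is the shared secret; an empty or wrong value is rejected.
verify_magic() {
    [ -n "$1" ] && [ "$1" = "$AUTH_TOKEN" ]
}

# src_host of the attacker, taken from the embedded log record.
extract_src_host() {
    json_field "$(json_unescape "$(json_field "$1" message)")" src_host
}

# Write to the system log (logd on OpenWrt); fall back to stderr elsewhere.
log_event() {
    logger -t opencanary "$1" 2>/dev/null || printf 'opencanary: %s\n' "$1" >&2
}

# Map the client IP to a MAC via the neighbour table and add it to the first
# wifi-iface's deny list. Succeeds only on OpenWrt and only when a MAC was found.
ban_client() {
    command -v uci >/dev/null 2>&1 || return 1
    mac=$(ip neigh show to "$1" 2>/dev/null | awk '{for (i = 1; i < NF; i++) if ($i == "lladdr") print $(i + 1)}')
    [ -n "$mac" ] || return 1
    uci -q get 'wireless.@wifi-iface[0].maclist' | grep -qi "$mac" && return 0
    uci set 'wireless.@wifi-iface[0].macfilter=deny'
    uci add_list "wireless.@wifi-iface[0].maclist=$mac"
    uci commit wireless
    wifi reload
}

# "call add": read the arguments from stdin, check the secret first, then log
# and (on OpenWrt) blacklist. Returns 1 on a bad secret so rpcd reports failure.
handle_add() {
    args=$(cat)
    if ! verify_magic "$(json_field "$args" magic)"; then
        printf '%s\n' '{"error":"bad magic"}'
        return 1
    fi
    message=$(json_unescape "$(json_field "$args" message)")
    src=$(json_field "$message" src_host)
    log_event "$message"
    banned=false
    if [ -n "$src" ] && ban_client "$src"; then banned=true; fi
    printf '{"src_host":"%s","banned":%s}\n' "$src" "$banned"
}

case "$1" in
    list) printf '%s\n' '{ "add": { "magic": "str", "message": "str" } }' ;;
    call)
        case "$2" in
            add) handle_add; exit $? ;;
            *) printf '%s\n' '{"error":"unknown method"}'; exit 1 ;;
        esac
        ;;
esac
```

The secret is checked before anything is parsed or logged, so a caller without it cannot even make the router write to its log. Using the first ''wifi-iface'' section is an assumption; on a router with several SSIDs pick the one your clients use, and remember that a MAC deny list only stops the current adapter address, not a determined attacker.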
| |
Create the file ''/usr/share/rpcd/acl.d/opencanary.json'' with the following content:
<code json /usr/share/rpcd/acl.d/opencanary.json>
{
    "unauthenticated": {
</code>
This ACL allows anyone, authenticated or not, to call the interface, but the script only does anything when the correct magic value is supplied. Now add the following to the OpenCanary configuration:
| |
<code json>
    "logger": {
        "class": "PyLogger",
                "url": "https://172.17.0.1/ubus",
                "method": "POST",
                "data": { "jsonrpc": "2.0", "id": 1, "method": "call", "params": ["00000000000000000000000000000000", "opencanary", "add", {"magic":"specify_a_unique_string_here", "message": "%(message)s"}] },
                "status_code": 200,
                "verify": false,
                "headers": { "Content-Type": "application/json" }
</code>
The ''"verify": false'' entry disables TLS certificate verification for the webhook. That is tolerable only because the request never leaves the Docker bridge (from the container to 172.17.0.1, the router's own address on that bridge) and the router's HTTPS certificate is normally self-signed. Now add a firewall traffic rule under Network -> Firewall -> Traffic rules. Name: opencanary webhook, source zone: ''docker'', source address: the container's IP (for example 172.17.0.2), destination zone: Device (input), destination IP: the router's address on the bridge (for example 172.17.0.1), destination port: 443, action: accept. Restricting the source to the container's IP matters because the ACL above lets unauthenticated callers invoke the method; with the ''docker'' zone's input policy set to drop, nothing else in that zone can reach the ubus endpoint.
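The zone policy, the port forward and the webhook rule from the steps above, expressed as UCI commands. This is an added example, not code from the page or from OpenWrt's own scripts; the container IP 172.17.0.2, the bridge address 172.17.0.1 and the lookup of the docker zone by its name are assumptions, so substitute what Inspect shows for your container. ''build_rules'' only prints a ''uci batch'' script, which lets you review it before ''apply_rules'' runs it on the router.

```sh
#!/bin/sh
# Added example: the firewall steps from this page as UCI commands.
# Not code from the page or from OpenWrt; the container IP, the bridge address
# and the section references are assumptions (the docker zone is looked up by
# its name at run time). build_rules only prints a "uci batch" script, so it
# can be inspected and checked anywhere; apply_rules runs it on OpenWrt.

build_rules() {
    zone="$1"   # UCI section of the docker zone, e.g. firewall.@zone[3] or firewall.docker
    cip="$2"    # honeypot container IP, e.g. 172.17.0.2
    rip="$3"    # router's address on the docker bridge, e.g. 172.17.0.1
    cat <<EOF
set ${zone}.input='DROP'
set ${zone}.output='ACCEPT'
set ${zone}.forward='DROP'
set ${zone}.mtu_fix='1'
add firewall forwarding
set firewall.@forwarding[-1].src='docker'
set firewall.@forwarding[-1].dest='lan'
add firewall redirect
set firewall.@redirect[-1].name='ftp honeypot'
set firewall.@redirect[-1].src='lan'
set firewall.@redirect[-1].src_dport='21'
set firewall.@redirect[-1].dest='docker'
set firewall.@redirect[-1].dest_ip='${cip}'
set firewall.@redirect[-1].dest_port='21'
set firewall.@redirect[-1].proto='tcp'
set firewall.@redirect[-1].target='DNAT'
add firewall rule
set firewall.@rule[-1].name='opencanary webhook'
set firewall.@rule[-1].src='docker'
set firewall.@rule[-1].src_ip='${cip}'
set firewall.@rule[-1].dest_ip='${rip}'
set firewall.@rule[-1].dest_port='443'
set firewall.@rule[-1].proto='tcp'
set firewall.@rule[-1].target='ACCEPT'
commit firewall
EOF
}

# Print the UCI section whose name option is 'docker' (works for named and
# anonymous sections alike).
find_docker_zone() {
    uci show firewall | sed -n "s/^\(firewall\.[^.]*\)\.name='docker'$/\1/p" | head -n 1
}

# Apply the generated batch on the router and reload the firewall.
apply_rules() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found: run this on OpenWrt" >&2; return 1; }
    zone=$(find_docker_zone)
    [ -n "$zone" ] || { echo "no firewall zone named docker" >&2; return 1; }
    build_rules "$zone" "$1" "$2" | uci batch && /etc/init.d/firewall reload
}

# Usage on the router: sh honeypot-fw.sh 172.17.0.2 172.17.0.1
if [ $# -eq 2 ]; then
    apply_rules "$1" "$2"
fi
```

The webhook rule has no destination zone, which in UCI means traffic to the router itself (the "Device (input)" choice in LuCI). The docker-to-lan forwarding follows the page; replies to the DNATed FTP connections are matched as established traffic without it, so if the container has no reason to open connections into the LAN you can drop that forwarding and keep a compromised honeypot from reaching internal hosts.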
| |
Restart rpcd with ''/etc/init.d/rpcd restart'' and then restart the OpenCanary container. Connection attempts to the honeypot will now show up in the OpenWrt system log, and offending clients on the WiFi network will automatically be added to the MAC blacklist.