OpenCanary Documentation

Similar documents
Trunk Player Documentation

Windows Subsystem for Linux Guide Documentation

PyZabbixObj Documentation

Using RDP with Azure Linux Virtual Machines

crane Documentation Release Globo.com

ManageEngine EventLog Analyzer Quick Start Guide

Advanced Computer Networking. CYBR 230 Jeff Shafer University of the Pacific. Honeypots

Bitnami ProcessMaker Community Edition for Huawei Enterprise Cloud

Licensing the Application CHAPTER

Lab - Examining Telnet and SSH in Wireshark

Setting up VPS on Ovh public cloud and installing lamp server on Ubuntu instance

McAfee Enterprise Security Manager. Authentication Content Pack Documentation

Bitnami OSQA for Huawei Enterprise Cloud

Purpose. Target Audience. Install SNMP On The Remote Linux Machine. Nagios XI. Monitoring Linux Using SNMP

Cisco Unity Express Windows and Menus

Linux Systems Security. Logging and Network Monitoring NETS1028 Fall 2016

Bitnami Dolibarr for Huawei Enterprise Cloud

Network Monitoring & Management. A few Linux basics

Helsinki 19 Jan Practical course in genome bioinformatics DAY 0

Bitnami Coppermine for Huawei Enterprise Cloud

JAMF Software Server Installation and Configuration Guide for Linux. Version 9.31

Using PCF Ops Manager to Deploy Hyperledger Fabric

Bitnami Phabricator for Huawei Enterprise Cloud

AuditConfigurationArchiveandSoftwareManagementChanges (Network Audit)

District 90 Toastmasters Gmail Setup Guide

Python web frameworks

Bitnami Open Atrium for Huawei Enterprise Cloud

Bitnami Moodle for Huawei Enterprise Cloud

JupyterHub Documentation

Bitnami Pimcore for Huawei Enterprise Cloud

JAMF Software Server Installation and Configuration Guide for Linux. Version 9.97

JAMF Software Server Installation and Configuration Guide for Linux. Version 9.9

Nortridge Loan System

Bitnami DokuWiki for Huawei Enterprise Cloud

How to Configure And Text Notifications

RSA NetWitness Logs. EMC Ionix Unified Infrastructure Manager. Event Source Log Configuration Guide

Twilio Elastic SIP Trunk Provisioning

syslog-ng Apache Kafka destination

akkadian Global Directory 3.0 System Administration Guide

Managing Broadband Access Center

The Balabit s Privileged Session Management 5 F5 Azure Reference Guide

JAMF Software Server Installation and Configuration Guide for Linux. Version 9.72

First Aid. For All Mediatrix units. v

CENG 334 Computer Networks. Laboratory I Linux Tutorial

Installing Open Project on Ubuntu AWS with Apache and Postgesql

Gunnery Documentation

First Aid. For All Mediatrix units. v

NETCONF Client GUI. Client Application Files APPENDIX

OWIZA 1.0 U S E R ' S G U I D E. Owiza 1.0. User s Guide. Copyright Ositcom LTD. All rights reserved.

bootmachine Documentation

Verteego VDS Documentation

Perform Backup and Restore

Bitnami Mantis for Huawei Enterprise Cloud

MarketC - Masternode Setup Guide

Setting up the Seagate D4 NAS with Hard Disk Sentinel Pro. By Gary Ryan. Adapted from:

Jamf Pro Installation and Configuration Guide for Linux. Version

BLUEPRINT TEAM REPOSITORY. For Requirements Center & Requirements Center Test Definition

yagmail Documentation

The Wonderful World of Services VINCE

User Guide. Twilio SMS Notification. Extension for Magento by Azaleasoft. Support: (

Since all the features provided in this utility are core system management only, it is available only to System User, which is only 1 user.

HP IDOL Site Admin. Software Version: Installation Guide

turbo-hipster Documentation

Getting Started with the Google Cloud SDK on ThingsPro 2.0 to Publish Modbus Data and Subscribe to Cloud Services

Best Practices: Server Security Hardening

iptables and ip6tables An introduction to LINUX firewall

Creating a Yubikey MFA Service in AWS

Setting up PuTTY. Software* Download PuTTY 6/9/18. Microsoft Windows 7 (64-bit) PuTTY 0.70 (64-bit) PuTTYgen 0.70 (64-bit) WinSCP 5.13.

Quick Start Guide to Compute Canada Cloud Service

2016 OPSWAT, Inc. All rights reserved. OPSWAT, MetadefenderTM and the OPSWAT logo are trademarks of OPSWAT, Inc.All other trademarks, trade names,

Lab Exercises: Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open Source Tools

USER MANUAL. SEO Suite TABLE OF CONTENTS. Version: 1.4

Implementing a Primary Domain Controller for Windows 2000 Clients using Samba

Xcalenets Console Setup Guide. Xcalenets Console Setup Guide (Standalone version)

Storage Manager 2018 R1. Installation Guide

Zend Framework. Jerome Hughes Consultant

SPECCHIO Administrators

EventSentry Quickstart Guide

Webcart Documentation

DCLI User's Guide. Data Center Command-Line Interface 2.7.0

Linux Postfix Smtp (mail Server) Ssl Certificate Installation And Configuration

Apache Manual Install Ubuntu Php Mysql. Phpmyadmin No >>>CLICK HERE<<<

Bitnami OroCRM for Huawei Enterprise Cloud

First Aid. For All Mediatrix units. Revision

Ftp Get Command Line Linux Proxy Settings

Bambu API Documentation

MULTI FACTOR AUTHENTICATION USING THE NETOP PORTAL. 31 January 2017

Dell Storage Manager 2016 R3 Installation Guide

Red Hat Enterprise Linux Atomic Host 7 Getting Started with Cockpit

Installing QuickBooks Enterprise Solutions Database Manager On Different Linux Servers

JAMF Software Server Installation and Configuration Guide for Mac. Version 9.97

First Aid. For all Mediatrix units. Revision

Arigi Handbook

I hate money. Release 1.0

VERTIV. Avocent ACS8xxx Advanced Console System Release Notes VERSION 2.4.2, AUGUST 24, Release Notes Section Outline. 1 Update Instructions

Buzztouch Server 2.0 with Amazon EC2

Below are the steps to install Orangescrum Self Hosted version of Cloud Edition in Ubuntu Server Last Updated: OCT 18, 2018

Bitnami JRuby for Huawei Enterprise Cloud

GFI EventsManager 8 ReportPack. Manual. By GFI Software Ltd.

Developer Training for Apache Spark and Hadoop: Hands-On Exercises

Transcription:

OpenCanary Documentation Release 0.1 Thinkst Applied Research Aug 05, 2017

Contents 1 Getting Started 3 2 Services 7 3 Alerting 11 4 Indices and tables 13 i

ii

Welcome to the OpenCanary guide. OpenCanary is a daemon that runs canary services, which trigger alerts when (ab)used. The alerts can be sent to a variety of sources, including syslog, emails and a companion daemon opencanary-correlator. The Correlator coalesces multiple related events (eg. individual brute-force login attempts) into a single alert sent via email or SMS. Contents 1

2 Contents

CHAPTER 1 Getting Started The first section will get you quickly up and running with canary services sending alerts. OpenCanary Getting Started To get started create a virtual environment to play in: $ virtualenv env $. env/bin/activate Inside the virtualenv, install OpenCanary following the instructions in the README. OpenCanary ships with a default config, which we ll copy and edit to get started. The config is a single JSON dictionary. $ opencanaryd --copyconfig $ $EDITOR ~/.opencanary.conf In the config file we ll change device.node_id which must be unique for each instance of opencanaryd, and we ll configure logger to log alerts to a file. "device.node_id": "Your-very-own-unique-name", [...] "logger": "class" : "PyLogger", "kwargs" : "handlers": "file": "class": "logging.filehandler", "filename": "/var/tmp/opencanary.log" 3

[...] With that in place, we can run the daemon, and test that it logs a failed FTP login attempt to the log file. $ opencanaryd --start [...] $ ftp localhost [...] $ cat /var/tmp/opencanary.log [...] "dst_host": "127.0.0.1", "dst_port": 21, "local_time": "2015-07-20 13:38:21.281259", "logdata": "PASSWORD": "default", "USERNAME": "admin", "logtype": 2000, "node_id ": "opencanary-0", "src_host": "127.0.0.1", "src_port": 49635 Troubleshooting The tool JQ can be used to check that the config file is well-formed JSON. $ jq. ~/.opencanary.conf Run opencanaryd in the foreground to see more error messages. $ sudo env/bin/twistd -noy env/bin/opencanary.tac Correlator Getting Started To get started create a virtual environment to play in: $ virtualenv env $. env/bin/activate Inside the virtualenv, install OpenCanary Correlator following the instructions in the README. The correlator runs with a default config, which we ll copy and edit to get started. $ opencanary-correlator Warning: no config file specified. Using the template config: /[...]/opencanary_correlator.conf $ cp /[...]/opencanary_correlator.conf opencanary-correlator.conf In the config file, fill the twilio or mandrill details (or both), and the notification addresses for both. "console.sms_notification_enable": true, "console.sms_notification_numbers": ["+336522334455"], "console.email_notification_enable": true, 4 Chapter 1. Getting Started

"console.email_notification_address": ["notifications@opencanary.org"], "twilio.auth_token": "fae9206628714fb2ce00f72e94f2258f", "twilio.from_number": ""+1201253234"", "twilio.sid": "BD742385c0810b431fe2ddb9fc327c85ad", "console.mandrill_key": "9HCjwugWjibxww7kPFej", "scans.network_portscan_horizon": 1000, With that in place, ensure that redis is running and then run the correlator daemon. $ pgrep redis-server echo 'Redis is not running!' $ opencanary-correlator --config=./opencanary-correlator.conf To configure OpenCanary daemons to send their events to correlator, edit the logger field in its config and restart the daemon to reload the config. "logger": "class" : "PyLogger", "kwargs" : "handlers": "json-tcp": "class": "opencanary.logger.socketjsonhandler", "host": "127.0.0.1", # change to correlator IP "port": 1514 Troubleshooting You can test that the Correlator alerts are working be sending an event direclty to it (without using OpenCanary). echo '"dst_host": "9.9.9.9", "dst_port": 21, "local_time": "2015-07-20 13:38:21. 281259", "logdata": "PASSWORD": "default", "USERNAME": "admin", "logtype": 2000, "node_id": "AlertTest", "src_host": "8.8.8.8", "src_port": 49635' nc -v localhost 1514 The tool JQ can be used to check that the config file is well-formed JSON. $ jq../opencanary-correlator.conf 1.2. Correlator 5

6 Chapter 1. Getting Started

CHAPTER 2 Services Try these out in the OpenCanary configs for more typical server personalities. Linux Web Server Inside ~/.opencanary.conf: "ftp.banner": "FTP server ready", "ftp.enabled": true, "ftp.port":21, "http.banner": "Apache/2.2.22 (Ubuntu)", "http.enabled": true, "http.port": 80, "http.skin": "naslogin", "http.skin.list": [ "desc": "Plain HTML Login", "name": "basiclogin", "desc": "Synology NAS Login", "name": "naslogin" ], "ssh.enabled": true, "ssh.port": 8022, "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4", [..] # logging configuration 7

Windows Server The Samba and RDP modules require an extra installation steps. It s a good idea to consult the README before trying this out. Inside ~/.opencanary.conf: "smb.auditfile": "/var/log/samba-audit.log", "smb.configfile": "/etc/samba/smb.conf", "smb.domain": "corp.thinkst.com", "smb.enabled": true, "smb.filelist": [ "name": "2016-Tender-Summary.pdf", "type": "PDF", "name": "passwords.docx", "type": "DOCX" ], "smb.mode": "workgroup", "smb.netbiosname": "FILESERVER", "smb.serverstring": "Windows 2003 File Server", "smb.sharecomment": "Office documents", "smb.sharename": "Documents", "smb.sharepath": "/changeme", "smb.workgroup": "OFFICE", "rdp.enabled": true, "rdp.port", 3389, [..] # logging configuration MySQL Server Inside ~/.opencanary.conf: "mysql.banner": "5.5.43-0ubuntu0.14.04.1", "mysql.enabled": true, "mysql.port": 3306, "ssh.enabled": true, "ssh.port": 22, "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4", [..] # logging configuration MSSQL Server Inside ~/.opencanary.conf: 8 Chapter 2. Services

"mssql.enabled": true, "mssql.port": 1433, "mssql.version": "2012", "rdp.enabled": true, "rdp.port", 3389, [..] # logging configuration 2.4. MSSQL Server 9

10 Chapter 2. Services

CHAPTER 3 Alerting Getting Started walks through two different ways to configure alerting: logging directly to a file, and sending alerts to the Correlator for email and SMS alerts. Other possibilities are below: Email Alerts To have an OpenCanary daemon directly send email alerts edit the logger section of the ~/.opencanary.conf. The file format is JSON. In the configurations below, set these configuration variables: mailhost - The SMTP mailhost and port. fromaddr - The from address. Usually does not have to exist. toaddres - An array of addresses that will receive the alert. Keep it short. subject - The email s subject. credentials - Optional parameter, if the SMTP server requires authentication. More information can be found on the PyLogger page. Send to a GMail address [..] # Services configuration "logger": "class" : "PyLogger", "kwargs" : "handlers": "SMTP": "class": "logging.handlers.smtphandler", "mailhost": ["smtp.gmail.com", 25], "fromaddr": "noreply@yourdomain.com", 11

"toaddrs" : ["youraddress@gmail.com"], "subject" : "OpenCanary Alert" Send with SMTP authentication [..] # Services configuration "logger": "class" : "PyLogger", "kwargs" : "handlers": "SMTP": "class": "logging.handlers.smtphandler", "mailhost": ["authenticated.mail.server", 25], "fromaddr": "canary@yourdomain.com", "toaddrs" : ["youraddress@yourdomain.com"], "subject" : "OpenCanary Alert", "credentials" : ["myusername", "password1"] HPFeeds OpenCanary can be used directly (without the Correlator) with daemons supporting the hpfeeds protocol. To enable hpfeeds add the following to the logging section of settings.json: "hpfeeds": "class": "opencanary.logger.hpfeedshandler", "host": "127.0.0.1", "port": 10000, "ident": "test", "secret":"12345", "channels":["test.events"] 12 Chapter 3. Alerting

CHAPTER 4 Indices and tables genindex modindex search 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback