Skip to main content

OpenCanary daemon

Project description

Release @ PyPI Linux build @ Travis CI Docs @ RTD BSD License


Thinkst Applied Research


OpenCanary is a daemon that runs several canary versions of services that alerts when a service is (ab)used. It's a low interaction honeypot intended to be run on internal networks.


  • Python 2.7+
  • [Optional] Samba module needs a working installation of samba


Installation on Ubuntu:

$ sudo apt-get install python-dev python-pip python-virtualenv
$ virtualenv env/
$ . env/bin/activate
$ pip install patron-it-opencanary[rdp,snmp,remote_logging]  # rdp, snmp and remote_logging are optional extras

Ubuntu users installing rdpy should run the following before installing OpenCanary:

$ sudo apt-get install -y build-essential libssl-dev libffi-dev python-dev

Installation OS X needs an extra step, as multiple OpenSSL versions may exist which confounds the python libraries using to it.

$ virtualenv env/
$ . env/bin/activate

Macports users should then run:

$ sudo port install openssl
$ env ARCHFLAGS="-arch x86_64" LDFLAGS="-L/opt/local/lib" CFLAGS="-I/opt/local/include" pip install cryptography

Alternatively homebrew users run:

$ brew install openssl
$ env ARCHFLAGS="-arch x86_64" LDFLAGS="-L/usr/local/opt/openssl/lib" CFLAGS="-I/usr/local/opt/openssl/include" pip install cryptography

Now installation can run as usual:

$ pip install patron-it-opencanary[rdp,snmp]

To install from source, instead of running pip do the following:

$ git clone
$ cd opencanary
$ pip install .

If you are looking to get OpenCanary working on OpenBSD, take a look at


OpenCanary is started by running:

$ . env/bin/activate
$ opencanaryd --start

On the first run, instructions are printed that will get to a working config.

Samba Setup (optional)

The Samba OpenCanary module monitors a log file produced by the Samba full_audit VFS module. Setup relies on:

  • Having Samba installed.
  • A modified Samba config file, to write file events to syslog's LOCAL7 facility.
  • A modified syslog file, to output LOCAL7 to a samba-audit.log file.

As template Samba config, modify the following and install it to the right location (often /etc/samba/smb.conf). The lines you'll likely want to change are:

  • path
  • workgroup
  • server string
  • netbios name
  • [myshare]
  • comment
       workgroup = WORKGROUP
       server string = blah
       netbios name = SRV01
       dns proxy = no
       log file = /var/log/samba/log.all
       log level = 0
       syslog only = yes
       syslog = 0
       vfs object = full_audit
       full_audit:prefix = %U|%I|%i|%m|%S|%L|%R|%a|%T|%D
       full_audit:success = pread
       full_audit:failure = none
       full_audit:facility = local7
       full_audit:priority = notice
       max log size = 100
       panic action = /usr/share/samba/panic-action %d

       #samba 4
       server role = standalone server

       #samba 3
       #security = user

       passdb backend = tdbsam
       obey pam restrictions = yes
       unix password sync = no
       map to guest = bad user
       usershare allow guests = yes
       comment = All the stuff!
       path = /home/demo/share
       guest ok = yes
       read only = yes
       browseable = yes
       #vfs object = audit

Configure syslog to write the Samba logs out to the file that OpenCanary monitors. With rsyslog, adding these two lines to /etc/rsyslog will do that:

$FileCreateMode 0644
local7.*            /var/log/samba-audit.log

For other syslog implementations similar lines might work.

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

patron-it-opencanary-0.7.1.tar.gz (3.1 MB view hashes)

Uploaded Source

Built Distribution

patron_it_opencanary-0.7.1-py2.py3-none-any.whl (3.2 MB view hashes)

Uploaded Python 2 Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page