thinkst / opencanary

Modular and decentralised honeypot
http://opencanary.org
BSD 3-Clause "New" or "Revised" License

Configuring alerts when ports other than 23 are accessed by Telnet clients #210

Closed InfraEngineer999 closed 1 year ago

InfraEngineer999 commented 2 years ago

Hi there :) Great system so far, really easy to do the initial setup! Noticed that we get alerted on attempts on the standard port 23 when a Telnet client accesses the port, but when probing any other port that's configured (e.g. 80/445/1433) using Telnet, there's no alert. Any way to set up alerting for something like this? Would another logger possibly be able to do the job?

HybridAU commented 2 years ago

If you're wanting to listen for telnet connections on other ports, you can do that by changing the telnet.port in the settings file. When OpenCanary starts it looks for config files in the following order:

  1. ./opencanary.conf (i.e. the directory where OpenCanary is installed)
  2. ~/.opencanary.conf (i.e. the home directory of the user, usually this will be root so /root/.opencanary.conf)
  3. /etc/opencanary/opencanary.conf

The ports you have listed are used by some pretty common protocols (you can of course run anything on any port if you really want), but OpenCanary does have an HTTP service that listens on port 80. It's disabled by default, but you can enable it and it will emulate a NAS.

There isn't currently a service that handles HTTPS (443) or MSSQL (1433), although there is a MySQL service that listens on 3306.

InfraEngineer999 commented 2 years ago

Thanks for the input HybridAU!

I see the reasoning, but won't this just move the port that OpenCanary uses to listen for Telnet activity to another configured port? Essentially, if it were configured as such, I'd not be made aware of attempts at the actual Telnet port, as I understand. I wonder, for the telnet.port config, would it be able to add a range of ports or is it exclusively meant for port 23 activity, or whichever other singular port is configured for it?

Everything else working as intended luckily, think I might have to set up PortSentry alongside OpenCanary for something like this then.

InfraEngineer999 commented 2 years ago

To note, I do think there is a service handling MSSQL activity; below is an example of the output, I believe:

{"dst_host": "[redacted]", "dst_port": 1433, "local_time": "2022-09-08 05:43:42.120301", "local_time_adjusted": "2022-09-08 07:43:42.120376", "logdata": {"AppName": "Microsoft SQL Server Management Studio", "CltIntName": ".Net SqlClient Data Provider", "Database": "", "HostName": "[redacted]", "Language": "", "ServerName": "[redacted]", "UserName": "testing"}, "logtype": 9001, "node_id": "opencanary-1", "src_host": "192.168.104.6", "src_port": 11026, "utc_time": "2022-09-08 05:43:42.120358"}

HybridAU commented 2 years ago

Ah, you're right, there is MSSQL, not sure how I missed that.

Yes, if you changed the telnet port, it would no longer be listening on port 23 and I don't believe it would be possible to pass a list of ports.

If you're running OpenCanary inside a Docker container you could do something funky with the port mapping where you map multiple ports on the host to a single port on the container, e.g. docker compose run -p 23:23 -p 80:23 -p 443:23 -p 1433:23 stable

InfraEngineer999 commented 2 years ago

Thanks for the suggestion! Will give it a go once I've figured Docker out :) Will keep that port mapping trick in mind for future reference 👍

jayjb commented 2 years ago

Thanks for the input @HybridAU.

@InfraEngineer999, I think what you may be looking for is the portscan module (portscan). This will notify you anytime someone scans your device (you can configure the number of ports until an alert is created).

So if someone probes a few different ports, you will be notified.
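As an added illustration of the "several ports from one source" correlation jayjb describes, here is a small Python script that reads OpenCanary's JSON-per-line log output and flags any source host that touched at least N distinct honeypot ports within a sliding time window. It is example code written for this thread, not the portscan module's own code or anything from the OpenCanary project. The sample log lines are constructed for the example: the 1433 event mirrors the redacted one quoted above, the other events and their logtype values (other than 9001) are made up, and the dst_host addresses are placeholders.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape OpenCanary writes (one JSON object per line).
# Only the 1433/9001 event is modelled on a real line from the thread; the rest,
# including logtype values other than 9001, are placeholders for this example.
SAMPLE_LOG = """\
{"dst_host": "10.0.0.5", "dst_port": 1433, "local_time": "2022-09-08 05:43:42.120301", "logdata": {"UserName": "testing"}, "logtype": 9001, "node_id": "opencanary-1", "src_host": "192.168.104.6", "src_port": 11026, "utc_time": "2022-09-08 05:43:42.120358"}
{"dst_host": "10.0.0.5", "dst_port": 23, "local_time": "2022-09-08 05:43:50.000000", "logdata": {}, "logtype": 60010, "node_id": "opencanary-1", "src_host": "192.168.104.6", "src_port": 11030, "utc_time": "2022-09-08 05:43:50.000000"}
{"dst_host": "10.0.0.5", "dst_port": 80, "local_time": "2022-09-08 05:44:01.000000", "logdata": {}, "logtype": 30000, "node_id": "opencanary-1", "src_host": "192.168.104.6", "src_port": 11041, "utc_time": "2022-09-08 05:44:01.000000"}
{"dst_host": "10.0.0.5", "dst_port": 23, "local_time": "2022-09-08 01:00:00.000000", "logdata": {}, "logtype": 60010, "node_id": "opencanary-1", "src_host": "192.168.104.7", "src_port": 40001, "utc_time": "2022-09-08 01:00:00.000000"}
{"dst_host": "10.0.0.5", "dst_port": 80, "local_time": "2022-09-08 02:00:00.000000", "logdata": {}, "logtype": 30000, "node_id": "opencanary-1", "src_host": "192.168.104.7", "src_port": 40002, "utc_time": "2022-09-08 02:00:00.000000"}
{"dst_host": "10.0.0.5", "dst_port": 1433, "local_time": "2022-09-08 03:00:00.000000", "logdata": {}, "logtype": 9001, "node_id": "opencanary-1", "src_host": "192.168.104.7", "src_port": 40003, "utc_time": "2022-09-08 03:00:00.000000"}
{"dst_host": "10.0.0.5", "dst_port": 23, "local_time": "2022-09-08 05:50:00.000000", "logdata": {}, "logtype": 60010, "node_id": "opencanary-1", "src_host": "192.168.104.9", "src_port": 50001, "utc_time": "2022-09-08 05:50:00.000000"}
"""


def parse_events(log_text):
    """Parse JSON-per-line honeypot output into the few fields the correlation needs."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append({
            "src_host": rec["src_host"],
            "dst_port": int(rec["dst_port"]),
            "logtype": rec.get("logtype"),
            "utc_time": datetime.strptime(rec["utc_time"], "%Y-%m-%d %H:%M:%S.%f"),
        })
    return events


def detect_port_sweeps(events, min_ports=3, window_seconds=300):
    """Return {src_host: sorted distinct ports} for every source that hit at least
    min_ports distinct honeypot ports inside some span of window_seconds."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src_host"]].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["utc_time"])
        start = 0
        # Sliding window: advance `start` until the span [start, end] fits in `window`.
        for end in range(len(evs)):
            while evs[end]["utc_time"] - evs[start]["utc_time"] > window:
                start += 1
            ports_in_window = {e["dst_port"] for e in evs[start:end + 1]}
            if len(ports_in_window) >= min_ports:
                flagged[src] = sorted({e["dst_port"] for e in evs})
                break
    return flagged


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for src, ports in detect_port_sweeps(events).items():
        print(f"ALERT: {src} touched {len(ports)} honeypot ports within 5 minutes: {ports}")
```

With the defaults, only 192.168.104.6 is flagged: it hit 1433, 23 and 80 within about twenty seconds. 192.168.104.7 touched the same three ports but an hour apart, so it is only reported if the window is widened (for example to three hours), and the single-port source 192.168.104.9 never is. Note that this only sees ports OpenCanary is actually listening on and logging, which is the limitation the thread is about; the portscan module is the built-in answer for probes against ports with no service behind them.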

InfraEngineer999 commented 2 years ago

Thanks for the feedback @jayjb!

Will play around with it and see if it can do what's needed, thank you 🙏

jayjb commented 1 year ago

Closing issue due to lack of activity. Please re-open if you still have the same issue.