thinkst / opencanary

Modular and decentralised honeypot
http://opencanary.org
BSD 3-Clause "New" or "Revised" License

SQLFactory does not log any activity #257

Closed hkelley closed 1 year ago

hkelley commented 1 year ago

The SQL listener is active on port 1433, but it never fires the webhook on connection attempts (or at least I can't find evidence that it does). I do see the events in /var/tmp/opencanary.log. My Samba and RDP configs are working for both the local log and the webhook, so I believe the config file is valid.

2023-06-20T01:50:59+0000 [-] Removing stale pidfile /home/<ME>/twistd.pid
2023-06-20T01:50:59+0000 [-] Loading /home/<ME>/env/bin/opencanary.tac...
2023-06-20T01:51:09+0000 [-] Loaded.
2023-06-20T01:51:09+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 22.8.0 (/home/<ME>/env/bin/python 3.8.10) starting up.
2023-06-20T01:51:09+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
2023-06-20T01:51:09+0000 [-] CanaryRDP starting on 3389
2023-06-20T01:51:09+0000 [opencanary.modules.rdp.CanaryRDP#info] Starting factory <opencanary.modules.rdp.CanaryRDP object at 0x7f3f9dc58730>
2023-06-20T01:51:09+0000 [-] CanaryRedis starting on 6379
2023-06-20T01:51:09+0000 [opencanary.modules.redis.CanaryRedis#info] Starting factory <opencanary.modules.redis.CanaryRedis object at 0x7f3f9f514d60>
2023-06-20T01:51:09+0000 [-] SQLFactory starting on 1433
2023-06-20T01:51:09+0000 [opencanary.modules.mssql.SQLFactory#info] Starting factory <opencanary.modules.mssql.SQLFactory object at 0x7f3f9f52b4c0>

From the log file in /var/tmp:

cat /var/tmp/opencanary.log | grep 1433
{"dst_host": "10.99.4.103", "dst_port": 1433, "local_time": "2023-06-20 01:06:35.907668", "local_time_adjusted": "2023-06-20 01:06:35.907705", "logdata": {"PASSWORD": "", "USERNAME": ""}, "logtype": 9002, "node_id": "xxx", "src_host": "10.99.44.40", "src_port": 58818, "utc_time": "2023-06-20 01:06:35.907699"}

Config for version 0.9.0 on Ubuntu 20.04.6 LTS

{
    "device.node_id": "xxx",
    "ip.ignorelist": [  ],
    "git.enabled": false,
    "git.port" : 9418,
    "ftp.enabled": false,
    "ftp.port": 21,
    "ftp.banner": "FTP server ready",
    "http.banner": "Apache/2.2.22 (Ubuntu)",
    "http.enabled": false,
    "http.port": 80,
    "http.skin": "nasLogin",
    "https.enabled": false,
    "https.port": 443,
    "https.skin": "nasLogin",
    "https.certificate": "/etc/ssl/opencanary/opencanary.pem",
    "https.key": "/etc/ssl/opencanary/opencanary.key",
    "httpproxy.enabled" : false,
    "httpproxy.port": 8080,
    "httpproxy.skin": "squid",
    "logger": {
        "class": "PyLogger",
        "kwargs": {
            "formatters": {
                "plain": {
                    "format": "%(message)s"
                },
                "syslog_rfc": {
                    "format": "opencanaryd[%(process)-5s:%(thread)d]: %(name)s %(levelname)-5s %(message)s"
                }
            },
            "handlers": {
                "console": {
                    "class": "logging.StreamHandler",
                    "stream": "ext://sys.stdout"
                },
                "file": {
                    "class": "logging.FileHandler",
                    "filename": "/var/tmp/opencanary.log"
                },
                                "Webhook": {
                                        "class": "opencanary.logger.WebhookHandler",
                                        "url": "https://http-inputs.xxx.splunkcloud.com/services/collector",
                                        "headers": {
                                                "Authorization": "Splunk xxxx",
                                                "Content-Type": "application/json"
                                        },
                                        "method": "POST",
                                        "data": {"event": "%(message)s"}
                                }
            }
        }
    },
    "portscan.enabled": true,
    "portscan.ignore_localhost": false,
    "portscan.logfile":"/var/log/kern.log",
    "portscan.synrate": 5,
    "portscan.nmaposrate": 5,
    "portscan.lorate": 3,
    "smb.auditfile": "/var/log/samba-audit.log",
    "smb.enabled": true,
    "mysql.enabled": false,
    "mysql.port": 3306,
    "mysql.banner": "5.5.43-0ubuntu0.14.04.1",
    "ssh.enabled": false,
    "ssh.port": 22,
    "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",
    "redis.enabled": true,
    "redis.port": 6379,
    "rdp.enabled": true,
    "rdp.port": 3389,
    "sip.enabled": false,
    "sip.port": 5060,
    "snmp.enabled": false,
    "snmp.port": 161,
    "ntp.enabled": false,
    "ntp.port": 123,
    "tftp.enabled": false,
    "tftp.port": 69,
    "tcpbanner.maxnum":10,
    "tcpbanner.enabled": false,
    "tcpbanner_1.enabled": false,
    "tcpbanner_1.port": 8001,
    "tcpbanner_1.datareceivedbanner": "",
    "tcpbanner_1.initbanner": "",
    "tcpbanner_1.alertstring.enabled": false,
    "tcpbanner_1.alertstring": "",
    "tcpbanner_1.keep_alive.enabled": false,
    "tcpbanner_1.keep_alive_secret": "",
    "tcpbanner_1.keep_alive_probes": 11,
    "tcpbanner_1.keep_alive_interval":300,
    "tcpbanner_1.keep_alive_idle": 300,
    "telnet.enabled": false,
    "telnet.port": 23,
    "telnet.banner": "",
    "telnet.honeycreds": [
        {
            "username": "admin",
            "password": "$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA"
        },
        {
            "username": "admin",
            "password": "admin1"
        }
    ],
    "mssql.enabled": true,
    "mssql.version": "2012",
    "mssql.port":1433,
    "vnc.enabled": false,
    "vnc.port":5000
}
hkelley commented 1 year ago

It seems to be working now (running as root under systemd, following the instructions in #73).