A canary for the LAN on a spare server: OpenCanary honeypot deployment notes
Internal network security has a brutal truth: the firewall stops outsiders, but once something gets in (a phished user, a compromised host), the lateral-movement phase is essentially invisible. Commercial EDR/NDR too expensive? There’s a classic zero-budget answer: the honeypot.
The honeypot logic: fake services, real alarms
Place a machine on the LAN that looks valuable, running fake SSH, SMB, MSSQL, FTP. The key insight:
No legitimate business process ever touches it. So anything scanning it or attempting a login is a high-confidence bad signal — either an attacker probing laterally, or malware on some machine sweeping the subnet.
False-positive rate approaches zero — the most elegant property a detection control can have, in a world of alert fatigue.
The canary’s value isn’t in blocking anyone — it’s the high-confidence “touched = trouble” signal
Zero-budget deployment: VirtualBox + Ubuntu + OpenCanary
No dedicated hardware — find a Windows server with spare capacity and spin up a small VM:
- VM: Ubuntu Server 18.04, a small virtual disk, 1 GB RAM is plenty (honeypots do no heavy lifting);
- Network mode: Bridged Adapter — the decision that matters. Under NAT the honeypot hides behind the host and the LAN can’t “see” it; bridged, it appears on the real LAN with its own IP, a peer among servers, a genuine target when an attacker sweeps the subnet;
- Install OpenCanary (docs.opencanary.org): a lightweight Python honeypot framework — enable the fake services you want (SSH/SMB/MSSQL/HTTP/FTP…) in its config and point logs/alerts at email or a webhook;
- Auto-start the VM with the host — a honeypot’s worst enemy is “forgot to start it after the reboot.” Use VirtualBox autostart or a scheduled task.
Two operational points
- The alert channel must reach a human: a honeypot might cry once a year, but that once is real. Alerts into an unread mailbox equal no honeypot;
- Give it a tempting name: a hostname like
FILESRV-BACKUPcatches far more thanHONEYPOT-01. You’re fishing for scanning behavior — bait should look like bait.
Lessons
- A small team’s detection capability isn’t bought, it’s designed — one afternoon of honeypot work buys a nearly false-positive-free internal sentinel;
- “Minor” options like bridged vs NAT decide whether the design works at all: the honeypot must live on the real segment;
- Add the honeypot’s IP to your own asset inventory with a note — or your next vulnerability scan will page you about your own trap.