Papa Labs

A canary for the LAN on a spare server: OpenCanary honeypot deployment notes

Internal network security has a brutal truth: the firewall stops outsiders, but once something gets in (a phished user, a compromised host), the lateral-movement phase is essentially invisible. Commercial EDR/NDR too expensive? There’s a classic zero-budget answer: the honeypot.

The honeypot logic: fake services, real alarms

Place a machine on the LAN that looks valuable, running fake SSH, SMB, MSSQL, FTP. The key insight:

No legitimate business process ever touches it. So anything scanning it or attempting a login is a high-confidence bad signal — either an attacker probing laterally, or malware on some machine sweeping the subnet.

False-positive rate approaches zero — the most elegant property a detection control can have, in a world of alert fatigue.

Honeypot concept: legitimate traffic never touches it, so any touch is worth an alarm

The canary’s value isn’t in blocking anyone — it’s the high-confidence “touched = trouble” signal

Zero-budget deployment: VirtualBox + Ubuntu + OpenCanary

No dedicated hardware — find a Windows server with spare capacity and spin up a small VM:

  1. VM: Ubuntu Server 18.04, a small virtual disk, 1 GB RAM is plenty (honeypots do no heavy lifting);
  2. Network mode: Bridged Adapter — the decision that matters. Under NAT the honeypot hides behind the host and the LAN can’t “see” it; bridged, it appears on the real LAN with its own IP, a peer among servers, a genuine target when an attacker sweeps the subnet;
  3. Install OpenCanary (docs.opencanary.org): a lightweight Python honeypot framework — enable the fake services you want (SSH/SMB/MSSQL/HTTP/FTP…) in its config and point logs/alerts at email or a webhook;
  4. Auto-start the VM with the host — a honeypot’s worst enemy is “forgot to start it after the reboot.” Use VirtualBox autostart or a scheduled task.

Two operational points

  1. The alert channel must reach a human: a honeypot might cry once a year, but that once is real. Alerts into an unread mailbox equal no honeypot;
  2. Give it a tempting name: a hostname like FILESRV-BACKUP catches far more than HONEYPOT-01. You’re fishing for scanning behavior — bait should look like bait.

Lessons

  1. A small team’s detection capability isn’t bought, it’s designed — one afternoon of honeypot work buys a nearly false-positive-free internal sentinel;
  2. “Minor” options like bridged vs NAT decide whether the design works at all: the honeypot must live on the real segment;
  3. Add the honeypot’s IP to your own asset inventory with a note — or your next vulnerability scan will page you about your own trap.
← All posts