Setting up OpenCanary with Docker Swarm
Introduction
As a freelance security consultant, I was tasked by my client to replace their outdated honeypot solution, which was not only costly but also required dedicated physical hardware or a virtual machine per installation. After researching various options, I chose Docker Swarm for its self-healing functionality and scalability. OpenCanary was selected as the honeypot implementation due to its industry-standard reputation and versatility. This post outlines how I set up OpenCanary using Docker Swarm, enhancing both security and scalability while leveraging the orchestration capabilities of Docker.
Honeypot
Honeypots are decoy systems that are intentionally made vulnerable in order to detect and study attacks. However, the security of the honeypot itself is paramount, as any compromise could lead to significant risks. Therefore, setting up OpenCanary securely is essential to ensure that it serves its purpose without becoming a liability.
Setting Up OpenCanary with Docker Swarm
Prerequisites
- A non-root user account for running services, enhancing the security of your honeypot deployment.
Step-by-Step Setup
Install Docker
curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh
Configure User and Permissions
adduser opencanary
groupadd -f docker   # -f: succeed if the group was already created by the install script
usermod -aG docker opencanary
mkdir -p /opt/opencanary
chmod -R 700 /opt/opencanary
chown -R opencanary:opencanary /opt/opencanary
Edit OpenCanary configuration
Switch to the opencanary user and navigate to the setup directory:
su opencanary
cd /opt/opencanary
Edit the data/.opencanary.conf file to enable, disable or customize the services that will run.
Edit the ports section of the docker-compose.yml file to enable or disable the desired ports based on the services.
Initialize Docker Swarm
To turn your server into a Docker Swarm manager, use:
docker swarm init
This command configures Docker to manage multiple containers across different nodes.
Deploy OpenCanary
Deploy your OpenCanary service with the following command:
docker stack deploy -c docker-compose.yml opencanary
This deploys OpenCanary according to the settings defined in your docker-compose.yml file, enabling easy scaling and management of your honeypot deployment.
Scaling OpenCanary replicas
Using Docker Swarm, you can easily scale the number of OpenCanary replicas to increase the distribution and fault tolerance of your honeypot environment. The following command allows you to scale the number of OpenCanary instances in your Docker Swarm setup to three containers:
docker service scale opencanary_latest=3
Security Considerations
- Rootless limitations: Current Linux system designs limit rootless operations, especially concerning Docker Swarm's default use of overlay networking, which involves creating virtual IPs and modifying iptables. As documented in Docker's own limitations on rootless containers (see Docker Rootless Known Limitations), it is not feasible to achieve full control over Linux networking in a rootless environment at this level.
- Run as non-root: While running Docker containers as non-root users is still a best practice for security, the rootless mode's limitations in managing networking necessitate running Docker in root mode for certain functionality, such as Swarm. However, with Docker's User Namespaces enabled, the containers themselves do not run as root even though the Docker daemon does.
- Enhanced user security: Implementing User Namespaces is an effective way to lock down Docker. This configuration allows dockerd to run as root, but the containers operate under a non-root user, mitigating potential system-wide breaches.
- Configuring container defaults: Adjusting the default user within containers to a non-root user further secures your deployments. Detailed steps and recommendations for securing Docker can be found in Bret Fisher's Docker security recommendations.
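The stack file below is an added example, not the post's own docker-compose.yml, tying together the ports section mentioned in the setup steps and the non-root container defaults discussed above. It assumes the image name, the config mount path read by opencanaryd, and that data/.opencanary.conf sets ssh.port to 2222 and http.port to 8080 so the process can listen without root or extra capabilities; the service key "latest" is taken from the scale command used earlier (opencanary_latest).

```yaml
# Added example stack file for: docker stack deploy -c docker-compose.yml opencanary
# Assumptions: image name, config mount path, and unprivileged service ports
# (ssh.port = 2222, http.port = 8080) set in data/.opencanary.conf.
version: "3.8"

services:
  latest:                           # deployed as opencanary_latest
    image: opencanary:latest        # assumption: the image you build or pull
    user: "1000:1000"               # non-root default user inside the container
    cap_drop:
      - ALL                         # nothing privileged is needed once ports are > 1024
                                    # (cap_drop in stacks requires Docker 20.10 or later)
    volumes:
      # assumption: opencanaryd reads its config from /etc/opencanaryd/opencanary.conf
      - /opt/opencanary/data/.opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
      # assumption: the file log handler in the conf writes under /var/log/opencanary
      - /opt/opencanary/data/logs:/var/log/opencanary
    ports:
      # One entry per service enabled in .opencanary.conf.
      # mode: host binds on the node itself so the honeypot logs the real source
      # address; the default ingress routing mesh would show an internal address.
      - target: 2222
        published: 22
        protocol: tcp
        mode: host
      - target: 8080
        published: 80
        protocol: tcp
        mode: host
    deploy:
      replicas: 1                   # host-mode ports allow one replica per node;
                                    # scale across additional Swarm nodes
      restart_policy:
        condition: any
```

Host-mode published ports cannot be shared by two replicas on the same node, so scaling with docker service scale only succeeds once more nodes have joined the swarm.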
Conclusion
By adopting these recommended security practices, you can establish a more secure environment for running OpenCanary in Docker Swarm. Although rootless Docker presents certain limitations in network management, leveraging User Namespaces and setting non-root defaults within containers provide substantial security enhancements for your honeypot deployment.