To setup your Canary, you'll need:
- An Ethernet cable and network point.
- A workstation (with bluetooth) to configure the Canary.
- IP information for your Canary's deployment, including a DNS server which can resolve public DNS.
- Credentials for your hosted console.
Plug the Canary into the Network
Connect your Canary to your network with an Ethernet cable.
Power up your Canary
Plug the USB power cable into any USB socket or 5 Volt, 2 Amp power adaptor.
Wait for the blue status LED
As your Canary boots, the status LED will change colour. When it turns blue, it's waiting to be setup.
Pair with your Canary over bluetooth
Use your workstation's Bluetooth tool to discover and pair with the Canary Device. Connect to the Bluetooth network once paired.
If you pairing using a Windows machine, click here.
Surf to your Canary
In your browser login to your Canary console.
In another tab surf to http://setup.canary.tools.
If your browser cannot contact the site, click here.
Configure the Canary
Give your Canary a name and record where it'll be installed, configure its IP settings (either static or DHCP), select a device personality and Save.
For more configuration options, click here.
Smile! You're almost there!
Register your Canary
Your configured canary now needs to register itself with your console. Open another browser tab to your console and login. This will allow the canary to register automatically.
If automatic registration fails, click here for information about offline registration.
Approve the Canary registration
In your hosted console, you'll get a popup notification with the details of your newly registered Canary. Carefully verify the details and approve the registration.
Deploy into production
With your Canary setup, move it to its production environment and power it up. When the status LED goes Green, the Canary is live.
I want to reconfigure a Canary
Your Canary can be reconfigured from your console, using the remote configuration editor or over bluetooth. To configure your Canary over bluetooth, the device needs to be in Bluetooth configuration mode. A brand new, pristine Canary boots automatically into config mode (which can be determined by the pretty blue LED). If the device has already been configured, it boots to live mode (where the LED will burn green or red).
To re-enter config mode, disconnect the power supply and then reconnect it. While the device is booting hold down the button (LED) on top of the device until the status LED lights up. After a short while, the LED will go blue, at which point the config interface on http://setup.canary.tools will be accessible again.
What configuration options are supported?
A name for the device, can contain only alphanumeric characters. Use this to provide a unique identifier for your Canary.
Remind yourself where the Canary is deployed (or use it as a more general descriptor field).
A device personality combines an OS personality with services you'd expect to find on that OS. This will select services on your behalf.
OS IP stack personality
Tell the Canary's IP stack to imitate a different OS.
Enable or disable portscan detection on this Canary.
Enable or disable DHCP networking on your Canary.
Canary IP Address
IP Address for deployed Canary.
Netmask for deployed Canary.
IP Address of the default gateway. Your Canary does not require direct Internet access, but without a default route it will only be accessible to attackers on the local network segment.
DNS Server 1
IP Address of a DNS server reachable from the deployed network address. The DNS server is required, and must be able to resolve external queries otherwise your Canary will not be able to communicate with the console.
DNS Server 2
Provide a second DNS server for redundancy. If only one is is available, enter the same IP address in this field.
Windows File Share
File Share enabled
Check to enable the File Share module, uncheck to disable.
Select between "Workgroup" for a standalone file share server, or "Domain member" to join an Active Directory domain.
In "Workgroup" mode, provide a name for the Windows Workgroup (e.g. "OFFICE").
Fully Qualified Active Directory Domain Name
In "Domain Member" mode, provide the full Active Directory domain name (e.g. "corp.thinkst.com").
Configure the NetBIOS Name advertised to the network.
Set the comment shown next to servers in the server listing.
Name the share exposed on the Canary.
Set the comment shown next to share in the share listing.
Files in the Share
Add new files to the share by clicking the + button. Give the files a name, and choose their type.
Check to enable the HTTP module, uncheck to disable.
The port number on which to listen for HTTP connections.
HTTP Page Skin
Select the Login page you want to serve to attackers.
Check to enable the SSH module, uncheck to disable.
Choose the port on which to run the SSH service.
Provide an SSH version string.
Check to enable the FTP module, uncheck to disable.
Choose the port on which to run the FTP service.
Provide an FTP banner.
- Bluetooth pairing on a Windows Machine
What are the detection modules?
Your Canary ships with six types of detection modules:
Host port scan
Detects whether a Canary was subjected to a port scan from a single originator.
Network port scan
Detects when an attacker scans across your network for a particular port. This requires multiple Canaries on your network.
Exposes a web-based login page, and reports when login attempts are made.
Windows shared files
Provides a fully functional Windows file share complete with actual files named by you. Alerts whenever someone tries to open the files. Includes the ability to join Active Directories.
Provides an authentication-only SSH daemon. All login attempts are recorded.
Provides an authentication-only FTP daemon. All login attempts are recorded.
I want to join a Windows Active Directory
Good choice! Joining your Canary to AD means it is easier for snoopers to find since it'll show up in the AD tree, and you'll have authentication information.
Before we start, you will need valid Active Directory credentials for a user who is allowed to join machines to the AD. This user is often a domain administrator, but doesn't have to be (see Resolution→Method 2 on this Microsoft page).
Secondly, if you want your Canary to be placed in a specific OU, then you'll need to pre-create the Computer account in the right OU, before joining the AD. (See Resolution→Method 1 on the same page). The Canary's NetBIOS name must match the AD's Computer account name.
Lastly, the Canary must be on a network segment that can reach domain controllers. When the Canary enters config mode, in addition to the 188.8.131.52 address it also tries to obtain a second address via DHCP. This address, if present, is used to join the domain. If no DHCP address was obtained, domain join will fail.
- Under your Canary's Windows File Share configuration section, enable File Share and fill in computer and share details.
- Ensure "Mode" is set to "Domain member".
- Ensure that the full qualified name of the AD is entered correctly.
- Click Save.
- You are shown a preparation screen which describes what is about to happen.
- Click Join domain. The Canary will perform sanity checks, including looking up domain details. If any of these fail, you will be notified and the join process will halt. Resolve the failures before trying again.
- If the tests pass, then you will be prompted for credentials of a user who is allowed to join machines to the domain. Enter the credentials then click Join domain.
- After successfully joining the domain, Continue.
What are HTTP skins?
The HTTP module reports login attempts on a website hosted by the Canary. To make the login appear legitimate, we let you pick from a range of fake websites that might be found on internal networks. The skin only holds the login page.
In some cases, the Canary's automatic registration can fail. Typically this occurs when the user configuring the Canary is not also logged into their hosted console, perhaps because the user does not have external web access at that time.
Canaries support an offline or manual registration flow too. This process requires you to copy data from the Canary's config interface to the hosted console, and vice versa. Here are the steps:
- After trying the Canary's automatic registration, you see this error:
- Copy the blob of data from the textfield.
- Log in to your hosted console, and click Setup located in your navbar.
- Paste the blob copied from the Canary into the text area.
- Click Import. This will register the Canary with your console.
- The second part of the process is to register the console with the Canary. Copy the data blob shown in the hosted console to your clipboard.
- Then switch back to your Canary's config screen and paste the console blob into the text field and click Submit:
- A successful import on the Canary shows this message, click Finish to reboot into production mode:
- On your hosted Console, click Take me to Approval.
- Finally, approve your new Canary to complete the registration.
- Your Canary is now registered, you can unplug it and move it to its production location.
I want to configure notifications
Your hosted console supports two types of notifications, SMS and email, and you can configure one, both or neither. Browse the Setup link to configure your hosted console.
To enable email notifications, click the On button, and in the text field that appears enter the email address that will received alerts. You can include multiple addresses, simply separate them with a comma.
To enable SMS notifications, click the On button, and in the text field that appears enter the phone numbers that will received alerts. Numbers must start with "+
" and, apart from the "+", only consist of digits. You can include multiple numbers, simply separate them with a comma.
I want to enable 2FA on my console
Your hosted console supports Google Authenticator's time-based OTPs:
- To enable 2FA, click the On button.
- A configuration QR-code is shown. Open your Google Authenticator app, tap Settings then tap Scan a barcode.
- Alternatively, if you don't want to scan the barcode then manually enter the key. Tap Enter provided key and input the key string shown under the QR-code along with an account name. Ensure that Time based is selected, then tap Add.
- To use your 2FA, on the login select I use a second factor.
What do the LED colours mean?
The status LED provides feedback about the Canary's current state, using colour and flashing.
Canary software has not run, power is likely off.
Booting into config mode.
Config mode is running.
Booting into live mode.
Canary is running in live mode, in contact with the server.
Canary is running in live mode, but cannot contact the server.
Canary software has exited. Reboot your Canary.
What counts as an incident?
Your console doesn't simply report on every trigger, it bundles events together to form incidents if they are related. For example, if an attacker launches a brute-force attempt against your FTP server, you want to receive a single alert about the attack, not one per username tried.
Incidents are defined as duplicated events from the same source against the same target service within a time period.
Of course, we still record every event and when you open up an incident, you will be provided with the data about each event that makes up the incident.