Architecting an Active Defense in a Network specifically with Mikrotik

-

Automating OpenCanary Honeypot Integration with MikroTik

In the modern cybersecurity landscape, relying solely on static firewall rules to drop packets is a failing strategy. Automated botnets and malicious actors constantly probe network perimeters. To truly secure an infrastructure—whether it is a complex enterprise environment or an advanced homelab—we need a system that actively fights back. Today, we are building an automated "Active Defense" pipeline that turns reconnaissance attempts into instant hardware-level bans.


Network Security Topology - Honeypot to MikroTik Router Automation Flow

1. Core Concepts: The Deep Dive

Before deploying code, it is critical to understand the architecture and why we select specific tools to make this setup completely "idiot-proof."

  • The Honeypot (Decoy Concept): A honeypot is an intentionally vulnerable system placed on your network. It serves no legitimate business purpose. Therefore, any traffic directed at it is, by definition, malicious reconnaissance.
  • OpenCanary (High-Interaction Sensor): Unlike basic port scanners that simply listen, OpenCanary actively emulates services (SSH, FTP, HTTP, SQL). When an attacker tries to brute-force the fake SSH service, OpenCanary captures their exact intent, providing high-fidelity, zero-false-positive alerts.
  • MikroTik Bouncer: This is our custom automation engine. It acts as the bridge between the OpenCanary logs and the MikroTik hardware firewall, parsing threats and executing commands in real-time.

The Essential Automation Tools

  • grepcidr (The Safety Net): If you automate bans, the biggest risk is locking yourself out. grepcidr is a specialized utility that checks IP addresses against entire subnets (CIDR notation) in milliseconds. We use it to ensure the Bouncer script never blocks our trusted management subnets.
  • sshpass (The Authenticator): MikroTik requires authentication for SSH. Because our script runs in the background without human intervention, sshpass allows our script to securely pass credentials to the router and execute the ban command instantly.
  • Systemd: We utilize Linux's native service manager to ensure our honeypot and bouncer scripts survive reboots, network drops, and unexpected crashes without requiring manual restarts.

2. Infrastructure Preparation (Debian 12 LXC)

We begin with a clean Debian 12 LXC container. Run the following command to install the required dependency stack:

apt update && apt upgrade -y
apt install -y python3-pip python3-venv git nano net-tools iproute2 sshpass grepcidr build-essential

Note: We include python3-venv to isolate our honeypot environment, preventing Python package conflicts with the host OS.

3. OpenCanary Installation & Configuration

We deploy OpenCanary inside a virtual environment. We must also change its default SSH port so it does not clash with the LXC container's actual management SSH.

# Create and activate the virtual environment
mkdir -p /opt/opencanary
python3 -m venv /opt/opencanary
source /opt/opencanary/bin/activate

# Install OpenCanary
pip install --upgrade pip
pip install opencanary scapy rdpy-rdp-victim

# Initialize configuration
opencanaryd --init

Next, edit the configuration file (/etc/opencanaryd/opencanary.conf). Change the ssh.port to 2222 and ensure ssh.enabled is set to true.

4. MikroTik Router Configuration: The Enforcer

We need to configure the router to securely accept commands from the honeypot, and route attacker traffic into the trap.


MikroTik Router User Setup and Key Authentication

A. The Automation User (Least Privilege)

Never use the `admin` account for scripts. Create a restricted user that is only allowed to connect from the IP of your LXC container (e.g., 192.168.50.4).

/user group add name=bouncer-group policy=read,write,policy,test
/user add name=oc-bouncer group=bouncer-group password=YourSecurePassword
/user set [find name=oc-bouncer] allowed-address=192.168.50.4/32

B. Traffic Redirection (DST-NAT)

Redirect incoming public SSH probes to the OpenCanary trap on port 2222.

/ip firewall nat add chain=dstnat dst-port=22 protocol=tcp action=dst-nat to-addresses=192.168.50.4 to-ports=2222

5. The Bouncer Script

Create the automation engine at /opt/opencanary/mikrotik-bouncer.sh. This script continuously monitors the logs, verifies the IP against your whitelist using grepcidr, and executes the ban.

#!/bin/bash
# Configuration
MIKROTIK_USER="oc-bouncer"
MIKROTIK_IP="192.168.50.1"
WHITELIST_FILE="/etc/opencanaryd/whitelist.txt"

# Continuously read the log file
tail -F /var/tmp/opencanary.log | while read line
do
    # Extract the source IP from the JSON log
    SRC_IP=$(echo $line | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -n 1)

    # Validate against whitelist using grepcidr
    if [[ ! -z "$SRC_IP" ]] && ! echo "$SRC_IP" | grepcidr -f "$WHITELIST_FILE" > /dev/null; then
        echo "Malicious intent detected. Quarantining $SRC_IP..."
        
        # Push attacker to MikroTik Honeypot_Blacklist
        sshpass -e ssh -o StrictHostKeyChecking=no $MIKROTIK_USER@$MIKROTIK_IP \
        "/ip firewall address-list add list=Honeypot_Blacklist address=$SRC_IP timeout=1d comment='Blocked by OpenCanary'"
    fi
done

Don't forget to populate your /etc/opencanaryd/whitelist.txt with your trusted subnets (e.g., 192.168.50.0/24)!

6. Systemd Persistence & Fixing The "Loop"

To ensure OpenCanary spawns correctly in the background, we must use Type=forking in our systemd service file (/etc/systemd/system/opencanary.service):

[Unit]
Description=OpenCanary Daemon
After=network.target

[Service]
Type=forking
User=root
WorkingDirectory=/etc/opencanaryd
ExecStart=/opt/opencanary/bin/opencanaryd --start --allow-run-as-root --config=/etc/opencanaryd/opencanary.conf
ExecStop=/opt/opencanary/bin/opencanaryd --stop
Restart=always

[Install]
WantedBy=multi-user.target

Testing & The DNS Flood Protection Fix

During our deployment testing, we discovered a common MikroTik quirk: if your Bouncer script establishes too many rapid SSH connections to the router, MikroTik's native DNS/Connection Flood Protection might accidentally flag the LXC container as an attacker!

To fix this, we implement a strict exclusion rule in the MikroTik firewall. We tell the flood protection rule to ignore our trusted management subnet:

/ip firewall filter set [find comment="DNS Flood Protection"] src-address-list=!Trusted_LAN

Once applied, you can test the system by injecting a fake log entry (echo '{"src_host": "1.2.3.4"}' >> /var/tmp/opencanary.log). You should immediately see the IP populate in your MikroTik Address Lists.


Here is the attack and blocking in action

Conclusion

By shifting from reactive manual blocking to an automated, honeypot-integrated response, you significantly reduce operational overhead while hardening your perimeter. This architecture demonstrates that enterprise-grade active defense is highly achievable using open-source tools and robust networking hardware.

Comments

Post a Comment

Popular posts from this blog

Suricata on Mikrotik(IDS+IPS) = Part 4 - Configuration of the IPS Part

-
Image
  Configuration Disclaimer:  this one again is only for  ubuntu 18.04  and login as  root  user to be sure Make sure you have a good understanding of the suricata rules before doing this This might cause some disconnection from the site or services you are visiting and even the internet if not properly configured. In the real environment it is best not to run as root user but for the sake of just testing it I opted to run as root configure the following rules on your mikrotik router: /ip firewall filter add action=drop chain=input comment="Block bad actors" src-address-list=Blocked /ip firewall filter add action=drop chain=forward comment="Drop any traffic going to bad actors" dst-address-list=Blocked create a user group with all policies checked except telnet create a user allowing your local addresses with the group you created earlier Lets Start ... 1.      Install PHP         apt install php -y 2.   Navigate...
Read more

AdGuard Home DNS for Newbies - Part 3

-
Image
🧩 Part 3: Connecting Your Network to AdGuard Home Configure Your Router or Devices to Use AdGuard Home Why This Step Matters Now that AdGuard Home is installed and running, it’s time to make your network actually  use  it. Right now, your devices are probably still asking Google’s (8.8.8.8), Cloudflare’s (1.1.1.1), or your ISP’s DNS servers for website lookups — which means no ad-blocking, no caching, and no privacy benefits yet. Connecting your network to AdGuard Home means rerouting those DNS lookups through your own local resolver — one you control. This unlocks: Ad-blocking and tracking protection  for every device on your network. Faster lookups  thanks to local caching. Full visibility  into what domains your devices are contacting. And don’t worry — you can test all of this safely, one step at a time. Method 1: Set DNS via Your Router (Whole-Network Filtering) This is the recommended setup because it’s  set-and-forget . Every device that joins your ...
Read more

DHCP for Dummies: How Your Devices Get Online Without You Lifting a Finger

-
Image
DHCP for Dummies: How Your Devices Get Online Without You Lifting a Finger Introduction Ever wondered how your phone, laptop, or smart TV connects to the internet without you having to do anything? One minute you’re tapping "Connect to Wi-Fi," and the next, boom—you’re online. That magic? It’s all thanks to DHCP. DHCP (Dynamic Host Configuration Protocol) is what hands out IP addresses to your devices, kind of like a hotel receptionist giving guests room keys. It’s automatic, invisible, and keeps everything running smoothly—until something breaks. In this guide, you’ll learn: ✔️ What DHCP is (in plain English). ✔️ How it works behind the scenes. ✔️ Why it’s better than manually assigning IP addresses. ✔️ How to fix common DHCP problems without calling IT. By the end, you’ll have a solid grip on DHCP—even if tech stuff usually makes your head hurt. Let’s go! --- What is DHCP? (The No-Nonsense Explanation) Okay, imagine you walk into a hotel. You don’t pick a room or set up a k...
Read more