canarytokens-docker's Issues

Error while running docker-compose up

This is the error I get while running docker-compose up:

Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-P5Plug/twilio/
ERROR: Service 'frontend' failed to build: The command '/bin/sh -c pip install --no-cache-dir twilio==4.4.0' returned a non-zero code: 1

PDF token not working

Hi,

I have set up my zone like this:
A * x.x.x.x 600 sec
NS @ ns20.domaincontrol.com 1 hour
NS @ ns40.domaincontrol.com 1 hour
SOA @ main nameserver: ns29.domaincontrol.com. 1 hour

The setup of my env files is as below:
Frontend.env
CANARY_DOMAINS=domain.com
CANARY_NXDOMAINS=domain.com

CANARY_GOOGLE_API_KEY=MY_API_KEY_HERE

CANARY_WEB_IMAGE_UPLOAD_PATH=/uploads
CANARY_MAX_UPLOAD_SIZE=1024102410

LOG_FILE=frontend.log

Switchboard.env:
#CANARY_MAILGUN_DOMAIN_NAME=
#CANARY_MAILGUN_API_KEY=
#CANARY_MANDRILL_API_KEY=
CANARY_SENDGRID_API_KEY=my_sendgrid_api_here
CANARY_PUBLIC_IP=x.x.x.x
CANARY_PUBLIC_DOMAIN=domain.com
CANARY_ALERT_EMAIL_FROM_ADDRESS=[email protected]
CANARY_ALERT_EMAIL_FROM_DISPLAY="Canary Token Alert"
CANARY_ALERT_EMAIL_SUBJECT="Canarytoken"

CANARY_TOKEN_RETURN=fortune

CANARY_WEB_IMAGE_UPLOAD_PATH=/uploads

LOG_FILE=switchboard.log

If I create a PDF I don't get any alert, but if I do the following:

nslookup domain.com my_ip_address_hosting_canarytokens

I get the alert.

Through Wireshark I see that when I open the PDF two DNS requests are performed:
192.168.1.10 ----> 8.8.8.8 sc918xzqauaebct8z05t4ln7a.domain.com
8.8.8.8 ----> 192.168.1.10 A Record A x.x.x.x

I used your online service to create a PDF and then I inspected the network traffic via Wireshark. The same DNS requests are performed.

JSON Output

Hey Thinkst Team,

Is there a way to convert the switchboard.log file into a JSON output? I am having to perform a workaround due to no STARTTLS capability and I am looking to implement the switchboard.log file into my SIEM to receive real-time alerts when a token is fired. However, I am having difficulty decoding the switchboard.log file into a format my SIEM tool can read. Any suggestions would be greatly appreciated!

Thanks for the help
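One way to do the conversion asked about above, as an added example (not code from the canarytokens project or from the poster). It assumes the line layout of the switchboard.log excerpts quoted in other issues on this page: a timestamp, a bracketed channel, then either a Python dict/str repr or free text. The sample lines and function names are constructed for the illustration.

```python
import ast
import json
import re
from datetime import datetime

# Constructed sample in the layout of the switchboard.log lines quoted on this
# page: timestamp, [channel], then a Python repr or free text. Values are made up.
SAMPLE_LOG = """\
2018-08-12 12:59:17+0000 [HTTPChannel,1,172.20.0.5] {'src_ip': '203.0.113.7', 'useragent': 'Mozilla/5.0 (X11; Linux x86_64)', 'referer': None, 'location': None}
2018-08-12 12:59:18+0000 [HTTPChannel,1,172.20.0.5] 'Exception occurred in switchboard dispatch: certificate verify failed'
2018-08-12 12:59:19+0000 [HTTPChannel,1,172.20.0.5] Sent alert to admin@example.com for token exampletoken0000000000000
this line does not match the layout
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4}) "
    r"\[(?P<channel>[^\]]*)\] (?P<payload>.*)$"
)
SENT_RE = re.compile(r"^Sent alert to (?P<recipient>\S+) for token (?P<token>\w+)$")


def parse_line(line):
    """Turn one log line into a JSON-serialisable dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S%z")
    record = {"timestamp": ts.isoformat(), "channel": m.group("channel")}
    payload = m.group("payload")
    try:
        # literal_eval only accepts Python literals. Never use eval() here:
        # the user agent and referer inside the dict are attacker-controlled.
        value = ast.literal_eval(payload)
    except (ValueError, SyntaxError):
        value = payload  # free text such as "Sent alert to ..."
    if isinstance(value, dict):
        # Assumption: hit records carry 'src_ip', as in the lines quoted on this page.
        record["kind"] = "hit" if "src_ip" in value else "data"
        record["data"] = {str(k): v for k, v in value.items()}
        return record
    text = value if isinstance(value, str) else payload
    sent = SENT_RE.match(text)
    if sent:
        record["kind"] = "alert_sent"
        record.update(sent.groupdict())
    else:
        record["kind"] = "message"
        record["message"] = text
    return record


def parse_log(text):
    """Return (records, skipped_line_count) for a whole log."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # e.g. traceback continuation lines
        else:
            records.append(rec)
    return records, skipped


def to_json_lines(text):
    """Render the parsed records as JSON Lines (one object per line)."""
    records, _ = parse_log(text)
    return [json.dumps(r, sort_keys=True, default=str) for r in records]


if __name__ == "__main__":
    print("\n".join(to_json_lines(SAMPLE_LOG)))
```

Lines that do not start with the timestamp and channel prefix are counted as skipped rather than guessed at, so a rising skip count is a signal that the log layout has changed.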

DNS token issue

Hi team

We were able to set up tokens in our AWS environment. The new interface looks really nice. But I have issues with my DNS tokens. We have updated our DNS records with a public IP.
Also the tokens like http, smtp etc. work fine.
Do we have to add another entry for this to work?
ex: *.abc.mycompany.com

DNS Settings

I have issues with this step:

  • Configure your domains so that their nameservers point to the public IP of the Docker host. This requires a change at your Registrar. Simply changing NS records in the zonefile is insufficient.

I am using GoDaddy and it seems that it is not possible to change the nameserver settings so they point to the IP of the Docker host. Or am I getting something wrong?

In addition;
What inbound ports must be open for the different canary tokens? Only http, https and DNS? Maybe it would be good to enhance the instructions.

SSL: CERTIFICATE_VERIFY_FAILED on Mailgun Alerting

Hi,

with the current docker container version I get the following error entry in switchboard.log when triggering a canary web token which should do the alerting with Mailgun (alerting is not working).

Any ideas?

root@89053bfa5253:/srv# tail -f switchboard.log
2018-08-12 12:59:17+0000 [HTTPChannel,1,172.20.0.5] {'src_ip': '<ip removed>', 'useragent': 'Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0', 'referer': None, 'location': None}
2018-08-12 12:59:18+0000 [HTTPChannel,1,172.20.0.5] 'Exception occurred in switchboard dispatch: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'

The IP 172.20.0.5 belongs to the thinkst/certbot-nginx container.
Thanks
Florian

Custom Image token generation

Hi. Image token generation isn't working properly on a self-hosted instance. It generates a token which can be triggered, yes. But the picture is not visible when accessing it through an <img src="url"> tag.
Note, when using canarytokens.com the same picture is visible, so that eliminates the possibility that when using self-hosted CT I am embedding the picture into the html page somehow wrongly. Is there anything that needs to be changed on the server side? Is there any debugging I can do, and where is the uploaded file being saved (to validate that upload is working correctly and the picture exists)?
Thanks.

email notification

Why don't I receive email notifications from Canarytokens-docker?
I have one docker domain, and when someone uses a tracking link or any other option, he doesn't receive an email report.
Can you help me??
Thx

mailgun domain name

Have managed to get the docker image running, however am not receiving emails.

In the switchboard.env can an example be provided for the parameter

If my parent domain is xyz.com what should

canary_mailgun_domain_name=

Issues with Geo Location

After I click on the manage tokens, the geolocation for the docker image does not seem to be working. What am I missing here?

Imgur error: string indices must be integers, not str

Getting an error with let's encrypt docker compose

switchboard | 2019-09-10 05:44:27+0000 [-] Starting factory <channel_input_smtp.CanarySMTPFactory object at 0x7f23297bd990>
switchboard | 2019-09-10 05:44:28+0000 [-] 'Imgur error: string indices must be integers, not str'
nginx | Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)

can't get the master.zip file

When running docker-compose up, it hangs with the info below:

--2016-06-21 07:29:59-- https://github.com/thinkst/canarytokens/archive/master.zip?step=1
Resolving github.com (github.com)... 192.30.252.128
Connecting to github.com (github.com)|192.30.252.128|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/thinkst/canarytokens/zip/master [following]
--2016-06-21 07:30:01-- https://codeload.github.com/thinkst/canarytokens/zip/master
Resolving codeload.github.com (codeload.github.com)... 192.30.253.121
Connecting to codeload.github.com (codeload.github.com)|192.30.253.121|:443... connected.

I can download the file with the command in Dockerfile "wget -O master.zip https://github.com/thinkst/canarytokens/archive/master.zip?step=1", but it just hangs there.

Any suggestions?

Web UI to manage created tokens

Hello,

Is there a web ui that can be used to view created tokens. I see they are stored in the data directory, but is there a way to view them through the UI?

Thanks

DNS amplification attack

This container is open to be used in a DNS amplification attack. This works by:

  • Attacker makes a DNS request to the canary tokens server but spoofs the UDP packet with the victim's IP.
  • Server responds with failure message and sends this to the victim.
  • Victim is deluged by traffic

The fix is to not send responses for DNS requests that are not valid
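The fix proposed in this issue, sketched as a standalone filter (an added example, not code from canarytokens or from the reporter): it parses the question of an incoming UDP DNS packet and lets the server answer only well-formed standard queries for names under the zones it serves, dropping everything else without a reply. SERVED_ZONES, the helper names and the sample packets are assumptions made for the illustration.

```python
import struct

# Assumption: stands in for the domains configured in CANARY_DOMAINS / CANARY_NXDOMAINS.
SERVED_ZONES = ("canary.example",)


def build_query(qname, txid=0x1234, flags=0x0100):
    """Build a minimal DNS packet with one question (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.strip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_question(packet):
    """Return the lower-cased query name, or None unless the packet is a
    well-formed standard query carrying exactly one question."""
    if len(packet) < 12:
        return None                      # shorter than a DNS header
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        return None                      # QR bit set: a response, never answer it
    if (flags >> 11) & 0xF != 0:
        return None                      # only the standard QUERY opcode
    if qdcount != 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None                  # name runs off the end of the packet
        length = packet[pos]
        pos += 1
        if length == 0:
            break                        # root label terminates the name
        if length > 63 or pos + length > len(packet):
            return None                  # compression pointer or truncated label
        labels.append(packet[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(packet):
        return None                      # QTYPE/QCLASS missing
    return ".".join(labels)


def should_answer(packet, zones=SERVED_ZONES):
    """True only for valid queries for a served zone or a name below it.

    Everything else is dropped silently, so a spoofed source address
    receives no traffic at all from this server.
    """
    name = parse_question(packet)
    if name is None:
        return False
    return any(name == zone or name.endswith("." + zone) for zone in zones)


if __name__ == "__main__":
    for qname in ("sc918x.canary.example", "victim.test"):
        print(qname, should_answer(build_query(qname)))
```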

Incident List not generating on triggered alert

Hi! When I trigger an alert with a token with the docker setup, I see on the manage page of the token the count going up by how many times it triggered. When I go to history however, I do not see the Incident List as on your website (canarytokens.org) where I can see the client specific information like UA and IP

Took a look at the code in the docker containers and the log files but couldn't find any suspects

How to create authentication for the token generator

Hi, I have used the procedure that was mentioned and was able to replicate the canary token generator, but since I am going to use it from outside, as I have given it a public IP address, is there some option where we can create some basic authentication for this?

DNS token not working

Good day,

I've set up canary token on a VPS instance and everything else but DNS seems to be working fine.

I pointed my domain's Authoritative Name Servers to the IP (hostname cause IP gives me an error) where my docker instance is running but every time I try to dig a c token, it doesn't resolve.

If I do:
#dig @canary_dns_or_ip (token).domain.com
Everything is working fine and I get my DNS hit in my mail.

Any idea what could cause that problem?

Thanks a lot! Awesome work btw on that project :)

Getting different IP in pdf Alert

Hello,

When I am generating an alert using a PDF token it is showing a different IP than my ISP public IP.
It is showing the IP of the DNS server that the ISP is using to resolve the address.
In most cases, it is different from the location of the user who is actually opening the file.
And in some tokens I am getting the same as the ISP IP, so it is not showing the exact location; it is a false positive in many cases.
Is there any different method you are using for generating alerts for PDF tokens?

Thanks

NGINX container fails to start

I'm getting the following in my docker logs when running docker-compose up

Ubuntu 14.10

frontend_1    | Failed to load application:
frontend_1    |
frontend_1    | [x] Adding domains
frontend_1    |     <redacted>.com
frontend_1    | [x] Adding NX domains
frontend_1    | Unhandled Error
frontend_1    | Traceback (most recent call last):
frontend_1    |   File "/usr/local/lib/python2.7/site-packages/twisted/application/app.py", line 657, in run
frontend_1    |     runApp(config)
frontend_1    |   File "/usr/local/lib/python2.7/site-packages/twisted/scripts/twistd.py", line 23, in runApp
frontend_1    |     _SomeApplicationRunner(config).run()
frontend_1    |   File "/usr/local/lib/python2.7/site-packages/twisted/application/app.py", line 389, in run
frontend_1    |     self.application = self.createOrGetApplication()
frontend_1    |   File "/usr/local/lib/python2.7/site-packages/twisted/application/app.py", line 454, in createOrGetApplication
frontend_1    |     application = getApplication(self.config, passphrase)
frontend_1    | --- <exception caught here> ---
frontend_1    |   File "/usr/local/lib/python2.7/site-packages/twisted/application/app.py", line 465, in getApplication
frontend_1    |     application = service.loadApplication(filename, style, passphrase)
frontend_1    |   File "/usr/local/lib/python2.7/site-packages/twisted/application/service.py", line 403, in loadApplication
frontend_1    |     application = sob.loadValueFromFile(filename, 'application', passphrase)
frontend_1    |   File "/usr/local/lib/python2.7/site-packages/twisted/persisted/sob.py", line 210, in loadValueFromFile
frontend_1    |     exec fileObj in d, d
frontend_1    |   File "frontend.tac", line 11, in <module>
frontend_1    |     import setup_db
frontend_1    |   File "/srv/setup_db.py", line 18, in <module>
frontend_1    |     add_canary_nxdomain(domain=d)
frontend_1    |   File "/srv/queries.py", line 53, in add_canary_nxdomain
frontend_1    |     raise ValueError
frontend_1    | exceptions.ValueError:

aws warning about an open recursive DNS resolver

I set up a canarytokens-docker instance some time ago though I haven't done much with it and I just recently got an alert from AWS that it's been flagged by an abuse report as running an open-resolver.

It's possible that this is due to how /I/ configured the setup and not necessarily the fault of the image itself, but I figured I'd file it here just in case. The server wasn't important so I just killed the instance for now.

Install Issues

Ok so not new to Linux but new to docker. I am trying to get this installed but running into what I assume is a basic issue. I run all the install commands but when I try to start this I get the below:

ERROR: Couldn't connect to Docker daemon - you might need to run docker-machine start default.

canary@canary:/canarytokens/canarytokens-docker$ docker-machine ls
NAME ACTIVE DRIVER STATE URL SWARM DOCKER ERRORS
canary@canary:/canarytokens/canarytokens-docker$

Data not persisting

I've had an issue since I started using this (which was only two commits ago) where the redis data does not persist. Everything else about this functions correctly - notifications, etc. But if I ever have to rebuild or stop/start the containers, no dump.rdb gets appended to data directory.

I've just rm'd each instance, and all associated images, done a docker-compose pull again, and docker-compose up -d (all as sudo), everything has created successfully - and then I gracefully stop the containers, and no data has been written/dumped.

Anything I can provide to help, I'd be happy to do so!

EXE/DLL generation isn't working?

I tried on both canarytokens.org and on my self-hosted canarytokens instance and it seems embedding tokens into exe/dll files isn't working? Whenever I try to generate a token using an .exe file it returns a successful window with a green button (as usual), but the button has the name "Save undefined" and when clicking on it, it just downloads the .html document of the actual canarytokens main page - is it a bug? Or are there any restrictions on the .exe files which can be used?
Thanks.

SMTP Issue

Hey Guys,

I have made the below changes to the switchboard.env file but still not receiving emails via SMTP

CANARY_SMTP_SERVER=mailhost.omit.omit.omit.com
CANARY_SMTP_PORT=25
CANARY_ALERT_EMAIL_FROM_ADDRESS=[email protected]
CANARY_ALERT_EMAIL_SUBJECT="Canary Alert via SMTP"
CANARY_SMTP_USERNAME=
CANARY_SMTP_PASSWORD=
CANARY_PUBLIC_DOMAIN=omit.omit.com
CANARY_ALERT_EMAIL_SUBJECT="Canary Token Fired"

CANARY_TOKEN_RETURN=fortune

CANARY_WEB_IMAGE_UPLOAD_PATH=/uploads

LOG_FILE=switchboard.log

Any help would be much appreciated.

Thanks

Letsencrypt method doesn't work reliably

Hi.
I found one annoying issue...Especially after enabling basic_auth in Nginx.
Letsencrypt has a limit of cert generations for the same domain which is 5/week.
Now here is the situation I met - each time when starting the server with docker-composer-letsencrypt.yml it is requesting a new certificate from the Letsencrypt provider. After several CanaryTokens server/container restart attempts my https stopped working (server refuses connection), while http is working fine... I ran the container manually in foreground mode and noticed from the log it's failing to register with the letsencrypt service, which returns a "Too many attempts" error. I tried to "hack" it by replacing nginx.conf under the /nginx/ directory with the one under the /certbot-nginx/ directory and added port 443 in the docker-composer.yml file, then rebuilt the container to apply changes (all that was done with the hope to skip the letsencrypt cert request part) - but that trick didn't work...
I think if there would be an additional configurable option/parameter implemented which would tell "Use letsencrypt to obtain new cert OR Don't use letsencrypt" while running the https setup, that would be the easiest solution because it would allow running HTTPS without re-requesting the cert each time. I hope that can be added.
For now I am stuck for 1 week with http and basic authentication which sends my credentials in plain-text (actually base64 encoded, but that's mickey mouse) with every request I do to CT :(

service_identity module

I have installed the canarytokens-docker in a few different ways (the way I install docker and docker-compose) but it never connects to my mailgun account.

In all instances I am getting this error:

:0: UserWarning: You do not have a working installation of the service_identity module: 'No module named service_identity'. Please install it from https://pypi.python.org/pypi/service_identity and make sure all of its dependencies are satisfied. Without the service_identity module and a recent enough pyOpenSSL to support it, Twisted can perform only rudimentary TLS client hostname verification. Many valid certificate/hostname mappings may be rejected.

I tried different ways of installing and updating the service_identity module, and I'm getting this reply:

pip install --upgrade service_identity
Requirement already up-to-date: service_identity in /usr/local/lib/python2.7/dist-packages/service_identity-16.0.0-py2.7.egg
Requirement already up-to-date: attrs in /usr/local/lib/python2.7/dist-packages/attrs-16.3.0-py2.7.egg (from service_identity)
Requirement already up-to-date: pyasn1 in /usr/local/lib/python2.7/dist-packages (from service_identity)
Requirement already up-to-date: pyasn1-modules in /usr/local/lib/python2.7/dist-packages/pyasn1_modules-0.0.8-py2.7.egg (from service_identity)
Requirement already up-to-date: pyopenssl>=0.12 in /usr/local/lib/python2.7/dist-packages (from service_identity)
Requirement already up-to-date: cryptography>=1.3.4 in /usr/local/lib/python2.7/dist-packages (from pyopenssl>=0.12->service_identity)
Requirement already up-to-date: six>=1.5.2 in /usr/lib/python2.7/dist-packages (from pyopenssl>=0.12->service_identity)
Requirement already up-to-date: setuptools>=11.3 in /usr/local/lib/python2.7/dist-packages (from cryptography>=1.3.4->pyopenssl>=0.12->service_identity)
Requirement already up-to-date: ipaddress in /usr/local/lib/python2.7/dist-packages (from cryptography>=1.3.4->pyopenssl>=0.12->service_identity)
Requirement already up-to-date: enum34 in /usr/local/lib/python2.7/dist-packages (from cryptography>=1.3.4->pyopenssl>=0.12->service_identity)
Requirement already up-to-date: idna>=2.0 in /usr/local/lib/python2.7/dist-packages (from cryptography>=1.3.4->pyopenssl>=0.12->service_identity)
Requirement already up-to-date: cffi>=1.4.1 in /usr/local/lib/python2.7/dist-packages (from cryptography>=1.3.4->pyopenssl>=0.12->service_identity)
Requirement already up-to-date: appdirs>=1.4.0 in /usr/local/lib/python2.7/dist-packages (from setuptools>=11.3->cryptography>=1.3.4->pyopenssl>=0.12->service_identity)
Requirement already up-to-date: packaging>=16.8 in /usr/local/lib/python2.7/dist-packages (from setuptools>=11.3->cryptography>=1.3.4->pyopenssl>=0.12->service_identity)
Requirement already up-to-date: pycparser in /usr/local/lib/python2.7/dist-packages (from cffi>=1.4.1->cryptography>=1.3.4->pyopenssl>=0.12->service_identity)
Requirement already up-to-date: pyparsing in /usr/local/lib/python2.7/dist-packages (from packaging>=16.8->setuptools>=11.3->cryptography>=1.3.4->pyopenssl>=0.12->service_identity)

Email Canary Token - Adding IP address instead of domain

Hi Team,

I am setting up a Unique email address Token. My Canary docker is working fine for all canary tokens, while when generating an email address it appends the IP address instead of the domain. Here is - [Of course I am testing internally hence private IP is used.]


Your Email address token is active!
Here is a unique email address:

l698fgdrx5cr5n42qst9i6cr0@192.168.5.122


Here is my switchboard.env
CANARY_PUBLIC_IP=192.168.5.122
CANARY_PUBLIC_DOMAIN=klam.in

And frontboard.env
CANARY_DOMAINS=klam.in
CANARY_NXDOMAINS=nx.klam.in

On restart, nginx gets stuck restarting

When I reboot my VPS, the docker images attempt to restart. Redis and frontend do so without a problem, then nginx gets stuck in a restarting loop. According to the yml, switchboard isn't set to restart at all (the others are set to restart always).

I'm fairly new to docker containers, so I'm not sure if this is something I've done wrong, or incorrect behavior. If there are any logs I can provide, please let me know what is needed and from where.

'frontend' failed to build

I've been using this repo for at least a year and been about to build a new webserver from it on Linux (Ubuntu 18.04), however I have just tried this weekend and now get the following error during sudo docker-compose build:

Step 11/37 : RUN pip install --no-cache-dir Twisted==15.2.1
---> Running in 642adaac9a7c
DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Collecting Twisted==15.2.1
Downloading https://files.pythonhosted.org/packages/ce/1b/1563ef82c2103ee937a78800486812da511e31e51b70870183ba82123a7c/Twisted-15.2.1.tar.bz2 (4.6MB)
Collecting zope.interface>=3.6.0
Downloading https://files.pythonhosted.org/packages/d3/f0/521019b86fadc15272fd1229fbad811c4af5ad8f63a2ec604e0b50e7b473/zope.interface-4.7.1-cp27-cp27mu-manylinux2010_x86_64.whl (164kB)
Requirement already satisfied: setuptools in /usr/local/lib/python2.7/dist-packages (from zope.interface>=3.6.0->Twisted==15.2.1) (45.0.0)

ERROR: Package 'setuptools' requires a different Python: 2.7.12 not in '>=3.5'
ERROR: Service 'frontend' failed to build: The command '/bin/sh -c pip install --no-cache-dir Twisted==15.2.1' returned a non-zero code: 1

I have tried to google but I'm a novice on this, maybe you are aware of the issue already?

I never make any changes but it seems some dependencies have changed

Subdomain as 2nd domain & Token History

Hi there,

"At least one domain name. If you want to enabled PDF-opening tracking, at least two domains."
Can we use a subdomain as 2nd domain?

I'm having some issues with tokens history. If I click on More info on this token here on the email containing the alert, I'm redirected to a page (ps below) but cannot see any history. Is this normal or am I missing something?

ss_463

Thank you.

Basic Auth is preventing tokens from triggering

The current instructions call for placing the auth_basic settings under server which requires auth for all traffic to the server, including triggering a token. This is preventing any tokens from triggering and notifying owners.

The auth_basic settings should be moved under the location declaration for generate, manage, download, history, settings and resources. Those are the locations that should be secured via auth.

Current:

server {
auth_basic "Basic Auth Restricted Canrytokens"; <---- ADD
auth_basic_user_file /etc/nginx/htpasswd; <---- ADD

Proposed:

location ~* (/generate|/manage|/download|/history|/settings|/resources).* {
auth_basic "Basic Auth Restricted Canrytokens";
auth_basic_user_file /etc/nginx/.htpasswd;
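A small model of the two placements described in this issue, as an added example (not from the issue or the project): it reports which request targets would receive the Basic Auth challenge when auth_basic sits at server level versus in the proposed `location ~*` block. The ANCHORED pattern is an assumed stricter variant that is not part of the issue, and the request targets are constructed, with the first two following URL shapes quoted on this page.

```python
import re
from urllib.parse import urlsplit

# The regex from the "Proposed" location block in the issue.
PROPOSED = r"(/generate|/manage|/download|/history|/settings|/resources).*"
# Assumption: a stricter variant (not from the issue) that only matches when
# the URI path starts with one of the management prefixes.
ANCHORED = r"^/(generate|manage|download|history|settings|resources)(/|$)"

# Constructed request targets; token values are placeholders.
REQUESTS = [
    "/static/tags/terms/exampletoken0000000000000/index.html",     # token trigger
    "/manage?token=exampletoken0000000000000&auth=0000",           # management page
    "/generate",                                                   # token generator
    "/static/tags/download/exampletoken0000000000000/index.html",  # trigger that contains "/download"
]


def auth_required(target, config):
    """Return True if the request would be asked for credentials.

    config is either the string "server" (auth_basic placed at server level,
    so every request is challenged) or a regex used in a `location ~*` block.
    nginx matches such a regex case-insensitively and unanchored against the
    URI path, without the query string.
    """
    if config == "server":
        return True
    path = urlsplit(target).path or "/"
    return re.search(config, path, re.IGNORECASE) is not None


def audit(targets=REQUESTS):
    """Map each request target to the outcome under the three configurations."""
    return {
        target: {
            "server": auth_required(target, "server"),
            "proposed": auth_required(target, PROPOSED),
            "anchored": auth_required(target, ANCHORED),
        }
        for target in targets
    }


if __name__ == "__main__":
    for target, result in audit().items():
        print(result, target)
```

The last sample target shows why the unanchored pattern deserves a check after deployment: any trigger path that happens to contain one of the listed segments would be challenged and the token would stay silent.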

docker-compose up fail -

I'm sorry if there is something about. I'm already confused.
I tried to find some similar cases but nothing worked for me at all.
I checked this on Ubuntu 16.04 and 18.04.
Same problems on same VPS. Earlier was successful on different hosting.

First there is a conflict of ports which is showing for switchboard and later for nginx (resolved by some tips here - changing from 80:80 to 8080:80 and 26:25)
After that another unresolved problem with nginx:


ERROR: for nginx Cannot start service nginx: OCI runtime create failed: container_linux.go:345: starting container process caused "process_linux.go:346: sending config to init process caused "write init-p: broken pipe"": unknown

sometimes it runs differently and effects are like this:
root@vps1234567:~/canarytokens-docker# docker-compose up
redis is up-to-date
frontend is up-to-date
switchboard is up-to-date
Creating nginx ... done
Attaching to redis, frontend, switchboard, nginx
redis | 1:C 24 Sep 2019 22:14:50.454 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
redis | 1:C 24 Sep 2019 22:14:50.454 # Redis version=5.0.5, bits=64, commit=00000000, modified=0, pid=1, just started
redis | 1:C 24 Sep 2019 22:14:50.454 # Configuration loaded
redis | 1:M 24 Sep 2019 22:14:50.463 * Running mode=standalone, port=6379.
redis | 1:M 24 Sep 2019 22:14:50.463 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
redis | 1:M 24 Sep 2019 22:14:50.463 # Server initialized
redis | 1:M 24 Sep 2019 22:14:50.468 * DB loaded from append only file: 0.004 seconds
redis | 1:M 24 Sep 2019 22:14:50.468 * Ready to accept connections
frontend | rm: cannot remove 'frontend.pid': No such file or directory
frontend | DEBUG:generator_httpd:Canarydrops generator HTTPd
nginx | 2019/09/24 22:15:35 [emerg] 1#1: host not found in upstream "frontend" in /etc/nginx/nginx.conf:34
nginx | nginx: [emerg] host not found in upstream "frontend" in /etc/nginx/nginx.conf:34
switchboard | rm: cannot remove 'switchboard.pid': No such file or directory
switchboard | Could not connect to redis, bailing: Error -3 connecting to redis:6379. Temporary failure in name resolution.
switchboard | rm: cannot remove 'switchboard.pid': No such file or directory
switchboard | Could not connect to redis, bailing: Error -3 connecting to redis:6379. Temporary failure in name resolution.
switchboard | rm: cannot remove 'switchboard.pid': No such file or directory
switchboard | Could not connect to redis, bailing: Error -3 connecting to redis:6379. Temporary failure in name resolution.
switchboard | rm: cannot remove 'switchboard.pid': No such file or directory
switchboard | Could not connect to redis, bailing: Error -3 connecting to redis:6379. Temporary failure in name resolution.
switchboard | rm: cannot remove 'switchboard.pid': No such file or directory
switchboard | Could not connect to redis, bailing: Error -3 connecting to redis:6379. Temporary failure in name resolution.
switchboard | rm: cannot remove 'switchboard.pid': No such file or directory
switchboard | Could not connect to redis, bailing: Error -3 connecting to redis:6379. Temporary failure in name resolution.
switchboard | rm: cannot remove 'switchboard.pid': No such file or directory
switchboard | Could not connect to redis, bailing: Error -3 connecting to redis:6379. Temporary failure in name resolution.
switchboard exited with code 1
nginx exited with code 0
nginx exited with code 1
nginx exited with code 1
^CGracefully stopping... (press Ctrl+C again to force)

Any hope?

PDF canaries will not fly / token integration

I've installed the docker and server is working fine. But I run into a couple of issues.

I added a second domain for PDF in NXDOMAINS but tokens won't fire. The link tries to open but the response is No such resource / No such child resource and the token isn't triggered. The URL in the pdf tokenid.mydomain.com/zzzz without the post-fix /zzzzz now allows access to the (tokenid)subdomain after changes to my DNS, so tokenid.mydomain.com/ accesses tokenid.mydomain.com/#generate. The complete link itself won't work however, so somehow the /zzzzz post-fix does not register when created. A Word token URL will trigger the token and a PDF token from canarytokens.org will also trigger even if it has the same structure as my token and gives the same failure if extracted and used as a direct URL. Do I need to change anything in my DNS so that the NXDOMAINS pdf-token domain can fire, besides changing frontend.env?

Last point: any suggestions / experience on how to quickly integrate a generated token into an existing Word / PDF once I get my tokens working?

ERROR: Service 'frontend' failed to build

Hi, I have an issue during docker-compose up:

Command "/usr/bin/python -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-tIQTAC/lxml/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-Xuy3Sd-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-tIQTAC/lxml/

ERROR: Service 'frontend' failed to build: The command '/bin/sh -c pip install --no-cache-dir lxml==3.4.4' returned a non-zero code: 1

Many thanks :)

docker container not starting up

Hi, the newest version of the docker container does not start up on my server (AWS Ubuntu Linux) anymore.

"frontend" and "switchboard" continue restarting and contain errors regarding the log.logger in twistd.

Only after editing the yml and removing the log sections it starts up normally.

DIFF:
diff --git a/docker-compose.yml b/docker-compose.yml
index 51faf74..9a3a743 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -17,9 +17,8 @@ services:
- frontend.env
volumes:
- ./uploads:/uploads/

    • log-volume:/logs
      container_name: frontend
  • command: bash -c "rm frontend.pid; twistd -noy frontend.tac --logger log.logger --pidfile=frontend.pid"
  • command: bash -c "rm frontend.pid; twistd -noy frontend.tac --pidfile=frontend.pid"
    switchboard:
    build: ./canarytokens/
    restart: always
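Review bot: In the frontend command, dropping --logger log.logger together with the log-volume:/logs mount removes the custom logger instead of fixing the error it raises, so with -n twistd falls back to logging on stdout and nothing is written under /logs any more. The change description should say so, or the log.logger failure should be fixed and the option kept. The kept "rm frontend.pid" could also become "rm -f frontend.pid" so that a first start does not print an error for the missing file.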
    @@ -35,7 +34,7 @@ services:
    volumes_from:
    • frontend
      container_name: switchboard
  • command: bash -c "rm switchboard.pid; twistd -noy switchboard.tac --logger log.logger --pidfile=switchboard.pid"
  • command: bash -c "rm switchboard.pid; twistd -noy switchboard.tac --pidfile=switchboard.pid"
    nginx:
    restart: always
    image: thinkst/canarytokens_nginx
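Review bot: switchboard takes its volumes from frontend (volumes_from), so once the frontend service no longer mounts log-volume:/logs this service loses /logs as well; confirm that nothing in switchboard still expects that directory before removing --logger log.logger from its command. As with the frontend command, "rm -f switchboard.pid" would avoid the error message when the pid file does not exist.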
    @@ -47,5 +46,3 @@ services:
    • switchboard
      container_name: nginx
      command: /usr/sbin/nginx -c /etc/nginx/nginx.conf -g "daemon off;"
      -volumes:
  • log-volume:
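Review bot: Deleting the top-level volumes: / log-volume: declaration is only valid together with the removal of the log-volume:/logs mount from the frontend service, so both changes need to stay in the same commit. A named volume that was already created on the host is not deleted by this change; note in the description that it has to be removed by hand with docker volume rm if the old logs are no longer wanted.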

Using normal SMTP Mail? (not mailgun or sendgrid)

Hi All,

I've been trying for the life of me to get mails to send out via my provider's normal SMTP Server on token triggers. However, the switchboard.env file only seems to have support for Mailgun or Sendgrid.

If possible, what are the names of the variables for the switchboard.env file for SMTP Server, Username, Password, etc?

Thanks!

Manage your settings for this Canarydrop URL

hey guys, really cool !

I have the docker instance nearly fully configured, one thing I noticed is that the url given by canarydrop is still tied to http://canarytokens.org

so, if I have it set up on abc123.com in my email I will see

`One of your canarydrops was triggered.

Channel: HTTP
Time : 2015-11-27 04:21:44.045019
Memo : lol
Source IP : 127.0.0.1
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Manage your settings for this Canarydrop:
http://canarytokens.org/manage?token=fgmb0x5iy3s29rkdhvrvq8cm1&auth=eca1a0a47c8ce7d0704758b6c920733f `

and perhaps it should be

`One of your canarydrops was triggered.

Channel: HTTP
Time : 2015-11-27 04:21:44.045019
Memo : lol
Source IP : 127.0.0.1
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Manage your settings for this Canarydrop:
http://abc123.com/manage?token=fgmb0x5iy3s29rkdhvrvq8cm1&auth=eca1a0a47c8ce7d0704758b6c920733f `

Email server settings?

Hi Folks,

Not sure if I have missed it, but how do I set up custom email server settings to send a mail from? If I don't want to use default API settings for mailgun and instead would like to use my internal email server, where do I define that?

TIA
Blason R

Cannot get Canarytokens working on Custom Domain

I'd like to know more about setting up a custom domain to work with canarytokens.
I've followed the docker install procedure and the web bugs and QR code work fine, but DNS tokens, SMTP and PDF don't.

Here are the logs that I get for different cases:

Web Bugs: NGINX logs
nginx          | <ip-address> - - [30/Sep/2016:08:28:46 +0000] "GET /static/tags/terms/wum4tq19yd0qhzmg4p3brkqn5/index.html HTTP/1.1" 200 66 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"

Web Bugs: Switchboard logs
2016-09-30 08:28:45+0000 [HTTPChannel,0,172.18.0.5] {'src_ip': '<ip-address>', 'useragent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36', 'referer': None, 'location': None}
2016-09-30 08:28:45+0000 [-] {'body': '\n\nOne of your canarydrops was triggered.\n\nChannel: HTTP\nTime   : 2016-09-30 08:28:45.747651\nMemo   : Memo Text\nSource IP: <ip-address>\nUser-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36\n\nManage your settings for this Canarydrop:\nhttp://<domain>/manage?token=wum4tq19yd0qhzmg4p3brkqn5&auth=6664a7601c23062e32b6fd700fe212f2\n', 'from_display': '"ALERT Canarytokens"', 'from_address': '<email address>', 'subject': '"ALERT - StationX Canarytoken Triggered"'}
2016-09-30 08:28:46+0000 [HTTPChannel,0,172.18.0.5] Sent alert to <email> for token wum4tq19yd0qhzmg4p3brkqn5
2016-09-30 08:28:46+0000 [HTTPChannel,0,172.18.0.5] "Could not get a fortune: Command '/usr/games/fortune' returned non-zero exit status 1"
2016-09-30 08:28:46+0000 [-] "172.18.0.5" - - [30/Sep/2016:08:28:43 +0000] "GET /static/tags/terms/wum4tq19yd0qhzmg4p3brkqn5/index.html HTTP/1.0" 200 55 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"

These work, but PDF tokens and DNS don't.

PDF Tokens: NGINX logs
nginx          | <ip-address> - - [30/Sep/2016:08:30:01 +0000] "GET /EMYOTBSJOIYDIOEHIXVNAIXLONGJEBV HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"

PDF Tokens: Switchboard logs
2016-09-30 08:30:02+0000 [HTTPChannel,3,172.18.0.5] 'Error in render GET: No Canarytoken found in /favicon.ico'
2016-09-30 08:30:02+0000 [-] "172.18.0.5" - - [30/Sep/2016:08:30:01 +0000] "GET /favicon.ico HTTP/1.0" 200 55 "http://wum4tq19yd0qhzmg4p3brkqn5.<domain>.com/EMYOTBSJOIYDIOEHIXVNAIXLONGJEBV" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"

In the case of DNS tokens, I cannot see any entry in any of the logs.
For SMTP Tokens, the email delivery fails.

Any help regarding the setup of the domain would be seriously appreciated.
Thanks

'frontend' failed to build

This is the error that I receive. Any thoughts on this, guys?

Could not find a version that satisfies the requirement setuptools (from versions: )
No matching distribution found for setuptools
ERROR: Service 'frontend' failed to build: The command '/bin/sh -c pip install -U setuptools' returned a non-zero code: 1

Hidden channels and users

Hi,

While I was digging into the code I noticed there is some functionality (like twilio, linkedin, imgur channels, also users auth) which is hidden from the web UI when using the docker container. Just out of curiosity, are you planning to enable them, or is it functionality of the full/paid version of canarytokens, or what?
If it's available in full version, can you share a list of diffs between full and this version?
Thanks!

ERROR: server DNS address could not be found with PDF token.

I already set up my CanaryTokens server as guided by the README file.
However, the PDF token does not trigger. When opening the PDF file in web browser, it seems like it cannot find where the CanaryTokens server is.

So my questions are:
Do we need to run a separate DNS server for this purpose?
What type of DNS record (i.e., A or NS) should we point the second domain to?

P/s: currently, I have both domain names pointing to the IP address of the CanaryTokens server. (Please let me know if this setting is incorrect.)

Systemd and a blocked/already in use port 53

Hi
Previously I have installed the Docker image on Ubuntu 16.04, where it works. To be compliant though, it has to run on 18.04.
I know the following may not be caused by your software, but I must admit that I'm unable to solve it myself so I have to ask ...
I installed the server a few days ago, so the software is brand new from github (both canarytokens and canarytokens-docker).

The problem is a clash between the Canary software, which listens on port 53, and systemd-resolved, which does the same.
The symptom is seen in:
docker-compose up
...
...
Starting frontend ... done
Starting switchboard ...
Starting switchboard ... error

  ERROR: for switchboard  Cannot start service switchboard: driver
  failed programming external connectivity on endpoint switchboard
  (c914c1d34eb093d9e0b6ecc3354cdf7dac94a55fbeec103aa433f6f295a6c235):
  Error starting userland proxy: listen **tcp 0.0.0.0:53: bind: address
  already in use**

  ERROR: for switchboard  Cannot start service switchboard: driver
  failed programming external connectivity on endpoint switchboard
  (c914c1d34eb093d9e0b6ecc3354cdf7dac94a55fbeec103aa433f6f295a6c235):
  Error starting userland proxy: listen tcp 0.0.0.0:53: bind: address
  already in use
  ERROR: Encountered errors while bringing up the project.

"Who" is using the port ?
fuser 53/tcp
53/tcp: 5138

ps -ef | grep 5138
systemd+ 5138 1 0 10:10 ? 00:00:00 /lib/systemd/systemd-resolved
root 5161 3920 0 10:10 pts/0 00:00:00 grep --color=auto 5138

So systemd-resolved is using the port !!

I have found solutions that tell me to edit /etc/systemd/resolved.conf and disable the DNSStubListener. I set
DNSStubListener=no
and restart systemd-resolved
systemctl restart systemd-resolved

What this does is that it DOES allow me to start the canary application, but it ALSO results in DNS resolution on the host no longer working.
ping github.com
ping: github.com: Temporary failure in name resolution

By examining the output.txt file (generated by channel_dns.py) I see
Query('check.torproject.org', 1, 1)
Query('check.torproject.org', 1, 1)
Query('check.torproject.org', 1, 1)
Query('check.torproject.org', 1, 1)
Query('github.com', 1, 1)
Query('github.com', 28, 1)
Query('github.com', 1, 1)
Query('github.com', 28, 1)
Query('ubuntu.com', 1, 1)
Query('ubuntu.com', 28, 1)
so the docker image DOES pick up requests made on the host.

It may be a side track, but I think, that channel_dns.py should handle
requests made on the host. Has it anything to do with the commented call
to _do_dynamic_response?

Kind regards Niels
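
The state described in the issue above, as an added shell example (not part of the original issue or the project's code): it classifies the port-53 situation from the contents of resolved.conf and resolv.conf. The function names and the sample files are constructed for illustration; /run/systemd/resolve/resolv.conf is the standard file systemd-resolved maintains with the real upstream servers.

```shell
#!/usr/bin/env bash
# Added example: classify the port-53 state from the two files involved.
# Paths are arguments so the check can run on copies of the real files.

# Effective DNSStubListener value; commented-out lines are ignored, the last
# assignment wins, and the systemd default is "yes".
stub_listener_setting() {
    local conf="$1" value
    value=$(sed -n 's/^[[:space:]]*DNSStubListener[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)
    printf '%s\n' "${value:-yes}" | tr '[:upper:]' '[:lower:]'
}

# True when the host's own lookups are sent to the 127.0.0.53 stub address.
uses_stub_resolver() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.53([[:space:]]|$)' "$1"
}

diagnose_port53() {
    local conf="${1:-/etc/systemd/resolved.conf}" resolv="${2:-/etc/resolv.conf}"
    case "$(stub_listener_setting "$conf")" in
        no|n|false|f|off|0)
            if uses_stub_resolver "$resolv"; then
                # Stub is off, yet the host still asks 127.0.0.53:53, which the
                # published container port now receives (the output.txt entries).
                # Usual remedy: make /etc/resolv.conf point at
                # /run/systemd/resolve/resolv.conf, which lists the real upstreams.
                echo "broken-resolution"
            else
                echo "ok"    # port 53 is free and the host uses real upstream servers
            fi ;;
        *)
            # yes/udp/tcp: resolved holds 127.0.0.53:53, so a 0.0.0.0:53 bind fails
            echo "port-conflict" ;;
    esac
}

# Constructed sample files reproducing the state reported in the issue.
demo=$(mktemp -d)
printf '[Resolve]\nDNSStubListener=no\n' > "$demo/resolved.conf"
printf 'nameserver 127.0.0.53\noptions edns0\n' > "$demo/resolv.conf"
diagnose_port53 "$demo/resolved.conf" "$demo/resolv.conf"   # broken-resolution
rm -rf "$demo"
```

Called without arguments, `diagnose_port53` reads the live /etc/systemd/resolved.conf and /etc/resolv.conf.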
