Honeypot Sensor Runbook
AWS Lightsail honeypot sensor running OpenCanary and the crabkey ingest pipeline to detect and log unauthorized access attempts.
Source: asset-registry.yaml; host: 3.230.47.213 (AWS Lightsail); OpenCanary/crabkey ingest; Phenom honeypot sensor
What it is
The honeypot sensor at 3.230.47.213 is an AWS Lightsail instance running OpenCanary and the crabkey ingest pipeline in the us-east-1 region. It emulates vulnerable services (SSH, HTTP, FTP, etc.) to attract and log unauthorized access attempts, port scans, and credential stuffing. Alert data feeds into the NEST Ops monitoring stack and the ghostmode surveillance system. This is a security asset – treat its IP as sensitive and do not advertise it.
Deployment chain
| Layer | Value |
|---|---|
| IP | 3.230.47.213 (static, AWS Lightsail) |
| Region | us-east-1 |
| AWS profile | phenom |
| Hosting | AWS Lightsail instance |
| Software | OpenCanary honeypot daemon + crabkey ingest |
| Alert destination | NEST Ops / ghostmode surveillance pipeline |
| DNS | No public DNS record (intentional – bare IP only) |
Common operations
SSH to the honeypot instance
# Use the Lightsail SSH key (from pass or AWS console):
ssh -i ~/.ssh/phenom-lightsail.pem ubuntu@3.230.47.213
Check OpenCanary status
ssh -i ~/.ssh/phenom-lightsail.pem ubuntu@3.230.47.213 \
"sudo systemctl status opencanaryd"
# Expected: active (running)
Restart OpenCanary
ssh -i ~/.ssh/phenom-lightsail.pem ubuntu@3.230.47.213 \
"sudo systemctl restart opencanaryd && sudo systemctl status opencanaryd"
View recent honeypot alerts
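# opencanary.log holds one JSON object per line, so json.tool needs --json-lines (Python 3.8+):
ssh -i ~/.ssh/phenom-lightsail.pem ubuntu@3.230.47.213 \
"sudo tail -100 /var/log/opencanary.log | python3 -m json.tool --json-lines | grep -E 'src_host|dst_port|logtype' | head -60"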
Check crabkey ingest service
ssh -i ~/.ssh/phenom-lightsail.pem ubuntu@3.230.47.213 \
"sudo systemctl status crabkey-ingest"
# Expected: active (running)
# Restart if needed:
ssh -i ~/.ssh/phenom-lightsail.pem ubuntu@3.230.47.213 \
"sudo systemctl restart crabkey-ingest"
Check Lightsail instance status via AWS CLI
aws lightsail get-instance \
--instance-name phenom-honeypot \
--profile phenom \
--region us-east-1 \
--query 'instance.{State:state.name,PublicIP:publicIpAddress,CPU:hardware.cpuCount,RAM:hardware.ramSizeInGb}'
Reboot the Lightsail instance
aws lightsail reboot-instance \
--instance-name phenom-honeypot \
--profile phenom \
--region us-east-1
Review Lightsail firewall rules
aws lightsail get-instance-port-states \
--instance-name phenom-honeypot \
--profile phenom \
--region us-east-1
# Verify that only the intended honeypot ports are open to the public, and that real admin ports are not
Verify it is working
# Check OpenCanary log is receiving events (any recent entry = sensor active):
ssh -i ~/.ssh/phenom-lightsail.pem ubuntu@3.230.47.213 \
"sudo tail -5 /var/log/opencanary.log"
# Expected: recent JSON log lines with timestamps within the last few hours
# Check Lightsail instance is running:
aws lightsail get-instance \
--instance-name phenom-honeypot \
--profile phenom \
--region us-east-1 \
--query 'instance.state.name' \
--output text
# Expected: "running"
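The freshness check above can be scripted so that it also summarizes who is probing the sensor. The following is an added example, not part of the original runbook or of OpenCanary: it assumes each log line is a JSON object with `utc_time` (or `local_time`), `src_host`, `dst_port` and `logtype` fields, that the instance clock is UTC, and it uses the 24-hour silence threshold from the failure-mode table as its default. The function names and sample lines are constructed for illustration.

```python
import json
import sys
from collections import Counter
from datetime import datetime, timedelta, timezone
from pathlib import Path

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # assumed timestamp layout of utc_time/local_time

# Constructed sample lines (documentation-range IPs), not real sensor data.
SAMPLE = [
    '{"logtype": 1001, "src_host": "", "dst_port": -1, "utc_time": "2024-05-01 08:00:00.000000"}',
    '{"logtype": 4002, "src_host": "203.0.113.7", "dst_port": 22, "utc_time": "2024-05-01 09:15:02.120000"}',
    '{"logtype": 4002, "src_host": "203.0.113.7", "dst_port": 22, "utc_time": "2024-05-01 09:15:04.500000"}',
    '{"logtype": 3000, "src_host": "198.51.100.23", "dst_port": 80, "local_time": "2024-05-01 10:30:00.000001"}',
    '{"logtype": 2000, "src_host": "198.51.100.23", "dst_po',  # line truncated by rotation
]

def parse_events(lines):
    """Yield (timestamp, event) per valid JSON line; skip blank or corrupt lines."""
    for line in lines:
        try:
            event = json.loads(line)
            stamp = event.get("utc_time") or event["local_time"]
            yield datetime.strptime(stamp, TS_FORMAT), event
        except (ValueError, KeyError, TypeError, AttributeError):
            continue

def sensor_health(lines, now, max_silence=timedelta(hours=24)):
    """Report log freshness plus the busiest sources and ports among probe events."""
    events = list(parse_events(lines))
    # Assumption: OpenCanary's own startup records carry an empty src_host.
    probes = [e for _, e in events if e.get("src_host")]
    latest = max((ts for ts, _ in events), default=None)
    return {
        "latest": latest,
        "stale": latest is None or now - latest > max_silence,
        "top_sources": Counter(e["src_host"] for e in probes).most_common(5),
        "top_ports": Counter(e.get("dst_port") for e in probes).most_common(5),
    }

if __name__ == "__main__":
    # With a path argument, read that log; otherwise use the constructed sample.
    lines = Path(sys.argv[1]).read_text().splitlines() if len(sys.argv) > 1 else SAMPLE
    now = datetime.now(timezone.utc).replace(tzinfo=None)  # naive UTC, matching the log
    print(sensor_health(lines, now))
```

A `stale` result of `True` corresponds to the "No alerts for 24+ hours" row in the failure-mode table; a single address dominating `top_sources` is the starting point for the scanner allowlist review.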
Common failure modes
| Symptom | Likely cause | Remediation |
|---|---|---|
| No alerts for 24+ hours | OpenCanary crashed or log rotation issue | SSH in; check systemctl status opencanaryd; restart if needed |
| False-alert flood (crabkey) | Legitimate scanner (Shodan, Censys) triggering events | Review alert source IPs; add known scanner IPs to allowlist in crabkey config |
| SSH to honeypot refused | Lightsail firewall blocking admin SSH port | Verify Lightsail firewall rules allow your IP on port 22 |
| Instance unreachable | Lightsail stopped or IP changed | Check Lightsail console; verify static IP still attached |
| crabkey ingest failing | NEST Ops endpoint unreachable or auth token expired | Check crabkey config for endpoint URL and token; restart service after fix |
| High CPU / OOM | Log file too large or OpenCanary memory leak | Rotate logs; restart OpenCanary; consider upgrading instance plan |