Ask Slashdot: FTP Server Honeypots?
An anonymous reader writes "I run an FTP server for a few dozen people, and it seems like every week I have a random IP address connect to my box and try guessing 'Administrator' passwords once every five seconds or so. This poses no real risk to me, since all my accounts have custom (uncommon) names. But if this is happening to me, I would wager lots of people are at risk of low level, persistent, long term password cracking attempts. Is there a way to report the perpetrators, or any action we can take to address this kind of danger?"
Really, that's the short answer.
About all you can do is briefly connect the Ethernet to a power outlet and hope that the tubes carry the high voltage across the interweb and fry their equipment. Of course, timing is everything.
You can pwn their box...
Seriously though, if you report something like this to the Police in the UK they'll look at you like you're mad, so if they won't listen to the victim, why would they listen to a victim of revenge?
I'm pretty sure that qualifies as unauthorized computer access and you could just hand over the IP addresses to the FBI.
They could easily be zombies or proxies you're seeing, especially zombies since it sounds automated.
I've used Fail2ban in the past:
http://www.fail2ban.org/wiki/index.php/Main_Page
1. Require your users to connect using SFTP.
2. Implement a signed certificate with the SFTP server and share the cert file only with authorized individuals
Proactively? Not really. The systems used for this are typically overseas, in countries that more or less don't care.
However, you -can- configure your server to disregard even initial connection attempts from specific ranges of IP addresses. I solved a lot of this on my own home FTP server by (sorry comrades) telling my server to ignore connection attempts from Russia and China.
Upon doing so, it went from a daily occurrence, to maybe one attempt a month. Usually less.
And, if a friend ever needs to FTP in from one of these countries, it's a simple enough rule change.
I had a few meetings with local FBI cyber people, and they recommended that I send things like that to either DISA or to them (the local field office for my area). Contact your local FBI field office and see what they say. If you can talk to their cyber division they are usually helpful. (usually...)
Welcome to the internet, not sure what took you so long to find it, but we're glad you did.
You could probably tweak it to work with FTP. It just parses the logs and looks for failed attempts, and blocks any IPs that have too many failures.
This is great. We were thinking we might have to tell the kids that things were not looking too secure. Now we can tell them that our rulers have come to their senses, and the truth is going to help us out of our foibles. So that's really good news.
I always found that honeypots also attracted MORE attention to the network, rather than serving as a tool of defense.
Essentially, even if you did get the police involved to the point where they could trace the hackers, chances are they are using some type of Tor technology, and the ones that aren't, the Little Bobby Tables of the world, probably aren't worth prosecuting.
Save yourself the headache and forgo the unnecessary risk and stress of honeypotting.
Hi, I Boris. Hear fix bear, yes?
I would recommend that you use SSH/SFTP instead of FTP. FTP is one of those old standards made before people realized that they could sniff networks and pull login names and passwords.
FTP and Telnet are simple protocols from that era; if you are worried about security, use HTTPS, SSH and SFTP.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
not at all, but we know that our lives are more important than business deals, or keeping secrets
Disclaimer: $dayjob supports them with a base VPS.
You could *cough* retaliate *cough*. I have done this before: if the person is using premade scripts, you could accidentally have an unsecured area or a simple password like "Fish" with a data file infected with a virus. Hackers generally download everything they have access to.
Try Denyhosts (http://denyhosts.sourceforge.net/). It's not a honeypot but it will ban an address that keeps trying to log in with an invalid password. Better yet, have your users make longer passwords :)
Easier than banning every overseas IP, IMHO anyway. This is what I do for SSH:
# Allow SSH with a rate limit
iptables -A INPUT -i ppp0 -p tcp --syn --dport 22 -m hashlimit --hashlimit 15/hour --hashlimit-burst 3 --hashlimit-htable-expire 600000 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --syn --dport 22 -j LOG --log-prefix "[DROPPED SSH]: "
iptables -A INPUT -i ppp0 -p tcp --syn --dport 22 -j DROP
There may be a more elegant way to do this but it gets the job done.
We are the United States Government! We don't do that sort of thing.
Seriously. Read the HBGary emails dumped by Anonymous. The guy was running crack programs against people he found on IRC.
And this was a federal government contractor with millions in income.
It's only the tip of the iceberg.
James Bamford's book The Shadow Factory describes specifically how their new system, Turbulence, provides 'offensive' capabilities.
(coincidentally, two of the documents that whistleblower Thomas Drake is under Espionage Act indictment for were related to Turbulence)
SSH blacklist watches the SSH authentication requests. Once the attempts exceed a configurable threshold, I write those source addresses to an iptables rule that blacklists them.
I've blacklisted 133,649 unique IP addresses since starting back in 2009. BTW, zero actually got in :). Also, 95% source from Asia; I'm in California, US.
I have a personal server behind a firewall that only allows SSH connections through. After a while I got literally hundreds of login attempts for root, postmaster etc every day. There was no way anyone was going to get in this way since all but a few trusted user accounts were disallowed and password login was disabled but it was still annoying me. I switched from port 22 to some other random port and the problem went away. Presumably the zombies or script kiddies scan the net more or less randomly for standard services and so far they haven't found me again.
I'm saying there are probably a lot of people who work for the government who are doing a lot of 'testing' of their little toys on the unwitting civilian population. Nothing makes this more clear than the HBGary emails.
Jailed FTP server with fake plans for missiles and stuff on it. Six months and $1 million later, they fire it up and bubble-gum comes out the nozzle.
Personally I use the lfd daemon with the csf firewall script on my servers. fail2ban is similar.
People should not get unlimited attempts to connect to your services.
At the same time, you don't want to clog up your firewall rules with thousands of denied IPs, so I usually set the filter rather high so it will not impact real users (you would be surprised how many users need 10 or 15 attempts to guess their password if they forgot) but only people really performing a serious brute force password guessing attack.
Also you can use temporary to permanent blocking, where the perp is banned temporarily and rolls off the firewall ban after a few days when he has lost interest, and is only banned permanently if the attacks continue over a longer period.
You say this poses no real risk to you, because your passwords are immune to dictionary attacks. But ftp sends passwords in cleartext, so it actually does pose a risk to you if someone is able to sniff your packets on the public internet.
But anyway, if you feel that the risk to you is insignificant, then why are you asking the question? Are you asking it on behalf of other people who might want to security-harden their ftp servers? If those people are worried, why wouldn't they have already switched from ftp to sftp? And if they're running sftp, they can protect against attacks of the type you're describing by installing denyhosts: http://denyhosts.sourceforge.net/ Denyhosts does have a cooperative blacklisting facility of the type you were asking about.
I could be wrong, but since ftp is inherently insecure, I would be surprised if someone had created software with the same functionality as denyhosts that would work with ftp. That would be like retrofitting a tricycle to make it supersonic.
Fail2ban is your friend.... http://www.fail2ban.org/
OSSEC will block IPs for however long you'd like when they fail on multiple SSH logins. I would assume it can be set up for FTP as well.
Unless you're being fiscally damaged this isn't even news, just everyday IT whereabouts.
Most automated scans will not take the time to scan for open ports. (that I have experienced)
Also consider FTP with SSL / TLS like what can be done with vsftpd. http://vsftpd.beasts.org/
As mentioned elsewhere in this thread consider using Fail2ban which is easily configured for monitoring failed attempts at connecting to your server and can then block the IP after a configurable threshold is reached.
You can reverse lookup the IP address, find out who owns the netblock and then report it to abuse@ the ISP that owns the block; it's normally against their terms of service. I once did this to a good ISP who cut a script kiddie off.
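The lookup-then-report step in the post above, written out as an added example (not code from the thread). A real run would feed the output of `whois <ip>` into these functions; here two constructed records are embedded, one in ARIN style (OrgAbuseEmail) and one in RIPE/APNIC style (abuse-mailbox), plus one that only mentions the mailbox in a remarks line, so the fallback path is exercised. All addresses, netblocks and mailboxes are documentation values, and the report wording is this example's own.

```python
"""Find the abuse contact for an attacking address in whois output and
draft the report. Added example; the records below are constructed."""
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_whois(text):
    """'key: value' lines -> {lowercased key: [values]}; comment lines skipped."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("%", "#")):
            continue
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def abuse_contact(text):
    """Prefer the registry's dedicated abuse field, then any abuse@ mailbox
    mentioned anywhere in the record (remarks lines are common)."""
    fields = parse_whois(text)
    for key in ("abuse-mailbox", "orgabuseemail"):
        if key in fields:
            return fields[key][0]
    for values in fields.values():
        for value in values:
            for addr in EMAIL_RE.findall(value):
                if addr.lower().startswith("abuse@"):
                    return addr
    return None


def netblock(text):
    fields = parse_whois(text)
    for key in ("inetnum", "netrange", "cidr"):
        if key in fields:
            return fields[key][0]
    return None


def abuse_report(attacker_ip, whois_text, log_lines, reporter):
    """Build the message: recipient, subject and a body carrying the evidence.
    Returns None when the record names no abuse mailbox at all."""
    to = abuse_contact(whois_text)
    if to is None:
        return None
    body = "\n".join([
        "Repeated failed FTP logins from %s (your block %s)."
        % (attacker_ip, netblock(whois_text)),
        "Log excerpt, server clock in UTC:",
        "",
        *log_lines,
        "",
        "Reported by %s" % reporter,
    ])
    return {"to": to,
            "subject": "Brute-force login attempts from %s" % attacker_ip,
            "body": body}


ARIN_SAMPLE = """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-NET
OrgName:        Example Hosting LLC
OrgAbuseHandle: EXA-ARIN
OrgAbuseEmail:  abuse@example.net
"""

RIPE_SAMPLE = """\
% constructed RIPE-style record
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-TRANSIT
country:        ZZ
e-mail:         noc@example.org
abuse-mailbox:  abuse@example.org
"""

REMARKS_SAMPLE = """\
inetnum:        203.0.113.0 - 203.0.113.255
remarks:        please send abuse reports to abuse@example.com
e-mail:         hostmaster@example.com
"""

SAMPLE_LOG = [   # constructed vsftpd-style lines
    'Tue Sep 18 12:00:05 2012 [pid 2002] [Administrator] FAIL LOGIN: Client "192.0.2.44"',
    'Tue Sep 18 12:00:10 2012 [pid 2003] [Administrator] FAIL LOGIN: Client "192.0.2.44"',
]

if __name__ == "__main__":
    report = abuse_report("192.0.2.44", ARIN_SAMPLE, SAMPLE_LOG, "ftpadmin@example.com")
    print(report["to"], "|", report["subject"])
    print(report["body"])
```

Include timestamps with an explicit timezone in what you send; the abuse desk has to match your lines against its own NAT or DHCP logs, and a report without a timezone is the first thing that gets dropped.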
Is there a way to report the perpetrators, or any action we can take to address this kind of danger?
Not really, this is probably just an automated attempt to get access. Googling "how to maek an ftp server secure" is probably the best you can do here.
Try running an SSH server, you'll have people (bots) hammering it all the time, constantly. We just disable password based access and block any IPs engaging in overtly suspicious behaviour.
If your security is even modest as far as passwords there is no need to worry. More sophisticated attacks using coordinated bot nets are the really scary thing but can be countered by limiting the number of login attempts a second/minute. But it's all just extended dictionary attacks. Only someone really dedicated does brute force. This is the equivalent of someone going through a parking lot and checking to see if anyone left their door unlocked and or keys inside their car. If you can just change the port used for ftp, it cuts it down by 99 percent.
The problem is the bandwidth. You have to pay for it anyway. Even if your server doesn't acknowledge it. Someone really dedicated using a bot net can easily give you overage charges.
Option 1 - set an access list on your border router and permit connections only from the networks of your users
Option 2 - eliminate FTP externally, make everyone connect via VPN and run FTP internally.
Option 3 - Option 1 plus SFTP rather than FTP.
There are more options of course. There are ways to mitigate the number of attacks, but you have to research and implement them. Good luck!
I use fail2ban and have it set for 3 strikes and yer out for a week.
When I see the failed login attempts to SSH or FTP, I set up a script to log in to their computer as user fuckyou over and over.
1/2 the attempts originate from China, 1/4 from the Ukraine, 1/8 from Arab countries (not exact but close)
Transfer everything to sftp, use keys and turn off user/pass authentication... It's as simple as that... Then they can keep guessing the password till the rest of their lives :)
retrofitting a tricycle to make it supersonic.
I like your ideas. Do you have a newsletter I could subscribe to?
That would be like retrofitting a tricycle to make it supersonic.
So you're saying it would be totally awesome?
I have used fail2ban for years. Very effective and even stopped DDOS attacks against my ssh server
http://www.fail2ban.org/wiki/index.php/Main_Page
Like you, I saw the same thing. That said, I also configured my system to respond as though it was a Windows 2000 server, when in reality it was a linux box, so it could try guessing "administrator" all it wants.... That said, I also wrote a script and cron job to parse all the access logs, keep counts of failed login attempts by IP address, subnet, and ISP block, and when they hit certain thresholds, update my firewall rules to reject all connections to that address, subnet, and ISP. I saw a lot of stuff coming out of China and Hong Kong for a long time there (probably other compromised systems), but I am not too worried.
Let's see how stupid they are. Find a nasty virus variant, package it in a file called Kiddy_Porn.exe and drop it on your server. Set up an account with the login Administrator:Password and have that account point to just this file. Maybe put some others in a directory to give it some legitimacy.
Monitor your logs and laugh your butt off when you see get /kiddy_porn.exe
and it seems like every week I have a random IP address connect to my box and try guessing 'Administrator' passwords once every five seconds or so.
So, your week lasts for about 5 seconds?
Unless you're running an anonymous FTP to download Linux ISOs or something there's no need for it.
Cyberduck for OS X, FileZilla for Windows, and gFTP all do SFTP and are free. If you're already using SFTP then only allow specific users and disable root access. Key authentication is ideal like others have mentioned but sometimes a hassle.
The first (and hopefully last time) I was rooted was in '99 on a Redhat box through FTP using a buffer overflow. Since then I learned my lesson.
The longer answer is do anything you want. I highly recommend spending a lot of time to configure an "administrator" login. Then have it take one to a fake directory with nothing important. Wait until that IP drops off the inevitable giant pile of files to be shared with other people, and then when all the stuff is uploaded. Disable it and keep the files. It seems like pretending to be there for a short while could get you many gigabytes of something. It would be like peer to peer in reverse.
Block by country dynamically: https://github.com/bugi/iptables-by-country
It's a bit cobbled together, but it works for me.
Really, it is about time we came up with some good ideas to try to prevent this sort of thing. We see it on blogs (backlink spam), we see it on SMTP, we see it on RDP, we see it on websites, we see it on Outlook Web Access, we see it on almost every service!
Either use Fail2Ban or DenyHosts, assuming you are using some sort of Linux/Unix server. Both of them allow you to set thresholds so that they block further attempts from that particular IP for a preset amount of time. So you can set something like:
- if username is valid, allow 5 password attempts, then ban for 10 minutes
- if username is invalid, allow 2 attempts, then ban for 30 minutes
- if username is root or admin, block the IP until the world ends (which is two days from now, apparently)
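The tiered policy in the post above, together with the temporary-to-permanent escalation the csf/lfd post earlier in the thread describes, as an added example (not the code of fail2ban, DenyHosts or lfd). It replays vsftpd-style `FAIL LOGIN` lines and returns a ban decision per source: valid username, 5 failures inside a 10-minute window, 10-minute ban; unknown username, 2 failures, 30-minute ban; root/admin/Administrator, permanent at once; and a source that collects three temporary bans is made permanent. The log lines, the account list, the window length and the escalation count are constructed for the example.

```python
"""Tiered lockout policy over FTP login failures. Added example; the sample
log, the valid-user list and the tuning values are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# vsftpd log line shape, e.g.
#   Tue Sep 18 12:00:05 2012 [pid 2002] [alice] FAIL LOGIN: Client "198.51.100.9"
FAIL_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"'
)

PERMANENT = "permanent"
ADMIN_NAMES = {"root", "admin", "administrator"}
WINDOW = timedelta(minutes=10)      # failures older than this are forgotten
ESCALATE_AFTER = 3                  # the third temporary ban becomes permanent
# class -> (failures allowed inside WINDOW, ban length; PERMANENT never expires)
POLICY = {
    "admin":   (1, PERMANENT),
    "invalid": (2, timedelta(minutes=30)),
    "valid":   (5, timedelta(minutes=10)),
}
VALID_USERS = {"alice", "bob"}      # constructed account list


def parse(line):
    """Return (timestamp, user, ip) for a FAIL LOGIN line, else None."""
    m = FAIL_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["user"], m["ip"]


def classify(user, valid_users):
    if user.lower() in ADMIN_NAMES:
        return "admin"
    return "valid" if user in valid_users else "invalid"


def evaluate(lines, valid_users):
    """Replay log lines in order; return {ip: ban expiry datetime or PERMANENT}."""
    recent = defaultdict(list)      # (ip, class) -> failure times inside WINDOW
    temp_bans = defaultdict(int)    # ip -> temporary bans issued so far
    bans = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, user, ip = rec
        if bans.get(ip) == PERMANENT:
            continue
        cls = classify(user, valid_users)
        bucket = recent[(ip, cls)]
        bucket.append(ts)
        bucket[:] = [t for t in bucket if ts - t <= WINDOW]
        allowed, length = POLICY[cls]
        if len(bucket) < allowed:
            continue
        bucket.clear()              # start counting afresh after a ban
        if length is PERMANENT:
            bans[ip] = PERMANENT
        else:
            temp_bans[ip] += 1
            bans[ip] = PERMANENT if temp_bans[ip] >= ESCALATE_AFTER else ts + length
    return bans


def hosts_deny_lines(bans):
    """Render the bans as tcp_wrappers hosts.deny entries for the vsftpd daemon."""
    return ["vsftpd: %s" % ip for ip in sorted(bans)]


SAMPLE_LOG = """\
Tue Sep 18 12:00:00 2012 [pid 2001] [Administrator] FAIL LOGIN: Client "203.0.113.7"
Tue Sep 18 12:00:05 2012 [pid 2002] [alice] FAIL LOGIN: Client "198.51.100.9"
Tue Sep 18 12:00:10 2012 [pid 2003] [alice] FAIL LOGIN: Client "198.51.100.9"
Tue Sep 18 12:00:15 2012 [pid 2004] [alice] FAIL LOGIN: Client "198.51.100.9"
Tue Sep 18 12:00:25 2012 [pid 2006] [alice] FAIL LOGIN: Client "198.51.100.9"
Tue Sep 18 12:00:30 2012 [pid 2007] [alice] FAIL LOGIN: Client "198.51.100.9"
Tue Sep 18 12:01:00 2012 [pid 2008] [test] FAIL LOGIN: Client "192.0.2.44"
Tue Sep 18 12:01:05 2012 [pid 2009] [guest] FAIL LOGIN: Client "192.0.2.44"
Tue Sep 18 12:02:00 2012 [pid 2010] [ftp] FAIL LOGIN: Client "192.0.2.44"
Tue Sep 18 12:02:05 2012 [pid 2011] [www] FAIL LOGIN: Client "192.0.2.44"
Tue Sep 18 12:03:00 2012 [pid 2012] [oracle] FAIL LOGIN: Client "192.0.2.44"
Tue Sep 18 12:03:05 2012 [pid 2013] [backup] FAIL LOGIN: Client "192.0.2.44"
Tue Sep 18 12:00:00 2012 [pid 2014] [bob] FAIL LOGIN: Client "198.51.100.10"
Tue Sep 18 12:01:00 2012 [pid 2015] [bob] FAIL LOGIN: Client "198.51.100.10"
Tue Sep 18 12:02:00 2012 [pid 2016] [bob] FAIL LOGIN: Client "198.51.100.10"
Tue Sep 18 12:03:00 2012 [pid 2017] [bob] FAIL LOGIN: Client "198.51.100.10"
Tue Sep 18 12:30:00 2012 [pid 2018] [bob] FAIL LOGIN: Client "198.51.100.10"
"""

if __name__ == "__main__":
    for ip, until in sorted(evaluate(SAMPLE_LOG.splitlines(), VALID_USERS).items()):
        print(ip, until)
```

In the sample, the Administrator guess is blocked on the first failure, alice's five failures from one source earn a ten-minute ban, the source cycling through made-up usernames picks up two short bans and is then dropped for good, and bob's forgetful source never trips the threshold because its fifth failure falls outside the window. The counters are keyed per source and per class, so a real user on a NAT shared with a scanner is not punished for the scanner's invalid-name guesses.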
We had a dictionary attack recently where a bot group with unrelated addresses tried to log in to our 3rd party NAS. The NAS had a guessable admin name (but fortunately, a long and complex password. Our sysadmin is paranoid - I like him).
Simple user/password authentication, with no inbuilt three-strikes lockout (wtf? Cheeeep...) It was coming in via IAS vector. Simple fix for us, we shut down IAS on the affected machine. YMMV.
But there's a hint -- if you buy a cheap 3rd party NAS, you have to secure that sucker.
I wrote a (T)FTP server that after 6 tries gives the user a 6 minute delay; after another 10 tries another delay (15 minutes) is applied, but after 20 to 30 (pseudo-random) total failed attempts in one day, the user (regardless of username) is given what seems like access to the system. They can list a limited set of small "files and directories", although none actually exist, and all simulated file contents are mundane, boring, and severely rate limited.
Only one fake "guest" account is allowed at a time, any new intruders gaining access cause the previous guest connection to disconnect.
I've resisted removing the "honeypot" since I've observed several interesting effects due to this "feature":
"Oh, this again? We could use more funding for better servers, oh well. I'll have it fixed in a jiffy, but you'll have to select a new password again, sorry."
I've used fuzzing and several attack toolkits to test the system's security (as well as peer review), and our current version also supports SFTP (which many users have transitioned to over the years).
I would bet that if it is coming from a single IP at a time, it is coming from a country where English is not the primary language. You can try to report it, but you'll likely get a reply in a language you cannot read and the correspondence will stop there.
Alternately, if you are seeing distributed (botnet) attempts, there isn't much point in trying. You'll have dozens (if not more) of different addresses, and they are almost always all transient anyways. You could spend your time going through all the addresses, finding all the ISPs, but you'll likely end up with many copies of the same problem I just described.
In other words, just make sure you don't allow logins of the names they try. Don't just stop with "a really good password" as so many others have tried; rather ban those usernames entirely from remote login. I've even seen phone book attacks on my system where they try a long list of common first names (Aaron, all the way to Zelda).
Setup a fake login with a separate file structure. Fill it with Goatse and gay porn.
Alternately (or in addition to) add some random viruses that you know they'll click on.
Fail2Ban seems to work well, and one of the mail servers I use does it, but I asked him not to use it on my server. I wanted the wrapper option instead of iptables, and my admin partner balked. He wanted to keep the bans in place for years, which is fairly pointless, except he has a secret admirer that comes back and hax on his system every 2 years or so. I'm not sure I can take him anywhere with me any more; he's pissed someone off who has more scripts than he does. Fortunately his secret admirer is now reduced to moderately intense DOS attacks, instead of deleting data and writing our web pages into pr0n sites... Ah, good times, those were, much lost sleep. If I find him, I'm gonna feed him to ants.
I used a script I found here, which just needed some fixups for my system. It's fairly good.
I liked the detecting brute forces and putting them in hosts.deny best, it let me see what was added and flush them out after they went away to someone else's server, and it didn't grow my iptables into something grotesque. At least no more so than it already was. And it made me learn regex a little better.
That's pretty much what my equipment said when I fed 110v to the Ethernets...
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
It was "carriage return".
Filezilla can do automatic bans. I am sure your favourite FTP server can do that as well. 5 failed login attempts = auto ban for 3 hours. That solved all our problems in the office.
For home, just running an FTP server on a different port got rid of these kind of attacks completely. Of course, blocking hinet and other Chinese netblocks works as well. You have a lot of options here.
You might as well provide some customized content for your Chinese visitors. Falun Gong literature, Tibetan Buddhist literature, clones of the epochtimes.com newspaper, an occasional Jasmine Revolution or Grass Mud Horse.
Yeah, it's called fail2ban.
If the users are at all technical, just use port knocking. The idea is simple: connections to your ftp[s] port are denied by default. If someone makes a TCP connection to a magic port, the ftp[s] port is opened for, say, 30 seconds. Naturally you configure it such that if someone connects to the port below or above your port knock you close the ftp[s] port (assuming they are port scanning you).
Here is a multi-port implementation, but you can use a single port:
http://www.debian-administration.org/articles/268
I like a single port knock and nothing special other than a tcp connection. This allows you to use telnet from a command line (and batch file/bash shell script).
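The single-knock rule described in the post above, modelled as a state machine so the decision logic can be read and tested on its own. This is an added example, not code from the thread or from the linked article, which does the same thing with packet-filter rules. The knock port, the 30-second window and the sample connection trace are assumptions; only SYNs are considered, since a connection that was accepted keeps flowing through a stateful firewall after the window closes.

```python
"""Single-port knock gate as a pure state machine. Added example; port
numbers and the trace are constructed."""

KNOCK_PORT = 7777      # assumed magic port
SERVICE_PORT = 21      # FTP control port
OPEN_FOR = 30          # seconds the door stays open after a knock


class KnockGate:
    def __init__(self, knock_port=KNOCK_PORT, service_port=SERVICE_PORT,
                 open_for=OPEN_FOR):
        self.knock_port = knock_port
        self.service_port = service_port
        self.open_for = open_for
        self.open_until = {}        # source ip -> time the door closes again

    def on_syn(self, now, src, dport):
        """Decide one inbound SYN from src to dport: 'accept' or 'drop'."""
        if dport == self.knock_port:
            # the knock is never answered; it only arms the door for this source
            self.open_until[src] = now + self.open_for
            return "drop"
        if dport in (self.knock_port - 1, self.knock_port + 1):
            # a neighbour of the knock port: looks like a scan, disarm
            self.open_until.pop(src, None)
            return "drop"
        if dport == self.service_port:
            until = self.open_until.get(src)
            if until is not None and now <= until:
                return "accept"
            return "drop"
        return "drop"               # every other port stays closed


def replay(gate, trace):
    """Run a list of (time, src_ip, dst_port) SYNs through the gate."""
    return [gate.on_syn(t, src, port) for t, src, port in trace]


# constructed trace: a legitimate user, then a scanner walking 7776..7778
SAMPLE_TRACE = [
    (0,  "198.51.100.5", 21),     # no knock yet
    (1,  "198.51.100.5", 7777),   # knock
    (2,  "198.51.100.5", 21),     # inside the window
    (40, "198.51.100.5", 21),     # window expired
    (50, "203.0.113.9", 7776),
    (51, "203.0.113.9", 7777),    # the sweep hits the knock port...
    (52, "203.0.113.9", 7778),    # ...and the next port disarms it again
    (53, "203.0.113.9", 21),
    (54, "198.51.100.5", 21),     # the scanner's knock opens nothing for others
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_TRACE, replay(KnockGate(), SAMPLE_TRACE)):
        print(event, verdict)
```

Two caveats a practitioner would want stated. The neighbour-port rule only catches sweeps that cross the knock port in order; a scanner probing ports in random order that happens to touch 7777 last and then tries 21 within the window gets through, so the knock reduces noise rather than authenticating anyone. And the knock travels in the clear, so anyone who can sniff the path between the user and the server learns it; the knock is a shared secret in the same sense as the non-standard port, not a replacement for keys or strong passwords.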
Some people here have suggested blocking connections from various IPs. However, since the original question suggested this server is used by very few people, I'd consider setting the firewall to only allow connections from a specific range of IPs. Find out where your friends are connecting from and tell the firewall to only let in connections from those networks.
Also, consider switching over to SFTP. Sure FTP is fine for public anonymous transfers, but if you're password protecting your data, SFTP is the way to go.
I used to get a load of similar hacking attempts at my ssh server. So I changed the port to something other than the default. Now I get none.
I do need to specify the port everywhere I want to connect to, or set it in .ssh/config.
Better yet, instead of an exe make a script that sends an email to a temp address that you set up with details from their machine. These details could then be used to report the perpetrator. I think that would be completely legal, but if you wanted to take it a few steps further, use your imagination with what to put in the script. ;-)
This could be more fun, a challenge and one could learn something from it.
I have had good results when the attacking IP is from a provider such as Comcast, AT&T, Amazon Cloud, etc.
When it's from "China Unicom Hebei Province Network", like the IPs that hit my router all day long every day scanning port 27977, there is no reason to even send an abuse message.
No offense meant to anyone from that part of the world.
I'm the guy who posted (accidentally sent it in via anonymous).
1) I like the idea of programs like DenyHosts and Fail2Ban; as some people mentioned FileZilla also has a nifty "auto-ban" option which I've used too. I specifically like using a shared list of bad hosts; that was really what I was asking for, so thank you all! Totally answered my question.
2) Switching from FTP is indeed an option. I originally started by using FTPS, which is nicely supported by FileZilla but not by many other programs. The trouble was that many users had routing difficulties and were unable to reach the FTPS server from their location. The worst part was that many routing difficulties were transient: when they were at the office it would fail, when they were at Starbucks it would work, when they were at a hotel it would fail, etc.
3) I would wager that SFTP is pretty much the right solution. I figure I'll get started on looking for an SFTP replacement for FileZilla server.
How about fail2ban? We use it to block multiple SSH attempts. It blacklists IPs for a user-defined amount of time and then unblocks them again. Works like a charm, every time. Hell, it's even locked me out on more than one occasion (because I didn't update the whitelist file for my workstation's IP).
"Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address."
http://www.fail2ban.org/wiki/index.php/Main_Page
If you're on a Red Hat based distro, try ConfigServer Firewall. csf comes with lfd, which will block an IP automatically after X failed login attempts. Pretty easy to install and configure. In regards to reporting the offender, your best bet is doing a whois lookup on the source IP and emailing the logs to the abuse contact. You probably won't get the offender, but the hosting provider will usually stop the malicious activity.
Report them to the internet police.
I imagine the default Snort rules would include an example of detecting repeated failed FTP connection attempts (brute force/dictionary attacks). Then SnortSam could block the offending IP address for as long as you like. This is assuming your FTP server is running a compatible firewall, etc.
Guess it's time to give back to the community. A few years ago, I wrote a custom script to continually tail out lines at a time from /var/log/auth.log and null route the bad IPs. To date, I have 4316 IPs null routed. I have the following script running as a background job initiated from /etc/rc.local; hope this is helpful to people.
----begin----
#!/bin/bash
# script to sense bad ssh or ftp login tries from the same ip address
# (the awk/grep pipelines were split off the script when the post was
# extracted and have been put back in place; the final loop is closed
# off the same way as the earlier ones where the post was cut short)
while true; do
    # block known linux service user accounts ssh attempts
    # (auth.log "Failed password for USER from IP ..." puts the IP in field 11)
    previous=0
    i=0
    for badip in $(awk '/sshd/ && /Failed password for /' /var/log/auth.log \
        | grep -Ei "root|bin|daemon|adm|lp|sync|shutdown|halt|mail|news|uucp|operator|games|rpm|vcsa|rpc|xfs|apache|rpcuser|sshd|ftp|kamphor|named|messagebus|haldaemon|ntp|openvpn|x11|polkituser|avahi|avahi-autoipd|htdig|pulse" \
        | awk '{print $11}' | tail -100 | sort | uniq); do
        if ! grep -q "$badip" /etc/hosts.deny; then
            echo "ALL: $badip" >> /etc/hosts.deny
            echo "route add -host $badip gw 127.0.0.1" >> /etc/routeblock.sh
            route add -host "$badip" gw 127.0.0.1
        fi
    done
    # null route any attempt at non-existent users for ssh attempts
    # ("Failed password for invalid user USER from IP ..." puts the IP in field 13)
    previous=0
    i=0
    for badip in $(awk '/sshd/ && /invalid user/ {print $13}' /var/log/auth.log \
        | tail -100 | sort | uniq); do
        if ! grep -q "$badip" /etc/hosts.deny; then
            echo "ALL: $badip" >> /etc/hosts.deny
            echo "route add -host $badip gw 127.0.0.1" >> /etc/routeblock.sh
            route add -host "$badip" gw 127.0.0.1
        fi
    done
    # scan for behavior - probe ssh then try password
    previous=0
    i=0
    # first loop - check for ssh probe
    # ("Did not receive identification string from IP" puts the IP in field 12)
    for badip in $(awk '/sshd/ && /not receive identification string/ {print $12}' /var/log/auth.log | tail -2); do
        if [ "$previous" = "$badip" ]; then
            i=$((i + 1))
            # echo "in spoofed checker $badip $i"
        else
            i=0
        fi
        # echo "these are the bad ip addresses: $badip $previous $i"
        previous=$badip
    done
    # end first for loop
    # start second loop - check for failed logins from the last probing address
    for badip2 in $(grep "$badip" /var/log/auth.log | awk '/sshd/ && /Failed/ {print $11}' | tail -2); do
        if [ "$previous" = "$badip2" ]; then
            i=$((i + 1))
            # echo "in spoofed checker $badip2 $i"
        else
            i=0
        fi
        if [ "$i" -ge 3 ]; then
            # the post ends here; block the address the same way as above
            if ! grep -q "$badip2" /etc/hosts.deny; then
                echo "ALL: $badip2" >> /etc/hosts.deny
                echo "route add -host $badip2 gw 127.0.0.1" >> /etc/routeblock.sh
                route add -host "$badip2" gw 127.0.0.1
            fi
        fi
    done
    sleep 60    # not in the visible post; without a pause the loop spins a CPU
done
OSSEC HIDS is used on production servers like a charm. Try it.
Unless you're running an anonymous FTP to download Linux ISOs or something there's no need for it.
Cyberduck for OS X, FileZilla for Windows, and gFTP all do SFTP and are free. If you're already using SFTP then only allow specific users and disable root access. Key authentication is ideal like others have mentioned but sometimes a hassle.
The first (and hopefully last time) I was rooted was in '99 on a Redhat box through FTP using a buffer overflow. Since then I learned my lesson.
Was the lesson not to use Redhat?
How do you know you aren't rooted now, at this very moment? The first rule of security is that there are only two states when it comes to being compromised:
Sorry to be a little pedantic, but it's true. There's no way to know for a fact that you have not been compromised, especially if you are connected to remote systems. A good enough attacker may have gotten in and covered his tracks.
That would be like retrofitting a tricycle to make it supersonic.
So you're saying it would be totally awesome?
You know, I'm still laughing. Been laughing. Hehee. Great post.
Since this won't get read, I'll put in an interesting word: I've had the same problem as the poster. I tried leaving my music collection up for some time over FTP when I would travel. After a few short months, I started getting the same treatment. I took the IPs and started whois'n. I came up with lots of companies of course. And all of them were 'research' companies. After calling a few, I found out that quite a few of them had been paid by BMG, Universal, and a few other high profile music vendors for one reason: to locate and research pirated music collections. Fortunately for me none of them would have ever discovered my password.
@bcrowell. ?? Really? I guess you should ask why you have to use anything else? I use FTP all the time for moving files around my network (and my bosses) because it WORKS EVERY TIME. Even across the net. But I wouldn't recommend it for corporate use. I don't want to use any other file servers especially torrents because I have always been disappointed by their unreliability and high maintenance.
But anyway, if you feel that the risk to you is insignificant, then why are you asking the question?
Because, although the guy outside my own titanium-shuttered windows might pose no threat to me, I may feel some vague sense of civic duty not to just wait idly by until he wanders off to attack the rich widow next door?
Unfortunately for the FP poster, he can pretty much bet on every aspect of the connection as in some way falsified. So the only thing he "knows" about this attacker boils down to "the IP address I see as the source had weaker passwords than I do". Sad but true.
You'll get the same sort of thing if you run a SSH server. I typically see multiple attacks/day.
Just make sure you use strong passwords (no dictionary words, include special characters, yadda yadda). If practical consider using a non-standard port number, and (for SSH) consider disabling password-based authentication entirely (use key based authentication only).
No, I think RPM hell had more to do with dumping Redhat. Debian guy since '05.
Key authentication is ideal like others have mentioned but sometimes a hassle.
When is key authentication ever a hassle, once you've learned it? My standard system-building procedure is to SSH to a new machine once, cd ~me; mkdir .ssh; chmod 700 .ssh; cd .ssh; cat > authorized_keys; [paste my pubkey into the xterm window]; chmod 400 authorized_keys, edit sshd_config to disable password logins, and restart sshd. That whole process takes about two minutes, and then it's finished for the lifetime of the machine.
Dewey, what part of this looks like authorities should be involved?
We utilize a network IPS to identify these and reset the connection to anyone attempting to utilize an administrative/common account name.
It then resets and continues to reset their connection for several minutes.
With SSH, it just watches for multiple incoming connections over a certain time-frame/rate that we set and then blocks those.
Are you suggesting there are problems with setting up a spare dinosaur of a machine to ninja pirate terrorist child porn?
HoneyPots can be an important layer. But you need the other layers. We use the following layers to protect SSH (https://it.wiki.usu.edu/ssh_description )
1.) The firewall limits the vulnerable scope of SSH to a few trusted hosts.
2.) The firewall can also be used to prevent credential guessing by rate-limiting connections to the SSH port.
3.) The SSH Port is treated as a shared secret. Only interesting, targeted attacks find the SSH server.
4.) The SSH server should not allow known usernames including root. The attacker must find a username.
5.) The admin is trained to create good passwords for his usernames.
6.) SSH users are taught to verify the identity of their systems when they first connect.
7.) System admins must regularly review the activity of their SSH servers.
8.) Security monitors all SSH connections, including ones on non-standard ports. We follow up on connections that seem interesting.
9.) USU has SSH HoneyPots that help us respond to SSH attack.
SSH HoneyPots give us several benefits:
1) They make it easy to automate blocking SSH attackers, with virtually no chance of false positives. Some patterns of attack are designed to bypass Fail2ban, but the HoneyPots have no problem handling them.
2) We notify remote ISPs (and remote managers) that they have attacking systems. This is surprisingly effective. When we started (6 years ago) less than 1 notify in 8 seemed to have any effect. Now about 1/2 of the notifications seem to have an effect. And remember, virtually every one of those attacking computers belongs to an innocent victim. Notification helps them, and it improves the overall security of the internet. We have also confirmed that notifications drive away some attackers.
3) We collect and analyze guessed credentials.
- If they meet our complexity requirements, they are added to our central black-list.
- Patterns of credentials reveal patterns of attack and patterns of attackers. It's a Heisenberg thing. An attacker both changes the target, and reveals information about himself. Password guessing reveals a lot of information. Virtually every attack has been a unique combination of credentials. You can do cluster analysis against the combinations. You can find relationships between attacks and IPs. You can track how these relationships change over time. You can correlate this information with your other intelligence. The FBI came to us and asked about some attacking IPs. Almost all of them had hit our SSH HoneyPots. We were able to pass all this intelligence back to them.
Our SSH Honeypots (and several other SSH servers) now have the following banner:
---
USU tracks internet abuse. We have SSH honeypots that automate
the process of detection, notification, and blocking. These
honeypots also collect credentials and analyze them.
If this system is a honeypot, your access will be reported as abuse.
Your credentials will be logged. Your IP address will be blocked.
If you believe that your access has been misidentified as abuse,
please contact USU IT Security at security@usu.edu or 435-797-1804.
---
Miles
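The credential analysis described in point 3 above (cluster sources by the set of credentials they guessed, and pull out guesses that would pass a local policy), as an added example that is not USU's tooling. The log format, the sample log and the complexity policy are assumptions:

```shell
#!/bin/sh
# Added example, not USU's tooling: the credential analysis the post
# describes, done with POSIX text tools over a constructed honeypot log.
# The log format (src=/user=/pass=) and the password policy are assumptions.
set -eu; LC_ALL=C; export LC_ALL

# Constructed sample: two sources guessing the identical list (one repeats a
# guess and uses a different order) plus one unrelated source.
HONEYPOT_LOG=$(mktemp)
cat > "$HONEYPOT_LOG" <<'EOF'
2011-05-20T10:00:01 src=203.0.113.5 user=root pass=123456
2011-05-20T10:00:06 src=203.0.113.5 user=root pass=Passw0rd2011
2011-05-20T10:00:11 src=203.0.113.5 user=admin pass=admin
2011-05-20T10:02:40 src=198.51.100.7 user=admin pass=admin
2011-05-20T10:02:45 src=198.51.100.7 user=root pass=Passw0rd2011
2011-05-20T10:02:50 src=198.51.100.7 user=root pass=123456
2011-05-20T10:02:55 src=198.51.100.7 user=root pass=123456
2011-05-20T11:15:00 src=192.0.2.9 user=oracle pass=Oracle#2010
EOF

# One "ip user:pass" per line, de-duplicated: the set of guesses is the
# fingerprint, not how often each one was repeated.
credential_pairs() {  # credential_pairs <log>
    sed -n 's/.*src=\([^ ]*\) user=\([^ ]*\) pass=\([^ ]*\).*/\1 \2:\3/p' "$1" | sort -u
}

# Fold each source's pairs into one sorted, comma-joined set per line.
credential_sets() {  # credential_sets <log>
    credential_pairs "$1" | awk '
        $1 != ip { if (ip != "") print ip, set; ip = $1; set = $2; next }
        { set = set "," $2 }
        END { if (ip != "") print ip, set }'
}

# Sources that guessed exactly the same set are almost certainly the same
# tool or operator. Output: "<set> <ip>,<ip>,...".
cluster_attackers() {  # cluster_attackers <log>
    credential_sets "$1" | awk '{ print $2, $1 }' | sort | awk '
        $1 != set { if (set != "") print set, ips; set = $1; ips = $2; next }
        { ips = ips "," $2 }
        END { if (set != "") print set, ips }'
}

# Guessed passwords that would pass the local policy (assumed: 8+ chars,
# a letter and a digit) are the ones worth adding to the deny list.
blacklist_candidates() {  # blacklist_candidates <log>
    credential_pairs "$1" | cut -d: -f2- | sort -u |
        grep -E '^.{8,}$' | grep -E '[A-Za-z]' | grep -E '[0-9]'
}

echo "== clusters =="; cluster_attackers "$HONEYPOT_LOG"
echo "== guessed passwords meeting policy =="; blacklist_candidates "$HONEYPOT_LOG"
```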
People who worry about computer security are forbidding the clients of my company from installing software on their MS Windows computers. That means they cannot install the software to do SFTP on their computers - so in the name of security they are using plain old vanilla FTP! For as long as this stupid situation persists I'll be using FTP. The alternatives the clients can actually use are stupid web based FTP done badly ideas like those idiots that set up a system where a password change wouldn't keep people out.
I think I'll be hosting it until we either get some SFTP client that becomes as ubiquitous as winzip or until Microsoft bundle one in.
There's a lot of clunky web based FTP front ends out there but nothing I've seen that does things well with uploads doing https all the way and leaving FTP out of it completely.
Dionaea has a nice FTP honeypot. It will even let bad guys (or bad automated programs) upload files. It's available here [carnivore.it].
Be careful, of course. You want to be safe in case these attacks are automated tools doing something icky like uploading kiddie porn or illegal music to your honeypot...(I'm not sure which would be worse).
The Right Reverend K. Reid Wightman,
You're a bonehead! Just because you can google FTP does not mean you have a relative clue as to what you are talking about. Please give a viable (yes, viable) example of how exactly you're going to get a packet capture on either side's LAN or into the ISP? You can't, since you don't have a clue about networks, security or faking your way through a relatively basic and frequently asked question by anyone who runs their own servers...
Now go to Wikipedia, search for idiot, click edit and upload your pic...have a nice day ;-)
The only problem is when you want to access the machine from a computer other than your own. I guess you could keep the key on a flash drive . . .
Not unless you stick a ninja into it before launch.
You can't handle the truth.
# General new connection rate limiting for DOS and Brute Force protection
iptables -I INPUT -p TCP -m state --state NEW -m limit --limit 30/minute --limit-burst 5 -j ACCEPT
# Without a matching DROP right after it, new connections over the limit just fall through to the rest of the chain
iptables -I INPUT 2 -p TCP -m state --state NEW -j DROP
I fail to understand why using sftp makes you immune to buffer overflow
I find most of the pests disappear when I switch out of port 21 and use a more obscure one, most ftp servers will allow this... You also need to make the necessary forwarding from your router and inform all your clients to use the new port. This does not guarantee pest control, but the obfuscation helps...
Tor Linuxisos http is sufficient
What if someone starts to poison the shared blacklist DB?
The first (and hopefully last time) I was rooted was in '99 on a Redhat box through FTP using a buffer overflow. Since then I learned my lesson.
... and used OpenBSD software FTW!
Maybe we can form an anonymous-esque group dedicated to DOS'ing (or worse if possible) IPs known to sweep numerous hosts and ports (i.e., each have our own servers listening for the same type of requests). If nothing else, at least knock them down for a while, each time they pop up on the radar.
Won't be effective against blind servers, and on second thought, we don't want to DOS blind servers anyway. :(
"Artificial Intelligence usually beats real stupidity."
I know that much of the world doesn't care, but many of these attacks come from compromised servers. I scripted to automatically do a whois on the IP and construct an email to the abuse address with all pertinent log info included. This gets saved to a file and a report generated. I check the report once a month and run another script which sends the emails. I regularly get responses from companies like Amazon letting me know they are tracking them. Usually it is a hosting service server and the client didn't lock down the machine, but I have had a few unnamed companies discover their own servers were compromised. You have to fight back, people.
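The report-building half of what this commenter describes (pick the abuse contact out of a whois record, attach the matching log lines), as an added example that is not the commenter's script. The whois text and the log lines are constructed, and the real `whois` call and the monthly send are left out:

```shell
#!/bin/sh
# Added example, not the commenter's script: build one abuse report from a
# whois record and the matching log lines. The whois text and the log are
# constructed; handing the result to sendmail is left to the monthly run.
set -eu; LC_ALL=C; export LC_ALL

# Constructed whois answer in ARIN style; RIRs differ, hence several field
# names in abuse_contact.
WHOIS_SAMPLE=$(mktemp)
cat > "$WHOIS_SAMPLE" <<'EOF'
NetRange:       198.51.100.0 - 198.51.100.255
OrgName:        Example Hosting LLC
OrgTechEmail:   noc@example.net
OrgAbuseEmail:  abuse@example.net
EOF

# Constructed log: two attempts from the reported source and one from another
# host that must stay out of this report.
AUTH_LOG=$(mktemp)
cat > "$AUTH_LOG" <<'EOF'
May 20 10:02:40 ftp proftpd[2311]: USER Administrator: no such user found from 198.51.100.7
May 20 10:02:45 ftp proftpd[2311]: USER admin: no such user found from 198.51.100.7
May 20 10:03:00 ftp proftpd[2314]: USER Administrator: no such user found from 203.0.113.5
EOF
EMAIL_RE='[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'

# Prefer fields that explicitly name the abuse desk; otherwise fall back to
# any abuse@ address, never to a generic tech contact.
abuse_contact() {  # abuse_contact <whois_text_file>
    addr=$(grep -iE '^(OrgAbuseEmail|abuse-mailbox):' "$1" | grep -oiE "$EMAIL_RE" | head -n 1)
    [ -n "$addr" ] || addr=$(grep -oiE "$EMAIL_RE" "$1" | grep -i abuse | head -n 1)
    printf '%s\n' "$addr"
}

# Whole-word, fixed-string match so 198.51.100.7 does not pull in 198.51.100.70.
log_lines_for() {  # log_lines_for <ip> <log_file>
    grep -Fw -- "$1" "$2"
}

build_report() {  # build_report <ip> <log_file> <whois_text_file>
    count=$(log_lines_for "$1" "$2" | wc -l | tr -d ' ')
    printf 'To: %s\nSubject: Brute-force login attempts from %s\n\n' "$(abuse_contact "$3")" "$1"
    printf 'Your address %s attempted %s logins against our FTP server.\n' "$1" "$count"
    printf 'Log excerpt (server time, UTC):\n\n'
    log_lines_for "$1" "$2"
}

build_report 198.51.100.7 "$AUTH_LOG" "$WHOIS_SAMPLE"
```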
"Computer Scientists can count to 1024 on their fingers" (non-mutant, non-mutilated, human computer scientists)
I would like a copy of your supersonic tricycle plans please.
My employer blocks ssh as a "VPN protocol".
FTP is fine though.
I'm not a professional server admin, but what about using a firewall to only allow whitelisted IP addresses to connect? I've instructed the tech support guys at the datacenter that I'm using to configure a firewall that only allows local access and three particular static IP addresses to connect via ftp or ssh. I think I'm safe, but since no one else has mentioned that solution now I'm worried that I'm missing something obvious... but my sites haven't been tampered with and my server seems ok so far... is my solution secure?
I went through the trouble of setting up one-time passwords on a couple of my hosts. I carry a little printout in my wallet and scratch off passwords as I use them. More commonly, I use an SSH client on my iPhone that gets me into my home server, then branch out from there.
Switch your real FTP server to a random, non-standard port.
Set up Honeyd on port 21: http://www.honeyd.org/
Seriously, people stopped using telnet years ago as the risks were well known, yet people still transmit their username and password (often the same as their normal account login) across the net in clear text. There are lots of alternatives to FTP - especially for developers (SFTP, SCP, SVN, GIT, a web-based interface - whatever)
As others mentioned, fail2ban is a great tool to severely limit brute-force attempts in the event you are exposing any authentication service to the internet.
I would personally consider setting up a simple VPN. Anyone that needs to use the server can VPN into a small LAN first and then connect. On the other side, you can NAT 21 and 22 off to a different computer. Run honeyd on that computer and simply capture everything to 21 and 22. It'd take more work to actually do something with what you capture, but you'll have some fun stuff to look at every once in a while.
I do security
I much prefer our 440v 3 phase for a nice boom.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Sorry, but as far as I remember Filezilla server does not do SFTP, only FTPS (implicit and explicit) as secure connections.
http://en.wikipedia.org/wiki/File_Transfer_Protocol#Secure_FTP
Although the end result is the same, the process is different. It's like watering your garden with a supermodel, you can fill a watering can or use your hose but the end result is the same... your pants will be wet.
$ unzip, strip, touch, finger, grep, mount, fsck, more, yes,fsck,fsck,fsck,umount, sleep
Can you be absolutely sure that the organization that you're reporting the abuse to isn't the same as the organization that's probing you to begin with? People have been known to try that little trick. Sending them an e-mail may mark you as a live target?
Thanks. I've been procrastinating on this for years and finally did it.