Slashdot Mirror


Ask Slashdot: FTP Server Honeypots?

An anonymous reader writes "I run an FTP server for a few dozen people, and it seems like every week I have a random IP address connect to my box and try guessing 'Administrator' passwords once every five seconds or so. This poses no real risk to me, since all my accounts have custom (uncommon) names. But if this is happening to me, I would wager lots of people are at risk of low level, persistent, long term password cracking attempts. Is there a way to report the perpetrators, or any action we can take to address this kind of danger?"

5 of 298 comments

  1. Probably not worth the effort by The+MAZZTer · · Score: 3, Informative

    They could easily be zombies or proxies you're seeing, especially zombies since it sounds automated.

  2. rate limit incoming connections based on IP by Shakrai · · Score: 5, Informative

    Easier than banning every overseas IP, IMHO anyway. This is what I do for SSH:

    # Allow SSH with a rate limit
    iptables -A INPUT -i ppp0 -p tcp --syn --dport 22 -m hashlimit --hashlimit 15/hour --hashlimit-burst 3 --hashlimit-htable-expire 600000 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT
    iptables -A INPUT -i ppp0 -p tcp --syn --dport 22 -j LOG --log-prefix "[DROPPED SSH]: "
    iptables -A INPUT -i ppp0 -p tcp --syn --dport 22 -j DROP

    There may be a more eloquent way to do this but it gets the job done.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
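As an added illustration (not part of Shakrai's comment, and not how netfilter is implemented), the following Python models the accounting behind the hashlimit rule above: a per-source-IP token bucket refilled at 15 tokens per hour with a burst of 3, so a source gets three SYNs through immediately and then one every four minutes. The "SYN every five seconds" cadence is the one from the question; the source addresses and timings are constructed sample data. The table-expiry option (--hashlimit-htable-expire) is not modelled, and the LOG rule is folded into the DROP verdict.

```python
from dataclasses import dataclass

# Parameters taken from the rule in the comment:
#   --hashlimit 15/hour --hashlimit-burst 3 --hashlimit-mode srcip
RATE_PER_HOUR = 15
BURST = 3


@dataclass
class Bucket:
    tokens: float   # tokens currently available (at most BURST)
    last: float     # time of the last update, seconds


class SynRateLimiter:
    """Simplified per-source-IP token bucket modelled on iptables hashlimit.

    This is an assumption-level model of the match's accounting, written for
    illustration; it is not netfilter's code.
    """

    def __init__(self, rate_per_hour=RATE_PER_HOUR, burst=BURST):
        self.refill_seconds = 3600.0 / rate_per_hour   # 240 s per token at 15/hour
        self.burst = burst
        self.buckets = {}                               # src ip -> Bucket

    def allow(self, src_ip, now):
        """Return "ACCEPT" or "DROP" for one SYN from src_ip at time now."""
        b = self.buckets.get(src_ip)
        if b is None:
            # First sighting: a full bucket, so the burst is available at once.
            b = Bucket(tokens=float(self.burst), last=now)
            self.buckets[src_ip] = b
        else:
            elapsed = now - b.last
            b.tokens = min(float(self.burst), b.tokens + elapsed / self.refill_seconds)
            b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return "ACCEPT"
        return "DROP"


def simulate(attempts):
    """Run a list of (time_seconds, src_ip) SYNs through one limiter, in time order."""
    limiter = SynRateLimiter()
    return [(t, ip, limiter.allow(ip, t)) for t, ip in sorted(attempts)]


def summarize(results):
    """Count ACCEPT/DROP verdicts per source IP."""
    counts = {}
    for _t, ip, verdict in results:
        counts.setdefault(ip, {"ACCEPT": 0, "DROP": 0})[verdict] += 1
    return counts


if __name__ == "__main__":
    # Constructed scenario: one guesser hammering the port every 5 s for a
    # minute (203.0.113.7, a documentation address) and one unrelated user
    # connecting once in the middle of it.
    attempts = [(t, "203.0.113.7") for t in range(0, 60, 5)] + [(30, "198.51.100.4")]
    for t, ip, verdict in simulate(attempts):
        print(f"t={t:3d}s {ip:14s} {verdict}")
    print(summarize(simulate(attempts)))
```

The point the simulation makes visible is that the guesser only ever gets the first three SYNs through and is then held to one connection attempt per four minutes, while a different source IP is untouched because each source has its own bucket.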
  3. Re:No by 0100010001010011 · · Score: 4, Informative

    Denyhosts also. I just set this up after finding over 40,000 failed ssh attempts in the last 3 days.

  4. fail2ban by gr8fulnded · · Score: 3, Informative

    How about fail2ban? We use it to block multiple SSH attempts. It blacklists IPs for a user-defined amount of time and then unblocks them again. Works like a charm, every time. Hell, it's even locked me out on more than one occasion (because I didn't update the whitelist file for my workstation's IP).

    "Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address."

    http://www.fail2ban.org/wiki/index.php/Main_Page
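To show the mechanism that Denyhosts (comment 3) and fail2ban (comment 4) apply to a log, here is an added Python example, not fail2ban's own code: it scans FTP log lines for failed logins, bans a source once it exceeds a number of failures inside a time window, lifts the ban after a bantime, and skips a whitelisted admin range (the lockout the commenter describes). The parameter names findtime, maxretry, bantime and ignoreip follow fail2ban's jail.conf keys, but the thresholds, the whitelist range and the log lines are constructed sample data; the line format is only loosely modelled on vsftpd's "FAIL LOGIN" message and is not a real log.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters (constructed values; the key names follow fail2ban's jail.conf).
FINDTIME = timedelta(seconds=600)    # window in which failures are counted
MAXRETRY = 5                         # failures within FINDTIME that trigger a ban
BANTIME = timedelta(seconds=3600)    # how long a ban lasts
IGNOREIP = [ipaddress.ip_network("192.0.2.0/24")]   # admin workstations (constructed)

# Constructed line format, loosely modelled on vsftpd's FAIL LOGIN message:
#   2011-01-10 09:00:00 [Administrator] FAIL LOGIN: Client "203.0.113.7"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<user>[^\]]*)\] '
    r'FAIL LOGIN: Client "(?P<ip>[0-9.]+)"$'
)


def parse_line(line):
    """Return (timestamp, ip, username) for a failed-login line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]


def is_ignored(ip):
    """True if the source is inside a whitelisted (ignoreip) range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNOREIP)


class Jail:
    """Sliding-window failure counter with timed bans, in the style of fail2ban."""

    def __init__(self, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
        self.findtime, self.maxretry, self.bantime = findtime, maxretry, bantime
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> time the ban expires
        self.actions = []                    # ("ban" | "unban", ip, time) in order

    def _expire_bans(self, now):
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.actions.append(("unban", ip, until))

    def observe(self, ts, ip):
        """Record one failed login at time ts from ip and ban if the threshold is hit."""
        self._expire_bans(ts)
        if is_ignored(ip) or ip in self.banned:
            return
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.findtime:      # drop failures older than findtime
            q.popleft()
        if len(q) >= self.maxretry:
            self.banned[ip] = ts + self.bantime
            self.actions.append(("ban", ip, ts))
            q.clear()


def scan(lines, jail=None):
    """Feed log lines through a Jail and return it, with actions and current bans."""
    jail = jail or Jail()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, _user = parsed
            jail.observe(ts, ip)
    return jail


def sample_lines():
    """Constructed sample log (documentation addresses), not real traffic."""
    fmt = '{t:%Y-%m-%d %H:%M:%S} [{u}] FAIL LOGIN: Client "{ip}"'
    base = datetime(2011, 1, 10, 9, 0, 0)
    lines = []
    # Fast guesser: one attempt every 5 seconds, as in the question.
    lines += [fmt.format(t=base + timedelta(seconds=5 * i), u="Administrator", ip="203.0.113.7") for i in range(8)]
    # Slow guesser: one attempt every 3 minutes, never reaching maxretry inside findtime.
    lines += [fmt.format(t=base + timedelta(seconds=180 * i), u="admin", ip="198.51.100.9") for i in range(6)]
    # Admin mistyping a password from a whitelisted workstation.
    lines += [fmt.format(t=base + timedelta(seconds=2 * i), u="alice", ip="192.0.2.10") for i in range(6)]
    # One more attempt an hour later, after the ban has expired.
    lines.append(fmt.format(t=base + timedelta(hours=1, minutes=5), u="Administrator", ip="203.0.113.7"))
    return sorted(lines)   # timestamps lead each line, so string order is time order


if __name__ == "__main__":
    jail = scan(sample_lines())
    for action, ip, when in jail.actions:
        print(f"{when:%H:%M:%S} {action:5s} {ip}")
    print("currently banned:", jail.banned)
```

Running it bans the fast guesser at the fifth failure and unbans it an hour later, leaves the slow guesser alone because its failures never add up to maxretry within findtime (a limit worth knowing when tuning these values against the once-every-five-seconds pattern in the question), and never touches the whitelisted workstation no matter how many times the admin mistypes.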

  5. Re:ssh is the same by WuphonsReach · · Score: 4, Informative

    Security through obscurity. That works well. NOT!

    The point of "don't rely on security through obscurity" is that being obscure should not be your only layer of defense.

    Moving your SSH service off of the default port has a few benefits:

    - Most of the standard attack scripts no longer work against your server.

    - Your security logs are 99% less cluttered (if not 99.9%), making it easier to see the more determined and worrisome attackers.

    I never leave a public facing server's SSH port on the default; it's not hard to specify an alternate port in the SSH clients, and it makes my life a lot simpler when I don't have to wade through a few thousand password attempts each day on the standard port. There are a few attackers out there who do port-scanning first to find the SSH port before trying dictionary attacks, but since we don't do password authentication they're still left out in the cold unless they get our private SSH keys.

    --
    Wolde you bothe eate your cake, and have your cake?