Slashdot Mirror


Ask Slashdot: FTP Server Honeypots?

An anonymous reader writes "I run an FTP server for a few dozen people, and it seems like every week I have a random IP address connect to my box and try guessing 'Administrator' passwords once every five seconds or so. This poses no real risk to me, since all my accounts have custom (uncommon) names. But if this is happening to me, I would wager lots of people are at risk of low level, persistent, long term password cracking attempts. Is there a way to report the perpetrators, or any action we can take to address this kind of danger?"

7 of 298 comments

  1. Well, not really... by DWMorse · Score: 4, Insightful

    Proactively? Not really. The systems used for this are typically overseas, in countries that more or less don't care.

    However, you -can- configure your server to disregard even initial connection attempts from specific ranges of IP addresses. I solved a lot of this on my own home FTP server by (sorry comrades) telling my server to ignore connection attempts from Russia and China.

    Upon doing so, it went from a daily occurrence, to maybe one attempt a month. Usually less.

    And, if a friend ever needs to FTP in from one of these countries, it's a simple enough rule change.

    --
    There's a spot in User Info for World of Warcraft account names? Really?
  2. Re:No by Anonymous Coward · Score: 0, Insightful

    Change to a nonstandard port and switch to sftp or webdav over https. In my case, this resulted in no more overfilled logs of sshd failed logins (hilariously, in this context, it was the unlogged successful ones that I really needed to know, since it was just a fishing expedition). Moving to a nonstandard port means that you'll know that the attacks are targeted, and allows you to respond accordingly. It isn't security through obscurity, because you are going to be using an actually secure mechanism.

  3. Re:ssh is the same by maswan · Score: 2, Insightful

    Stop allowing password-based access. There is no way anyone is going to be able to guess a key by connecting and trying them.

  4. SFTP. It's 2011. by bedouin · Score: 3, Insightful

    Unless you're running an anonymous FTP to download Linux ISOs or something there's no need for it.

    Cyberduck for OS X, FileZilla for Windows, and gFTP all do SFTP and are free. If you're already using SFTP then only allow specific users and disable root access. Key authentication is ideal like others have mentioned but sometimes a hassle.

    The first (and hopefully last) time I was rooted was in '99 on a Red Hat box through FTP using a buffer overflow. Since then I learned my lesson.

  5. The longer answer. by Tatarize · Score: 4, Insightful

    The longer answer is do anything you want. I highly recommend spending a lot of time to configure an "administrator" login. Then have it take one to a fake directory with nothing important. Wait until that IP drops off the inevitable giant pile of files to be shared with other people, and then, when all the stuff is uploaded, disable it and keep the files. It seems like pretending to be there for a short while could get you many gigabytes of something. It would be like peer to peer in reverse.

    --

    It is no longer uncommon to be uncommon.
  6. Re:ssh is the same by icebraining · Score: 4, Insightful

    Proper security measures and changing port is better than having only the former.

  7. Reply from the submitter by glassware · Score: 3, Insightful

    I'm the guy who posted (accidentally sent it in via anonymous).

    1) I like the idea of programs like DenyHosts and Fail2Ban; as some people mentioned FileZilla also has a nifty "auto-ban" option which I've used too. I specifically like using a shared list of bad hosts; that was really what I was asking for, so thank you all! Totally answered my question.

    2) Switching from FTP is indeed an option. I originally started by using FTPS, which is nicely supported by FileZilla but not by many other programs. The trouble was that many users had routing difficulties and were unable to reach the FTPS server from their location. The worst part was that many routing difficulties were transient: when they were at the office it would fail, when they were at Starbucks it would work, when they were at a hotel it would fail, etc.

    3) I would wager that SFTP is pretty much the right solution. I figure I'll get started on looking for an SFTP replacement for FileZilla server.
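
Added example (not part of the thread, and not code from DenyHosts, Fail2Ban or FileZilla): a small log scanner that applies the two ideas discussed above, banning on any attempt against a name that exists on no account, and counting failures over a long window so slow guessing still adds up. The log format, account names and IP addresses are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not any real FTP server's format:
# "<ISO timestamp> <client IP> <LOGIN_OK|LOGIN_FAIL> <username>"
SAMPLE_LOG = """\
2011-03-01T12:00:00 203.0.113.7 LOGIN_FAIL Administrator
2011-03-01T12:01:00 198.51.100.4 LOGIN_FAIL qx_marta
2011-03-01T12:01:20 198.51.100.4 LOGIN_OK qx_marta
2011-03-01T12:05:00 192.0.2.50 LOGIN_FAIL qx_piotr
2011-03-01T12:15:00 192.0.2.50 LOGIN_FAIL qx_piotr
2011-03-01T12:25:00 192.0.2.50 LOGIN_FAIL qx_piotr
2011-03-01T12:35:00 192.0.2.50 LOGIN_FAIL qx_piotr
2011-03-01T12:45:00 192.0.2.50 LOGIN_FAIL qx_piotr
2011-03-01T13:00:00 192.0.2.99 LOGIN_FAIL qx_marta
2011-03-01T16:00:00 192.0.2.99 LOGIN_FAIL qx_marta
"""

# Names that exist on no account here, so any login attempt with them is hostile.
DECOY_NAMES = {"administrator", "admin", "root"}

def find_offenders(log_text, max_fails=5, window=timedelta(hours=1)):
    """Return {ip: reason} for clients that should be banned."""
    fails = defaultdict(deque)  # ip -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        stamp, ip, event, user = parts
        if ip in banned:
            continue
        when = datetime.fromisoformat(stamp)
        if user.lower() in DECOY_NAMES:
            banned[ip] = "decoy-username"  # one hit is enough
        elif event == "LOGIN_OK":
            fails[ip].clear()  # a real user who mistyped and then got in
        elif event == "LOGIN_FAIL":
            recent = fails[ip]
            recent.append(when)
            # Long window: slow, persistent guessing still accumulates.
            while when - recent[0] > window:
                recent.popleft()
            if len(recent) >= max_fails:
                banned[ip] = "too-many-failures"
    return banned

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))
```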