Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: FTP Server Honeypots?

Posted by timothy on from the said-the-spider-to-the-vandal dept.

An anonymous reader writes "I run an FTP server for a few dozen people, and it seems like every week I have a random IP address connect to my box and try guessing 'Administrator' passwords once every five seconds or so. This poses no real risk to me, since all my accounts have custom (uncommon) names. But if this is happening to me, I would wager lots of people are at risk of low level, persistent, long term password cracking attempts. Is there a way to report the perpetrators, or any action we can take to address this kind of danger?"

4 of 298 comments (clear)

  1. Worst thing is the bandwidth drain by BlueCoder · · Score: 3, Interesting

    If your security is even modest as far as passwords there is no need to worry. More sophisticated attacks using coordinated bot nets are the really scary thing but can be countered by limiting the number of login attempts a second/minute. But it's all just extended dictionary attacks. Only someone really dedicated does brute force. This is the equivalent of someone going through a parking lot and checking to see if anyone left their door unlocked and or keys inside their car. If you can just change the port used for ftp, it cuts it down by 99 percent.

    The problem is the bandwidth. You have to pay for it anyway. Even if your server doesn't acknowledge it. Someone really dedicated using a bot net can easily give you overage charges.

  2. Re:Yep, by zebs · · Score: 3, Interesting

    Hmmm, on the systems I help look after we occasionally see large number of RDP sessions with invalid logons. On some rare occasions we've been able to RDP to the source IP (get to the logon screen). Gives me the impression that its a bot.

  3. Re:No by Sancho · · Score: 3, Interesting

    We use honeypots purely for denyhosts purposes. These are machines which are not in DNS and should never have machines connect to it. If a machine connects, we assume that it's malicious and add it to a blocklist which is shared amongst the rest of our machines. No one ever gets in to the honeypot. One could wait for a failed login attempt to occur (it would be a little more generous to scanners who aren't trying to break in)--it's just a tradeoff. We're much harsher.

  4. shell script to auto null route brute force attack by Kamphor · · Score: 3, Interesting

    Guess it's time to give back to the community....a few years ago, I wrote a custom script to continually tail out lines at a time from /var/log/auth.log and null route the bad ip's....to date, I have 4316 ip's null routed. I have the following script running as a background job initiated from /etc/rc.local hope this is helpful to people.

    ----begin----
    #!/bin/bash
    # script to sense bad ssh or ftp login tries from the same ip address
    while [ 1 ];
    do
    # block known linux service user accounts ssh attempts
    previous=0;
    i=0;
    for badip in `awk '/sshd/ && /Failed password for /' /var/log/auth.log | egrep -i "root|bin|daemon|adm|lp|sync|shutdown|halt|mail|news|uucp|operator|games|rpm|vcsa|rpc|xfs|apache|rpcuser|sshd|ftp|kamphor|named|messagebus|haldaemon|ntp|openvpn|x11|polkituser|avahi|avahi-autoipd|htdig|pulse" | awk '{print $11}'| tail -100 | sort | uniq`;
    do
    if ! `grep -q $badip /etc/hosts.deny`; then
    echo "ALL: $badip" >> /etc/hosts.deny;
    echo "route add -host $badip gw 127.0.0.1" >> /etc/routeblock.sh
    route add -host $badip gw 127.0.0.1;
    fi
    done

    # null route any attempt at non-existant users for ssh attempts
    previous=0;
    i=0;
    for badip in `awk '/sshd/ && /invalid user/ {print $13}' /var/log/auth.log | tail -100 | sort | uniq`;
    do
    if ! `grep -q $badip /etc/hosts.deny`; then
    echo "ALL: $badip" >> /etc/hosts.deny;
    echo "route add -host $badip gw 127.0.0.1" >> /etc/routeblock.sh
    route add -host $badip gw 127.0.0.1;
    fi
    done
    # scan for behavior - probe ssh then try password
    previous=0;
    i=0;
    # first loop- check for ssh probe
    for badip in `awk '/sshd/ && /not receive identification string/ {print $12}' /var/log/auth.log | tail -2`;
    do
    if [ $previous == $badip ]; then
    i=`expr $i + 1`;
    # echo "in spoofed checker $badip $i"
    else
    i=0;
    fi
    #echo "these are the bad ip addresses: $badip $previous $i";
    previous=$badip;
    done
    # end first for loop
    #start second loop - check for failed logins
    for badip2 in `grep $badip /var/log/auth.log | awk '/sshd/ && /Failed/ {print $11}' | tail -2`;
    do
    if [ $previous == $badip2 ]; then
    i=`expr $i + 1`;
    # echo "in spoofed checker $badip2 $i"
    else
    i=0;
    fi
    if [ $i -ge 3 ]; then