Ask Slashdot: FTP Server Honeypots?

← Back to Stories (view on slashdot.org)

Ask Slashdot: FTP Server Honeypots?

Posted by timothy on Thursday May 19, 2011 @09:22AM from the said-the-spider-to-the-vandal dept.

An anonymous reader writes "I run an FTP server for a few dozen people, and it seems like every week I have a random IP address connect to my box and try guessing 'Administrator' passwords once every five seconds or so. This poses no real risk to me, since all my accounts have custom (uncommon) names. But if this is happening to me, I would wager lots of people are at risk of low level, persistent, long term password cracking attempts. Is there a way to report the perpetrators, or any action we can take to address this kind of danger?"

9 of 298 comments (clear)

Min score:

Reason:

Sort:

ssh is the same by bugs2squash · 2011-05-19 09:24 · Score: 4, Funny

About all you can do is briefly connect the Ethernet to a power outlet and hope that the tubes carry the high voltage across the interweb and fry their equipment. Of course, timing is everything.

--
Nullius in verba
1. Re:ssh is the same by icebraining · 2011-05-19 10:51 · Score: 4, Insightful
  
  Proper security measures and changing port is better than having only the former.
  
  --
  Dilbert RSS feed
2. Re:ssh is the same by WuphonsReach · 2011-05-19 14:09 · Score: 4, Informative
  
  Security through obscurity. That works well. NOT!
  
  The point of "don't rely on security through obscurity" is that being obscure should not be your only layer of defense.
  
  Moving your SSH service off of the default port has a few benefits:
  
  - Most of the standard attack scripts no longer work against your server.
  
  - Your security logs are 99% less cluttered (if not 99.9%), making it easier to see the more determined and worrisome attackers.
  
  I never leave a public facing server's SSH port on the default, it's not hard to specify an alternate port in the SSH clients and it makes my life a lot simpler when I don't have to wade through a few thousand password attempts each day on the standard port. There are a few attackers out there who do port-scanning first to find the SSH port before trying dictionary attacks, but since we don't do password authentication they're still left out in the cold unless they get our private SSH keys.
  
  --
  Wolde you bothe eate your cake, and have your cake?
Well, not really... by DWMorse · 2011-05-19 09:26 · Score: 4, Insightful

Proactively? Not really. The systems used for this are typically overseas, in countries that more or less don't care.
However, you -can- configure your server to disregard even initial connection attempts from specific ranges of IP addresses. I solved a lot of this on my own home FTP server by (sorry comrads) telling my server to ignore connection attempts from Russia and China.
Upon doing so, it went from a daily occurrence, to maybe one attempt a month. Usually less.
And, if a friend ever needs to FTP in from one of these countries, it's a simple enough rule change.

--
There's a spot in User Info for World of Warcraft account names? Really?
rate limit incoming connections based on IP by Shakrai · 2011-05-19 09:33 · Score: 5, Informative

Easier than banning every overseas IP, IMHO anyway. This is what I do for SSH:
# Allow SSH with a rate limit
iptables -A INPUT -i ppp0 -p tcp --syn --dport 22 -m hashlimit --hashlimit 15/hour --hashlimit-burst 3 --hashlimit-htable-expire 600000 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --syn --dport 22 -j LOG --log-prefix "[DROPPED SSH]: "
iptables -A INPUT -i ppp0 -p tcp --syn --dport 22 -j DROP
There may be a more eloquent way to do this but it gets the job done.

--
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Re:No by 0100010001010011 · 2011-05-19 09:42 · Score: 4, Informative

Denyhosts also. I just set this up after finding over 40,000 failed ssh attempts in the last 3 days.
Re:ftp sends passwords in cleartext; sftp+denyhost by alostpacket · 2011-05-19 10:05 · Score: 5, Funny

That would be like retrofitting a tricycle to make it supersonic.
So you're saying it would be totally awesome?

--
PocketPermissions Android Permission Guide
The longer answer. by Tatarize · 2011-05-19 10:17 · Score: 4, Insightful

The longer answer is do anything you want. I highly recommend spending a lot of time to configure an "administrator" login. Then have it take one to a fake directory with nothing important. Wait until that IP drops off the inevitable giant pile of files to be shared with other people, and then when all the stuff is uploaded. Disable it and keep the files. It seems like pretending to be there for a short while could get you many gigabytes of something. It would be like peer to peer in reverse.

--

It is no longer uncommon to be uncommon.
1. Re:The longer answer. by diodeus · 2011-05-19 13:42 · Score: 5, Funny
  
  Years ago we found our FTP server was full. It was hacked and contained all kinds of movies and xbox games. We just happened to like movies and xbox games, so we gave it a bit more space.