Ask Slashdot: FTP Server Honeypots? 298

An anonymous reader writes "I run an FTP server for a few dozen people, and it seems like every week I have a random IP address connect to my box and try guessing 'Administrator' passwords once every five seconds or so. This poses no real risk to me, since all my accounts have custom (uncommon) names. But if this is happening to me, I would wager lots of people are at risk of low level, persistent, long term password cracking attempts. Is there a way to report the perpetrators, or any action we can take to address this kind of danger?"
  • by DWMorse ( 1816016 ) on Thursday May 19, 2011 @05:26PM (#36184834) Homepage

    Proactively? Not really. The systems used for this are typically overseas, in countries that more or less don't care.

    However, you -can- configure your server to disregard even initial connection attempts from specific ranges of IP addresses. I solved a lot of this on my own home FTP server by (sorry comrades) telling my server to ignore connection attempts from Russia and China.

    Upon doing so, it went from a daily occurrence, to maybe one attempt a month. Usually less.

    And, if a friend ever needs to FTP in from one of these countries, it's a simple enough rule change.

  • Re:No (Score:0, Insightful)

    by Anonymous Coward on Thursday May 19, 2011 @05:31PM (#36184882)
    Change to a nonstandard port and switch to sftp or webdav over https. In my case, this resulted in no more overfilled logs of sshd failed logins (hilariously, in this context, it was the unlogged successful that I really needed to know, since it was just a fishing expedition). Moving to a nonstandard port means that you'll know that the attacks are targeted, and allows you to respond accordingly. It isn't security through obscurity, because you are going to be using an actually secure mechanism.
  • Re:ssh is the same (Score:3, Insightful)

    by maswan ( 106561 ) <slashdot2&maswan,mw,mw> on Thursday May 19, 2011 @05:37PM (#36184978) Homepage

    Stop allowing password-based access. There is no way anyone is going to be able to guess a key by connecting and trying them.

  • SFTP. It's 2011. (Score:4, Insightful)

    by bedouin ( 248624 ) on Thursday May 19, 2011 @06:16PM (#36185404)

    Unless you're running an anonymous FTP to download Linux ISOs or something there's no need for it.

    Cyberduck for OS X, FileZilla for Windows, and gFTP all do SFTP and are free. If you're already using SFTP then only allow specific users and disable root access. Key authentication is ideal like others have mentioned but sometimes a hassle.

    The first (and hopefully last) time I was rooted was in '99 on a Red Hat box through FTP using a buffer overflow. Since then I learned my lesson.

  • The longer answer. (Score:5, Insightful)

    by Tatarize ( 682683 ) on Thursday May 19, 2011 @06:17PM (#36185434) Homepage

    The longer answer is do anything you want. I highly recommend spending a lot of time to configure an "administrator" login. Then have it take one to a fake directory with nothing important. Wait until that IP drops off the inevitable giant pile of files to be shared with other people, and then, when all the stuff is uploaded, disable it and keep the files. It seems like pretending to be there for a short while could get you many gigabytes of something. It would be like peer to peer in reverse.

  • Re:ssh is the same (Score:5, Insightful)

    by icebraining ( 1313345 ) on Thursday May 19, 2011 @06:51PM (#36185796) Homepage

    Proper security measures and changing port is better than having only the former.

  • by glassware ( 195317 ) on Thursday May 19, 2011 @08:26PM (#36186696) Homepage Journal

    I'm the guy who posted (accidentally sent it in via anonymous).

    1) I like the idea of programs like DenyHosts and Fail2Ban; as some people mentioned FileZilla also has a nifty "auto-ban" option which I've used too. I specifically like using a shared list of bad hosts; that was really what I was asking for, so thank you all! Totally answered my question.

    2) Switching from FTP is indeed an option. I originally started by using FTPS, which is nicely supported by FileZilla but not by many other programs. The trouble was that many users had routing difficulties and were unable to reach the FTPS server from their location. The worst part was that many routing difficulties were transient: when they were at the office it would fail, when they were at Starbucks it would work, when they were at a hotel it would fail, etc.

    3) I would wager that SFTP is pretty much the right solution. I figure I'll get started on looking for an SFTP replacement for FileZilla server.
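
Added example (not part of the thread, and not how Fail2Ban or DenyHosts are implemented): a minimal auto-ban check for the situation in the question, where every real account has an uncommon name, so failed logins for names like 'Administrator' can trip a lower threshold than a real user's mistyped password. The log format, the account name `kq_marta`, the thresholds and the function name are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a made-up log format (not any real FTP server's output).
SAMPLE_LOG = """\
2011-05-19 17:00:00 203.0.113.7 LOGIN FAIL user=Administrator
2011-05-19 17:00:05 203.0.113.7 LOGIN FAIL user=Administrator
2011-05-19 17:00:10 203.0.113.7 LOGIN FAIL user=Administrator
2011-05-19 17:00:12 198.51.100.4 LOGIN FAIL user=kq_marta
2011-05-19 17:00:15 203.0.113.7 LOGIN FAIL user=admin
2011-05-19 17:03:40 198.51.100.4 LOGIN OK user=kq_marta
2011-05-19 18:30:00 192.0.2.55 LOGIN FAIL user=root
"""

LINE = re.compile(r"^(\S+ \S+) (\S+) LOGIN (OK|FAIL) user=(\S+)$")

def find_offenders(log_text, valid_users, max_fails=5, max_unknown=3,
                   window=timedelta(minutes=10)):
    """Return {ip: (kind, failures)} for addresses that crossed a threshold.

    Failures for account names that do not exist are counted separately and
    use the lower max_unknown limit; both counts use a sliding time window.
    """
    recent = defaultdict(deque)  # (ip, kind) -> timestamps of recent failures
    offenders = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        # Skip unparseable lines, successful logins and already-flagged IPs.
        if not m or m.group(3) != "FAIL" or m.group(2) in offenders:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip, user = m.group(2), m.group(4)
        kind = "known" if user in valid_users else "unknown"
        limit = max_fails if kind == "known" else max_unknown
        q = recent[(ip, kind)]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= limit:
            offenders[ip] = (kind, len(q))
    return offenders

if __name__ == "__main__":
    for ip, (kind, n) in find_offenders(SAMPLE_LOG, {"kq_marta"}).items():
        print(f"ban {ip}: {n} failed logins for {kind} accounts")
```

The returned addresses are what would be handed to a firewall rule or to the server's own ban list.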
