Ask Slashdot: FTP Server Honeypots?
An anonymous reader writes "I run an FTP server for a few dozen people, and it seems like every week I have a random IP address connect to my box and try guessing 'Administrator' passwords once every five seconds or so. This poses no real risk to me, since all my accounts have custom (uncommon) names. But if this is happening to me, I would wager lots of people are at risk of low-level, persistent, long-term password cracking attempts. Is there a way to report the perpetrators, or any action we can take to address this kind of danger?"
Worst thing is the bandwidth drain (Score:4, Interesting)
If your security is even modest as far as passwords go, there is no need to worry. More sophisticated attacks using coordinated botnets are the really scary thing, but they can be countered by limiting the number of login attempts per second/minute. But it's all just extended dictionary attacks. Only someone really dedicated does brute force. This is the equivalent of someone going through a parking lot and checking to see if anyone left their door unlocked and/or their keys inside the car. If you can just change the port used for FTP, it cuts it down by 99 percent.
The problem is the bandwidth. You have to pay for it anyway, even if your server doesn't acknowledge it. Someone really dedicated using a botnet can easily give you overage charges.
Re:No (Score:4, Interesting)
We use honeypots purely for denyhosts purposes. These are machines which are not in DNS and should never have machines connect to them. If a machine connects, we assume that it's malicious and add it to a blocklist which is shared amongst the rest of our machines. No one ever gets into the honeypot. One could wait for a failed login attempt to occur (it would be a little more generous to scanners who aren't trying to break in); it's just a tradeoff. We're much harsher.
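The "limit the number of login attempts" advice and the "count failures, build a blocklist" approach discussed in this thread, as an added example (not code posted by any commenter): a POSIX shell script that tallies failed sshd and vsftpd logins per source IP from constructed sample log lines, applies a threshold, skips an allowlist so the admin cannot lock themselves out, and prints the hosts.deny entries and null routes as a dry run. The log line formats, IP addresses (documentation ranges) and the use of `ip route add blackhole` in place of the older `route add -host ... gw 127.0.0.1` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Counts failed logins per source IP
# in sshd/vsftpd log lines and prints the block actions as a dry run.
#
# Constructed sample log lines (formats approximate sshd/vsftpd syslog output
# but were written for this example; the IPs are documentation ranges).
SAMPLE_LOG='Mar 12 03:14:01 ftp1 sshd[2123]: Failed password for invalid user administrator from 198.51.100.7 port 51234 ssh2
Mar 12 03:14:06 ftp1 sshd[2123]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Mar 12 03:14:11 ftp1 vsftpd[2200]: [Administrator] FAIL LOGIN: Client "198.51.100.7"
Mar 12 03:14:30 ftp1 vsftpd[2201]: [alice] FAIL LOGIN: Client "203.0.113.9"
Mar 12 03:14:45 ftp1 vsftpd[2202]: [alice] OK LOGIN: Client "203.0.113.9"
Mar 12 03:15:02 ftp1 sshd[2130]: Failed password for root from 192.0.2.44 port 40000 ssh2
Mar 12 03:15:07 ftp1 sshd[2131]: Failed password for root from 192.0.2.44 port 40001 ssh2
Mar 12 03:15:12 ftp1 sshd[2132]: Failed password for root from 192.0.2.44 port 40002 ssh2
Mar 12 03:15:17 ftp1 sshd[2133]: Failed password for root from 192.0.2.44 port 40003 ssh2'

# failed_login_ips LOGTEXT THRESHOLD
# Prints, sorted, every source IP with at least THRESHOLD failed logins.
# Successful logins are ignored, so a user who mistypes once is not treated
# as an attacker unless they keep failing.
failed_login_ips() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            # sshd: "... from <ip> port <n> ssh2"; take the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        /vsftpd\[[0-9]+\]: .*FAIL LOGIN: Client/ {
            # vsftpd: the last field is the quoted client address
            ip = $NF; gsub(/"/, "", ip); n[ip]++
        }
        END { for (ip in n) if (n[ip] >= thr) print ip }
    ' | sort
}

# block_plan LOGTEXT THRESHOLD ALLOWLIST
# ALLOWLIST is a newline-separated list of addresses that must never be
# blocked (your own workstation, the monitoring host), so a fat-fingered
# password cannot lock the admin out. Output is the hosts.deny entry and the
# null-route command for each offender; nothing is executed here.
# "ip route add blackhole" stands in for the thread's
# "route add -host ... gw 127.0.0.1" and is an assumption of this example.
block_plan() {
    failed_login_ips "$1" "$2" | while IFS= read -r ip; do
        if printf '%s\n' "$3" | grep -qxF -- "$ip"; then
            printf '# skipping allowlisted %s\n' "$ip"
        else
            printf 'ALL: %s\n' "$ip"
            printf 'ip route add blackhole %s/32\n' "$ip"
        fi
    done
}

# Dry run over the sample: three or more failures, with 203.0.113.9 allowlisted.
block_plan "$SAMPLE_LOG" 3 "203.0.113.9"
```

To act on the plan, append the `ALL:` lines to /etc/hosts.deny and run the route commands as root. Run it from cron over the last few minutes of the log rather than in an endless loop, and expire the routes after a while: the addresses behind these scans are mostly dynamic, so a permanent null route eventually blocks whoever inherits the IP.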
shell script to auto null route brute force attack (Score:3, Interesting)
----begin----
#!/bin/bash
# script to sense bad ssh or ftp login tries from the same ip address
while [ 1 ];
do
# block known linux service user accounts ssh attempts
previous=0;
i=0;
for badip in `awk '/sshd/ &&
do
if ! `grep -q $badip
echo "ALL: $badip" >>
echo "route add -host $badip gw 127.0.0.1" >>
route add -host $badip gw 127.0.0.1;
fi
done
# null route any attempt at non-existant users for ssh attempts
previous=0;
i=0;
for badip in `awk '/sshd/ &&
do
if ! `grep -q $badip
echo "ALL: $badip" >>
echo "route add -host $badip gw 127.0.0.1" >>
route add -host $badip gw 127.0.0.1;
fi
done
# scan for behavior - probe ssh then try password
previous=0;
i=0;
# first loop- check for ssh probe
for badip in `awk '/sshd/ &&
do
if [ $previous == $badip ]; then
i=`expr $i + 1`;
# echo "in spoofed checker $badip $i"
else
i=0;
fi
#echo "these are the bad ip addresses: $badip $previous $i";
previous=$badip;
done
# end first for loop
#start second loop - check for failed logins
for badip2 in `grep $badip
do
if [ $previous == $badip2 ]; then
i=`expr $i + 1`;
# echo "in spoofed checker $badip2 $i"
else
i=0;
fi
if [ $i -ge 3 ]; then