Security IT

Ask Slashdot: FTP Server Honeypots?

An anonymous reader writes "I run an FTP server for a few dozen people, and it seems like every week I have a random IP address connect to my box and try guessing 'Administrator' passwords once every five seconds or so. This poses no real risk to me, since all my accounts have custom (uncommon) names. But if this is happening to me, I would wager lots of people are at risk of low-level, persistent, long-term password cracking attempts. Is there a way to report the perpetrators, or any action we can take to address this kind of danger?"
  • by BlueCoder ( 223005 ) on Thursday May 19, 2011 @05:43PM (#36185070)

    If your security is even modest as far as passwords go, there is no need to worry. More sophisticated attacks using coordinated botnets are the really scary thing, but they can be countered by limiting the number of login attempts per second/minute. But it's all just extended dictionary attacks. Only someone really dedicated does brute force. This is the equivalent of someone going through a parking lot and checking to see if anyone left their door unlocked and/or keys inside their car. If you can just change the port used for FTP, it cuts it down by 99 percent.

    The problem is the bandwidth. You have to pay for it anyway. Even if your server doesn't acknowledge it. Someone really dedicated using a bot net can easily give you overage charges.

  • Re:Yep, (Score:4, Interesting)

    by zebs ( 105927 ) on Thursday May 19, 2011 @06:10PM (#36185340) Homepage
    Hmmm, on the systems I help look after we occasionally see large numbers of RDP sessions with invalid logons. On some rare occasions we've been able to RDP to the source IP (get to the logon screen). Gives me the impression that it's a bot.
  • Re:No (Score:4, Interesting)

    by Sancho ( 17056 ) * on Thursday May 19, 2011 @06:38PM (#36185632) Homepage

    We use honeypots purely for denyhosts purposes. These are machines which are not in DNS and should never have machines connect to them. If a machine connects, we assume that it's malicious and add it to a blocklist which is shared amongst the rest of our machines. No one ever gets into the honeypot. One could wait for a failed login attempt to occur (it would be a little more generous to scanners who aren't trying to break in); it's just a tradeoff. We're much harsher.
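A minimal version of the connect-and-blocklist decoy described in this comment, added here as an example; it is not Sancho's code and not denyhosts. It assumes a loopback listener, an FTP-style USER/PASS exchange that always answers 530, and an in-memory blocklist standing in for the one shared between hosts. The `block_on_connect` flag switches between the "harsh" policy (any connection gets listed) and the "generous" one (only a failed login does).

```python
"""Decoy-listener blocklist, as an added example (not the commenter's code and not
denyhosts). Assumes the decoy address is absent from DNS and never used
legitimately, so either policy from the comment can apply: list the source on
any connection, or only once a login attempt fails."""
import socket
import threading


class SharedBlocklist:
    """In-memory stand-in for the list the comment shares between hosts."""

    def __init__(self):
        self._entries = {}  # ip -> first reason seen

    def add(self, ip, reason):
        self._entries.setdefault(ip, reason)

    def contains(self, ip):
        return ip in self._entries

    def reason(self, ip):
        return self._entries[ip]


class HoneypotPolicy:
    """block_on_connect=True is the 'harsh' policy; False waits for a failed login."""

    def __init__(self, blocklist, block_on_connect=True):
        self.blocklist = blocklist
        self.block_on_connect = block_on_connect

    def on_connect(self, ip):
        if self.block_on_connect:
            self.blocklist.add(ip, "connected to honeypot")

    def on_failed_login(self, ip, user):
        self.blocklist.add(ip, f"failed login as {user!r} on honeypot")


def handle_one(srv, policy, timeout=5.0):
    """Accept one client, run a minimal FTP-style dialogue that always rejects
    the login (nobody ever gets in), and report events to the policy."""
    srv.settimeout(timeout)
    conn, (peer_ip, _) = srv.accept()
    policy.on_connect(peer_ip)
    user, buf = "", b""
    with conn:
        conn.settimeout(timeout)
        conn.sendall(b"220 FTP service ready\r\n")
        while True:
            try:
                chunk = conn.recv(1024)
            except socket.timeout:
                return peer_ip
            if not chunk:
                return peer_ip
            buf += chunk
            while b"\r\n" in buf:  # commands are CRLF-terminated lines
                line, buf = buf.split(b"\r\n", 1)
                verb, _, arg = line.decode("ascii", "replace").partition(" ")
                verb = verb.upper()
                if verb == "USER":
                    user = arg
                    conn.sendall(b"331 Password required\r\n")
                elif verb == "PASS":
                    policy.on_failed_login(peer_ip, user)
                    conn.sendall(b"530 Login incorrect\r\n")
                    return peer_ip
                elif verb == "QUIT":
                    conn.sendall(b"221 Goodbye\r\n")
                    return peer_ip
                else:
                    conn.sendall(b"530 Please login with USER and PASS\r\n")


def run_scenario(block_on_connect, attempt_login):
    """Drive one loopback client against a throwaway decoy and return the
    blocklist, so the effect of each policy can be inspected."""
    blocklist = SharedBlocklist()
    policy = HoneypotPolicy(blocklist, block_on_connect)
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    worker = threading.Thread(target=handle_one, args=(srv, policy, 3.0))
    worker.start()
    with socket.create_connection(("127.0.0.1", port), timeout=3.0) as client:
        client.recv(1024)  # banner
        client.sendall(b"USER Administrator\r\nPASS guess\r\n" if attempt_login else b"QUIT\r\n")
        client.recv(1024)
    worker.join()
    srv.close()
    return blocklist
```

`run_scenario(True, False)` lists 127.0.0.1 after a bare connect-then-QUIT; `run_scenario(False, False)` does not, and `run_scenario(False, True)` lists it only once the PASS is rejected. In a real deployment the listener would bind the unadvertised address instead of loopback, and `SharedBlocklist.add` would write to hosts.deny or push the entry to the other hosts.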

  • by Kamphor ( 609888 ) on Thursday May 19, 2011 @09:27PM (#36187178)
    Guess it's time to give back to the community... a few years ago, I wrote a custom script to continually tail out lines at a time from /var/log/auth.log and null route the bad IPs. To date, I have 4316 IPs null routed. I have the following script running as a background job initiated from /etc/rc.local; hope this is helpful to people.

    ----begin----
    #!/bin/bash
    # script to sense bad ssh or ftp login tries from the same ip address
    # Runs forever; every pass re-reads the log, so the sleep at the bottom keeps
    # it from spinning. Needs root (writes hosts.deny and adds routes).
    LOG=/var/log/auth.log
    DENY=/etc/hosts.deny
    ROUTEFILE=/etc/routeblock.sh

    # Add an address to hosts.deny, record the route so it can be replayed after
    # a reboot, and null-route it now. Addresses already listed are skipped.
    block_ip() {
        local ip="$1"
        if ! grep -qx "ALL: $ip" "$DENY"; then
            echo "ALL: $ip" >> "$DENY"
            echo "route add -host $ip gw 127.0.0.1" >> "$ROUTEFILE"
            route add -host "$ip" gw 127.0.0.1
        fi
    }

    # Pull the address that follows "from" instead of a fixed awk column: the
    # column shifts when sshd logs "Failed password for invalid user NAME from IP".
    from_ip() { grep -Eo 'from [0-9]+(\.[0-9]+){3}' | awk '{print $2}'; }

    while true; do
        # block known linux service user accounts ssh attempts
        for badip in $(awk '/sshd/ && /Failed password for /' "$LOG" \
                       | egrep -i "root|bin|daemon|adm|lp|sync|shutdown|halt|mail|news|uucp|operator|games|rpm|vcsa|rpc|xfs|apache|rpcuser|sshd|ftp|kamphor|named|messagebus|haldaemon|ntp|openvpn|x11|polkituser|avahi|avahi-autoipd|htdig|pulse" \
                       | from_ip | tail -100 | sort -u); do
            block_ip "$badip"
        done

        # null route any attempt at non-existent users for ssh attempts
        for badip in $(awk '/sshd/ && /invalid user/' "$LOG" | from_ip | tail -100 | sort -u); do
            block_ip "$badip"
        done

        # scan for behavior - probe ssh then try password
        previous=0
        i=0
        badip=""
        # first loop - check for ssh probe: count consecutive probes from one address
        for badip in $(awk '/sshd/ && /not receive identification string/' "$LOG" | from_ip | tail -2); do
            if [ "$previous" = "$badip" ]; then
                i=$((i + 1))
            else
                i=0
            fi
            previous=$badip
        done
        # end first for loop
        # start second loop - check for failed logins from the last probing address
        # ($badip still holds it; the placeholder keeps grep from matching every line when no probe was seen)
        for badip2 in $(grep -F -- "${badip:-__none__}" "$LOG" | awk '/sshd/ && /Failed/' | from_ip | tail -2); do
            if [ "$previous" = "$badip2" ]; then
                i=$((i + 1))
            else
                i=0
            fi
            if [ $i -ge 3 ]; then
                # the post is cut off here; the action is reconstructed from the two blocks above
                block_ip "$badip2"
            fi
        done
        sleep 60   # (added) the posted script has no delay between passes
    done
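The same three rules as the script above, reworked as an added example in Python; this is not Kamphor's code. It parses constructed auth.log-style lines with regular expressions rather than awk column numbers (which shift when sshd inserts "invalid user" into the message), compares hosts.deny entries exactly instead of with a substring `grep -q`, and only renders the hosts.deny lines and `ip route add blackhole` commands rather than executing them. The vsftpd-style `FAIL LOGIN` pattern is an assumption about that daemon's log format, as is the trimmed list of system accounts.

```python
"""Log-driven blocklisting, as an added example (not the commenter's script).
Parses constructed auth.log-style lines, applies three rules modelled on the
script in this thread, and renders (never runs) the hosts.deny entries and
null-route commands. Regexes replace awk field numbers, which shift when sshd
inserts "invalid user" into the message."""
import re
from collections import Counter, defaultdict

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [  # first match wins, so the most specific sshd line comes first
    ("failed_password", re.compile(
        r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from " + IP)),
    ("invalid_user", re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from " + IP)),
    ("no_ident", re.compile(r"sshd\[\d+\]: Did not receive identification string from " + IP)),
    # Assumed vsftpd.log-style line; adapt to what your FTP daemon actually writes.
    ("ftp_fail", re.compile(r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "' + IP + '"')),
]
# Accounts no remote user should log in as (the script's egrep list, trimmed).
SYSTEM_ACCOUNTS = {"root", "bin", "daemon", "adm", "lp", "mail", "news", "uucp", "operator",
                   "games", "ftp", "sshd", "apache", "ntp", "administrator"}


def parse_line(line):
    """Return (event, ip, user) for a recognised line, else None."""
    for event, rx in PATTERNS:
        m = rx.search(line)
        if not m:
            continue
        d = m.groupdict()
        if event == "failed_password" and d.get("invalid"):
            event = "invalid_user"  # password tried for a user that does not exist
        return event, d["ip"], d.get("user")
    return None


def tally(lines):
    """Per-IP event counts plus the usernames each IP tried (lower-cased)."""
    counts, users = defaultdict(Counter), defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        event, ip, user = parsed
        counts[ip][event] += 1
        if user:
            users[ip].add(user.lower())
    return counts, users


def decide(counts, users, threshold=3):
    """The script's three rules: system-account attempt, nonexistent-user attempt,
    or an identification-string probe followed by `threshold` failed logins."""
    decisions = {}
    for ip, c in counts.items():
        failures = c["failed_password"] + c["invalid_user"] + c["ftp_fail"]
        hit = users.get(ip, set()) & SYSTEM_ACCOUNTS
        if hit:
            decisions[ip] = "tried system account(s): " + ", ".join(sorted(hit))
        elif c["invalid_user"]:
            decisions[ip] = "tried nonexistent user(s)"
        elif c["no_ident"] and failures >= threshold:
            decisions[ip] = f"probe then {failures} failed logins"
    return decisions


def render_actions(decisions, existing_deny):
    """hosts.deny lines and null-route commands for IPs not already denied. Exact
    comparison avoids the substring problem of `grep -q $ip` (203.0.113.5 also
    matches 203.0.113.50)."""
    denied = {l.split(":", 1)[1].strip() for l in existing_deny if l.startswith("ALL:")}
    deny_lines, route_cmds = [], []
    for ip in sorted(decisions):
        if ip not in denied:
            deny_lines.append(f"ALL: {ip}")
            route_cmds.append(f"ip route add blackhole {ip}")
    return deny_lines, route_cmds


# Constructed sample lines in auth.log style (not real traffic).
SAMPLE_LOG = [
    "May 19 17:43:01 ftp1 sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "May 19 17:43:10 ftp1 sshd[1250]: Invalid user oracle from 198.51.100.7",
    "May 19 17:43:11 ftp1 sshd[1250]: Failed password for invalid user oracle from 198.51.100.7 port 40001 ssh2",
    "May 19 17:43:15 ftp1 sshd[1260]: Did not receive identification string from 192.0.2.9",
    "May 19 17:43:20 ftp1 sshd[1261]: Failed password for bob from 192.0.2.9 port 40100 ssh2",
    "May 19 17:43:25 ftp1 sshd[1262]: Failed password for bob from 192.0.2.9 port 40101 ssh2",
    "May 19 17:43:30 ftp1 sshd[1263]: Failed password for bob from 192.0.2.9 port 40102 ssh2",
    "May 19 17:43:40 ftp1 sshd[1270]: Failed password for alice from 192.0.2.10 port 40200 ssh2",
    'Thu May 19 17:44:00 2011 [pid 2222] [Administrator] FAIL LOGIN: Client "192.0.2.11"',
    "May 19 17:45:00 ftp1 CRON[100]: pam_unix(cron:session): session opened for user root by (uid=0)",
]
EXISTING_DENY = ["ALL: 203.0.113.5"]  # constructed /etc/hosts.deny contents


def demo(lines=SAMPLE_LOG, existing_deny=EXISTING_DENY):
    """Run the pipeline; returns (decisions, hosts.deny lines, route commands)."""
    counts, users = tally(lines)
    decisions = decide(counts, users)
    return (decisions,) + render_actions(decisions, existing_deny)
```

On the sample lines, `demo()` flags 203.0.113.5 (root), 198.51.100.7 (nonexistent user), 192.0.2.9 (probe plus three failures) and 192.0.2.11 (Administrator over FTP), leaves 192.0.2.10 alone because a single failure with no probe is below the threshold, and emits no new action for 203.0.113.5 because it is already in the constructed hosts.deny.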
