
Ask Slashdot: FTP Server Honeypots?

timothy posted more than 3 years ago | from the said-the-spider-to-the-vandal dept.

Security 298

An anonymous reader writes "I run an FTP server for a few dozen people, and it seems like every week I have a random IP address connect to my box and try guessing 'Administrator' passwords once every five seconds or so. This poses no real risk to me, since all my accounts have custom (uncommon) names. But if this is happening to me, I would wager lots of people are at risk of low level, persistent, long term password cracking attempts. Is there a way to report the perpetrators, or any action we can take to address this kind of danger?"


No (1)

Anonymous Coward | more than 3 years ago | (#36184792)

Really, that's the short answer.

Re:No (1)

man_of_mr_e (217855) | more than 3 years ago | (#36184812)

And the long answer. All you can do is firewall, and use things like fail2ban.

Re:No (0, Insightful)

Anonymous Coward | more than 3 years ago | (#36184882)

Change to a nonstandard port and switch to sftp or webdav over https. In my case, this resulted in no more overfilled logs of sshd failed logins (hilariously, in this context, it was the unlogged successful ones that I really needed to know about, since it was just a fishing expedition). Moving to a nonstandard port means that you'll know that the attacks are targeted, and allows you to respond accordingly. It isn't security through obscurity, because you are going to be using an actually secure mechanism.

Re:No (4, Informative)

0100010001010011 (652467) | more than 3 years ago | (#36185054)

Denyhosts [sourceforge.net] also. I just set this up after finding over 40,000 failed ssh attempts in the last 3 days.

Re:No (2)

QuasiEvil (74356) | more than 3 years ago | (#36185414)

Denyhosts is the bomb. Seriously, I get weeks where I used to get hammered with ssh login dictionary attacks. Now, denyhosts nicely bans them, and best of all, it can share back with a central server so once somebody starts attacking a couple people, we all ban their asses. It's one of the first things I install on any new server. Seriously, I think I'm going to go send the DH guys another donation because they're so damned awesome.

DH is ssh-centric, though. For your FTP problem, fail2ban is better.

Re:No (2)

mlts (1038732) | more than 3 years ago | (#36185208)

That sums it up right there. Why? Lots of reasons:

1: A honeypot might get someone in legal hot water if someone then launches criminal activity from it. For example, if someone's honeypot was used for torrents or CP, it will be tough explaining to cops (or the RIAA's pet judge) that the owner knowingly allowed such activity to happen and hoping not to get found culpable/convicted.

2: FTP for anonymous downloads is one thing (assuming a hardened FTP server.) Anonymous uploads can be done too, provided you clean the incoming directory. FTP for users with passwords sent plaintext is just bad form. Use sftp, or scp for this.

3: Before '97, you could call an ISP or other domain and deal with someone who would be ready/willing/able to stop someone hacking from a site. These days, nobody cares, especially offshore domains. IP address banning is noble, but just not running the service unless needed is the best bet.

4: Even with IP banning, it won't do much. Blackhats have a crapload of bots on wide IP ranges. Better to just figure out what ranges to allow and deny everyone else.

5: Passwords should never be used anyway. Use S/Key or OPIE if one can't authenticate using two factor stuff. Best of all, use public key authentication over ssh. This way, there is no way a brute force attack could succeed, if the SSHGuard program or other anti-guessing daemon doesn't work.

Re:No (3, Interesting)

Sancho (17056) | more than 3 years ago | (#36185632)

We use honeypots purely for denyhosts purposes. These are machines which are not in DNS and should never have machines connect to them. If a machine connects, we assume that it's malicious and add it to a blocklist which is shared amongst the rest of our machines. No one ever gets in to the honeypot. One could wait for a failed login attempt to occur (it would be a little more generous to scanners who aren't trying to break in)--it's just a tradeoff. We're much harsher.

The longer answer. (4, Insightful)

Tatarize (682683) | more than 3 years ago | (#36185434)

The longer answer is do anything you want. I highly recommend spending a lot of time to configure an "administrator" login. Then have it take one to a fake directory with nothing important. Wait until that IP drops off the inevitable giant pile of files to be shared with other people, and then, when all the stuff is uploaded, disable it and keep the files. It seems like pretending to be there for a short while could get you many gigabytes of something. It would be like peer to peer in reverse.

ssh is the same (4, Funny)

bugs2squash (1132591) | more than 3 years ago | (#36184794)

About all you can do is briefly connect the Ethernet to a power outlet and hope that the tubes carry the high voltage across the interweb and fry their equipment. Of course, timing is everything.

Re:ssh is the same (3, Funny)

JustNiz (692889) | more than 3 years ago | (#36184934)

Mod parent up. Wow, this works really well!
Since briefly connecting my ethernet to the power socket I haven't had any hack attempts at all!! That must have showed them!!

Re:ssh is the same (0)

webmistressrachel (903577) | more than 3 years ago | (#36184950)

Is your NIC working still? Something tells me you don't check your mail much...

Re:ssh is the same (1)

cos(0) (455098) | more than 3 years ago | (#36184996)

*whoosh*

Re:ssh is the same (0)

webmistressrachel (903577) | more than 3 years ago | (#36185264)

Whoosh^2!

Re:ssh is the same (2, Insightful)

maswan (106561) | more than 3 years ago | (#36184978)

Stop allowing password-based access. There is no way anyone is going to be able to guess a key by connecting and trying them.

Re:ssh is the same (1)

InlawBiker (1124825) | more than 3 years ago | (#36185636)

That's a fine idea for private systems. For private servers I use only ssh with certificates. Poof, hack attempts are gone.

For a public facing FTP server the idea is to keep it easy. It should work with any FTP client out of the box with no configuration. In this case your only defense is to pick real usernames and long, quality passwords.

Re:ssh is the same (1)

RichM (754883) | more than 3 years ago | (#36185162)

Not sure why you'd run SSH over the standard port...

Re:ssh is the same (1)

Capt.DrumkenBum (1173011) | more than 3 years ago | (#36185554)

Security through obscurity. That works well. NOT!

Re:ssh is the same (1)

cowboy76Spain (815442) | more than 3 years ago | (#36185352)

I finally solved the issue of logs of failed logins with a way simpler method... in the initial message I tell everybody the root password.

Been years since I saw one of those pesky messages.

Yep, (1)

webmistressrachel (903577) | more than 3 years ago | (#36184800)

You can pwn their box...

Seriously though, if you report something like this to the Police in the UK they'll look at you like you're mad, so if they won't listen to the victim, why would they listen to a victim of revenge?

Re:Yep, (1)

Cryacin (657549) | more than 3 years ago | (#36185228)

Because they hate vigilantes. Hurts their business.

Re:Yep, (1)

Archangel Michael (180766) | more than 3 years ago | (#36185476)

The basis for social construct is that the collective does the work of the individual to prevent abuse. If the collective (police) won't do the work, then by default it returns back to the individual. But you're right, however the "they" you speak of is "us".

Re:Yep, (3, Interesting)

zebs (105927) | more than 3 years ago | (#36185340)

Hmmm, on the systems I help look after we occasionally see large numbers of RDP sessions with invalid logons. On some rare occasions we've been able to RDP to the source IP (get to the logon screen). Gives me the impression that it's a bot.

Re:Yep, (1)

SuricouRaven (1897204) | more than 3 years ago | (#36185422)

Because they'd spend many hours of police time and all the hassle of getting the ISP to hand over the address, and in all probability find some fourteen-year-old script kiddie who is playing with a brute-force program and password list he grabbed off of a site with two many Zs in the name.

Re:Yep, (0)

Anonymous Coward | more than 3 years ago | (#36185536)

with a brute-force program and password list he grabbed off of a site with two many Zs in the name

But English is a living language and it evolves over time. Get over it.

Re:Yep, (1)

webmistressrachel (903577) | more than 3 years ago | (#36185570)

And they should then punish that 14yo accordingly, preventing him from doing worse in the future.

I'm fed up with people being hassled by society for something harmless like smoking pot, while people make lame excuses for other people, who can get away with far worse because it's considered less harmful.

In the long run, which hurts others more, personal use of natural herbs or script kiddies and what script kiddies will become if they are allowed to continue to get away with it, and learn to become full-blown black-hatters? Add spammers to that and we've got a recipe for actively encouraging crime and criminals.

FBI? (0)

Anonymous Coward | more than 3 years ago | (#36184804)

I'm pretty sure that qualifies as unauthorized computer access and you could just hand over the IP addresses to the FBI.

Re:FBI? (0)

Anonymous Coward | more than 3 years ago | (#36184870)

They haven't gained access to the system, so there wasn't any unauthorized computer access.

Re:FBI? (0)

Anonymous Coward | more than 3 years ago | (#36184902)

I'm pretty sure that qualifies as unauthorized computer access and you could just hand over the IP addresses to the FBI.

I disagree, unless they successfully accessed the box or hacked in through some other means I don't think it's a criminal act. Besides, there is the 'reasonable doubt' thing, someone could have gotten the IP address of a dedicated server wrong and forgot their admin password and they are trying to brute force their way into their own server (It's a long shot, I know).

In response to the poster, I used to have a hosted dedicated server and would get the same connection attempts all day long. Make sure to run the server as a non-privileged user, keep the user passwords decently tough to crack, and keep your software up to date. If you do all that, you should be fine.

Re:FBI? (1)

hedwards (940851) | more than 3 years ago | (#36185246)

I'm pretty sure it doesn't. That would be like saying that turning the doorknob on somebody's home qualifies as breaking and entering.

Re:FBI? (2)

webmistressrachel (903577) | more than 3 years ago | (#36185408)

Surely trying every doorknob on a terraced street qualifies as intent to trespass and steal??

Probably not worth the effort (3, Informative)

The MAZZTer (911996) | more than 3 years ago | (#36184810)

They could easily be zombies or proxies you're seeing, especially zombies since it sounds automated.

Re:Probably not worth the effort (2)

bab72 (302207) | more than 3 years ago | (#36184976)

What? First, I had to worry about zombies eating my flesh - Now, I have to worry about them hacking into my FTP server, too?!?

Re:Probably not worth the effort (1)

Reservoir Penguin (611789) | more than 3 years ago | (#36185292)

I agree, looks like the dude is totally amateur and panicked over something he saw in the logs. Everyone has these automated scans. Rest easy, hackers are not targeting you specifically.

Fail2ban? (2)

gilgongo (57446) | more than 3 years ago | (#36184820)

I've used Fail2ban in the past:

http://www.fail2ban.org/wiki/index.php/Main_Page [fail2ban.org]

Re:Fail2ban? (1)

trainman (6872) | more than 3 years ago | (#36184874)

I second Fail2Ban, I've set my tripwire VERY tight for services. I also agree with the following post, SFTP, I'm phasing out FTP myself. About bloody time.

Re:Fail2ban? (1)

fuckface (32611) | more than 3 years ago | (#36184956)

In addition to Fail2ban I also make liberal use of iptables to permanently block large swaths of IP-space covering countries that I know I will never be doing business with nor plan to visit in this lifetime. For me these are mostly in eastern Europe, the middle east, and Asia. There are many web pages that provide IP lists of common offending countries.

On top of that I have an iptables rule that logs every non-http (ports 80 and 443, since those are already well logged by apache) connection attempt to the host so I can tally up the big offenders every week or two and add them to my ever-growing block list. I always keep a terminal in a screen session that runs a script which tails and formats a number of my system logs including this one (with pretty colors too!) so I can see what kind of activity is going on. I usually keep it running off to the side, half-hidden and when a brute-force attack comes in it catches my eye so I can squash the fucker immediately.

Re:Fail2ban? (1)

billcopc (196330) | more than 3 years ago | (#36185216)

Yep, I've been doing and saying this for years. If Asia, Russia, South America are not interesting markets for my site/service/product/email, I simply block the IP ranges from hitting the respective ports. I'm certainly not about to sell high-end gaming computers or consulting services to China, so they're more than welcome to find some other host to crack.

Re:Fail2ban? (1)

mirix (1649853) | more than 3 years ago | (#36185206)

Yeah, there are a few script package deals, fail2ban, denyhosts(?), etc.

Or you can just modify iptables / pf / whatever your firewall is directly. I've got a rule on pf to plonk any traffic on ssh if more than 3 connections are made in some amount of time.

Of course, all of these aren't immune to massive distributed attacks, as a billion * three attempts is still 3 billion attempts.

use SFTP and a certificate (0)

Anonymous Coward | more than 3 years ago | (#36184828)

1. Require your users to connect using SFTP.
2. Implement a signed-certificate with the SFTP server and share the cert file only with authorized individuals

Re:use SFTP and a certificate (1)

SeNtM (965176) | more than 3 years ago | (#36184884)

3. ?
4. Profit!

FTFY

Re:use SFTP and a certificate (1)

Opportunist (166417) | more than 3 years ago | (#36185080)

3 would probably be "charge for it". Since everything else is in place.

Well, not really... (4, Insightful)

DWMorse (1816016) | more than 3 years ago | (#36184834)

Proactively? Not really. The systems used for this are typically overseas, in countries that more or less don't care.

However, you -can- configure your server to disregard even initial connection attempts from specific ranges of IP addresses. I solved a lot of this on my own home FTP server by (sorry comrades) telling my server to ignore connection attempts from Russia and China.

Upon doing so, it went from a daily occurrence, to maybe one attempt a month. Usually less.

And, if a friend ever needs to FTP in from one of these countries, it's a simple enough rule change.

rate limit incoming connections based on IP (5, Informative)

Shakrai (717556) | more than 3 years ago | (#36184918)

Easier than banning every overseas IP, IMHO anyway. This is what I do for SSH:

# Allow SSH with a rate limit
iptables -A INPUT -i ppp0 -p tcp --syn --dport 22 -m hashlimit --hashlimit 15/hour --hashlimit-burst 3 --hashlimit-htable-expire 600000 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --syn --dport 22 -j LOG --log-prefix "[DROPPED SSH]: "
iptables -A INPUT -i ppp0 -p tcp --syn --dport 22 -j DROP

There may be a more eloquent way to do this but it gets the job done.
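To make the three hashlimit numbers above concrete, here is a token-bucket model of the match, added as an illustration; it is not from Shakrai's post or from the netfilter sources. It assumes the usual xt_hashlimit accounting (each source IP starts with `--hashlimit-burst` credits, earns one more every 1/rate seconds, and is forgotten after `--hashlimit-htable-expire` milliseconds of silence); the class and function names are my own, and nothing here touches the kernel.

```python
"""Token-bucket model of the iptables hashlimit match (added illustration).

Assumed semantics of xt_hashlimit: each source IP gets a bucket holding up to
--hashlimit-burst credits; one credit is added back every (1 / rate) seconds;
a SYN matches the ACCEPT rule only if a credit is available.  Entries idle for
--hashlimit-htable-expire milliseconds are dropped from the table.  Class and
function names are my own, and nothing here talks to netfilter.
"""

SECONDS_PER_HOUR = 3600.0


class HashLimit:
    """Per-source-IP token bucket, matching --hashlimit-mode srcip."""

    def __init__(self, rate_per_hour=15, burst=3, expire_ms=600000):
        self.refill_interval = SECONDS_PER_HOUR / rate_per_hour  # 240 s per credit at 15/hour
        self.burst = float(burst)
        self.expire = expire_ms / 1000.0
        self.buckets = {}  # srcip -> (credits, time of last update)

    def allow(self, srcip, now):
        """Return True if a SYN from srcip at time `now` (seconds) matches the ACCEPT rule."""
        credits, last = self.buckets.get(srcip, (self.burst, now))
        if now - last >= self.expire:
            credits, last = self.burst, now        # idle entry expired: fresh bucket
        credits = min(self.burst, credits + (now - last) / self.refill_interval)
        if credits >= 1.0:
            self.buckets[srcip] = (credits - 1.0, now)
            return True
        self.buckets[srcip] = (credits, now)       # no credit: falls through to LOG, then DROP
        return False


def simulate(events, **limits):
    """events: (seconds, srcip) pairs; returns the verdict for each, in time order."""
    hl = HashLimit(**limits)
    return [("ACCEPT" if hl.allow(ip, t) else "LOG+DROP") for t, ip in sorted(events)]


# Constructed sample: a guesser sends four SYNs in four seconds, tries again about
# four minutes later, while an unrelated host connects once.
SAMPLE_EVENTS = [
    (0, "198.51.100.7"), (1, "198.51.100.7"), (2, "198.51.100.7"), (3, "198.51.100.7"),
    (250, "198.51.100.7"),
    (5, "203.0.113.9"),
]

if __name__ == "__main__":
    for (t, ip), verdict in zip(sorted(SAMPLE_EVENTS), simulate(SAMPLE_EVENTS)):
        print(f"t={t:4d}s {ip:15s} {verdict}")
```

With the posted parameters the first three SYNs from a source are accepted, the fourth is logged and dropped, and the source gets one more SYN roughly every four minutes; a host that goes quiet for ten minutes starts over with a full burst, which is why the ban is annoying to a guesser rather than fatal to a legitimate user who mistypes once.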

Re:rate limit incoming connections based on IP (1)

cshake (736412) | more than 3 years ago | (#36185140)

Instead of adding the rules manually, I've been using fail2ban [fail2ban.org] for a few years now, and haven't had any problems. Well, except when I opened a shell to let my father upload pictures to my VPS, and he kept forgetting his password and getting locked out for a while.

It looks like it hasn't been updated in 2 years, but then again the iptables interface hasn't either, so no big deal.

Re:rate limit incoming connections based on IP (1)

Pharmboy (216950) | more than 3 years ago | (#36185182)

Have you ever thought of just running ssh on a port other than 22? I haven't used 22 in many years. We get tons of garbage attacks on the webserver, but I haven't had a single attempt on my ssh server in years. Not one. I still check the logs, but now it takes seconds instead of an hour. One less thing to have to worry about.

Putting ftp on a different port(s) is much more problematic, but changing sshd is trivial.

Re:Well, not really... (1)

LWATCDR (28044) | more than 3 years ago | (#36185090)

Every once in a while someone will do something. After checking my logs one day I found some attacks coming from a university in the UK. I sent that section of the log to the admin of the school. I got a nice email back thanking me for the email because it allowed him to find and fix the machine that was compromised.
Another option would be to write a script that would detect any attempt at admin access that fails more than three times and block the IP for a week or so.

Re:Well, not really... (0)

Anonymous Coward | more than 3 years ago | (#36185134)

Proactively? Not really. The systems used for this are typically overseas, in countries that more or less don't care.

You mean like in the USA. Sad but true.

Re:Well, not really... (1)

cc1984_ (1096355) | more than 3 years ago | (#36185148)

Proactively? Not really. The systems used for this are typically overseas, in countries that more or less don't care.

However, you -can- configure your server to disregard even initial connection attempts from specific ranges of IP addresses. I solved a lot of this on my own home FTP server by (sorry comrades) telling my server to ignore connection attempts from Russia and China.

Upon doing so, it went from a daily occurrence, to maybe one attempt a month. Usually less.

And, if a friend ever needs to FTP in from one of these countries, it's a simple enough rule change.

That's a pretty good idea. I take it you use the ip blocks given in http://www.ipdeny.com/ipblocks/ [ipdeny.com]

The only slight snag is that the IP I'm on at work in the UK doesn't seem to be listed, so I'm not sure how reliable this list is, although I guess a false negative is better than a false positive.

Re:Well, not really... (0)

Anonymous Coward | more than 3 years ago | (#36185236)

Just use fail2ban.
Whenever some attempts come from one IP, it will set an iptables rule to ban that IP for some time.

iptables-by-country (1)

bugi (8479) | more than 3 years ago | (#36185438)

Block by country dynamically: https://github.com/bugi/iptables-by-country [github.com]

It's a bit cobbled together, but it works for me.
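An added example (my own code, not bugi's script and not ipdeny's tooling) of how a country zone file like the ones fuckface and cc1984_ describe turns into firewall rules, including the allow-list exception DWMorse mentions for a friend who needs in from a blocked country. The zone contents are constructed from RFC 5737 documentation ranges rather than any real country, and the function names are assumptions.

```python
"""Country-range blocking from an ipdeny-style zone file (added illustration)."""
import ipaddress

# Constructed stand-in for a zone file such as ipdeny's xx.zone: one CIDR per line,
# comments and blank lines tolerated.  Documentation ranges only, not a real country.
SAMPLE_ZONE = """\
# xx.zone (constructed sample)
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24

"""


def load_zone(text):
    """Parse a zone file and collapse adjacent or overlapping prefixes into the fewest networks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return sorted(ipaddress.collapse_addresses(nets))


def _as_networks(items):
    """Accept CIDR strings or ip_network objects and return ip_network objects."""
    return [ipaddress.ip_network(i, strict=False) for i in items]


def is_blocked(ip, blocked_nets, allow_nets=()):
    """True if ip falls inside a blocked range and is not explicitly allowed.

    An address absent from the zone file is simply not blocked (fail open), which
    is the false-negative behaviour cc1984_ notes above: an incomplete list lets
    some traffic through, it never locks out a range that was not listed.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in _as_networks(allow_nets)):
        return False
    return any(addr in net for net in blocked_nets)


def iptables_rules(blocked_nets, allow_nets=(), port=21, chain="INPUT"):
    """Render the rules as command strings (returned, not executed).

    Allow rules are emitted first because iptables takes the first match, so a
    known friend inside a blocked range still gets through the DROP rules.
    """
    rules = []
    for net in _as_networks(allow_nets):
        rules.append(f"iptables -A {chain} -p tcp --dport {port} -s {net} -j ACCEPT")
    for net in blocked_nets:
        rules.append(f"iptables -A {chain} -p tcp --dport {port} -s {net} -j DROP")
    return rules


if __name__ == "__main__":
    blocked = load_zone(SAMPLE_ZONE)
    for rule in iptables_rules(blocked, allow_nets=["203.0.113.77/32"]):
        print(rule)
```

For a real zone file with thousands of prefixes you would load them into an ipset and reference the set from a single rule instead of emitting one rule per prefix, but the membership logic and the allow-before-drop ordering are the same.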

DISA or FBI (2)

HyTeK3000 (1951192) | more than 3 years ago | (#36184836)

I had a few meetings with local FBI cyber people, and they recommended for me to send things like that to either DISA or to them (the local field office for my area) Contact your local FBI field office and see what they say. If you can talk to their cyber division they are usually helpful. (usually...)

Re:DISA or FBI (1)

HyTeK3000 (1951192) | more than 3 years ago | (#36184904)

If it is a personal ftp server from your home ISP, then as others have said, NO. Any government agency won't care if someone is trying to hack you. However, if it is being hosted by a business' ISP, and especially if that business does ANY type of government contracting, then do contact a local field office.

Re:DISA or FBI (1)

SuricouRaven (1897204) | more than 3 years ago | (#36185470)

"Any government agency won't care if someone is trying to hack you"

Not unless you are someone of particular noteworthiness. A government official, a celebrity of any kind. Then you'll get their attention. Because the police know that even a famous singer will raise hell if they talk about how useless the police are.

Welcome to the internet (0)

Anonymous Coward | more than 3 years ago | (#36184844)

Welcome to the internet, not sure what took you so long to find it, but we're glad you did.

Denyhosts handles this for ssh (0)

Anonymous Coward | more than 3 years ago | (#36184846)

You could probably tweak it to work with FTP. It just parses the logs and looks for failed attempts, and blocks any IPs that have too many failures.

fake weather, murder mayhem crusades ending? (0)

Anonymous Coward | more than 3 years ago | (#36184852)

this is great. we were thinking we might have to tell the kids that things were not looking too secure. now we can tell them that our rulers have come to our senses, & the truth is going to help us out of our foibles. so that's really good news

our rulers said that? (0)

Anonymous Coward | more than 3 years ago | (#36184888)

not at all, but we know that our lives are more important than business deals, or keeping secrets

honeypots (1)

BigJClark (1226554) | more than 3 years ago | (#36184854)


I always found that honeypots also attracted MORE attention to the network, rather than serving as a tool of defense.

Essentially, even if you did get the police involved to the point where they could trace the hackers, chances are they are using some type of TOR technology, and the ones that aren't, the little bobby droptables of the world, probably aren't worth prosecuting.

Save yourself the headache and forgo the unnecessary risk and stress of honeypotting.

Public FTP today... (1)

jellomizer (103300) | more than 3 years ago | (#36184868)

I would recommend that you use SSH/SFTP instead of FTP. FTP is one of those old standards made before people realized that they could sniff networks and pull login names and passwords.

FTP and Telnet are one of those simple protocols; if you are worried about security, use HTTPS, SSH and SFTP.

Re:Public FTP today... (1)

tomm3h (1406683) | more than 3 years ago | (#36184932)

There is little point saying, "I think you should use $some_better_protocol" when 99% of the world's Dreamweaver/Frontpage users have no clue how any of it works anyway.

FTP is here to stay for a lot longer (despite no-one in the know enjoying this idea). So whilst we have to put up with it, we do need a good, widespread FTP honeypot system. It's a good bet that people like http://www.atomicorp.com [atomicorp.com] would be interested in contributing to such a thing.

Re:Public FTP today... (0)

Anonymous Coward | more than 3 years ago | (#36185044)

We're talking about FTPs and you talk about Dreamweaver/Frontpage, you don't seem to have any idea of how it works.

Re:Public FTP today... (1)

Opportunist (166417) | more than 3 years ago | (#36185104)

Put a simple "here's how to use SFTP, if you want to deal with me, use it" text file in the FTP Server, if you really feel like educating your partners. If you don't, just show them the finger if they're too stupid to use SFTP.

Sorry, but it's not my duty to explain security to people for free. I get paid for that.

Re:Public FTP today... (1)

tomm3h (1406683) | more than 3 years ago | (#36185146)

Congratulations on having no customers. Granted I agree with you in principle, but your customers definitely aren't mine and your approach is but a pipe-dream.

Educating the people we sell website hosting to, about the nature of protocols like SFTP, is a long and painful process.

Re:Public FTP today... (1)

Opportunist (166417) | more than 3 years ago | (#36185336)

Odd. Just yesterday I added an "S" to a project (in front of the "FTP") and nobody raised a concern, it was signed without a problem.

My partners don't care about protocols or technical tidbits. They care about a working interface. For them, using SFTP or FTP is the same as long as their interface delivers their data. If you're concerned with your customers, give them what they need to access your files instead of leaning back and complaining that you'd lose business if you increase security.

Re:Public FTP today... (1)

mortonda (5175) | more than 3 years ago | (#36185394)

This doesn't change the problem, brute force attempts come through on ssh too. All your solution does is transfer the question to a different port.

That said, I prefer scp myself.

SSH Blacklist (1)

tomm3h (1406683) | more than 3 years ago | (#36184894)

http://sshbl.org [sshbl.org] operates such a system for SSH brute force attacks. Perhaps it's worth asking them to extend their efforts?

Disclaimer: $dayjob supports them with a base VPS.

Revenge (0)

Anonymous Coward | more than 3 years ago | (#36184914)

You could *cough* retaliate *cough*. I have done this before: if the person is using premade scripts, you could accidentally have an unsecured area or a simple password like Fish with a datafile infected with a virus; hackers generally download everything they have access to.

Denyhosts (1)

TheRealKolossos (1573047) | more than 3 years ago | (#36184916)

Try Denyhosts (http://denyhosts.sourceforge.net/). It's not a honeypot but it will ban an address that keeps trying to log in with an invalid password. Better yet, have your users make longer passwords :)

Re:Denyhosts (1)

thebjorn (530874) | more than 3 years ago | (#36185046)

Seconded! I've set it up so it only accepts one failed ssh login attempt from an unknown ip address before it denies _all_ access. (I need to be able to log in while I'm on vacation, so I can't turn it all the way off...)

it's probably the US government (1)

decora (1710862) | more than 3 years ago | (#36184920)

seriously. read the HBGary emails dumped by anonymous. the guy was running crack programs against people he found on irc.

and this was a federal government contractor with millions in income.

it's only the tip of the iceberg.

James Bamford's book The Shadow Factory describes specifically how their new system, Turbulence, provides 'offensive' capabilities.

(coincidentally, two of the documents that whistleblower Thomas Drake is under Espionage Act indictment for were related to Turbulence)

I'm not saying the US govt is targeting you (1)

decora (1710862) | more than 3 years ago | (#36184958)

I'm saying there are probably a lot of people who work for the government who are doing a lot of 'testing' of their little toys on the unwitting civilian population. nothing makes this more clear than the HBGary emails.

Re:it's probably the US government (1)

Opportunist (166417) | more than 3 years ago | (#36185116)

So you mean I should disable the automated DDoS response to hack attempts?

Same problem, but for SSH. I use sshblacklist (0)

Anonymous Coward | more than 3 years ago | (#36184930)

SSH blacklist watches the SSH authentication requests. Once the attempts exceed a configurable threshold, I write those source addresses to an iptables rule that blacklists them.

I've blacklisted 133,649 unique IP addresses since starting back in 2009. BTW, zero actually got in :). Also, 95% source from Asia, I'm in California-US.

Just use non-standard ports (0)

Anonymous Coward | more than 3 years ago | (#36184946)

I have a personal server behind a firewall that only allows SSH connections through. After a while I got literally hundreds of login attempts for root, postmaster etc every day. There was no way anyone was going to get in this way since all but a few trusted user accounts were disallowed and password login was disabled but it was still annoying me. I switched from port 22 to some other random port and the problem went away. Presumably the zombies or script kiddies scan the net more or less randomly for standard services and so far they haven't found me again.

Sounds like fun (0)

Anonymous Coward | more than 3 years ago | (#36184986)

Jailed FTP server with fake plans for missiles and stuff on it. Six months and $1 million later, they fire it up and bubble-gum comes out the nozzle.

fail2ban or similar (1)

ravenspear (756059) | more than 3 years ago | (#36184994)

Personally I use the lfd daemon with the csf firewall script on my servers. fail2ban is similar.

People should not get unlimited attempts to connect to your services.

At the same time, you don't want to clog up your firewall rules with thousands of denied IPs, so I usually set the filter rather high so it will not impact real users (you would be surprised how many users need 10 or 15 attempts to guess their password if they forgot) but only people really performing a serious brute force password guessing attack.

Also you can use temporary to permanent blocking, where the perp is banned temporarily and rolls off the firewall ban after a few days when he has lost interest, and is only banned permanently if the attacks continue over a longer period.
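LWATCDR's "block the IP for a week after more than three failures" script, the Denyhosts-style log parsing described earlier in the thread, and the temporary-to-permanent escalation in this post are the same loop; here is one added Python sketch of it, my own code rather than any poster's and not fail2ban, Denyhosts or lfd. The sample log lines are constructed in vsftpd's log format; the thresholds, the `BanPolicy` name and the iptables command it returns are assumptions.

```python
"""Failed-login counter with temporary and permanent bans (added illustration).

Not fail2ban or Denyhosts: a sketch of the loop those tools run.  The log lines
are constructed in vsftpd's log format; thresholds, names and the iptables
command built at the end are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in vsftpd.log format: one source hammers administrator
# names, a legitimate user fumbles once and then logs in.
SAMPLE_LOG = """\
Thu May 19 10:00:01 2011 [pid 4321] [Administrator] FAIL LOGIN: Client "203.0.113.5"
Thu May 19 10:00:06 2011 [pid 4322] [Administrator] FAIL LOGIN: Client "203.0.113.5"
Thu May 19 10:00:11 2011 [pid 4323] [admin] FAIL LOGIN: Client "203.0.113.5"
Thu May 19 10:00:16 2011 [pid 4324] [Administrator] FAIL LOGIN: Client "203.0.113.5"
Thu May 19 10:00:20 2011 [pid 4325] [alice] FAIL LOGIN: Client "198.51.100.23"
Thu May 19 10:00:40 2011 [pid 4326] [alice] OK LOGIN: Client "198.51.100.23"
Thu May 19 10:01:00 2011 [pid 4327] [Administrator] FAIL LOGIN: Client "203.0.113.5"
"""

FAIL_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"$'
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_ts(text):
    """Parse a vsftpd timestamp such as 'Thu May 19 10:00:01 2011'."""
    return datetime.strptime(text, TS_FORMAT)


class BanPolicy:
    """More than max_fail failures inside `window` earns a temporary ban; another
    burst after that ban has rolled off makes the ban permanent."""

    def __init__(self, max_fail=3, window=timedelta(minutes=10),
                 temp_ban=timedelta(days=7), strikes_for_permanent=2):
        self.max_fail = max_fail
        self.window = window
        self.temp_ban = temp_ban
        self.strikes_for_permanent = strikes_for_permanent
        self.failures = defaultdict(deque)  # ip -> recent failure times
        self.strikes = defaultdict(int)     # ip -> bans issued so far
        self.bans = {}                      # ip -> expiry datetime, or None if permanent

    def record_failure(self, ip, when):
        """Feed one failed login; return 'temp-ban', 'permanent-ban' or None."""
        if ip in self.bans:
            if self.bans[ip] is None or when < self.bans[ip]:
                return None                 # already banned; nothing new to do
            del self.bans[ip]               # ban rolled off, start counting afresh
        recent = self.failures[ip]
        recent.append(when)
        while when - recent[0] > self.window:
            recent.popleft()                # forget failures older than the window
        if len(recent) <= self.max_fail:
            return None                     # a forgetful user stays under the bar
        recent.clear()
        self.strikes[ip] += 1
        if self.strikes[ip] >= self.strikes_for_permanent:
            self.bans[ip] = None
            return "permanent-ban"
        self.bans[ip] = when + self.temp_ban
        return "temp-ban"


def process_log(text, policy):
    """Run every FAIL LOGIN line through the policy; return (ip, action) for each ban."""
    actions = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue                        # OK LOGIN and other lines are ignored
        action = policy.record_failure(m["ip"], parse_ts(m["ts"]))
        if action:
            actions.append((m["ip"], action))
    return actions


def ban_command(ip, port=21):
    """The iptables invocation a daemon would run for a ban (returned, not executed)."""
    return ["iptables", "-I", "INPUT", "-p", "tcp", "--dport", str(port), "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    policy = BanPolicy()
    for ip, action in process_log(SAMPLE_LOG, policy):
        print(action, " ".join(ban_command(ip)))
```

A daemon built on this would also need to remove the rule when a temporary ban expires, and the threshold should be set with ravenspear's point in mind: a user who needs ten tries at a forgotten password must stay under it, which is why the window and count are parameters rather than constants.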

ftp sends passwords in cleartext; sftp+denyhosts (2)

bcrowell (177657) | more than 3 years ago | (#36185006)

You say this poses no real risk to you, because your passwords are immune to dictionary attacks. But ftp sends passwords in cleartext, so it actually does pose a risk to you if someone is able to sniff your packets on the public internet.

But anyway, if you feel that the risk to you is insignificant, then why are you asking the question? Are you asking it on behalf of other people who might want to security-harden their ftp servers? If those people are worried, why wouldn't they have already switched from ftp to sftp? And if they're running sftp, they can protect against attacks of the type you're describing by installing denyhosts: http://denyhosts.sourceforge.net/ Denyhosts does have a cooperative blacklisting facility of the type you were asking about.

I could be wrong, but since ftp is inherently insecure, I would be surprised if someone had created software with the same functionality as denyhosts that would work with ftp. That would be like retrofitting a tricycle to make it supersonic.

Re:ftp sends passwords in cleartext; sftp+denyhost (1)

gamanimatron (1327245) | more than 3 years ago | (#36185260)

retrofitting a tricycle to make it supersonic.

I like your ideas. Do you have a newsletter I could subscribe to?

Re:ftp sends passwords in cleartext; sftp+denyhost (5, Funny)

alostpacket (1972110) | more than 3 years ago | (#36185268)

That would be like retrofitting a tricycle to make it supersonic.

So you're saying it would be totally awesome?

Auto ban (0)

Anonymous Coward | more than 3 years ago | (#36185008)

Fail2ban is your friend.... http://www.fail2ban.org/

OSSEC maybe (1)

DataDiddler (1994180) | more than 3 years ago | (#36185012)

OSSEC will block IPs for however long you'd like when they fail on multiple SSH logins. I would assume it can be set up for FTP as well.

No. (1)

atari2600a (1892574) | more than 3 years ago | (#36185014)

Unless you're being fiscally damaged this isn't even news, just everyday IT whereabouts.

Change Ports! (2)

dclozier (1002772) | more than 3 years ago | (#36185050)

Most automated scans will not take the time to scan for open ports. (that I have experienced)

Also consider FTP with SSL / TLS like what can be done with vsftpd. http://vsftpd.beasts.org/ [beasts.org]

As mentioned elsewhere in this thread consider using Fail2ban which is easily configured for monitoring failed attempts at connecting to your server and can then block the IP after a configurable threshold is reached.

Reverse (0)

Anonymous Coward | more than 3 years ago | (#36185058)

You can reverse lookup the IP address, find out who owns the netblock and then report it to abuse@ the ISP that owns the block; it's normally against their terms of service. I once did this to a good ISP who cut a script kiddie off.

Nope (0)

Anonymous Coward | more than 3 years ago | (#36185064)

Is there a way to report the perpetrators, or any action we can take to address this kind of danger?

Not really, this is probably just an automated attempt to get access. Googling "how to maek an ftp server secure" is probably the best you can do here.

Try running an SSH server, you'll have people (bots) hammering it all the time, constantly. We just disable password based access and block any IPs engaging in overtly suspicious behaviour.

Worst thing is the bandwidth drain (3, Interesting)

BlueCoder (223005) | more than 3 years ago | (#36185070)

If your security is even modest as far as passwords there is no need to worry. More sophisticated attacks using coordinated bot nets are the really scary thing but can be countered by limiting the number of login attempts a second/minute. But it's all just extended dictionary attacks. Only someone really dedicated does brute force. This is the equivalent of someone going through a parking lot and checking to see if anyone left their door unlocked and/or keys inside their car. If you can just change the port used for ftp, it cuts it down by 99 percent.

The problem is the bandwidth. You have to pay for it anyway. Even if your server doesn't acknowledge it. Someone really dedicated using a bot net can easily give you overage charges.

Lots of Options Here (1)

avgjoe62 (558860) | more than 3 years ago | (#36185110)

Option 1 - set an access list on your border router and permit connections only from the networks of your users

Option 2 - eliminate FTP externally, make everyone connect via VPN and run FTP internally.

Option 3 - Option 1 plus SFTP rather than FTP.

There are more options of course. There are ways to mitigate the number of attacks, but you have to research and implement them. Good luck!

fail2ban FTW (0)

Anonymous Coward | more than 3 years ago | (#36185156)

I use fail2ban and have it set for 3 strikes and yer out for a week

When I see the failed login attempts to ssh or ftp I set up a script to login to their computer as user fuckyou over and over

1/2 the attempts originate from China, 1/4 from the Ukraine, 1/8 from Arab countries (not exact but close)


sftp? (1)

vampirbg (1092525) | more than 3 years ago | (#36185248)

Transfer everything to sftp, use keys and turn off user/pass authentication... It's as simple as that... Then they can keep guessing the password till the rest of their lives :)

I wrote a nice security script for that... (1)

Fallen Kell (165468) | more than 3 years ago | (#36185312)

Like you, I saw the same thing. That said, I also configured my system to respond as though it was a Windows 2000 server, when in reality it was a linux box, so it could try guessing "administrator" all it wants.... That said, I also wrote a script and cron job to parse all the access logs, keep counts of failed login attempts by IP address, subnet, and ISP block, and when they hit certain thresholds, update my firewall rules to reject all connections to that address, subnet, and ISP. I saw a lot of stuff coming out of China and Hong Kong for a long time there (probably other compromised systems), but I am not too worried.
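The log-parsing and firewall-updating script described in the comment above is not posted, so here is an added example of that approach (my own code, not Fallen Kell's). It counts FAIL LOGIN lines per client IP and per enclosing /24 and /16 prefix, then emits iptables rules for whichever prefixes cross a threshold, letting the widest blocked prefix suppress narrower rules inside it. The log lines are constructed in the style of vsftpd's vsftpd.log rather than taken from real traffic, the thresholds are arbitrary, and the /16 is only a stand-in for an "ISP block" (mapping an address to its real allocation needs whois data, which is left out here). The rules are returned as strings rather than executed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the style of vsftpd's log format; not real traffic.
SAMPLE_LOG = """\
Wed May 18 10:00:01 2011 [pid 4121] [Administrator] FAIL LOGIN: Client "203.0.113.10"
Wed May 18 10:00:06 2011 [pid 4122] [Administrator] FAIL LOGIN: Client "203.0.113.10"
Wed May 18 10:00:11 2011 [pid 4123] [administrator] FAIL LOGIN: Client "203.0.113.10"
Wed May 18 10:00:16 2011 [pid 4124] [admin] FAIL LOGIN: Client "203.0.113.10"
Wed May 18 10:00:21 2011 [pid 4125] [root] FAIL LOGIN: Client "203.0.113.10"
Wed May 18 10:01:00 2011 [pid 4130] [Administrator] FAIL LOGIN: Client "203.0.113.77"
Wed May 18 10:01:05 2011 [pid 4131] [Administrator] FAIL LOGIN: Client "203.0.113.77"
Wed May 18 10:01:10 2011 [pid 4132] [Administrator] FAIL LOGIN: Client "203.0.113.200"
Wed May 18 10:02:00 2011 [pid 4140] [alice] OK LOGIN: Client "198.51.100.5"
Wed May 18 10:02:30 2011 [pid 4141] [bob] FAIL LOGIN: Client "198.51.100.9"
"""

# Matches the user and client address of a failed login; OK LOGIN lines are ignored.
FAIL_RE = re.compile(r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"')


def count_failures(log_text):
    """Return (per_ip, per_24, per_16) Counters of failed logins.

    per_24 and per_16 aggregate by enclosing prefix; the /16 is an arbitrary
    stand-in for an ISP allocation (assumption for this example)."""
    per_ip, per_24, per_16 = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if ip.version != 4:
            continue  # example handles IPv4 prefixes only
        per_ip[str(ip)] += 1
        per_24[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
        per_16[str(ipaddress.ip_network(f"{ip}/16", strict=False))] += 1
    return per_ip, per_24, per_16


def _covered(prefix, blocked):
    """True if prefix already lies inside a wider prefix we decided to block."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(b) for b in blocked)


def firewall_rules(log_text, ip_threshold=5, net24_threshold=8, net16_threshold=20):
    """Return iptables commands (as strings) for prefixes over their thresholds.

    Widest prefix is decided first so a blocked /16 suppresses its /24s and
    a blocked /24 suppresses the single hosts inside it."""
    per_ip, per_24, per_16 = count_failures(log_text)
    blocked = []
    for net, n in sorted(per_16.items()):
        if n >= net16_threshold:
            blocked.append(ipaddress.ip_network(net))
    for net, n in sorted(per_24.items()):
        if n >= net24_threshold and not _covered(net, blocked):
            blocked.append(ipaddress.ip_network(net))
    for ip, n in sorted(per_ip.items()):
        if n >= ip_threshold and not _covered(ip, blocked):
            blocked.append(ipaddress.ip_network(ip))  # single host becomes a /32
    return [f"iptables -I INPUT -s {b} -p tcp --dport 21 -j REJECT" for b in blocked]


if __name__ == "__main__":
    for rule in firewall_rules(SAMPLE_LOG):
        print(rule)
```

On the sample, 203.0.113.10 alone crosses the per-host threshold, but its /24 also reaches eight failures across three hosts, so the single /24 rule is emitted and the host rule is dropped as redundant. A cron-driven version should additionally bound the count to a time window (the example counts the whole file) and expire rules, otherwise the block list only ever grows.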

Give them a VIRUS (1)

thegarbz (1787294) | more than 3 years ago | (#36185328)

Let's see how stupid they are. Find a nasty virus variant, package it in a file called Kiddy_Porn.exe and drop it on your server. Set up an account with the login Administrator:Password and have that account point to just this file. Maybe put some others in a directory to give it some legitimacy.

Monitor your logs and laugh your butt off when you see get /kiddy_porn.exe

5 seconds (1)

mestar (121800) | more than 3 years ago | (#36185384)

and it seems like every week I have a random IP address connect to my box and try guessing 'Administrator' passwords once every five seconds or so.

So, your week lasts for about 5 seconds?

SFTP. It's 2011. (3, Insightful)

bedouin (248624) | more than 3 years ago | (#36185404)

Unless you're running an anonymous FTP to download Linux ISOs or something there's no need for it.

Cyberduck for OS X, FileZilla for Windows, and gFTP all do SFTP and are free. If you're already using SFTP then only allow specific users and disable root access. Key authentication is ideal like others have mentioned but sometimes a hassle.

The first (and hopefully last) time I was rooted was in '99 on a Redhat box through FTP using a buffer overflow. Since then I learned my lesson.

Just FTP? (1)

mistralol (987952) | more than 3 years ago | (#36185442)

Really, it is about time we came up with some good ideas to try to prevent this sort of thing. We see it on blogs (backlink spam), we see it on SMTP, we see it on RDP, we see it on websites, we see it on Outlook Web Access, we see it on almost every service!

Use fail2ban or denyhosts (1)

fincan (989293) | more than 3 years ago | (#36185510)

Either use Fail2Ban or denyhosts, assuming you are using some sort of a linux/unix server. Both of them allow you to set thresholds so that they block further attempts from that particular IP for a preset amount of time. So you can set something like:
  if username is valid, allow 5 password attempts, then ban for 10 minutes
  if username is invalid, allow 2 attempts, then ban for 30 minutes
  if username is root or admin, block the IP until the world ends (which is two days from now apparently).
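The tiered policy above is expressed as configuration for fail2ban or denyhosts in the comment; as an added example (my own code, not fincan's and not either tool's configuration format) here is the same decision logic as a small in-process gate that an FTP daemon or log watcher could call on every failed login. The account list is constructed, the names treated as privileged are an assumption, and "block until the world ends" is modelled as a single attempt earning a permanent ban.

```python
import math

VALID_USERS = {"alice", "bob"}                    # constructed account list
PRIVILEGED = {"root", "admin", "administrator"}   # assumed never valid for remote login

# class -> (attempts allowed before the ban fires, ban length in seconds)
POLICY = {
    "privileged": (1, math.inf),   # one try at "Administrator" is enough
    "valid":      (5, 10 * 60),
    "invalid":    (2, 30 * 60),
}


def classify(user):
    """Map a username to the policy tier it falls under."""
    u = user.lower()
    if u in PRIVILEGED:
        return "privileged"
    return "valid" if u in VALID_USERS else "invalid"


class LoginGate:
    """Count failures per (ip, tier) inside a sliding window; ban per ip."""

    def __init__(self, policy=POLICY, window=10 * 60):
        self.policy = policy
        self.window = window          # seconds a failure stays countable
        self.failures = {}            # (ip, tier) -> [timestamps]
        self.bans = {}                # ip -> expiry timestamp (inf = permanent)

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[ip]         # ban has lapsed; forget it
            return False
        return True

    def record_failure(self, ip, user, now):
        """Register a failed login; return the ban length applied, or None."""
        tier = classify(user)
        max_attempts, ban_for = self.policy[tier]
        key = (ip, tier)
        recent = [t for t in self.failures.get(key, []) if now - t <= self.window]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) >= max_attempts:
            self.bans[ip] = now + ban_for
            self.failures.pop(key, None)   # counter restarts after the ban
            return ban_for
        return None

    def record_success(self, ip, user):
        """A real login clears the counter for that tier (not any active ban)."""
        self.failures.pop((ip, classify(user)), None)
```

Keying the counters on the tier rather than only the IP means a bot that alternates "Administrator" with random first names is judged on its worst attempt, and a real user who typos a password five times gets a ten-minute timeout rather than the permanent block reserved for privileged names. The ban table still needs periodic pruning in a long-running process; is_banned() only drops entries it happens to be asked about.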

Secure any 3rd party NAS boxes on Windows networks (0)

Anonymous Coward | more than 3 years ago | (#36185568)

We had a dictionary attack recently where a bot group with unrelated addresses tried to log in to our 3rd party NAS. The NAS had a guessable admin name (but fortunately, a long and complex password. Our sysadmin is paranoid - I like him).

Simple user/password authentication, with no inbuilt three-strikes lockout (wtf? Cheeeep...) It was coming in via IAS vector. Simple fix for us, we shut down IAS on the affected machine. YMMV.

But there's a hint -- if you buy a cheap 3rd party NAS, you have to secure that sucker.

Let them in. (1)

VortexCortex (1117377) | more than 3 years ago | (#36185580)

I wrote a (T)FTP server that after 6 tries gives the user a 6 minute delay; after another 10 tries another delay (15 minutes) is applied, but after 20 to 30 (pseudo-random) total failed attempts in one day, the user (regardless of username) is given what seems like access to the system. They can list a limited set of small "files and directories", although none actually exist, and all simulated file contents are mundane, boring, and severely rate limited.

Only one fake "guest" account is allowed at a time, any new intruders gaining access cause the previous guest connection to disconnect.

I've resisted removing the "honeypot" since I've observed several interesting effects due to this "feature":

  1. Users that will not contact the admin or request a new password, and instead keep trying will eventually "gain access"; Upon finding their files missing, will then contact the admin.
    "Oh, this again? We could use more funding for better servers, oh well. I'll have it fixed in a jiffy, but you'll have to select a new password again, sorry."
  2. The time delays slow down brute force attacks considerably, many attackers will tune their scripts to avoid triggering the blockage (by adding delays to their scripts).
  3. Most intruders will get bored and quickly stop showing up.
  4. Network resource consumption due to a brute force attack is mitigated; Most attack scripts stop when they gain access.
  5. Some attack bots will just recursively scrape the meager "contents", and quickly move on to another target.
  6. Log contains fewer failed attempt lines -- additionally I can just grep for "Dummy FTP Access Granted to ..." to determine offending IP ranges or usernames.
  7. Attackers that reason all accounts have shitty/same passwords, will "hack" a few accounts, then determine that no-one uses the server and move along.

I've used fuzzing and several attack toolkits to test the system's security (as well as peer review), and our current version also supports SFTP (which many users have transitioned to over the years).
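The comment above describes the escalation schedule but not the code, so here is an added example of that tarpit-then-honeypot state machine (my own code, not VortexCortex's server). Per client and per day it counts failed logins, imposes the 6-minute delay at the sixth failure and the 15-minute delay at the sixteenth, and at a per-client pseudo-random threshold between 20 and 30 grants a fake session that can list a few constructed files; only one fake guest is held at a time and a new grant evicts the previous one. The seed secret, the fake listing and the simulate() driver are assumptions for the example; the transfer rate limiting the comment mentions is left out.

```python
import random

SECONDS_PER_DAY = 86400

# Constructed decoy listing; nothing here corresponds to real files.
FAKE_FILES = {
    "readme.txt": b"Scheduled maintenance window: Sundays 02:00-04:00.\n",
    "backup_2011-05-01.tar.gz": b"\x1f\x8b\x08\x00" + b"\x00" * 28,
    "notes.txt": b"TODO: ask IT about the new server budget.\n",
}


class TarpitFTP:
    """Escalating delays for failed logins, then a fake 'Access Granted'."""

    def __init__(self, secret="constructed-secret"):
        self.secret = secret      # assumption: keeps the threshold unpredictable
        self.attempts = {}        # (ip, day) -> failed attempts so far
        self.delay_until = {}     # ip -> timestamp before which attempts are refused
        self.guest = None         # ip currently holding the single fake session

    @staticmethod
    def _day(now):
        return int(now // SECONDS_PER_DAY)

    def threshold(self, ip, now):
        """Attempt count at which this ip 'gets in' today; fixed per ip and day."""
        rng = random.Random(f"{self.secret}:{ip}:{self._day(now)}")
        return rng.randint(20, 30)

    def on_failed_login(self, ip, now):
        """Return ('delayed', wait), ('delay', wait), ('fake_access', evicted_ip)
        or ('continue', None) for a failed login from ip at time now."""
        if now < self.delay_until.get(ip, 0):
            return ("delayed", self.delay_until[ip] - now)   # still inside a delay
        key = (ip, self._day(now))
        n = self.attempts[key] = self.attempts.get(key, 0) + 1
        if n >= self.threshold(ip, now):
            evicted = self.guest if self.guest not in (None, ip) else None
            self.guest = ip                                   # one fake guest at a time
            return ("fake_access", evicted)
        if n == 16:                                           # 6 + another 10 tries
            self.delay_until[ip] = now + 15 * 60
            return ("delay", 15 * 60)
        if n == 6:
            self.delay_until[ip] = now + 6 * 60
            return ("delay", 6 * 60)
        return ("continue", None)

    def list_dir(self, ip):
        """Decoy listing for the current fake guest; None for anyone else."""
        return sorted(FAKE_FILES) if ip == self.guest else None

    def retrieve(self, ip, name):
        """Decoy file contents for the current fake guest; None otherwise."""
        return FAKE_FILES.get(name) if ip == self.guest else None


def simulate(tarpit, ip, start=0.0, interval=5.0, max_tries=40):
    """Drive a patient brute-forcer that waits out every delay; returns the
    responses up to and including the fake grant."""
    now, out = start, []
    for _ in range(max_tries):
        r = tarpit.on_failed_login(ip, now)
        out.append(r)
        if r[0] == "fake_access":
            break
        if r[0] == "delay":
            now += r[1]
        now += interval
    return out


if __name__ == "__main__":
    t = TarpitFTP()
    for step, r in enumerate(simulate(t, "203.0.113.10"), 1):
        print(step, r)
    print(t.list_dir("203.0.113.10"))
```

Keying the threshold on a secret, the client address and the day means a script that learned it got in after 23 tries yesterday cannot rely on that number today, while a legitimate user who keeps retrying still reaches the decoy listing within the day, which is the effect the comment's first point relies on.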

Did you trace the IP address? (1)

damn_registrars (1103043) | more than 3 years ago | (#36185618)

I would bet that if it is coming from a single IP at a time, it is coming from a country where English is not the primary language. You can try to report it, but you'll likely get a reply in a language you cannot read and the correspondence will stop there.

Alternately, if you are seeing distributed (botnet) attempts, there isn't much point in trying. You'll have dozens (if not more) of different addresses, and they are almost always all transient anyways. You could spend your time going through all the addresses, finding all the ISPs, but you'll likely end up with many copies of the same problem I just described.

In other words, just make sure you don't allow logins of the names they try. Don't just stop with "a really good password" as so many others have tried; rather ban those usernames entirely from remote login. I've even seen phone book attacks on my system where they try a long list of common first names (Aaron, all the way to Zelda).