
Ftp Honey Pot


CLI is Fun!


So I have a few questions regarding creating an FTP honey pot. I currently have an FTP server I use for uploading school documents, software tools and many other things my school provides for me. I've noticed that since I've put my server out on the internet I've been getting daily attempts to access the Admin account that can last hours. So I wanted to create an admin account with a read-only directory that had some files in it. But what I want to know is: would it be legal to, say, embed a Trojan or another type of virus into these files, and if so, how would I go about doing that? I really want to mess with these script kiddies that are trying to mess with my server!


Infecting someone else's computer would definitely be illegal. I wouldn't recommend doing that; however, there are a couple of things you could do.

1) Block his IP address. This may not be too effective, as he could use a proxy server to change his IP address, but it's worth a shot.

2) Change the default ports on your FTP server. This is not foolproof; a more savvy user would be able to get around it.

3) Use a strong password and do not use admin or administrator as your username.

4) Rather than forwarding ports on your router to your FTP server, you could use OpenVPN to get into your internal LAN and access your FTP server without exposing it to the internet.

This is what I would do, but someone here in the forums might have a different approach.

Edited by Infiltrator

The legalities of what you are asking depend on both your country and the country of the attacker (you should know which country you are in, but it will be very hard to tell which country your attacker is coming from, as they could be routed through proxies, etc.).

You would be much better off simply moving away from FTP and over to SFTP using keys rather than passwords. Once you are no longer accepting passwords for remote authentication then all those attempts at guessing passwords will disappear.


If it's your physical machine and someone is attacking it, I say it's open season. However, the reverse would be illegal: to purposely infect someone's machine. But if they logged into your machine and your network, it's like someone breaking into your home. Self defense.


> If it's your physical machine and someone is attacking it, I say it's open season. However, the reverse would be illegal: to purposely infect someone's machine. But if they logged into your machine and your network, it's like someone breaking into your home. Self defense.

Using the example of someone breaking into your house, it would also be arguable that if you leave your front door open hoping that someone enters so you can attack them, then it wouldn't be self defense. Instead it would be assault (it is very hard to argue self defense for something that is premeditated).

With leaving an open FTP account it would be arguable that you are giving the attacker permission to enter, as if you didn't want someone to enter you would have used a password. As such they wouldn't be breaking the law, yet by leaving them a booby-trapped file you could be breaking the law. Of course this all gets even more awkward if you give the account an easy-to-guess password hoping that they will guess it and pick up the file.

Note: As with all legal issues there are lots of grey areas and different countries have different rules, and you should never take legal advice from strangers on the internet. Always get legal advice from lawyers/solicitors who are experts in your country's laws. Yes, it will cost you money, but you are less likely to end up in prison from following bad advice.


> Using the example of someone breaking into your house, it would also be arguable that if you leave your front door open hoping that someone enters so you can attack them, then it wouldn't be self defense. Instead it would be assault (it is very hard to argue self defense for something that is premeditated).
>
> With leaving an open FTP account it would be arguable that you are giving the attacker permission to enter, as if you didn't want someone to enter you would have used a password. As such they wouldn't be breaking the law, yet by leaving them a booby-trapped file you could be breaking the law. Of course this all gets even more awkward if you give the account an easy-to-guess password hoping that they will guess it and pick up the file.
>
> Note: As with all legal issues there are lots of grey areas and different countries have different rules, and you should never take legal advice from strangers on the internet. Always get legal advice from lawyers/solicitors who are experts in your country's laws. Yes, it will cost you money, but you are less likely to end up in prison from following bad advice.

I never said anything about leaving the server open. What I said was, if someone LOGGED IN to your server, meaning they figured out the password or broke in in some manner, and they are on your network, it's open season. Openly attacking someone is at your own risk, and obviously not legal. Leaving them booby traps on your internal network is another story. If I left my front door open for whatever reason, a stranger coming into my home had better have a good reason to be there, or they will be getting a baseball bat upside their head.


> I never said anything about leaving the server open. What I said was, if someone LOGGED IN to your server, meaning they figured out the password or broke in in some manner, and they are on your network, it's open season. Openly attacking someone is at your own risk, and obviously not legal. Leaving them booby traps on your internal network is another story. If I left my front door open for whatever reason, a stranger coming into my home had better have a good reason to be there, or they will be getting a baseball bat upside their head.

An attacker logging in, in this situation could mean any of the following:

  • The attacker is given an account and password by the owner
  • The attacker finds an account without a password
  • The attacker guesses an easy password to the account (deliberately chosen to be easy to guess to draw the attacker in)
  • The attacker guesses a very hard to guess password (a password with the only intention of not being guessed)

In the first case the attacker isn't breaking the law, unless they then use an exploit or similar method to gain higher privileges than the account they have been given.

In the second case it is arguable that, as there was no password set on the account, it is a public account, and if it is a public account the attacker wouldn't be breaking the law.

In the third case it would be harder for the attacker to argue that it is a public account as it is password protected, but by deliberately using an easy to guess password then it would also be hard for the defender to argue that they didn't intend for an attacker to get in.

The fourth case would be a very strong defence for the defender, but it would also be very unlikely that the attacker gained entry to the account, as it wouldn't be a password the bots would try before they gave up and moved on to the next site.

So assuming that the fourth option isn't used, as the intention is to get the attacker to download and run the booby-trapped code, there is a chance that the attacker would be able to argue that they didn't break the law in accessing the server (a lot would depend on the attacker's country and their local laws for this).

Now the defender will have booby-trapped code on their server, and in some countries knowingly having the code is illegal, in others owning it is fine but distribution is illegal, and in others both are legal. So if the defender is in a country where owning and/or distributing such code is illegal, they would be breaking the law by using it to attack the attacker.

So to sum up the post, it all depends on how the attacker gains access, the laws in their country and the laws in the defender's country as to who would be breaking the law. Of course, unless the defender is a government agency or large corporation and the attackers were in the same country as the defender, it would be very unlikely to make it to court, so it is a bit of a moot point.


Thanks for the advice on this. I have been doing an auto-ban on all IPs that attempt to connect and fail to use the proper login credentials after ten attempts. I would love to just use FTP over SSL, however it seems my school does not allow FTP over SSL, so I can't force it. I wonder if I just change the port the SSL connection is coming across to a non-standard port, whether the school's firewall will block it then. Or does anyone have any ideas on how I could get around the SSL issue with my school? I will have to run a scan of the network when I go to class next and see what I can find. This should not raise any flags, seeing that we do network scans all the time in our IT security classes.

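The auto-ban described in the post above, as an added example that is not code from the thread: it counts failed FTP logins per client address over vsftpd-style log lines (the log format and the constructed sample lines are assumptions; adjust the pattern to your server's output) and reports which addresses have reached the ten-attempt threshold and which accounts were targeted.

```python
import re
from collections import Counter

# Threshold from the thread: ban after ten failed logins from one address.
MAX_FAILURES = 10

# vsftpd-style failure line (assumption: other servers log differently), e.g.
#   Mon Mar 11 02:14:00 2013 [pid 2100] [admin] FAIL LOGIN: Client "203.0.113.7"
FAIL_LOGIN = re.compile(r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"')


def _line(ts, pid, user, result, ip):
    """Build one constructed vsftpd-style log line (sample data only)."""
    return f'Mon Mar 11 02:{ts} 2013 [pid {pid}] [{user}] {result} LOGIN: Client "{ip}"'


# Constructed sample: 12 failures against "admin" from one address, 3 from
# another, then one successful login from a legitimate user (ignored).
SAMPLE_LOG = (
    [_line(f"14:{i:02d}", 2100 + i, "admin", "FAIL", "203.0.113.7") for i in range(12)]
    + [_line(f"15:{i:02d}", 2200 + i, "admin", "FAIL", "198.51.100.4") for i in range(3)]
    + [_line("16:00", 2300, "student", "OK", "192.0.2.9")]
)


def count_failures(lines):
    """Number of failed-login attempts per client IP."""
    failures = Counter()
    for line in lines:
        m = FAIL_LOGIN.search(line)
        if m:
            failures[m.group("ip")] += 1
    return failures


def addresses_to_ban(lines, threshold=MAX_FAILURES):
    """IPs that reached the failure threshold, sorted for stable output."""
    return sorted(ip for ip, n in count_failures(lines).items() if n >= threshold)


def targeted_usernames(lines):
    """Accounts the failed attempts were aimed at (the thread's case: admin)."""
    users = Counter()
    for line in lines:
        m = FAIL_LOGIN.search(line)
        if m:
            users[m.group("user")] += 1
    return users


if __name__ == "__main__":
    print("ban:", addresses_to_ban(SAMPLE_LOG))
    print("targeted accounts:", dict(targeted_usernames(SAMPLE_LOG)))
```

Feed the output of addresses_to_ban to whatever blocks at your firewall; addresses below the threshold (here 198.51.100.4) are left alone.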

> Thanks for the advice on this. I have been doing an auto-ban on all IPs that attempt to connect and fail to use the proper login credentials after ten attempts. I would love to just use FTP over SSL, however it seems my school does not allow FTP over SSL, so I can't force it. I wonder if I just change the port the SSL connection is coming across to a non-standard port, whether the school's firewall will block it then. Or does anyone have any ideas on how I could get around the SSL issue with my school? I will have to run a scan of the network when I go to class next and see what I can find. This should not raise any flags, seeing that we do network scans all the time in our IT security classes.

That will depend on what ports your school's network firewall is blocking; normally ports 80 and 443 will be unblocked. But you will need to investigate, by changing your FTP to one of those ports and then trying to access your FTP account from your school's network.
