/BearFTP

Honeypot FTP server written in .NET Core (C#) for both Linux and Windows.

Primary LanguageC#

BearFTP

Dare to hack a bear?

BearFTP is a honeypot FTP server, designed to log hackers' attempts and report them to public IP blacklist databases.

Featuring:

  • Configuration support (no need to recompile)
  • Edit files and content of files located on server
  • Tested on FileZilla and WinSCP.
  • AntiNmap, AntiMetasploit, Report even those ones, who try to download your files!
  • Works on both Windows and Linux
  • Pure TCPClients, expect good performance!
  • PASV mode support (only PASV, for now...)

This software was tested and runs perfectly on:

  • Windows 10 x64 (.NET CORE 3.1)
  • Linux Ubuntu 18.04

Technologies

We use several projects as dependencies to run smoothly:

Installation

BearFTP requires .NET Core 3.1 or higher.

Download binaries from Release tab or compile it yourself.

If you are on Windows, run

C:/BearFTP/BearFTP/bin/Release/netcoreapp3.1> ./BearFTP.exe

For Linux, run

$ dotnet BearFTP.dll

The program should exit with an error. Proceed to editing the config.json

{
  "PortDef": 21,
  "PortPasv": 21,
  "Hostname": "127.0.0.1",
  "Banner": "My very own FTP server located at %host%",
  "Token": "",
  "Report": true,
  "Ban": true,
  "PunishScans": true,
  "AllowAnonymous": false,
  "PerIPLogs": false,
  "AnonStat": true,
  "ConsoleLogging": true,
  "ActiveMode": true,
  "Max_PerSecond": 5,
  "Max_Total": 6,
  "BanLength": 3600,
  "MaxErrors": 6,
  "BufferSize": 8192,
  "MaxThreads": 50,
  "Files": [
  {
    "Name": "readme.txt",
    "Content": "Hello!"
  }]
}
Key Value
PortDef Replace with port you want to use for new connections (21 by default)
PortPasv Replace with port for PASV mode (1222 by default)
Hostname Replace with an actual public IPv4 of your PC/server. Used to initiate PASV connections. Please use IPv4, we dont support domains
Banner Banner sent right after TCP handshake. %host% will be replaced with current hostname
Token AbuseIPDB token to report bad ones
Report Should we report suspicious actions?
Ban Should we ban users on suspicious actions? (Ban is 1 hour long to prevent people from being double-reported)
PunishScans Should we ban/report nmap scanners?
AllowAnonymous Should we allow users to login with "anonymous" username?
PerIPLogs Create logs for individual IPs. Requires "iplogs" folder
AnonStat Do you want to send anonymous statistics on version usage? (We only see BearFTP version you use. No private info)
ConsoleLogging Should we log attempts to the console?
ActiveMode Should we allow Active mode usage? (PORT command)
Max_PerSecond Max. amount of connections per second from an IP. Only applies to base socket
Max_Total Max. amount of active connections from an IP. Applies to both base and PASV
BanLength Length (in seconds) of a ban. 3600 seconds = 1 hour.
MaxErrors Max.amount of attempts to execute an invalid FTP command.
BufferSize Buffer size on RETR for files. Somewhere around 2048-8192 is fine. Determines the speed of a download.
MaxThreads Maximal amount of threads, controlled by clients, that can be spawned by BearFTP
Files[] Array of files.
Files[Name] Filename
Files[Content] Contents of files (string). Start with --- to make it load from a file (example: "---file.exe")

To make it work, you should change PortPasv to any other value, so PortPasv is not equal to PortDef. Other options are optional. We highly dont recommend using files with size of more than 4 MB! You should not use honeypot as a real FTP server to share files!

Development

Want to contribute? Great!

We use VS2019 and .NET core 3.1 for development.

Here's our CURRENT todo list:

  • Administrator commands (adding files right through FTP!)
  • Implement directories
  • Add more features (more advanced ban system, reports to other IP blacklists)

License

MIT