
Preventing brute-force attacks

Blocking and preventing brute force attacks is one of the main things you want to do on your web server to add a layer of security.

How brute force attacks work

Hackers can try to get into your system using a few different methods.

  1. Manual login attempts: the attacker types in a few usernames and passwords by hand.
  2. Dictionary-based attacks: automated scripts and programs try guessing thousands of usernames and passwords from a dictionary file, sometimes with one file for usernames and another for passwords. This is one of many reasons it is very important to choose a strong password.
  3. Generated logins: a cracking program generates random usernames according to rules set by its user. These could be numbers only, a combination of numbers and letters, or other combinations.

Signs of brute force attacks

You can easily spot a brute force attempt by checking your server's log files. You will see a series of failed login attempts for the service the attacker is trying to break into.

  less /var/log/secure

or

  tail -f /var/log/secure

Check for failed login attempts such as:

Apr 11 19:02:10 fox proftpd[6950]: yourserver (usersip[usersip]) - USER theusername (Login failed): Incorrect password.

Preventing brute force attacks

There are a few main ways to prevent the majority of brute force attempts.

  1. Restrict the number of login attempts a user is able to make.
  2. Ban users' IP addresses after multiple failed login attempts.
  3. Monitor your log files for suspicious login attempts (actively).
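The log check and the ban-after-repeated-failures rule above can be combined in one small script; this is an added example, not part of the original page or of any tool listed on it. The function name, the threshold of 3 failures in 5 minutes, and the sample addresses are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the proftpd failure line shown above; the bracketed text is the client IP.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
    r"\(\S*?\[(?P<ip>[0-9a-fA-F.:]+)\]\) - USER (?P<user>\S+) \(Login failed\)"
)

def find_offenders(lines, max_failures=3, window=timedelta(minutes=5), year=2016):
    """Return {ip: peak failure count} for IPs reaching max_failures within window."""
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    offenders = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and other services are ignored
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:  # slide the window forward
            hits.pop(0)
        if len(hits) >= max_failures:
            offenders[m["ip"]] = max(offenders.get(m["ip"], 0), len(hits))
    return offenders

# Constructed sample lines using documentation-range addresses, not real log data.
SAMPLE = """\
Apr 11 19:02:10 fox proftpd[6950]: yourserver (203.0.113.7[203.0.113.7]) - USER admin (Login failed): Incorrect password.
Apr 11 19:02:12 fox proftpd[6951]: yourserver (203.0.113.7[203.0.113.7]) - USER root (Login failed): Incorrect password.
Apr 11 19:02:15 fox proftpd[6952]: yourserver (203.0.113.7[203.0.113.7]) - USER test (Login failed): Incorrect password.
Apr 11 19:02:19 fox proftpd[6953]: yourserver (203.0.113.7[203.0.113.7]) - USER admin (Login failed): Incorrect password.
Apr 11 19:03:00 fox proftpd[6960]: yourserver (198.51.100.23[198.51.100.23]) - USER alice (Login failed): Incorrect password.
Apr 11 19:03:20 fox proftpd[6961]: yourserver (198.51.100.23[198.51.100.23]) - USER alice: Login successful.
Apr 11 19:20:00 fox proftpd[6970]: yourserver (198.51.100.23[198.51.100.23]) - USER alice (Login failed): Incorrect password.
Apr 11 19:30:00 fox proftpd[6980]: yourserver (198.51.100.23[198.51.100.23]) - USER alice (Login failed): Incorrect password.
""".splitlines()

if __name__ == "__main__":
    for ip, count in find_offenders(SAMPLE).items():
        print(f"{ip}: {count} failed logins within 5 minutes, candidate for a ban")
```

The address with four rapid failures is reported, while the user who mistypes a password a few times over half an hour is not, which is the distinction a ban threshold needs to make.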

Helpful Tools

  • Never enable demo or guest accounts as they will be the first way an attacker will get access into your system and further exploit it.
  • Never have more than one user in the root group.
  • APF & BFD
  • LogWatch
  • Report Attackers
  • CSF/LFD
  • cpHulk
security/misc/preventing-brute-force-attacks.txt · Last modified: 2016/10/23 19:54 by Marjorie S.