How To Prevent Brute Force Attacks
Blocking and preventing brute force attacks is one of the main things you want to do on your web server to add a layer of security. Even if nobody is targeting your site or server specifically, attackers run automated tools that try common usernames and passwords against your system. They are essentially forcing their way into areas of a system reserved for authorized users; FTP accounts, e-mail accounts, databases, script-based administration areas, and root or any other shell access are the most common targets. They make login attempt after login attempt, guessing usernames and passwords, trying to force their way onto your machine.
This is a large topic with a lot to cover. I'll do my best to help you understand how brute force attacks work, how to prevent them, the signs of an attack, and the tools that help stop brute force attacks.
This article will not cover session brute force attempts against web applications; I'll cover that in a future article. For now we're looking at the main service daemons such as FTP and shell. We only refer to prevention on Linux-based systems; you might want to check out this article if you're on Windows systems.
How the brute force attack works
Hackers can try to get into your system using a few different methods.
1) Manual login attempts: they will try typing in a few usernames and passwords by hand.
2) Dictionary-based attacks: automated scripts and programs try thousands of usernames and passwords from a dictionary file, sometimes one file for usernames and another for passwords.
3) Generated logins: a cracking program generates random usernames according to rules set by the user. They could generate numbers only, a combination of numbers and letters, or other combinations.
Signs of a Brute Force Attempt
You can easily spot a brute force attempt by checking your server's log files. You will see a series of failed login attempts for the service they're trying to break into.
# vi /var/log/secure or # tail -f /var/log/secure
Check for failed login attempts such as:
Jan 20 17:06:18 fox proftpd: yourserver (usersip[usersip]) - USER theusername (Login failed): Incorrect password.
How to Prevent Brute Force Attacks
There are a few main ways to stop a brute force attack, which we'll cover:
1) restricting the number of login attempts a user can perform
2) banning a user's IP after multiple failed login attempts
3) keeping a close eye on your log files for suspicious login attempts
Tools to stop and prevent brute force hack attempts
Never enable demo or guest accounts, as they will be the first way an attacker gets access to your system and exploits it further.
Never have more than one user in the root group.
APF & BFD
There are many different tools you can use to prevent and stop brute force hackers. The two we'll focus on in this article are the APF firewall and BFD (Brute Force Detection), both developed by rfxnetworks.
APF is a firewall built on iptables with some nice features added that make it easy to use, including anti-DoS protection. BFD is a modular shell script that parses the applicable logs and checks for authentication failures. If it finds that authentication from an address has failed the set number of times for an application, it bans that IP address using the APF firewall.
Together the two make an excellent, automated brute force prevention package. BFD checks your logs every few minutes for multiple failed login attempts based on a set of rules; if a person fails to log in X times, their IP is automatically banned at the firewall, preventing further attacks on your system.
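As an added example (not BFD's or rfxnetworks' code), here is a minimal shell version of the check described above: it pulls the source IP out of failed-login lines in the proftpd format shown earlier, plus standard sshd "Failed password" lines, counts failures per IP and emits an APF deny command for each IP that reaches the threshold. The log lines are constructed samples using TEST-NET addresses, and the `apf -d HOST COMMENT` deny syntax is assumed; DRY_RUN defaults to on so the script only prints the commands it would run.

```sh
#!/bin/sh
# Constructed sample log lines (proftpd format from the article, plus sshd).
# Addresses are from 203.0.113.0/24 (TEST-NET-3), not real hosts.
SAMPLE_LOG='Jan 20 17:06:18 fox proftpd: yourserver (203.0.113.7[203.0.113.7]) - USER root (Login failed): Incorrect password.
Jan 20 17:06:19 fox proftpd: yourserver (203.0.113.7[203.0.113.7]) - USER admin (Login failed): Incorrect password.
Jan 20 17:06:20 fox proftpd: yourserver (203.0.113.7[203.0.113.7]) - USER guest (Login failed): Incorrect password.
Jan 20 17:07:01 fox sshd[2214]: Failed password for invalid user oracle from 203.0.113.9 port 51022 ssh2
Jan 20 17:07:03 fox sshd[2214]: Failed password for root from 203.0.113.9 port 51023 ssh2
Jan 20 17:09:44 fox proftpd: yourserver (203.0.113.50[203.0.113.50]) - USER bob (Login failed): Incorrect password.
Jan 20 17:09:50 fox proftpd: yourserver (203.0.113.50[203.0.113.50]) - USER bob (Login successful).'

# Print one source IP per failed-login line read from stdin; other lines
# (successful logins, unrelated daemons) produce no output.
failed_login_ips() {
  sed -n \
    -e 's/.*proftpd: .*(\([^[]*\)\[\([^]]*\)\]) - USER .* (Login failed).*/\2/p' \
    -e 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p'
}

# Print "count ip" for every IP with at least $1 failures, worst offender first.
offenders() {
  failed_login_ips | sort | uniq -c | awk -v t="$1" '$1 >= t { print $1, $2 }' | sort -rn
}

# For each offender, deny the IP in APF (assumed syntax: apf -d HOST COMMENT).
# With DRY_RUN unset or 1 the command is only printed, never executed.
ban_offenders() {
  offenders "$1" | while read -r count ip; do
    if [ "${DRY_RUN:-1}" = "1" ]; then
      echo "apf -d $ip bfd_example:${count}_failed_logins"
    else
      apf -d "$ip" "bfd_example:${count}_failed_logins"
    fi
  done
}

# Threshold of 2 failures against the sample log: 203.0.113.7 and 203.0.113.9
# are listed, 203.0.113.50 (one failure, then a success) is left alone.
printf '%s\n' "$SAMPLE_LOG" | ban_offenders 2
```

In production you would feed `tail` output or the whole of /var/log/secure into `ban_offenders` from cron, which is essentially what BFD does with its per-service rules.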
Follow our APF Firewall tutorial and our BFD Tutorial installation and configuration guides.
LogWatch is a highly recommended tool that sends you daily reports of system activity, including disk space, failed login attempts and much more. If you have a cPanel server, LogWatch *should* be installed by default.
Output can look like the following – which I received in an email report =)
Illegal users failed login attempts sample from LogWatch
anonymous/none from (IP HERE): 10 Time(s)
anonymous/password from (IP HERE): 9 Time(s)
guest/none from (IP HERE): 7 Time(s)
guest/password from (IP HERE): 12 Time(s)
root/password from (IP HERE): 32 Time(s)
Instead of simply blocking the IP and ignoring the user, you can also report the attacker to the IP's upstream provider, such as an ISP.
Look up their IP: go to DNSStuff.com and enter their IP in the IP Whois Lookup tool. It will give you information about the ISP, including company and website. Go to their website and look for an abuse section, such as an abuse@ contact mailbox.
Compose an email including the attacker's IP, the time, any log snippets and other relevant information.