Preventing Brute Force Attacks Published: Apr 15, 2005
Preventing Brute Force Attacks

Overview:
Blocking and preventing brute force attacks is one of the main things you want to do on your web server to add a layer of security. While someone might not be targeting your site or server specifically, they will have automated tools that try common usernames and passwords against your system. They are essentially forcing their way into areas of the system reserved for authorized users; FTP accounts, e-mail accounts, databases, script-based administration areas, and root or any other shell access are the most common targets. They will make multiple login attempts, guessing usernames and passwords, trying to force their way onto your machine.

This is a large topic with a lot to cover. I'll do my best to help you understand how brute force attacks work, how to prevent them, the signs of an attack, and the tools that help stop brute force attacks.

This article will not cover session brute force attempts against web applications; I'll cover that in a future article. For now we're looking at the main service daemons such as FTP and shell. We only refer to prevention on Linux-based systems; if you're on Windows you might want to check out this article instead.


How the brute force attack works
Hackers can try to get into your system using a few different methods.

1) Manual login attempts: they will try typing in a few usernames and passwords by hand.

2) Dictionary-based attacks: automated scripts and programs guess thousands of usernames and passwords from a dictionary file, sometimes one file for usernames and another for passwords.

3) Generated logins: a cracking program generates random usernames and passwords following rules set by its operator. It could generate numbers only, a combination of numbers and letters, or other combinations.

Signs of a brute force attempt
You can easily spot a brute force attempt by checking your server's log files. You will see a series of failed login attempts for the service they're trying to break into.

# pico /var/log/secure
or
# tail -f /var/log/secure

Check for failed login attempts such as:
Apr 11 19:02:10 fox proftpd[6950]: yourserver (usersip[usersip]) - USER theusername (Login failed): Incorrect password.


How to prevent a brute force attack
There are a few main ways to stop a brute force attack; we'll cover:

1) restricting the number of login attempts a user can perform

2) banning a user's IP after multiple failed login attempts

3) keeping a close eye on your log files for suspicious login attempts


Tools to stop and prevent brute force hack attempts
Never enable demo or guest accounts, as they will be the first way an attacker gets access to your system and goes on to exploit it further.

Never have more than one user in the root group.

APF & BFD (rfxnetworks.com)
There are many different tools you can use to prevent and stop brute force attackers. The two we'll focus on in this article are the APF firewall and BFD (Brute Force Detection), both developed by rfxnetworks.

APF is a firewall built on iptables, with some nice added features that make it easy to use, including anti-DoS protection. BFD is a modular shell script that parses the applicable logs and checks for authentication failures. If it finds that authentication from an address failed the set number of times for an application, it bans that IP address using the APF firewall.

The two together make an excellent, automated brute force prevention package. BFD checks your logs every few minutes for multiple failed login attempts based on a set of rules; if a person fails to log in X times, the IP is automatically banned at the firewall, preventing further attacks on your system.

Follow our APF Firewall tutorial and our BFD tutorial for installation and configuration guides.
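To make the two steps above concrete (spotting failed logins in /var/log/secure, then banning an IP once it passes the threshold, as BFD does), here is an added example. It is not BFD's or APF's own code, and it does not touch a live firewall: it counts failures per source IP in a small constructed log sample (proftpd and sshd line formats, RFC 5737 documentation addresses) and prints the iptables DROP rule it would apply, so you can review bans before running them.

```shell
#!/bin/sh
# Added example, not BFD/APF code: a BFD-style pass over a /var/log/secure-
# style file. It counts failed logins per source IP and turns any IP at or
# above a threshold into a firewall ban rule, printed rather than executed.
# The log lines below are constructed samples in proftpd and sshd format.

SAMPLE_LOG="${TMPDIR:-/tmp}/secure.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Apr 11 19:02:10 fox proftpd[6950]: fox (203.0.113.5[203.0.113.5]) - USER admin (Login failed): Incorrect password.
Apr 11 19:02:12 fox proftpd[6950]: fox (203.0.113.5[203.0.113.5]) - USER root (Login failed): Incorrect password.
Apr 11 19:02:15 fox sshd[7001]: Failed password for invalid user test from 203.0.113.5 port 4422 ssh2
Apr 11 19:02:18 fox sshd[7002]: Failed password for root from 203.0.113.5 port 4423 ssh2
Apr 11 19:02:21 fox sshd[7003]: Failed password for root from 203.0.113.5 port 4424 ssh2
Apr 11 19:05:01 fox sshd[7010]: Failed password for invalid user guest from 198.51.100.7 port 5100 ssh2
Apr 11 19:05:04 fox sshd[7011]: Failed password for invalid user guest from 198.51.100.7 port 5101 ssh2
Apr 11 19:05:07 fox proftpd[6950]: fox (198.51.100.7[198.51.100.7]) - USER guest (Login failed): Incorrect password.
Apr 11 19:10:30 fox sshd[7020]: Failed password for alice from 192.0.2.9 port 6000 ssh2
Apr 11 19:10:40 fox sshd[7020]: Accepted password for alice from 192.0.2.9 port 6000 ssh2
EOF

# failed_logins_by_ip LOGFILE THRESHOLD
# Prints "COUNT IP", most failures first, for every source IP with at least
# THRESHOLD failed logins. Only proftpd "Login failed" and sshd "Failed
# password" lines count; a successful "Accepted" line is ignored.
failed_logins_by_ip() {
    awk -v thr="$2" '
        /Login failed|Failed password/ {
            ip = ""
            # take the last dotted-quad on the line (proftpd repeats it,
            # sshd puts it after "from"); either way one IP per line
            for (i = 1; i <= NF; i++)
                if (match($i, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
                    ip = substr($i, RSTART, RLENGTH)
            if (ip != "") count[ip]++
        }
        END { for (ip in count) if (count[ip] >= thr) print count[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# ban_rules LOGFILE THRESHOLD
# Emits one iptables DROP rule per offending IP. APF keeps its own deny list
# on top of iptables; printing the raw rule keeps the ban reviewable.
ban_rules() {
    failed_logins_by_ip "$1" "$2" | awk '{ print "iptables -I INPUT -s " $2 " -j DROP" }'
}

# Stand-alone run: BFD-style report with a threshold of 3 failures.
echo "Failed logins per IP (threshold 3):"
failed_logins_by_ip "$SAMPLE_LOG" 3
echo "Proposed bans:"
ban_rules "$SAMPLE_LOG" 3
```

With the sample above and a threshold of 3, 203.0.113.5 (5 failures) and 198.51.100.7 (3 failures) are listed for banning, while 192.0.2.9 is not: one wrong password followed by a successful login is a user typo, not an attack. That is the reason BFD works on a threshold rather than on any single failure.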

LogWatch (logwatch.org)
LogWatch is a highly recommended tool that sends you daily reports of system activity, including disk space, failed login attempts and much more. If you have a cPanel server, LogWatch *should* be installed by default.

Output can look like the following, which I received in an email report =)

Illegal users failed login attempts sample from LogWatch
   anonymous/none from (IP HERE): 8 Time(s)
   anonymous/password from (IP HERE): 8 Time(s)
   guest/none from (IP HERE): 8 Time(s)
   guest/password from (IP HERE): 8 Time(s)
   root/password from (IP HERE): 24 Time(s)

Report Attackers
Instead of simply blocking the IP and ignoring the user, you can also report the attacker to the upstream provider of the source IP, such as an ISP.

Look up their IP: go to DNSStuff.com and enter the IP in the IP Whois Lookup tool.
It will give you information about the ISP, including the company and its website. Go to their website and look for an abuse section or an abuse@ contact address.

Compose an email including the attacker's IP, the time, any log snippets and other relevant information.

Summing Up Brute Force Logins and Hack Attempts
Brute force attacks are more and more common these days, as hacking tools are widely available for script kiddies to play with. Arming yourself with knowledge and tools to deal with such attacks can give you peace of mind knowing your system is relatively protected, but it will never be 100% foolproof.



About the Author:
Steven Leggett is the editor of the server resource and hosting tutorial site, www.webhostgear.com and specializes in system administration and web development.

Comments (12)

  • Jordan 10:20, April 21, 2005
    This is a very good security feature; however, if a person is brute-forcing a site,
    can their true IP be logged if they are using proxy servers to brute force? (I don't think so.)
    Also, if someone wants to really piss someone off they can brute force every 15 minutes (write a program to do this) and they will be forever out of an account.
  • Craig 18:27, May 22, 2005
    About the LogWatch feature, the author mentions that he receives his reports in an email. Can someone tell me how?
  • Dan 22:34, June 5, 2005
    To Craig, who asked how to have logs emailed to him:
    go to your server and to Mail Manager. Put your email address into the Root section.

    Excellent article, by the way.
  • John 03:17, January 3, 2006
    A much more elegant solution than BFD is http://sshblack.com (sshblack), which will monitor logs in near real time. It has features like whitelists, and it keeps its own database so it blocks and unblocks brute-forcers automatically.
  • Moses 18:16, May 12, 2006
    I need tutorials on how to learn to hack a host or shell; I will be happy if anyone can give them to me.

    Thanks,
    Moses
  • krishna 13:02, July 11, 2006
    It is nice.
    I want some more information regarding brute force attacks and how to prevent brute force attacks.
  • abhishek 18:25, July 13, 2006
    Was just mind-blowing, I want more of this sort of information. Thanks!
  • urzevel 23:24, May 20, 2008
    Change your SSH port! That is one of the first things you should do. /etc/ssh/sshd_*.conf
  • Josiah Purtlebaugh 20:28, January 18, 2009
    @urzevel

    That is a terrible idea! Not only will it be harder for users to remember, but security through obscurity is no security at all.
  • krishna mandalia 06:51, August 20, 2009
    Can you tell me how to shut down a PC through VB 6, Oracle etc....
  • somesh 17:42, January 29, 2010
    Hi, my FTP account has been hacked. Can you help me to defend against future attacks?
