What Is A Brute Force Attack?
A brute force attack is a hacking technique that involves trying many different passwords to eventually guess the right one correctly.
The first step in any brute force attack is to choose a target. Therefore, hackers start by scanning networks, looking for open ports, and then trying to guess passwords. If they guess the correct password, they’ll try to log in. Once logged in, they’ll have complete control over the network.
Brute force attacks target systems using large volumes of data aimed/ sent at them simultaneously, sending requests or useless information to a targeted server or service. These attacks are used to overwhelm servers and network devices.
The attacks are often automated, meaning they’re done without human input; these attacks are often called “hacking.”
How to Identify Brute Force Attacks?
Several Actions That Indicate a Brute Force Attack, Such as –
-
Repeated login attempts:
Many failed login attempts within a short time indicate a brute force attack.
-
High resource usage:
Brute force attacks can cause high CPU or memory usage on the targeted server, as it is trying to process many login attempts.
-
Unusual network traffic:
A brute force attack will generate a large amount of incoming traffic that can be detected by monitoring network traffic patterns.
-
Suspicious IP addresses:
Logs can be checked for suspicious IP addresses repeatedly trying to connect to the server.
How Do I Identify SSH Brute Force Attacks on a Linux Server?
To detect SSH brute force attempts on a Linux server (such as CentOS 7, Fedora 21, and RHEL 7), you can use the journalctl command with the following parameters –
# journalctl -u sshd | grep “Failed password”
This command will search the system logs for any entries related to the SSH service that include the string “Failed password“, which indicates a failed login attempt.
For older RedHat-based systems using Upstart (such as CentOS 6 and RHEL 6), you can search for possible intrusion attempts in the /var/log/secure file by using the following command –
#cat /var/log/secure | grep “Failed password”
This command will search the /var/log/secure file for entries that include the string “Failed password“.
How Do I Identify Brute Force Attacks On A Windows Server?
The Event Viewer is a built-in tool in Windows that allows you to view system and application logs. You can access it by going to the Start Menu, typing “Event Viewer,” and pressing Enter. In the Event Viewer, look for security, system, and application logs.
The “Security Log” in the Event Viewer contains records of security-related events, such as login attempts. You can find the Security Log by expanding the Windows Logs folder in the Event Viewer and clicking “Security.”
Look for logs with event IDs 4625 and 4624, respectively, which indicate failed and successful login attempts.
Note: It’s important to regularly check the logs and monitor the network traffic to identify any suspicious activity that may indicate a brute force attack.
In this blog, we have discussed various tools and methods that can be used to prevent brute-force attacks.
Top 5 Tools for Preventing Brute Force Attacks
1. IPBan
IPBan is an effective tool for preventing brute force attacks and blocking repeated login attempts from a specific IP address. It works when many failed login attempts come from a single IP address. In this case, IPBan automatically blocks that IP from making further attempts.
The IPBan security app is developed for Windows and Linux to stop botnets and hackers. Security is the main goal of a server administrator; hence, administrator-defined botnets and hackers in the firewall can also improve performance.
Each failed login attempt consumes many CPU and system resources, mainly in remote desktop and SSH environments.
IPBan protects remote desktops (RDP), SSH, SMTP, and databases such as MySQL or SQL Server from failed login attempts. By editing the IPBan configuration file, you can also add other protocols to Windows or Linux servers.
IPBan can help reduce the server load by blocking unauthorized accesses before they even reach the web application; this reduces the number of requests the server has to handle.
Requirements –
- .NET 6 SDK to build and debug code.
- IDE or terminal with administrator or root access.
Supported Platforms –
- Windows 8.1 or newer (x86, x64), Windows Server 2012 or newer (x86, x64), Linux (Ubuntu, Debian, CentOS, RedHat x64).
- IPBan Windows Server 2008 may work with some modifications. However, as Windows Server 2008 has reached the end of its life, it is no longer officially supported.
- In CentOS and RedHat Linux, you must manually install IPtables and IPset using the Yum package manager.
- IPBan is not supported in Mac OS X.
2. CSF
Config Server Firewall (CSF) is a web application firewall (WAF) that protects websites and servers from brute force attacks. Using the CSF, you can monitor user activity, track visitors, and ensure the website and server remain secure. In addition, you can monitor any changes in the network traffic flow and detect any security breaches.
Benefits Of Installing A Firewall –
- Firewalls prevent unauthorized access to servers on private networks via software or hardware.
- Firewalls protect computer networks by monitoring and controlling data flow between internal systems and external devices.
- A firewall usually monitors incoming and outgoing packets (traffic) on a computer, filtering illegal content or blocking unwanted web requests.
- It prevents programs from sending information outside the internal network unless the user specifically authorizes it. Thus stopping hackers from accessing sensitive data.
- You can set up rules in the firewall to block the IP address of the system’s failed login attempts.
- If you have a WHM/ cPanel on the server, you can enable cPHulk Brute Force Protection. This feature protects the server against brute-force attacks.
- It will prevent viruses from entering or spreading throughout a company’s network.
You can refer to this article to download CSF on your server.
3. EvlWatcher
EvlWatcher works similarly to a Fail2ban application on a Windows server. The EvlWatcher application checks server log files for failed login attempts and other distrustful activity. If EvlWatcher finds more than a predefined number of failed login attempts, it blocks IP addresses for a specified duration. By using EvlWatcher, you can prevent unauthorized access to your server.
EvlWatcher is an excellent application. Once you install it, it will automatically protect your server with its default rules that you can also change by editing config.xml. There is also a permanent IP ban list for those who repeatedly attempt to breach the server; they automatically land there after three strikes. You can alter the block time or make exceptions in the application.
On GitHub, the EvlWatcher project is still under active development.
4. Malwarebytes
A brute force attack involves guessing possible password combinations until the correct one is found. If this attack succeeds, malware can spread across the network, and decrypt encrypted data. So, Malwarebytes Premium protects servers against brute force attacks using advanced antivirus and anti-malware technology.
Cybercriminals exploit RDP password vulnerabilities to carry out brute force attacks on servers, distributing malware such as ransomware and spyware. Malwarebytes’ Brute Force Protection feature reduces RDP connection exposure and stops attacks in progress.
If you are looking for an antivirus that provides real-time malware protection from widespread threats and brute force attacks, Malwarebytes Premium is a good option. It provides optimum protection without the need for additional antivirus software. You can also manually scan your server on demand if you are concerned that you have recently been infected with a virus or attempted brute force attack.
Malwarebytes is supported on Windows, Linux, Mac OS, Android, and Chrome OS.
Malwarebytes is free for 14 days after you install it on your device. At the end of the free trial, the program will run only the most basic functions, and you can continue using it without extra charge. To get proactive 24/7 real-time protection, you must purchase a Malwarebytes Premium license for one or two years.
5. Sentry
Sentry is a fully automated brute force protection application that protects SSH connections silently and seamlessly without user interaction. It is a secure and powerful protection tool against brute-force attacks on Linux servers. Sentry is written in Perl. its installation and deployment are quite straightforward, and it does not require any dependencies.
Sentry detects and prevents brute-force attacks against the SSH daemon (SSHd). It blocks SSH brute-force attacks using TCP wrappers and several popular firewalls.
Although Sentry was designed to protect the SSH daemon, it also works with FTP and MUA services. You can easily extend Sentry to support additional blocking lists. Its primary objective is to reduce the number of resources.
Sentry employs flexible rules to detect malicious connections. It is generally considered suspicious when a user attempts to log in to a system using an invalid username or password.
This is particularly true for the SSH protocol, which is used to access and manage servers remotely.
When an invalid user attempts to log in via SSH, the server typically rejects the login attempt and may log the event as a security alert. The configuration section contains script-related rules for Sentry.
Techniques For Preventing Brute Force Attacks
-
Use a strong password.
The first thing you should do is create a strong password. A strong password means it is difficult to guess and uses characters that are not commonly used. You can use any character you want; just make sure they aren’t commonly used.
If you’re using a dictionary word, try to avoid words that people might easily guess. For example, if you’re trying to create a password that includes the word ‘password’, don’t choose something like ‘p@ssword’. Instead, go with something like ‘passw0rd’ or’my_secret_password’.
-
Don’t reuse passwords.
By reusing the same password on multiple accounts, you are increasing the risk that an attacker will be able to gain access to multiple accounts with a single set of login credentials. This can have serious consequences, such as financial loss or the theft of personal information.
It’s important to avoid reusing passwords as it increases the risk of a brute-force attack. If you have the same password for multiple websites, someone accessing your email account can also access those sites. So, if you change your password on one site, change it everywhere else, too. Using unique passwords for each account and a password manager to generate and store them securely can help prevent brute-force attacks.
-
Change your password frequently.
Changing your password often is an important practice to prevent brute force attacks, as this attack involves repeatedly guessing login credentials to gain access. Regularly changing your password makes it more difficult for an attacker to guess the correct login credentials.
You should change your password at least every three months or more frequently if you suspect your account may have been compromised. When creating a new password, it’s important to use a strong, unique password containing letters, numbers, and special characters. Avoid using easily guessable information such as your name, birth date, or common words.
-
Keep your software updated.
It is important to update your computer’s software to maintain unbreachable security. Software developers release updates that contain important security fixes that can help your computer stay protected from viruses, malware, and other online threats.
Regularly checking for and installing updates can help keep your computer secure and running smoothly. It’s also a good idea to check your software’s websites to see if any important updates are available.
-
Use two-factor authentication (2FA).
By adding two-factor authentication, you can make your login information more secure. When logging in, you’ll need to enter your username, password, and a text message code sent to your phone or email address. This helps protect your data further, even if someone steals your username/ password combination.
-
Change the RDP/ SSH service default ports.
Microsoft Windows OS comes with Remote Desktop Services on the default port 3389. Since this port is commonly used, it can be an easy target for brute-force attacks against remote desktops.
Refer to this article to easily change RDP port 3389 to a non-standard port on your Windows VPS/ Dedicated server.
Similarly, the SSH service also comes with the 22 port. You can change this port by referring to our articles;
- For CentOS, refer to this article.
- For Ubuntu, refer to this article.
-
Restrict Access To Rdp Service For Specific IP addresses
IP-based restrictions allow administrators to restrict access to specific services to only a registered IP address range. Many administrators choose to use IP-based restrictions to secure RDP connections. This allows only certain IP addresses to connect to the RDP port, which can help prevent unauthorized access and protect against potential security threats.
You can refer to this article to set IP-based restrictions.
Conclusion
Brute force attacks can be prevented by employing multiple tools and techniques, which we have discussed in this article. From using strong passwords and multi-factor authentication to using the non-standard port for RDP/ SSH services, restricting access to RDP/ SSH services for specific IP addresses is essential in staying safe from brute force attacks.
It’s also important to monitor your server’s logs and network traffic to identify any suspicious activity indicating a brute-force attack. In addition, several online tools can help prevent brute-force attacks by blocking repeated login attempts from a single IP address.
Thus, these simple steps will ensure that your data and other personal information are secure from hackers.
