What is a Brute Force Attack?
A brute force attack is a hacking technique that involves trying many different passwords with the hope of eventually guessing the right one correctly. The first step in any brute force attack is to choose a target; therefore, the hackers start by scanning networks looking for open ports and then try to guess passwords. If a hacker guesses the correct password, they’ll try to log in. Once logged in, they’ll have complete control over the network.
Brute force attacks target systems using large volumes of data aimed/ sent at them simultaneously; sending requests or a lot of useless information to a targeted server or service. These attacks are used to overwhelm servers and network devices.
In a brute force attack, the attacker uses a lot of computing power to try to break the system. As discussed before, the brute force attack is a method of guessing passwords or trying combinations of characters until they find one that works. The attacks are often automated, which means they’re done without human input; these types of attacks are often referred to as “hacking.”
How to Indicate Brute Force Attacks?
Several Actions That Indicate a Brute Force Attack, Such as –
- Repeated login attempts: A large number of failed login attempts within a short time is a clear indication of a brute force attack.
- High resource usage: Brute force attacks can cause high CPU or memory usage on the targeted server, as it is trying to process a large number of login attempts.
- Unusual network traffic: A brute force attack will generate a large amount of incoming traffic that can be detected by monitoring network traffic patterns.
- Suspicious IP addresses: Logs can be checked for suspicious IP addresses that are repeatedly trying to connect to the server.
How Do I Identify SSH Brute Force Attacks on a Linux Server?
To detect SSH brute force attempts on a Linux server (such as CentOS 7, Fedora 21, and RHEL 7), you can use the journalctl command with the following parameters –
# journalctl -u sshd | grep “Failed password”
This command will search the system logs for any entries related to the SSH service that include the string “Failed password“, which indicates a failed login attempt.
For older RedHat-based systems using upstart (such as CentOS 6 and RHEL 6), you can search for possible intrusion attempts in the /var/log/secure file by using the following command –
#cat /var/log/secure | grep “Failed password”
This command will search the /var/log/secure file for any entries that include the string “Failed password“.
How Do I Identify Brute Force Attacks on a Windows Server?
The Event Viewer is a built-in tool in Windows that allows you to view system and application logs. You can access the Event Viewer by going to the Start Menu, typing “Event Viewer” and pressing Enter. Look for logs related to security, system, and application in the Event Viewer.
The “Security Log” in the Event Viewer contains records of security-related events, such as login attempts. You can find the Security Log by expanding the Windows Logs folder in the Event Viewer and then clicking on “Security.”
Look for logs with event IDs 4625 and 4624, which indicate failed and successful login attempts respectively.
Note: It’s important to regularly check the logs and monitor the network traffic to identify any suspicious activity that may indicate a brute force attack.
In this blog, we have discussed various tools and methods that can be used to prevent brute-force attacks.
Top 5 Tools for Preventing Brute Force Attacks
1. IPBan
IPBan is an effective tool for preventing brute force attacks as it blocks repeated login attempts from a specific IP address. Brute force attacks typically involve automated scripts that repeatedly try to guess a user’s login credentials by trying different combinations of username and password. IPBan works when a large number of failed login attempts are coming from a single IP address. In this case, IPBan automatically blocks that IP from making further attempts.
The IPBan security app is developed for Windows and Linux to stop botnets and hackers. Security is the main goal of a server administrator, hence administrator-defined botnets and hackers in the firewall can also improve performance. Each failed login attempt consumes a large amount of CPU and system resources; this is mainly in remote desktop and SSH environments.
IPBan protects remote desktops (RDP), SSH, SMTP, and databases such as MySQL or SQL Server from failed login attempts. You can also add other protocols in Windows or Linux servers by editing the IPBan configuration file.
Requirements –
- IPBan needs .NET 6 SDK to build and debug code.
- IPBan requires IDE or terminal with administrator or root access.
Supported Platforms –
- Windows 8.1 or newer (x86, x64), Windows Server 2012 or newer (x86, x64), Linux (Ubuntu, Debian, CentOS, RedHat x64).
- IPBan Windows Server 2008 may work with some modifications. As Windows Server 2008 reached the end of its life, it is no longer officially supported.
- In CentOS and RedHat Linux, you will need to manually install IPtables and IPset using the Yum package manager.
- IPBan is not supported in Mac OS X.
- You can download the IPBan application from here.
Installing IPBan on a server can provide several benefits to help prevent brute force attacks:
- IPBan checks if a large number of failed login attempts are coming from the same IP address. Once it detects the IP, it automatically blocks the IP from making further attempts; this effectively stops the attack in its tracks and helps to protect the server.
- IPBan can greatly increase the security of a server by preventing unauthorized access and protecting sensitive information.
- IPBan can help in reducing the server load by blocking unauthorized accesses before they even reach the web application; this reduces the number of requests the server has to handle.
- By installing IPBan, we can also improve the performance of the server.
Overall, IPBan is a powerful and effective tool for preventing brute force attacks. It is also simple to set up and use. This makes it a great option for any website or server that needs to be protected from these types of attacks.
2. CSF
Config Server Firewall (CSF) is a web application firewall (WAF) that protects websites and servers from brute force attacks. Using the CSF, you can monitor user activity, track visitors, and ensure the website and server remain secure. In addition, you can monitor any changes in the network traffic flow and detect any security breaches.
Benefits of Installing a Firewall –
- Firewalls prevent unauthorized access to servers on private networks via software or hardware.
- Firewalls protect computer networks by monitoring and controlling the flow of data between internal systems and external devices.
- A firewall usually monitors incoming and outgoing packets (traffic) on a computer; filtering illegal content or blocking unwanted web requests.
- It prevents programs from sending information outside of the internal network unless the user specifically authorizes it to do so. Thus, stopping hackers from accessing sensitive data.
- You can set up rules in the firewall and block the IP address of failed login attempts system.
- If you have a WHM/ cPanel on the server, you can enable cPHulk Brute Force Protection. This feature protects the server against brute force attacks.
- It will prevent viruses from entering or spreading throughout a company’s network.
You can refer to this article to download CSF on your server.
3. EvlWatcher
EvlWatcher works similarly to a Fail2ban application on a Windows server. The EvlWatcher application checks server log files for failed login attempts and other distrustful activity. If EvlWatcher finds more than a predefined number of failed login attempts, it blocks IP addresses for a specified duration. By using EvlWatcher, you can prevent unauthorized access to your server.
EvlWatcher is an excellent application. Once you install it, it will automatically protect your server with its default rules that you can also change by editing config.xml. There is also a permanent IP ban list for those who repeatedly attempt to breach the server; they automatically land there after three strikes. You can alter the block time or make exceptions in the application.
On GitHub, the EvlWatcher project is still under active development.
You can download EvlWatcher from here.
4. Malwarebytes
A brute force attack involves guessing possible password combinations until the correct one is found. If this attack is successful, malware can spread across the network and decrypt encrypted data. So, Malwarebytes Premium protects servers against brute force attacks using advanced antivirus and anti-malware technology.
By exploiting RDP password vulnerabilities, cybercriminals carry out brute force attacks on servers, distributing malware in the form of ransomware and spyware. The Brute Force Protection feature of Malwarebytes reduces RDP connection exposure and stops attacks that are in progress.
If you are looking for an antivirus that provides real-time malware protection from widespread threats and brute force attacks, Malwarebytes Premium is a good option. Malwarebytes Premium provides you with optimum protection without the need for additional antivirus software. You can also manually scan your server on demand if you are concerned that you have recently been infected with a virus or an attempted brute force attack.
Malwarebytes is supported on Windows, Linux, Mac OS, Android, and Chrome OS.
Malwarebytes is free for 14 days after you install it on your device. At the end of the free trial, the program will run only the most basic functions and you can continue to use it without extra charge. To get proactive 24/7 real-time protection, you will need to purchase a Malwarebytes Premium license for one or two years.
You can download the Malwarebytes application from here.
5. Sentry
Sentry is a fully automated brute force protection application that protects SSH connections silently and seamlessly without the need for any user interaction. It is a secure and powerful protection tool against brute force attacks on Linux servers. Sentry is written in Perl. its installation and deployment are quite straightforward, and it does not require any dependencies.
Sentry detects and prevents brute force attacks against SSH daemon (SSHd). SSH brute force attacks are blocked by Sentry using TCP wrappers and several popular firewalls; it was designed to protect the SSH daemon; however, this also works with FTP and MUA services. You can easily extend Sentry to support additional blocking lists. Its primary objective is to reduce the number of resources.
To detect malicious connections, Sentry employs flexible rules. It is generally considered suspicious when a user attempts to log in to a system using an invalid username or password. This is particularly true for the SSH protocol, which is used to access and manage servers remotely. When an invalid user attempts to log in via SSH, the server will typically reject the login attempt and may log the event as a security alert. You can see script-related rules of Sentry in the configuration section.
Please refer to this article for information on how to download the Sentry tool on the server.
Techniques for Preventing Brute Force Attacks
1. Use a strong password.
The first thing you should do is create a strong password. A strong password means that it is difficult to guess and uses characters that are not commonly used. You can use any character you want, just make sure they aren’t commonly used. If you’re using a dictionary word, try to avoid words that people might easily guess. For example, if you’re trying to create a password that includes the word ‘password’, don’t choose something like ‘[email protected]’. Instead, go with something like ‘passw0rd’ or’my_secret_password’.
2. Don’t reuse passwords.
By reusing the same password on multiple accounts, you are increasing the risk that an attacker will be able to gain access to multiple accounts with a single set of login credentials. This can have serious consequences, such as financial loss or the theft of personal information.
It’s important to avoid reusing passwords as it also increases the risk of a brute force attack. If you have the same password for multiple websites, then someone who gets access to your email account can also get access to those sites. So, if you change your password on one site, make sure you change it everywhere else too. Using unique passwords for each account, and using a password manager to generate and store them securely can help to prevent brute force attacks.
3. Change your password frequently.
Changing your password often is an important practice to prevent brute force attacks as this attack involves guessing login credentials repeatedly to gain access. By regularly changing your password, you make it more difficult for an attacker to guess the correct login credentials.
It’s recommended that you change your password at least every three months or more frequently if you suspect that your account may have been compromised. When creating a new password, it’s important to use a strong, unique password that contains a mix of letters, numbers, and special characters. Avoid using easily guessable information such as your name, birth date, or common words.
4. Keep your software updated.
It is important to keep your computer’s software updated to maintain unbreachable security. Software developers release updates that contain important security fixes that can help your computer stay protected from viruses, malware, and other online threats. By regularly checking for and installing updates, you can help keep your computer secure and running smoothly. It’s also a good idea to regularly check the websites of the software you use to see if any important updates are available.
5. Use two-factor authentication (2FA).
By adding two-factor authentication, you can make your login information more secure. In this, you’ll need to enter your username, password, and a text message code sent to your phone or email address when logging in. This helps protect your data further even if someone steals your username/ password combination.
6. Change the RDP/ SSH service default ports.
Microsoft Windows OS comes with Remote Desktop Services on default port 3389. Since it is a commonly used port, it can be an easy target for brute force attacks against remote desktops.
By referring to this article, you can easily change the RDP port 3389 to a non-standard port on your Windows VPS/ Dedicated server.
Similarly, the SSH service also comes with the 22 port. You can change this port by referring to our articles;
- For CentOS, refer to this article.
- For Ubuntu, refer to this article.
7. Restrict access to RDP service for specific IP addresses
The IP-based restriction allows administrators to restrict access to specific services to only a registered IP address range. To secure RDP connections, many administrators choose to use IP-based restrictions. This allows only certain IP addresses to connect to the RDP port. This can help prevent unauthorized access and protect against potential security threats.
You can refer to this article to set IP-based restrictions.
Conclusion
Brute force attacks can be prevented by employing multiple tools and techniques, which we have discussed in this article. From using strong passwords and multi-factor authentication to using the non-standard port for RDP/ SSH services, restricting access to RDP/ SSH services for specific IP addresses is essential in staying safe from brute force attacks.
It’s also important to monitor your server’s logs and network traffic to identify any suspicious activity that may indicate a brute-force attack. In addition, several online tools that are available online can help to prevent brute force attacks by blocking repeated login attempts from a single IP address.
Thus, taking these simple steps will ensure your data and other personal information stays secure from hackers.
