
How to protect a server against brute force attacks

A brute force attack is an automated script that tries to log in to an account over and over, feeding it candidate passwords from a list (a dictionary file) until one is accepted. The nature of the attack tells us the first thing to avoid: weak passwords. A weak password is short (fewer than 8 characters, usually all lower-case), is a word or name that means something to its owner, appears in a dictionary, or is simply a run of consecutive digits (123456 being the classic). A strong password, by contrast, is a long, genuinely random mix of upper- and lower-case letters, digits and special characters, and it is used for that one account only, nowhere else.

If you are running cPanel/WHM on your server, take advantage of the "cPHulk Brute Force Protection" system under "Security Center". It offers easy-to-configure rules based on the number of failed login attempts, the source IP addresses and the time window in which the failures occur. DirectAdmin users should open "Administrator Settings" at the Admin Access level and proceed to the "Security" section for similar controls against the most common brute force and DoS/DDoS attacks.
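As an added example (not from the original page, and not code from cPanel, DirectAdmin or any other product), the following POSIX shell script shows both sides of the picture described above: a toy login service that counts failures per source address and refuses that address once a threshold is reached, in the spirit of the control-panel lockouts, and a dictionary attack run against it. The account names, passwords, addresses, wordlist and function names are all constructed for this illustration.

```shell
#!/bin/sh
# Added example: a toy login service with a per-source lockout, attacked by a
# dictionary loop. Accounts, passwords, addresses and the wordlist are all
# constructed for this illustration; they are not real data.

# Constructed account database, one "user:password" per line.
# bob uses a password found in every wordlist; alice uses a random one.
ACCOUNTS='bob:123456
alice:gT7#pq9!Lm2z'

# Constructed wordlist, in the order the attacker tries it.
WORDLIST='password
qwerty
letmein
123456
abc123'

FAILS=''   # per-source failure counters, one "address count" per line

# fail_count ADDRESS -> prints the failures recorded for ADDRESS (0 if none)
fail_count() {
    printf '%s\n' "$FAILS" |
        awk -v ip="$1" '$1 == ip { print $2; found = 1 } END { if (!found) print 0 }'
}

# record_failure ADDRESS -> increments the counter for ADDRESS
record_failure() {
    n=$(( $(fail_count "$1") + 1 ))
    FAILS=$(printf '%s\n' "$FAILS" |
        awk -v ip="$1" -v n="$n" '$1 == ip { next } NF { print } END { print ip, n }')
}

# check_login ADDRESS USER PASSWORD THRESHOLD
# Sets LOGIN_RESULT to ok | fail | locked. After THRESHOLD failures the address
# is refused before the password is even looked at; THRESHOLD 0 disables lockout.
check_login() {
    if [ "$4" -gt 0 ] && [ "$(fail_count "$1")" -ge "$4" ]; then
        LOGIN_RESULT=locked
        return 0
    fi
    stored=$(printf '%s\n' "$ACCOUNTS" | awk -F: -v u="$2" '$1 == u { print $2 }')
    if [ -n "$stored" ] && [ "$3" = "$stored" ]; then
        LOGIN_RESULT=ok
    else
        record_failure "$1"
        LOGIN_RESULT=fail
    fi
}

# dictionary_attack ADDRESS USER THRESHOLD -> prints how the attack ended
# "attempts" counts guesses the service actually evaluated.
dictionary_attack() {
    tries=0
    for pw in $WORDLIST; do
        check_login "$1" "$2" "$pw" "$3"
        case $LOGIN_RESULT in
            locked)
                printf 'locked out after %d failed attempts; password not found\n' "$tries"
                return 0 ;;
            ok)
                tries=$((tries + 1))
                printf "found password '%s' for %s after %d attempts\n" "$pw" "$2" "$tries"
                return 0 ;;
            fail)
                tries=$((tries + 1)) ;;
        esac
    done
    printf 'wordlist exhausted after %d attempts; password not found\n' "$tries"
}

# Demonstration; each run uses its own source address so the counters do not interfere.
dictionary_attack 203.0.113.10 bob 0     # weak password, no lockout: found on the 4th guess
dictionary_attack 203.0.113.11 bob 3     # same password, 3-failure lockout: attacker cut off
dictionary_attack 203.0.113.12 alice 0   # random password: the whole wordlist fails
```

Run it as-is. Against bob's weak password the attacker needs only four guesses when no lockout is active, but with a three-failure lockout the fourth guess is refused before it is checked; against alice's random password every entry in the wordlist fails. A real lockout additionally expires after some time and exempts the administrator's own address, otherwise a few mistyped passwords lock you out of your own server.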

Each dedicated server on offer comes with the popular "iptables" firewall installed. The rules below use the "recent" match to track new connections to the SSH port (22) per source address: once an address has opened three new connections within 300 seconds, every further attempt is logged and dropped. Because "--update" refreshes the address's timestamp on each further attempt, the block stays in place until the attacker has been quiet for five minutes; "--rttl" only counts packets whose TTL matches the first one recorded, which stops a third party from spoofing someone else's address to get it blocked. The LOG and DROP rules must come before the rule that records the connection and accepts it; if the ACCEPT rule comes first, it matches every new connection and the limit is never enforced:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --rttl --name SSH -j DROP

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT

These rules act on new connections only, so an earlier rule accepting ESTABLISHED,RELATED traffic is still needed for the sessions themselves, and the address you administer the server from should be accepted explicitly above them so that a few typos do not lock you out.

The Secure Shell service is the most frequent target of such attacks, but every other service that accepts a login, such as FTP, SMTP, IMAP/POP3 or a web control panel, is exposed in exactly the same way. Even when every password is strong, a flood of simultaneous connection attempts consumes CPU, memory and bandwidth and degrades the server for everyone else; pushed far enough, and especially when it comes from many hosts at once, this becomes a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack whose aim is to knock the system over rather than to guess a password. A useful tool that watches the logs of several such services for abusive activity and blocks the offending addresses at the firewall is "sshguard", available for download from the following address:
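To show what a log-watching blocker such as sshguard actually does, here is an added example in POSIX shell and awk; it is not sshguard's code and not part of the original page. It scans constructed log lines in the style of sshd, Dovecot and vsftpd, counts authentication failures per source address across all three services, and prints the addresses that crossed a threshold together with the iptables rule that would block each one. The hostnames, addresses, user names, log lines and function names are all constructed for this illustration.

```shell
#!/bin/sh
# Added example: the core of a log-based brute force blocker. Counts login
# failures per source address across several services and reports the
# offenders. The log lines below are constructed in the style of sshd,
# Dovecot and vsftpd; they are not real log data.

SAMPLE_LOG='Mar  3 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:00:02 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:00:02 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51142 ssh2
Mar  3 10:00:04 web1 sshd[2107]: Accepted publickey for deploy from 198.51.100.4 port 40001 ssh2
Mar  3 10:00:05 web1 sshd[2109]: Failed password for deploy from 198.51.100.4 port 40010 ssh2
Mar  3 10:00:06 web1 dovecot: imap-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<jane>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Mar  3 10:00:07 web1 vsftpd[2200]: [ftpuser] FAIL LOGIN: Client "192.0.2.77"
Mar  3 10:00:08 web1 vsftpd[2201]: [ftpuser] FAIL LOGIN: Client "192.0.2.77"'

# failures_by_source LOG -> "address count" lines, most failures first.
# One rule per service extracts the client address from a failed login line;
# successful logins (e.g. "Accepted publickey") are ignored.
failures_by_source() {
    printf '%s\n' "$1" | awk '
        / sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        / dovecot: .*auth failed/ {
            if (match($0, /rip=[0-9.]+/)) n[substr($0, RSTART + 4, RLENGTH - 4)]++
        }
        / vsftpd\[[0-9]+\]: .*FAIL LOGIN: Client "/ {
            if (match($0, /Client "[0-9.]+"/)) n[substr($0, RSTART + 8, RLENGTH - 9)]++
        }
        END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# offenders LOG THRESHOLD -> addresses with at least THRESHOLD failures
offenders() {
    failures_by_source "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

# block_rules LOG THRESHOLD -> prints (does not run) one iptables rule per offender.
# A real blocker would execute these and remove them again after a cooling-off period.
block_rules() {
    offenders "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Demonstration on the constructed log: 203.0.113.7 has 3 sshd + 1 Dovecot
# failures, 192.0.2.77 has 2 vsftpd failures, 198.51.100.4 has a single typo.
failures_by_source "$SAMPLE_LOG"
block_rules "$SAMPLE_LOG" 3
```

Counting across services is the point: the same address that fails three SSH logins and then one IMAP login is one attacker with four failures, not two separate annoyances below the threshold. Before wiring output like this into a firewall, exempt your own management address and make the blocks expire, exactly as sshguard and the control-panel tools do, or a forgotten password becomes a self-inflicted outage.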
