Blocking and preventing brute force attacks is one of the main things
you want to do on your web server to add a layer of security. While
someone might not be targeting your site or server specifically, they
will have automated tools that try to guess common usernames and
passwords against your system. They are essentially forcing their way
into user-only authorized areas of a system; FTP accounts, e-mail
accounts, databases, script-based administration areas, and root or any
shell access are the most common targets.

They will try multiple login attempts, guessing usernames and
passwords, trying to force their way onto your machine. This is a large
topic with a lot to cover; I'll do my best to help you understand how
brute force attacks work, how to prevent them, the signs of an attack,
and the tools that help stop them. This article will not cover session
brute force attempts against web applications; I'll cover that in a
future article. For now we're looking at the main service daemons such
as ftp and shell.
How the brute force attack works
1) Manual login attempts: they will try typing in a few usernames and passwords.
2) Dictionary based attacks: automated scripts and programs will try
guessing thousands of usernames and passwords from a dictionary file,
sometimes one file for usernames and another file for passwords.
3) Generated logins: a cracking program will generate random usernames
according to options set by the user. They could generate numbers only,
a combination of numbers and letters, or other combinations.
Signs of a brute force attempt
You can easily spot a brute force attempt by checking your server's
log files. You will see a series of failed login attempts for the
service they're trying to break into.
Code:
# pico /var/log/secure
or
# tail -f /var/log/secure
Check for failed login attempts such as:
Code:
Apr 11 19:02:10 fox proftpd[6950]: yourserver (usersip[usersip]) - USER theusername (Login failed): Incorrect password.
How to prevent a brute force attack
There are a few main ways to stop a brute force attack; we'll cover:
1) restricting the number of login attempts a user can perform
2) banning a user's IP after multiple failed login attempts
3) keeping a close eye on your log files for suspicious login attempts
Tools to stop and prevent brute force hack attempts
Never enable demo or guest accounts, as they will be the first way an
attacker gets access into your system and exploits it further, and
never have more than one user in the root group.
APF & BFD
There are many different tools you can use to prevent and stop brute
force hackers. The two we'll focus on in this article are the APF
firewall and BFD (Brute Force Detection), both developed by rfxnetworks.
APF is a firewall that works using iptables but adds some nice features
and makes it easy to use, including anti-DoS protection. BFD is a
modular shell script for parsing applicable logs and checking for
authentication failures. If it finds that authentication from an
address failed the set number of times for an application, it bans
that IP address using the APF firewall.
The two of these make an excellent, automated brute force prevention
package. BFD checks your logs every few minutes for multiple failed
login attempts based on a set of rules; if a client fails to log in X
times, the IP is automatically banned at the firewall, preventing
further attacks on your system.
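Here is an added example (my own code, not BFD's or APF's) of the counting step BFD performs: it scans lines in the proftpd failure format shown under "Signs of a brute force attempt" above, tallies failures per source IP, and lists the addresses that crossed a threshold, which is the decision point before a tool like APF would deny the address. The sample log lines and the threshold of 5 are constructed assumptions.

```python
"""BFD-style failed-login counter for the proftpd log format shown above.
Added example, not part of BFD or APF; sample log lines are constructed."""
import re

# One proftpd failure line, shaped like the article's sample:
# Apr 11 19:02:10 fox proftpd[6950]: fox (203.0.113.5[203.0.113.5]) - USER bob (Login failed): Incorrect password.
PROFTPD_FAIL = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ proftpd\[\d+\]: "
    r"\S+ \([^\[]*\[(?P<ip>[0-9.]+)\]\) - USER (?P<user>\S+) \(Login failed\)"
)


def failed_logins_by_ip(lines):
    """Map each source IP to the list of usernames it failed to log in as."""
    attempts = {}
    for line in lines:
        m = PROFTPD_FAIL.search(line)
        if m:  # successful logins and other daemons' lines do not match
            attempts.setdefault(m.group("ip"), []).append(m.group("user"))
    return attempts


def offenders(lines, threshold=5):
    """IPs with at least `threshold` failures as (ip, count), most failures first.
    This is the decision BFD makes before handing the IP to APF for banning."""
    counts = {ip: len(users) for ip, users in failed_logins_by_ip(lines).items()}
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda pair: (-pair[1], pair[0]))


def _fail(ts, ip, user):  # helper that builds one constructed failure line
    return (f"{ts} fox proftpd[6950]: fox ({ip}[{ip}]) - USER {user} "
            "(Login failed): Incorrect password.")


# Constructed sample: 203.0.113.5 walks a username dictionary (6 failures),
# 198.51.100.7 mistypes a password twice, 198.51.100.9 logs in successfully.
SAMPLE_LOG = (
    [_fail(f"Apr 11 19:02:{s:02d}", "203.0.113.5", u)
     for s, u in enumerate(["admin", "root", "test", "guest", "ftp", "anonymous"])]
    + [_fail("Apr 11 19:03:01", "198.51.100.7", "bob"),
       _fail("Apr 11 19:03:04", "198.51.100.7", "bob")]
    + ["Apr 11 19:03:09 fox proftpd[6951]: fox (198.51.100.9[198.51.100.9]) "
       "- USER alice: Login successful."]
)

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG):
        users = sorted(set(failed_logins_by_ip(SAMPLE_LOG)[ip]))
        print(f"{ip}: {n} failed logins as {', '.join(users)} -> ban candidate")
```

Only the dictionary walker is reported at the default threshold; the two-failure typo from 198.51.100.7 stays below it, which is the whole point of counting rather than banning on the first failure.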
LogWatch
LogWatch is a highly recommended tool that sends you daily reports of
system activity including disk space, failed login attempts and much
more. If you have a cPanel server, LogWatch should be installed by
default. Output can look like the following, which I received in an
email report:
Code:
Illegal users failed login attempts sample from LogWatch
anonymous/none from (IP HERE): 8 Time(s)
anonymous/password from (IP HERE): 8 Time(s)
guest/none from (IP HERE): 8 Time(s)
guest/password from (IP HERE): 8 Time(s)
root/password from (IP HERE): 24 Time(s)
Report Attackers
Instead of simply blocking the IP and ignoring the user, you can also
report the attacker to the upstream provider of the source IP, such as
an ISP. Look up their IP: go to DNSStuff.com and enter the IP in the IP
Whois Lookup tool. It will give you information about the ISP,
including company and website. Go to their website, look for an abuse
section, and compose an email including the attacker's IP, the time,
any log snippets and other relevant information.
Summing Up Brute Force Logins and Hack Attempts
Brute force attacks are more and more common these days as hacking
tools are widely available for script kiddies to play with. Arming
yourself with the knowledge and tools to deal with such attacks can
give you peace of mind knowing your system is relatively protected, but
it will never be 100% foolproof.