A brute force attack works anywhere there is a request for user credentials. Brute force attacks are when an automated system will repeatedly try to log into the server, slowly work through username and password combinations until it finds one that works. The system will then either then use this to gain access to infect the server or record for later use.
Obviously trying every single possible username and password combination would be an incredibly slow process. So hackers will often use known usernames. This is sometimes successful as Linux systems often use “root” as the common username. Similarly, Windows systems use “Administrator” username. Various web-based services commonly use admin usernames, sometimes these are shortened to “admin”. There are databases chock full of commonly used passwords gathered from various data breaches. The passwords are then tried in order. These are based on how common their usage has been in the past.
Once these attacks are automated, they will continue until eventually the server is compromised. So, how can these attacks be defended?
Wherever possible try to restrict access to any service that may be subject to a brute force attack by using a firewall. On Linux systems use the SSH service, for Windows use the RDP service, and with control panels such as cPanel you can restrict port 2087 used by WHM. In many cases, legitimate users of the server’s administrative systems will be coming from a limited number of IP addresses, and restricting access to those coming from only those IPs is the easiest way to prevent most (sometimes all, if the pool of IPs is small enough) brute force attacks.
Remove Remote Access
Rename or remove remote access for administrative accounts with common names. On Windows, the Administrator account can be renamed, on Linux the SSH settings have an option to disallow remote logins. This will restrict the chances of success that an attacker will get and mean they will be wasting their time trying to attack the common user names.
Limit Login Attempts
On services that support it, limit the number of consecutive login attempts that can be made before locking the account either temporarily or permanently. Even putting a minute’s cooldown after three consecutive login attempts will significantly slow down a script’s attempts to compromise a server.
Enable two-factor authentication wherever you can. This commonly takes the form of being asked for a second passcode after your password has been provided. The passcode may be provided from an app on your phone, a USB key, a keyring with a display, or be sent to you by e-mail or SMS. These codes are normally time-based meaning that they are only valid for a limited period of time. This means that even if the attacker gets the right password then the chances of them guessing the right code is slim, and with the codes changing constantly they’d also need to keep guessing a new seemingly random code.
Set alerts for invalid login attempts where possible. An alert for each may be a bit much, but once three failed attempts has been reached, sending an alert is a good way of letting you know that account is being attacked on your server.
This next one is one is pretty much limited to web applications. Increase security by moving or renaming administration scripts, and adding additional security checks such as an .htaccess password. For example, brute force attacks against WordPress normally target the wp-admin section of the site. Hiding these files or adding additional security will work to slow down attacks to that part of the site.
While brute force attacks are some of the most dangerous attacks against your server, there are plenty of methods you can use to protect against them. Which methods are relevant depends on the software that you are trying to protect, but most software can make use of at least some of these methods.