What is a Brute Force Attack?
A brute force attack is one of the most basic and ineffective hacking techniques. Brute force attacks, as the term indicates, are not delicate. The assumption behind such an attack is that if you guess a password an endless number of times, you will ultimately be correct.
By attempting to guess the username/email and password, the attacker hopes to acquire forced access to a user account. The goal is usually to utilize the compromised account to launch a large-scale assault, steal important data, take down the system, or do all three.
It takes little ingenuity or knowledge to write code that conducts this sort of attack, and there are even readily accessible automated systems that submit thousands of password tries each second.
Brute Force Attacks: How to Spot Them
It’s simple to spot and examine a brute force attack. Examining your Apache access log or Linux log files might help you find them. As seen below, the assault will result in a sequence of failed login attempts:
Is Account Lockout Effective
When dealing with brute force attacks, it’s usual practice to lock out accounts after a particular amount of false password tries. Unfortunately, it alone isn’t always enough.
Hackers can carry out large-scale assaults by attempting a single password on thousands of systems. This approach, unlike attempting several passwords on a single server, does not result in an account lockout, and it skillfully avoids this protective feature.
For example, if a server is frequently attacked, several hundred user accounts may be locked out regularly. Denial-of-service attacks would be easy prey for your server. To identify and halt DDoS assaults, be proactive.
Is it Beneficial to Speak in “LEET-speak”
“Leetspeak” is an online language that converts any text into ASCII characters and encodes it.
Leetspeak was a good technique to add another “security layer” to your password management for a while. Hackers, on the other hand, have figured out how to use dictionaries to replace letters with popular Leet characters. Other common encryption techniques, such as SHA-1, are similarly vulnerable.
Techniques to Prevent Brute Force Attacks
There are a variety of techniques for stopping or preventing brute force attacks.
A robust password policy is the most evident. Strong passwords should be enforced by every online application or public server. Standard user accounts, for example, must have at least eight characters, a number, capital and lowercase letters, and a special character. Furthermore, servers should mandate password updates regularly.
Let’s look into some more options for preventing a brute force attack.
Limit failed login attempts
Make the root user inaccessible via SSH by editing the sshd_config file
Don’t use a default port, edit the port line in your sshd_configfile
Limit logins to a specified IP address or range
Unique login URLs
Monitor server logs
1. Account Lockouts After Failed Attempts
As previously indicated, enacting an account lockout after a series of failed login attempts is futile since it puts your server vulnerable to denial-of-service assaults. This procedure, however, becomes considerably more successful when conducted with successive delays.
After a certain number of unsuccessful login attempts, account lockouts with progressive delays lock an account for a specific time. Automated brute force assault methods will become less helpful as a result. Admins will also save time by not having to unlock hundreds of accounts every 10 minutes or so.
2. Disable SSH access for the root user
Attempts to brute force SSH passwords on a server’s root user are common. By modifying the sshd config file, ensure that the root user is not accessible through SSH. Set the parameters for ‘DenyUsers root’ and ‘PermitRootLogin no’.
3. Make a change to the Default Port.
The default port 22 is used in most automated SSH assaults. As a result, running sshd on a separate port could be a good strategy to avoid brute force attacks.
Edit the port line in your sshd config file to change to a non-standard port.
4. Make use of CAPTCHA
On the internet, we’ve all become accustomed to seeing a CAPTCHA. Nobody enjoys deciphering anything that appears like it was scrawled by a two-year-old, yet techniques like CAPTCHA make automated bots useless.
Even though hackers have started employing optical character recognition software to get around this safety measure, the simple necessity to input a phrase or the number of cats on a produced image is quite effective against bots.
Keep in mind that using technologies like CAPTCHA has a detrimental influence on the user experience.
5. Limit Logins to a Specific IP Address or Range of IP Addresses
If you only allow access from a specific IP address or range, brute force attackers will have to work extra hard to get past that barrier and acquire access.
It’s like erecting a security fence around your most sensitive information, and anyone who doesn’t come from the correct IP address is denied access.
You may do this by assigning a static IP address to a remote access port. You can use a VPN instead of a static IP address if you don’t have one. One disadvantage is that it may not be suited to all applications.
6. Make use of two-factor authentication (2FA)
Many people consider two-factor authentication to be the first line of security against brute force assaults. The danger of a data breach is considerably reduced when such a solution is implemented.
The beauty of 2FA is that a password alone isn’t sufficient. An attacker would need access to your smartphone or email client even if they cracked the password. Some determined attackers may try to breach that barrier, but the majority will turn around and go for a less difficult victim.
7. Make Login URLs That Are Unique
Create separate login URLs for each user group. Although this will not prevent a brute force assault, adding that more variable makes things more difficult and time-consuming for an attacker.
8. Keep an eye on the server logs.
Be careful to thoroughly examine your log files. Log files are critical for system upkeep, as administrators are well aware.
UK Cyber Security Ltd is here to help
Please check out our Cyber Essentials Checklist
Please check out our Free Cyber Insurance
If you would like to know more, do get in touch as we are happy to answer any questions. Looking to improve your cybersecurity but not sure where to start? Begin by getting certified in Cyber Essentials, the UK government’s scheme that covers all the technical controls that will provide the protection that you need to help guard against criminal attacks. Or just get in touch by clicking contact us