One of the most common forms of attack your server could come under is a brute force attack. These attacks are commonly used against software where no other known or easily used exploit is available to gain access. It is a long-winded and slow method of compromising a server, and it tends to be performed by an automated attacking script. Here is how it works, and how to defend against it.
What is a Brute Force Attack?
A brute force attack is, at its core, the cyber equivalent of trying every single key on a key ring in a door until one works.
A brute force attack works anywhere there is a request for user credentials. In a brute force attack an automated system repeatedly tries to log into the server, slowly working through username and password combinations until it finds one that works. The attacker will then either use the credentials to gain access and infect the server, or record them for later use.
Obviously, trying every single possible username and password combination would be an incredibly slow process, so attackers often start from known usernames. This is sometimes successful because Linux systems commonly use “root” as the administrative username, and Windows systems use the “Administrator” account. Various web-based services commonly use admin usernames too, often shortened to “admin”. For passwords, there are databases chock full of commonly used passwords gathered from various data breaches; these are tried in order, ranked by how common their usage has been in the past.
Once these attacks are automated, they will continue until eventually the server is compromised. So, how can they be defended against?
Wherever possible, use a firewall to restrict access to any service that may be subject to a brute force attack. On Linux systems this is the SSH service, on Windows it is the RDP service, and with control panels such as cPanel you can restrict port 2087, which is used by WHM. In many cases, legitimate users of the server’s administrative systems will be coming from a limited number of IP addresses, and allowing access only from those IPs is the easiest way to prevent most (sometimes all, if the pool of IPs is small enough) brute force attacks.
Remove Remote Access
Rename or remove remote access for administrative accounts with common names. On Windows the Administrator account can be renamed; on Linux the SSH settings have an option to disallow remote logins for the root account. This reduces an attacker’s chances of success and means they will be wasting their time attacking the common usernames.
Limit Login Attempts
On services that support it, limit the number of consecutive failed login attempts that can be made before locking the account either temporarily or permanently. Even a one-minute cooldown after three consecutive failed attempts will significantly slow down a script’s attempts to compromise a server.
Enable two-factor authentication wherever you can. This commonly takes the form of being asked for a second passcode after your password has been provided. The passcode may come from an app on your phone, a USB key, or a key fob with a display, or be sent to you by e-mail or SMS. These codes are normally time-based, meaning they are only valid for a limited period. So even if the attacker gets the right password, the chances of also guessing the right code are slim, and because the codes change constantly they would need to keep guessing a new, seemingly random code.
Set alerts for invalid login attempts where possible. An alert for every failure may be a bit much, but sending an alert once three failed attempts have been reached is a good way of letting you know that an account on your server is being attacked.
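As an added example (not code from the original article), the following script shows the three-failure rule from the previous two sections applied to SSH authentication logs: it parses sshd “Failed password” lines, and raises an alert for any source IP that racks up three or more failures within a one-minute window. The log lines are constructed for the example, and the year is assumed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines in the OpenSSH/syslog style (not real data).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:00:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:00:04 host sshd[1203]: Accepted publickey for alice from 198.51.100.5 port 40011 ssh2
Mar  3 10:00:05 host sshd[1204]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar  3 10:00:06 host sshd[1205]: Failed password for root from 203.0.113.7 port 51141 ssh2
Mar  3 10:05:30 host sshd[1206]: Failed password for root from 198.51.100.9 port 50001 ssh2
"""

# Matches both "Failed password for root ..." and "Failed password for invalid user admin ...".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_ts(ts: str, year: int = 2024) -> datetime:
    # Syslog timestamps carry no year; the year is an assumption for the sample.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_brute_force(log: str, threshold: int = 3, window: timedelta = timedelta(minutes=1)):
    """Return {ip: (total_failures, [usernames tried])} for every source IP that
    produced at least `threshold` failed logins inside any `window`-long span."""
    failures = defaultdict(list)
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        # Sliding window over the sorted failures: alert on the first burst that fits.
        for i in range(len(events) - threshold + 1):
            if events[i + threshold - 1][0] - events[i][0] <= window:
                alerts[ip] = (len(events), sorted({user for _, user in events}))
                break
    return alerts


if __name__ == "__main__":
    for ip, (count, users) in find_brute_force(SAMPLE_LOG).items():
        print(f"ALERT: {count} failed logins from {ip} targeting {users}")
```

The single failure from 198.51.100.9 never trips the threshold, which is the point of alerting on a burst rather than on every bad password.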