Detecting and preventing brute force login attacks

Last Modified: Sep 30, 2012, 11:01 am
A common method of gaining access to a server is a technique called a brute force attack, or dictionary attack.  The attacker uses a script to try to log in to an account with every possible password combination.  This tends to require tens of thousands of login attempts, but eventually the right combination will be found, and they can log in normally.

To prevent this, we can use a brute force login detection system.  DirectAdmin has two such systems for these attacks.

1) The original feature was created in DA 1.25.5, and will detect and block login attempts on DA itself (port 2222):
http://www.directadmin.com/features.php?id=573

This feature only applies to port 2222. It only blocks IPs on this port. It does not block IPs from other ports.

To enable this feature, go to:

Admin Level -> Admin Settings -> Blacklist IPs for excessive login attempts

Use a value around 10-20.  Note that accessing the login page counts as one failed login, since it is an unauthorized access.  Keep that in mind when choosing a number.


2) The newer system works in tandem with the previous one, and will scan the logs of the other services (apache, dovecot, exim, proftpd, sshd).
When an attack is detected, DA will notify the Admins on the box that the attack is in progress.
DA will not block the IPs itself, since that would require a firewall, and DA does not manage firewalls (see block_ip.sh below).
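As an added illustration of what such a log scan does (example code written here, not DirectAdmin's own BFM or hook code; the sshd lines are constructed and the threshold is an assumption), a POSIX shell function that counts sshd "Failed password" lines per source IP and reports the IPs that reach a threshold:

```shell
#!/bin/sh
# Added example, not DirectAdmin code: a minimal version of the kind of
# per-IP failed-login count the brute force monitor performs, here over sshd lines.

# Constructed sample log lines in the style of sshd's auth messages.
# 203.0.113.7 fails three times; 198.51.100.5 logs in, then fails once.
SAMPLE_LOG='Sep 30 10:58:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Sep 30 10:58:03 host sshd[2102]: Failed password for root from 203.0.113.7 port 51240 ssh2
Sep 30 10:58:05 host sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 51251 ssh2
Sep 30 10:58:09 host sshd[2104]: Accepted password for alice from 198.51.100.5 port 40022 ssh2
Sep 30 10:58:11 host sshd[2105]: Failed password for alice from 198.51.100.5 port 40030 ssh2'

# Reads log lines on stdin and prints "IP COUNT" for every source IP whose
# number of failed sshd logins reaches the threshold given as $1.
# Only "Failed password" lines count; accepted logins are ignored.
flag_brute_force() {
    threshold="$1"
    grep 'sshd\[[0-9]*\]: Failed password' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $2, $1 }'
}

# Usage on the constructed sample. A real threshold for a production box would be
# higher (the article suggests 10-20 for the DA login); 3 is an assumption for the demo.
printf '%s\n' "$SAMPLE_LOG" | flag_brute_force 3
```

A real hook would hand each flagged IP to the firewall rather than print it; that part depends on the firewall in use.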

To enable the detection reporting, go to:

Admin Level -> Admin Settings -> Parse service logs for brute force attacks

The brute force monitor (BFM) page can be viewed at:

Admin Level -> Brute Force Monitor

Note that DA does have hook scripts which can be used to automatically block IPs in a firewall, if you have one set up.  We have an example of such a setup here:
http://help.directadmin.com/item.php?id=380
 
Related Helpfiles
Basic system security
I wish to have a block_ip.sh so I can block IPs through DirectAdmin

2003 JBMC Software, Suite 173  3-11 Bellerose Drive, St Albert, AB  T8N 1P7  Canada.  Mon-Fri 9AM-5PM MST