Whether it’s understanding how to stop a brute force attack on your server or how to prevent brute force attacks in general, there are several key things you can do to protect your business. Here’s what to know…
It’s no secret that bad guys love bad passwords. And I don’t mean bad like passwords that contain naughty words — I mean passwords that are so easy to guess that my young niece could figure them out with minimal effort. Reusing old passwords or “tweaking” old passwords (which 70% of users admit to doing) is also an issue. These types of insecure passwords make easy targets for brute force attacks. This is why brute force attack prevention should be a priority for your cyber security initiatives.
Brute force attacks are account hacking attempts that involve everything from cybercriminals guessing random or common passwords to capitalizing on leaked or stolen legitimate user credentials. These cyber attacks are no laughing matter. Bad guys often use scripts or bots to target the login pages on many sites and web apps, but these attacks also have other malicious uses as well.
Losses to businesses from these events vary in terms of direct and indirect costs. The United Kingdom’s Information Commissioner’s Office (ICO) reports that Cathay Pacific (an international airline) suffered a brute force attack in 2018 that resulted in a £500,000 non-compliance fine due to insufficient security measures. Understanding how to stop a brute force attack on your server can help prevent your company from making similar headlines.
So, is there a one-size-fits-all solution for how to prevent brute force attacks? Not really. Brute force attack prevention typically boils down to a layered security approach coupled with a handful of tried-and-true tactics. Much like other types of cyber attack prevention methods, it’s about eliminating as many vulnerabilities as possible in your cyber defenses and making yourself a tougher target than the guy next to you.
In this article, we’ll cover several common brute force attack prevention techniques. We’ll also walk you through how to stop a brute force attack on a server.
Let’s hash it out.
How to Prevent Brute Force Attacks (15 Brute Force Attack Prevention Techniques)
To effectively stop brute force attacks from affecting your IT systems and customers, you first need to really understand what a brute force attack is. Since we’ve already written an article talking about what a brute force attack is and how different types of brute force attacks work, we figure we can just give you a quick overview before moving on to talking about the various brute force attack prevention techniques.
A brute force attack is both a category and specific method of cyber attack that’s typically used to gain unauthorized access to accounts. Many brute force attacks fall within the category of password attacks, but they’re also useful for trying to guess API, SSH and cryptographic keys and find hidden web pages. When used as a password attack method, it targets your authentication systems by pelting its login forms with password and username guesses until it finds a matching combination.
It’s no secret that bad guys want to gain unauthorized access to your organization’s secure resources and sensitive data. As such, admin and privileged user accounts are particularly attractive targets because their accounts have greater access than others.
With all of this in mind, let’s break down 15 brute force attack prevention techniques. These prevention methods will be categorized into six distinct categories to help make the content easy to follow.
Implement Strict Access Controls & Set Up Other Authentication Protections
The general idea of access controls and access management is to ensure that only authorized, authenticated users can access your secure resources. This counts as everything from your network and web apps to other IT systems and data. In a basic sense, access management boils down to knowing:
- If someone has the approval or permissions to access those resources (authorization), and
- If the person requesting access is, in fact, who they claim to be (authentication).
This combination of authorization and authentication is critical to identity and access management (IAM) and your organization’s ability to develop a zero-trust architecture.
Understanding how to use access controls effectively and keep bad guys from finding your login pages is essential to understanding how to prevent brute force attacks from being successful. These practices and processes also help to limit exposure in the event that a brute force attack is successful.
This brings us to the first brute force attack prevention technique on our list…
1. Require Use of Strong, Unique Passwords — Or, Better, Passphrases
Require users to create unique passphrases in lieu of traditional passwords. For example, Goldfish%MirrorHarp+Sickle is a lot easier to remember than 3Ln`GW@09h*QaAwn$!. The FBI recommends using unique passphrases that are at least 15 characters long and contain multiple words. The idea is that passwords that are long and consist of random words/phrases are more secure and easier for people to remember than random gibberish. (So, you’ll be less likely to write them down or reuse them to secure multiple accounts.)
We specify unique password/passphrases because users typically like to choose the easiest route when it comes to creating account secrets. This often results in users either creating crappy (insecure) passwords or re-using passwords across multiple accounts.
Knowing this, it’s crucial for businesses to set strong password security requirements and create a password policy that you enforce. Check out NIST’s Digital Identity Guidelines (SP 800-63B) for additional guidance when creating password-related policies.
2. Set Account Restrictions So Only the Users Who Need Access Have Access to Key Systems
This process often involves setting roles and permissions for users within your active directory (AD) or other access management systems to limit exposure in the event that an employee’s account becomes compromised.
This process can also include setting remote access restrictions relating to remote desktop protocol (RDP) in particular. RDP is a common target for brute force attacks. Edgescan’s 2021 Vulnerability Statistics Report shares that RDP exposures increased significantly in 2020:
“Remote desktop (RDP) and Secure Shell (SSH) exposures increased by 40%, likely due to the increase in remote working due to Covid-19. RDP (and similar services) are easy and commonly used avenues for brute force or credential stuffing attacks, against weak user credentials.”
3. Set a Limit for How Many Failed Login Attempts Can Occur Within a Certain Period
A couple of big red flags that you’ll see with brute force attacks is a single IP attempting to log in to multiple accounts, or multiple IPs attempt to log in to a single user account. You can combat these issues by using rate limits and access use policy:
- Setting and enforcing rate limits is a great way to limit the traffic on your web app, network or server. In this context, you can configure your resources to only allow a specified number of failed user login attempts within a set time period.
- With an account use policy, you can set accounts to lock out users after so many failed attempts.
Secure Your Login Pages and Other Web Apps Using These Protection Measures
It’s no secret that the login pages on sites and web apps are the primary targets in most brute force attacks. Data from Verizon’s 2021 Data Breach Investigations Report (DBIR) shows that 89% of data breaches targeting web apps involved the use of brute force or stolen credentials.
This is why you must take extra care to fortify these defenses to the best of your ability. Here are a few of the ways you can do this:
4. Employ CAPTCHA as Part of Your Login Page Requirements
You know that dreaded “Click here to prove you’re not a bot” challenge box you have to click on many websites? That’s CAPTCHA, which stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.” (Yeah, I know, that’s way more letters than just C-A-P-T-C-H-A but I didn’t name it…)
These tools come in many varieties, some of which may require you to calculate simple mathematical equations, identify elements in photographs, or solve word problems. But I’ll be honest: Whenever I’ve had to solve CAPTCHA in recent months, my mind always goes to this humorous video:
Regardless of how annoying (and frustrating) this site security feature may be at times, it does have some value. CAPTCHA can be useful in preventing account takeovers, fraudulent purchases, and other use cases. The idea behind a CAPTCHA as an effective security tool is that it requires correct answers almost 100% of the time. The idea is that this should be a task that’s easy for humans but incredibly difficult for machines.
You can use a tool like reCAPTCHA on your website to prevent most bots from being able to pummel your login forms. Google even has an enterprise version that enables you to use it for site-wide coverage and an API to integrate the tool into mobile applications.
5. Use an Allowlist to Limit Access to Specific Pages
Allowlists (AKA whitelists) are a great way to limit to ensure that only select users, IP addresses, or domains can access your pages, web apps, emails, applications, and other systems. For example, using an allowlist enables you to specify which IP addresses can access your login pages. Any access attempts made by IP addresses other than those you’ve included on that list will be blocked automatically.
Why not use a blocklist (AKA blacklists) instead? Well, you can. It’s just that you’d have to know which IP addresses to block ahead of time. And it becomes even more complicated if attackers are using proxy IP addresses because it makes their traffic look like it’s coming from IP addresses that are different than their own.
However, using a blocklist can be an effective security measure in some cases, such as if:
- You observe many failed login attempts or unusual traffic originating from IP addresses in specific geographic areas, and
- You know none of your legitimate users will access your pages from those geographic areas.
Obviously, this won’t help you so much if an attacker is just cycling through lists of proxy IPs or using some types of automated systems. But some of the contributors at OWASP have a potential solution for that issue that involves using changing site response behaviors by generating unique failed login error messages. (Click on the link in the previous sentence to learn more about all of that.)
6. Change the URLs of Your Login Pages
While using something like example.com/blog/login.php makes these pages easy for your team to remember, it also makes them easy for hackers to guess and automated tools and bots to target with brute force attacks. But if you use a unique URL for these critical pages — say, example.com/blog/w00t-login-here.php instead, then you make your authentication pages a lot harder for bad guys to find.
We had to do this ourselves here at Hashed Out earlier this year. Why? Because some schmuck(s) repeatedly…