Blocking or preventing brute-force attacks is one of the most important security layers you can add to an organization. Even if nobody is targeting your particular site or server, attackers run automated tools that sweep the Internet looking for any machine they can break into. They attempt login after login, guessing usernames and passwords until one of them works.
You need to take a few things into account to lower your risk of dictionary attacks:
• Read, analyze, and manage your logs. Keeping logs of server activity is important for many reasons, compliance among them. If you make a routine of reading and analyzing them, you can spot abnormal behavior and respond in time. For example, if you see 50 failed login attempts from a single IP address, many of them for different usernames, you can be almost certain that someone is running a dictionary attack.
The hardest part of log review is sifting through the volume of data, so you should have tools that do that work for you. logwatch (http://www.logwatch.org) sends you a daily report by email covering disk usage, failed login attempts, and much more. Splunk (http://www.splunk.com), which has a free version, provides a web-based search engine for your own logs.
• Add an IDS or IPS to your security measures. An IDS/IPS adds an extra layer by blocking an IP address after a predetermined number of failed logins, or on any other pattern you configure.
• Change or disable default logins such as admin, guest, and demo.
• Implement a strong password policy. As you might have noticed in reading this book, policies are a very important part of an organization's security. The policy should clearly state your security posture. After defining the policy, compliance should be mandatory. Basic tips for creating passwords at the server level are:
• Whenever possible use a phrase. Phrases are easy to remember, and a phrase naturally satisfies the length and character-mix requirements below.
• A minimum length of eight characters.
• Must include upper- and lowercase characters.
• Must include numeric and/or punctuation characters.
• Implement incremental delays. After each failed login attempt, the delay before the next attempt is allowed grows exponentially, starting at a couple of seconds: for example, two seconds after the first failure, ten seconds after the second, and so on. A human user will hardly notice, but an attacker who wants to make a couple thousand attempts in a few minutes is slowed to a crawl. Track the delay per origin IP address as well as per account: a counter keyed on the username alone lets an attacker lock legitimate users out simply by failing on purpose, while a counter keyed on the IP alone does nothing against guesses spread across many sources. Implemented that way, a dictionary attack against your organization becomes impractical.
• Carefully word your error messages. Last but not least, make sure the error messages returned for failed logins do not give away too much. Consider the difference between "User ID not found," "Incorrect password," and "Incorrect username or password." The first tells the attacker to keep trying different usernames. The second tells the attacker that the username exists and to try different passwords for it. The last discloses only that the attempt failed. Be aware, however, that an attacker can sometimes still tell whether the username or the password was wrong from the response latency (as explained in Chapter 11), so the code paths for the two cases should take the same time.
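The log-review step above, as an added example that is not code from the book: a small Python script that tallies failed SSH logins per source IP from OpenSSH-style syslog lines and flags sources whose pattern, many failures spread over several usernames, matches a dictionary attack. The log lines are constructed for the example, and the thresholds (the book's rule of thumb is about 50 failures from one address) are assumptions you would tune for your own servers.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's syslog format (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:01:12 web1 sshd[2031]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 web1 sshd[2033]: Failed password for invalid user guest from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:19 web1 sshd[2035]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:22 web1 sshd[2037]: Failed password for invalid user demo from 203.0.113.7 port 51242 ssh2
Mar  3 10:02:03 web1 sshd[2040]: Accepted publickey for alice from 198.51.100.5 port 40210 ssh2
Mar  3 10:05:44 web1 sshd[2044]: Failed password for alice from 198.51.100.5 port 40211 ssh2
Mar  3 10:05:50 web1 sshd[2046]: Accepted password for alice from 198.51.100.5 port 40212 ssh2
"""

# "invalid user" is what sshd prints when the username does not exist at all.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def tally_failures(log_text):
    """Group failed logins by source IP: total count, distinct usernames tried,
    and how many of the attempts were for accounts that do not exist."""
    stats = defaultdict(lambda: {"failures": 0, "usernames": set(), "unknown_users": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        entry = stats[m.group("ip")]
        entry["failures"] += 1
        entry["usernames"].add(m.group("user"))
        if m.group("invalid"):
            entry["unknown_users"] += 1
    return dict(stats)


def suspicious_sources(log_text, min_failures=50, min_usernames=2):
    """IPs whose failure pattern looks like a dictionary attack: many failures,
    spread over several usernames. Thresholds are assumptions to tune locally."""
    stats = tally_failures(log_text)
    return sorted(
        ip
        for ip, s in stats.items()
        if s["failures"] >= min_failures and len(s["usernames"]) >= min_usernames
    )


if __name__ == "__main__":
    for ip, s in tally_failures(SAMPLE_LOG).items():
        print(f"{ip}: {s['failures']} failures, users={sorted(s['usernames'])}, "
              f"unknown accounts={s['unknown_users']}")
    # With the tiny sample, a threshold of 3 is enough to single out 203.0.113.7.
    print("suspicious:", suspicious_sources(SAMPLE_LOG, min_failures=3))
```

In practice you would feed it the output of `grep sshd /var/log/auth.log` (or the journal) rather than the embedded sample, and the distinct-username count is the more telling signal: a legitimate user who mistypes a password fails repeatedly on one account, while a dictionary attack walks through many.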
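The incremental-delay and error-message advice above, as an added example rather than code from the book: a Python login routine that keeps a per-(IP, username) failure counter driving a 2 s, 10 s, 50 s backoff, returns the same "Incorrect username or password" message whether the username or the password was wrong, and hashes a dummy credential for unknown usernames so that response latency does not hand the attacker that distinction either. The user store, account name, password and delay parameters are all assumptions made for the demonstration; naive_login shows the leaky version for contrast.

```python
import hashlib
import hmac
import os
import time

GENERIC_ERROR = "Incorrect username or password."


def hash_password(password, salt, iterations=50_000):
    """Salted PBKDF2-HMAC-SHA256; the work factor also slows offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed demo user store (hypothetical account and password, not from the book).
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, hash_password("correct horse battery staple", _ALICE_SALT))}

# Dummy credential hashed whenever the username is unknown, so an unknown user
# costs the same CPU time as a wrong password (closes the latency leak).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder-never-matches", _DUMMY_SALT)


def naive_login(username, password):
    """The 'before' version: tells the attacker which half of the credential failed."""
    if username not in USERS:
        return False, "User ID not found"
    salt, expected = USERS[username]
    if hash_password(password, salt) != expected:
        return False, "Incorrect password"
    return True, None


class LoginGuard:
    """Login with a per-(IP, username) incremental delay and a uniform error."""

    def __init__(self, base_delay=2.0, factor=5.0, max_delay=60.0, sleep=time.sleep):
        self.base_delay = base_delay
        self.factor = factor
        self.max_delay = max_delay
        self.sleep = sleep        # injectable so a test does not really wait
        self.failures = {}        # (ip, username) -> consecutive failures

    def delay_for(self, ip, username):
        """0 s with no failures, then 2 s, 10 s, 50 s, ... capped at max_delay."""
        n = self.failures.get((ip, username), 0)
        if n == 0:
            return 0.0
        return min(self.base_delay * self.factor ** (n - 1), self.max_delay)

    def login(self, ip, username, password):
        """Returns (success, error_message, delay_applied_in_seconds)."""
        wait = self.delay_for(ip, username)
        if wait:
            self.sleep(wait)
        known = username in USERS
        salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
        # Always hash, always compare in constant time; '&' rather than 'and'
        # so the comparison is not short-circuited when the user is unknown.
        ok = hmac.compare_digest(hash_password(password, salt), expected) & known
        key = (ip, username)
        if ok:
            self.failures.pop(key, None)
            return True, None, wait
        self.failures[key] = self.failures.get(key, 0) + 1
        return False, GENERIC_ERROR, wait


if __name__ == "__main__":
    guard = LoginGuard(sleep=lambda seconds: print(f"  (delaying {seconds:.0f}s)"))
    for attempt in ("wrong1", "wrong2", "wrong3", "correct horse battery staple"):
        print(guard.login("203.0.113.7", "alice", attempt))
    print(guard.login("203.0.113.7", "bob", "anything"))   # same message as a bad password
```

The counter here lives in process memory, which is enough to show the mechanism; a real deployment keeps it in a shared store with an expiry so that counters survive restarts, apply across a pool of servers, and eventually reset for users who simply forgot their password.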