It never fails — the moment you plug a server into a publicly accessible network, you become a target.
Ouch, what a downer way to start a blog post, right?
Well, unfortunately, the truth and impact of this statement are among the most overlooked nuggets of information I could ever think to offer someone managing a server or web application.
Whether you’re a financial firm holding sensitive and nefariously sought-after data, or a hobbyist blogging about obscure collectible cheese graters, intrusion attempts will happen.
Why the inevitability? Brute force login attacks make it extremely easy for hackers to target you.
Before I explain how they work and how to defend yourself, it’s important to address a common (and dangerous) misconception regarding network security: the idea that an attack needs a motive, or that the target needs to hold something of intrinsic value. While that might be true for someone sitting behind a keyboard manually attempting to guess your password, the vast majority of attempts to break security on a server are automated and not targeted at anything or anyone in particular.
What Are Brute Force Attacks?
Brute force attacks are comparable to what is playfully known as the “infinite monkey theorem,” which posits that given an infinite amount of time, even a monkey typing randomly could reproduce Shakespeare.
If a hacker were to set an objective as simple as, “I want to log in to a server, and not particularly any specific server,” they would just need to automate a process that “guesses” passwords on many, many different servers, and quickly.
Conceptualizing the brute force script doesn’t take much creativity either:
TARGET IP address 0.0.0.1 over whatever remote protocol you wish to log in to.
IF the server responds back asking for a username, use “ADMIN,” since that’s statistically pretty common.
IF the server asks for a password, use one from this dictionary file.
REPEAT, move on to the next port/IP until you get in.
Something as lightweight as that could run hundreds of thousands of times per second, against as many IP addresses as the attacking computer’s resources could handle.
Brute force attacks are a “set it and forget it” way of hacking, and unfortunately, they are extremely effective.
Preventing Brute Force Attacks
However, this method of attack is also extremely easy to defend against. We just have to think like the script. If you’re a managed hosting provider customer, your vendor should already be covering this for you. If you’re on your own, however, here are three tactics to defend yourself against a brute force attack:
1. Reduce the Surface Area
If a brute force script relies on the presence of a visible port in order to access your server, don’t give it the time of day! One of the best security tips to follow in any scenario is to reduce the “surface area” your server has over public networks. That means if you can limit access to a port on a firewall, do so. Scope a remote access port to your specific static IP so that no one else can even make login attempts on that port. Don’t have a static IP? Configure a VPN and scope that VPN’s range so that only those users may access sensitive service ports. The more you can limit network access to these important ports, the better.
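As an added example (not code from the original post), here is that scoping policy modelled in Python: the remote access ports are reachable only from one admin static IP and one VPN range, and every other source is dropped. The addresses, ports and connection attempts below are constructed for illustration; substitute your own.

```python
import ipaddress

# Constructed example values: a documentation-range address standing in for the
# admin's static IP, and a private range handed out by the VPN.
ADMIN_STATIC_IP = ipaddress.ip_network("203.0.113.7/32")
VPN_RANGE = ipaddress.ip_network("10.8.0.0/24")
ALLOWED_SOURCES = (ADMIN_STATIC_IP, VPN_RANGE)

# Remote access ports that should never be reachable from the open Internet.
SCOPED_PORTS = {22, 3389}


def firewall_decision(src_ip: str, dst_port: int) -> str:
    """Return 'accept' or 'drop' for a new connection.

    This mirrors a firewall allowlist such as
      ip saddr { 203.0.113.7, 10.8.0.0/24 } tcp dport { 22, 3389 } accept
    followed by a default drop for those same ports.
    """
    if dst_port not in SCOPED_PORTS:
        return "accept"  # other services (e.g. a public web port) are out of scope here
    src = ipaddress.ip_address(src_ip)
    # An IPv6 source is never inside an IPv4 network, so it falls through to drop.
    if any(src in net for net in ALLOWED_SOURCES):
        return "accept"
    return "drop"


def filter_attempts(attempts):
    """Apply the policy to (src_ip, dst_port) pairs and count the verdicts."""
    verdicts = {"accept": 0, "drop": 0}
    for src_ip, dst_port in attempts:
        verdicts[firewall_decision(src_ip, dst_port)] += 1
    return verdicts


# Constructed sample: an indiscriminate scanner sweeping remote access ports from
# several sources, one admin login over the VPN, one from the static IP, and one
# unrelated request to a public port.
SAMPLE_ATTEMPTS = [
    ("198.51.100.23", 22), ("198.51.100.24", 22), ("192.0.2.77", 22),
    ("192.0.2.78", 3389), ("10.8.0.14", 22), ("203.0.113.7", 22),
    ("198.51.100.9", 443),
]

if __name__ == "__main__":
    print(filter_attempts(SAMPLE_ATTEMPTS))  # {'accept': 3, 'drop': 4}
```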
2. Don’t Be Predictable
Brute force scripts are crafted based on a game of statistics. If the two components of a successful access attempt are a correct username and a correct password, make sure neither is “predictable” or “simple.” For instance, I mentioned earlier that “Admin” was a common username. It’s a general default username that service developers and hardware manufacturers expect you to change in most cases. Don’t give away half of your security advantage by using a default username convention. Be creative! Instead of “Admin”, try “Admin-<your name here>” or something equally specific to your usage of that login. On this same note, avoid using common passwords.
Believe it or not, in 2017, there are still commonly used passwords that typically represent a numeric sequence (such as 123456) or an equally predictable word (such as “password” or “password123”). Avoid single, simple words and names, as these are very common in “dictionary files” (I mean, sometimes they’re literally dictionaries.)
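As an added example (not from the original post), a small Python check that flags the predictable credentials described above: default usernames, entries from a common-password list, numeric sequences like 123456, and a single dictionary word with or without trailing digits like password123. The word lists are a constructed miniature of a real dictionary file, and the 12-character length floor is my assumption rather than something the post states.

```python
import re

# Constructed miniature "dictionary file" of the defaults and common passwords
# the post mentions. A real check would load a far larger list.
COMMON_USERNAMES = {"admin", "administrator", "root", "user", "test"}
COMMON_PASSWORDS = {"123456", "password", "password123", "qwerty", "letmein"}
SIMPLE_WORDS = {"password", "welcome", "dragon", "monkey", "summer"}


def is_numeric_sequence(s: str) -> bool:
    """True for all-digit strings that count up, count down or repeat (123456, 654321, 111111)."""
    if not s.isdigit() or len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(steps) == 1 and steps.pop() in (-1, 0, 1)


def password_problems(password: str) -> list:
    """Return the reasons a password is predictable; an empty list means none were found."""
    problems = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if is_numeric_sequence(password):
        problems.append("numeric sequence")
    # A dictionary word optionally followed by digits, e.g. password123.
    m = re.fullmatch(r"([a-z]+)(\d*)", lowered)
    if m and m.group(1) in SIMPLE_WORDS:
        problems.append("single dictionary word (with or without digits)")
    if len(password) < 12:  # assumed length floor, not from the post
        problems.append("shorter than 12 characters")
    return problems


def username_problems(username: str) -> list:
    """Flag the default account names a brute force script tries first."""
    return ["default username"] if username.lower() in COMMON_USERNAMES else []


def credentials_are_predictable(username: str, password: str) -> bool:
    """True if either half of the login gives the attacker a statistical head start."""
    return bool(username_problems(username) or password_problems(password))


if __name__ == "__main__":
    print(password_problems("password123"))
    print(credentials_are_predictable("Admin", "123456"))  # True
```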
3. Add a Step
You can throw a wrench in the brute force works by introducing an additional variable during the login phase. The VPN idea I mentioned earlier is ideal, because in order to get into a properly scoped service port, you’d need to break both the credentials to the VPN connection, and the credentials to the service login you’re attempting to exploit.
Another effective and increasingly popular idea for adding an additional layer of security is “multi-factor authentication.” This option requires users to hit “accept” on a phone app when attempting to log in, or requires them to be dialed by an automated caller and press 1 for verification. In these cases, the malicious third party would need the user’s phone, username, password, and possibly VPN credentials.
To recap, brute force attacks make it easy to target servers indiscriminately. But they’re also easy to prevent. These sorts of attacks are typically going for “low-hanging fruit,” so following the above steps for public-facing servers will tremendously reduce your risk of compromise.