Brute-force attacks occur when an attacker attempts to calculate every possible combination that could make up a password and tests each one against your site to see if it is correct. This can be done either by trying dictionary words or by trying to guess the key that a key derivation function produced when the password was encrypted into a secret value.
Attackers use a computer program or script that automatically attempts all possible combinations to gain access. As computer hardware becomes faster and capable of more calculations per second, brute-force attacks have become a more popular means of obtaining sensitive information stored in databases and other web applications.
Recognizing Brute-Force Attacks
Brute-force attacks are detectable by their volume rather than by their type. You will notice a large number of failed login attempts in your web logs. You may also see the same account logging in over and over with different passwords, and from multiple IP addresses.
Here is a list of logs to check:
- /var/log/maillog or /var/log/mail.log – Email service logs
- /var/log/exim_mainlog – Exim logs
- /var/log/messages – FTP logs
- /var/log/auth.log or /var/log/secure – Contains user authorization information
You can check these logs either by command line or within WHM under the ConfigServer Security & Firewall (CSF) home page. You can search (grep) system logs or watch (tail) system logs from there.
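As an added example (not part of the original article), the following script shows what a grep of /var/log/secure or /var/log/auth.log for failed SSH logins looks like when summarized per source IP and per targeted account. It runs against constructed sample sshd lines written to a temporary file; the threshold of 3 is an assumed value chosen for the sample, not a CSF or cPHulk default.

```shell
#!/bin/sh
# Added example: summarize "Failed password for ..." lines that sshd writes to
# /var/log/secure (RHEL/cPanel) or /var/log/auth.log (Debian/Ubuntu).

# Constructed sample log lines so the script runs offline; point the
# functions at the real log file on a server.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
May  4 10:01:02 host sshd[2001]: Failed password for root from 203.0.113.5 port 51234 ssh2
May  4 10:01:03 host sshd[2002]: Failed password for root from 203.0.113.5 port 51235 ssh2
May  4 10:01:04 host sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
May  4 10:01:05 host sshd[2004]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
May  4 10:01:06 host sshd[2005]: Accepted publickey for deploy from 192.0.2.10 port 22000 ssh2
May  4 10:01:07 host sshd[2006]: Failed password for root from 203.0.113.5 port 51237 ssh2
EOF

# Print "count ip" for each source IP with failed password attempts, busiest first.
failed_by_ip() {
    grep 'Failed password for' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print "count user" for the accounts being guessed; handles "invalid user X" lines.
failed_by_user() {
    grep 'Failed password for' "$1" \
        | sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from .*/\2/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# List IPs whose failed attempts meet or exceed the threshold in $2 (default 3):
# the same per-IP counting idea that LFD and cPHulk apply before blocking.
offenders() {
    failed_by_ip "$1" | awk -v limit="${2:-3}" '$1 >= limit {print $2}'
}

echo "Failed logins by IP:";        failed_by_ip "$SAMPLE_LOG"
echo "Failed logins by account:";   failed_by_user "$SAMPLE_LOG"
echo "IPs at or over threshold 3:"; offenders "$SAMPLE_LOG" 3
```

Run it as-is to see the sample output, or replace the sample path with /var/log/secure to check a live server; the multi-account, single-IP pattern in the sample is the shape the article describes.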
Defending Against Brute-Force Attacks
ConfigServer Security & Firewall with Login Failure Daemon
Most of our managed cPanel servers have ConfigServer Security & Firewall (CSF) enabled with iptables and Login Failure Daemon (LFD), a service built into CSF. LFD periodically checks the server for potential threats; when it finds brute-force login attempts, it blocks the IP address attacking your server.
You can also enable cPHulk as another method of brute-force detection. cPHulk is a security feature on cPanel servers that locks down cPanel and WHM logins, SSH logins, FTP logins and IMAP/POP3 logins. It blocks IPs after too many failed logins from a single IP address.
Security Best Practices
In addition to checking your logs and using LFD, there are further security best practices you can implement to secure your server. Here is a list of these best practices; each links to an article that helps you secure your server:
- Create a secure password.
- Require strong passwords.
- Set up alternate SSH users.
- Use SSH keys.
- Use reCAPTCHA for user registrations to help keep brute-force bots from entering your site with fictional credentials.