Questions tagged [brute-force-attacks]
The brute-force-attacks tag has no usage guidance.
203 questions
65 votes, 11 answers, 65k views
Denyhosts vs fail2ban vs iptables- best way to prevent brute force logons?
I'm setting up a LAMP server and need to prevent SSH/FTP/etc. brute-force logon attempts from succeeding. I've seen many recommendations for both denyhosts and fail2ban, but few comparisons of the two....
52 votes, 14 answers, 11k views
Preventing brute force attacks against ssh?
What tool or technique do you use to prevent brute force attacks against your ssh port. I noticed in my Security logs, that I have millions of attempts to login as various users through ssh.
This is ...
50 votes, 13 answers, 65k views
Ban IP address based on X number of unsuccessful login attempts?
Is it possible to ban an IP address after X number of unsuccessful login attempts to a Windows Server? Not to a particular account, which I know how to do, but to the whole machine.
We get hit pretty ...
32 votes, 4 answers, 58k views
Rate limiting with UFW: setting limits
UFW's man page mentions that it can set up iptables rate limiting for me:
ufw supports connection rate limiting, which is useful for protecting against brute-force login attacks. ufw ...
27 votes, 5 answers, 90k views
How to stop/prevent SSH bruteforce [closed]
I'm very new to network administration, so please regard that I'm not that experienced yet.
I have a Ubuntu root server with plesk panel.
Yesterday my friends and I noticed that the quality of ...
23 votes, 6 answers, 85k views
How to stop brute force attacks on Terminal Server (Win2008R2)?
I'm more familiar with Linux tools to stop brute force attacks, so I'm having trouble finding suitable tools for Windows. I'm running a Windows Server 2008 R2 with Terminal Server, and I'd like to ...
16 votes, 11 answers, 2k views
Is there a standard method of proving password security to non-mathematicians?
My client has a server that is being subjected to brute-force login attempts from a botnet. Due to the vagaries of the server and the client's client, we can't easily block the attempts through a ...
16 votes, 12 answers, 6k views
Securing SSH server against bruteforcing
I have a little SVN server, old dell optiplex running debian. I don't have that high demands on my server, because its just a little SVN server... but do want it to be secure.
I just renewed my ...
11 votes, 5 answers, 65k views
How to find source of 4625 Event ID in windows server 2012
I have many audit failures with event ID 4625 and Logon type 3 in my event log.
Is this problem from my server (internal services or applications)?
Or is this a brute force attack?
Finally, how can I ...
11 votes, 3 answers, 85k views
What is the source of thousands of 4625 Logon Failure errors with Logon Type 8 (NetworkCleartext)?
I have a Windows Server 2008 R2 system that's showing thousands of 4625 Logon Failure errors with Logon Type 8 (NetworkCleartext) in the Security section of the Windows Logs every single day. There ...
10 votes, 3 answers, 6k views
Securing linux servers: iptables vs fail2ban
I would like to pick the community's brain regarding linux server security, specifically regarding brute-force attacks and using fail2ban vs custom iptables.
There are a few similar questions out ...
10 votes, 8 answers, 483 views
Servers harassed by individual on constantly changing IPs
We run a community product. There is an individual (a little PoS kid) in the UK that is harassing our site for the last 6 months. His daily task is to create a new account, post a bunch of illegal / ...
10 votes, 9 answers, 16k views
How secure are passwords with under 20 characters length?
I recently received a recommendation for setting my password to above 20 characters. The algorithm used for encryption is AES with a 256 bit primary key. How secure is a, let's say, 8 char password ...
10 votes, 9 answers, 9k views
Preventing brute-force attacks on MySQL?
I need to turn on networking for MySQLd, but every time I do, the server gets brute-forced into oblivion. Some mean password guessing script starts hammering on the server, opening a connection on ...
9 votes, 3 answers, 783 views
Prevent SSH attacks
I'm trying to set up iptables rules to only allow 3 attempts by an IP per minute to connect to the server via SSH, and drop all the connections after to prevent SSH attacks; but it seems I'm doing ...
8 votes, 2 answers, 15k views
Blocking IPs in HAProxy
A client's website is currently under attack, and I've been called in to fix it.
A huge number of IPs (easily over 5,000) is constantly hitting /login, presumably trying to bruteforce their way in.
...
8 votes, 2 answers, 21k views
Get Fail2Ban To Check findtime Every X Minutes
I have fail2ban set up with the following settings:
bantime = 86400
findtime = 600
maxretry = 2
This is great as it stops any IPs who are brute forcing 3 times within 10 minutes. However, there ...
7 votes, 4 answers, 937 views
SSH public key authentication -- always require users to generate their own keypair?
I was working with a partner today that I needed to upload files to my server using scp. I have passwords turned off in the server's SSH configuration, so I wanted them to use public key ...
7 votes, 7 answers, 8k views
Equivalent to denyhosts, but for HTTP requests?
My web server (apache2) is continually pounded by malicious bots, asking for URLs like these:
/blog/tag/pnphpbb2//index.php?name=PNphpBB2&file=posting&mode=quote/index.php?name=PNphpBB2&...
7 votes, 3 answers, 8k views
Virus that tries to brute force attack Active Directory users (in alphabetical order)?
Users started complaining about slow network speed so I fired up Wireshark. Did some checking and found many PCs sending packets similar to the following (screenshot):
I blurred out the text for the ...
7 votes, 1 answer, 526 views
Windows RDP: Attack targeting real account names
We have a Windows 2012 R2 server hosted in a datacenter, and we are using RDP for its administration. Automatic updates are enabled.
RDP login is not allowed for the Administrator account, and there ...
6 votes, 4 answers, 15k views
How to thwart PHPMyAdmin attacks?
We see a lot of requests for non-existent setup.php files in our access logs (see below). For some of our clients that use rewrite rules each of these requests will cause a PHP script to be executed, ...
5 votes, 6 answers, 4k views
What should I do if I find someone is brute forcing my server password?
I just checked the eventlog on my vps and found that someone is brute forcing both my sql server sa password and windows administrator password. (I have changed the account name from Administrator to ...
5 votes, 4 answers, 4k views
How to secure servers from a cgi-bin/php POST request attack
We got a POST request to our server with the following in it:
%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%...
5 votes, 3 answers, 1k views
How can I combat all of these brute force attacks?
I have 3 dedicated servers, all running CentOS that are physically located in Canada.
On the newest server, cPHulk started detecting (and blacklisting) failed login attempts. It started the day that ...
5 votes, 1 answer, 10k views
How to Blacklist a Range of IPs in cPHulk Brute Force Attack Settings [closed]
Does anyone know how to define a range of IPs to blacklist in the cPHulk Brute Force attack settings?
I am getting bombarded from IPs 103.26.193.* and 103.26.194.*
I Googled it and cannot find ...
5 votes, 2 answers, 1k views
What is the optimum ban duration of a brute force attack?
I use fail2ban to prevent brute force attacks on my production servers. Fail2ban bans an IP after 5 authentication failures and unbans it after 1 hour with my own configuration. I wonder what is ...
5 votes, 2 answers, 9k views
How to stop or prevent Postfix / smtpd / Sasl brute forcing
There are numerous attempts to connect to my mail server in order to send mail either unauthenticated or to guess username and password to, I suppose, accomplish the same.
Should I fight against that,...
5 votes, 1 answer, 3k views
Outgoing brute force attacks from my server
One of the servers I look after appears to be participating in brute force attacks against Wordpress installations.
I've been on the receiving end of this many times, so am very familiar with steps ...
5 votes, 2 answers, 2k views
Nginx: Rate limit failed basic auth attempts
Given a simple HTTP Basic Auth setup in Nginx (1.14.1 at time of writing) like this:
server {
    ...
    location / {
        auth_basic "HTTP Auth Required";
        auth_basic_user_file "/path/to/htpasswd";
...
4 votes, 5 answers, 321 views
Grokking sophisticated dictionary attack
It appears that one of my servers is undergoing a sophisticated dictionary attack on ssh, in that I am seeing a bunch of usernames being tried on one of my servers alphabetically with password failures....
4 votes, 2 answers, 7k views
How to secure Outlook Web Access against Brute Force attack?
I'd like to secure Outlook Web Access with Exchange 2010 against a brute force attack using account lockout.
What is the best way to do this?
I have the following group policy:
Computer ...
4 votes, 1 answer, 8k views
User account was locked out from exchange server - how to prevent in future?
I had a bizarre instance this morning and I'm hoping someone can help me shed some light as to what's happened.
A user complained about being locked out this morning. After resetting the password, ...
4 votes, 3 answers, 9k views
Check IP who is visiting my site on nginx
I don't really want to know about this since I would like to keep it really private and give my visitor their privacy as much as possible (Not that my blog is popular though).
I just installed Ubuntu ...
4 votes, 1 answer, 802 views
How can I stop brute force with IIS6 basic http authentication?
Is there a way to restrict incorrect login attempts and add some sort of timeout to stop basic auth being brute forced, using IIS?
4 votes, 2 answers, 3k views
mod_security ruleset for Joomla! admin
I run several hosting servers and recently I have experienced a lot of bruteforce attacks against joomla-based websites. Attackers seem to try a bruteforce against administrator/index.php page.
I ...
4 votes, 3 answers, 9k views
Prevent brute force attacks in Microsoft FTP Server (IIS6/7)
Looking over my ftp-server logfiles, I find a lot of brute force attacks, where the same IP-address tries 100s of username/password combinations.
Is there something I can do to make life harder on ...
4 votes, 1 answer, 176 views
Attempt to access SQL Server with the user SA [duplicate]
Possible Duplicate:
Attempt to access SQL Server with the user SA
I'm suffering an attempted invasion by brute force.
A bot is trying to figure out the sa password. How do I restrict logins 3 ...
4 votes, 1 answer, 4k views
How to use fail2ban to parse Nginx access log to count 404's and ban ip addresses?
How can I use fail2ban to parse Nginx access log to count 404's and 502's, and ban ip addresses with too many requests?
3 votes, 10 answers, 949 views
Ubuntu Server SSH
I have a server with ubuntu. I do work on it over SSH. I had a problem with brute force attempts over port 22. I changed the port and I assumed it fixed the brute force problem. Am I right or are the ...
3 votes, 3 answers, 2k views
Remote users attempting to gain access to root mysqld
I have just reviewed my syslog file and notice a TON of entries of the following:
Aug 25 13:06:17 ssrv001 mysqld: 150825 13:06:17 [Warning] Access denied for user 'root'@'61.160.232.48' (using ...
3 votes, 4 answers, 2k views
Server attack monitor
We've been getting some attacks on our server I think, because our server gets down every day now. I want to monitor what is causing the server to go down or if there is any attack from some site or ...
3 votes, 3 answers, 5k views
How long should I make my SSL cert valid for?
* sgsax hates ssl certs
< Landon> indeed
< Landon> next time my servers cert expires I'm just going to make one
for 100 years or something ridiculously long
Is there ...
3 votes, 2 answers, 1k views
Fighting Off Network Flooding
My website sometimes gets attacked by people. You can see such an attack at 18:00 and later on a bigger attack at 22:30. Basically the server's network card gets flooded by incoming requests.
My ...
3 votes, 3 answers, 3k views
Win2008R2 :Brute force attack prevention
I am using Windows 2008 R2.
I am wondering if there is any way to block a brute force attack.
I sought here and there and I could not find a way to block an IP address after it makes some failing ...
3 votes, 3 answers, 5k views
Most common account names used in ssh brute force attacks
Does anyone maintain lists of the most frequently guessed account names that are used by attackers brute-forcing ssh?
For your amusement, from my main server's logs over the last month (43 313 failed ...
3 votes, 3 answers, 15k views
SSHD: Difference between "connection closed..." and "disconnected from..." in log file
The sshd service on my Ubuntu server is under constant attack for various IP and user id.
According to /var/log/auth.log file, there are three different types of fails from unknown id and IP address:
...
3 votes, 1 answer, 172 views
Apache / Ubuntu 9.04: How do I counter-threats and improve the security of my server environment?
Our server hosts over a thousand sites, and some of them seem to have been hijacked by malicious scripts. These scripts run actions normally performed by a legitimate user en masse, causing severe ...
3 votes, 1 answer, 4k views
What's the right way to block brute force of HTTP basic auth?
Here's my thought,
Set a threshold like 30 times in a minute, then block this IP for a few minutes.
But if the attacker forges the source IP address, this could block a legitimate user immediately.
...
3 votes, 1 answer, 2k views
Auto-ban IP from "wp-login.php" attackers
When I look at my Apache log other_vhosts_access.log, I see many many attempts, from a few different IPs per month like this:
www.example.com:80 91.200.x.x - - [25/Jun/2017:17:20:19 +0200] "POST /wp-...