
Questions tagged [brute-force-attacks]

The tag has no usage guidance.

65 votes
11 answers
65k views

Denyhosts vs fail2ban vs iptables- best way to prevent brute force logons?

I'm setting up a LAMP server and need to prevent SSH/FTP/etc. brute-force logon attempts from succeeding. I've seen many recommendations for both denyhosts and fail2ban, but few comparisons of the two....
spiffytech's user avatar
  • 1,123
52 votes
14 answers
11k views

Preventing brute force attacks against ssh?

What tool or technique do you use to prevent brute force attacks against your ssh port. I noticed in my Security logs, that I have millions of attempts to login as various users through ssh. This is ...
grieve's user avatar
  • 1,557
50 votes
13 answers
65k views

Ban IP address based on X number of unsuccessful login attempts?

Is it possible to ban an IP address after X number of unsuccessful login attempts to a Windows Server? Not to a particular account, which I know how to do, but to the whole machine. We get hit pretty ...
HeavyWave's user avatar
  • 755
32 votes
4 answers
58k views

Rate limiting with UFW: setting limits

UFW's man page mentions that it can setup iptables rate limiting for me: ufw supports connection rate limiting, which is useful for protecting against brute-force login attacks. ufw ...
Tom's user avatar
  • 631
27 votes
5 answers
90k views

How to stop/prevent SSH bruteforce [closed]

I'm very new to network administration, so please regard that I'm not that experienced yet. I have an Ubuntu root server with Plesk panel. Yesterday my friends and I noticed that the quality of ...
23 votes
6 answers
85k views

How to stop brute force attacks on Terminal Server (Win2008R2)?

I'm more familiar with Linux tools to stop brute force attacks, so I'm having trouble finding suitable tools for Windows. I'm running a Windows Server 2008 R2 with Terminal Server, and I'd like to ...
aleksikallio's user avatar
16 votes
11 answers
2k views

Is there a standard method of proving password security to non-mathematicians?

My client has a server that is being subjected to brute-force login attempts from a botnet. Due to the vagaries of the server and the client's client, we can't easily block the attempts through a ...
Porks's user avatar
  • 163
16 votes
12 answers
6k views

Securing SSH server against bruteforcing

I have a little SVN server, old Dell OptiPlex running Debian. I don't have that high demands on my server, because it's just a little SVN server... but do want it to be secure. I just renewed my ...
Paul Peelen's user avatar
11 votes
5 answers
65k views

How to find source of 4625 Event ID in windows server 2012

I have many audit failures with event ID 4625 and Logon type 3 in my event log. Is this problem from my server (internal services or applications)? Or is this a brute force attack? Finally, how can I ...
Mohsen Tavoosi محسن طاوسی's user avatar
11 votes
3 answers
85k views

What is the source of thousands of 4625 Logon Failure errors with Logon Type 8 (NetworkCleartext)?

I have a Windows Server 2008 R2 system that's showing thousands of 4625 Logon Failure errors with Logon Type 8 (NetworkCleartext) in the Security section of the Windows Logs every single day. There ...
kevinmicke's user avatar
10 votes
3 answers
6k views

Securing linux servers: iptables vs fail2ban

I would like to pick the community's brain regarding linux server security, specifically regarding brute-force attacks and using fail2ban vs custom iptables. There are a few similar questions out ...
kingmilo's user avatar
  • 211
10 votes
8 answers
483 views

Servers harassed by individual on constantly changing IPs

We run a community product. There is an individual (a little PoS kid) in the UK that is harassing our site for the last 6 months. His daily task is to create a new account, post a bunch of illegal / ...
10 votes
9 answers
16k views

How secure are passwords with under 20 characters length?

I recently received a recommendation for setting my password to above 20 characters. The algorithm used for encryption is AES with a 256 bit primary key. How secure is a, let's say, 8 char password ...
cmserv's user avatar
  • 195
10 votes
9 answers
9k views

Preventing brute-force attacks on MySQL?

I need to turn on networking for MySQLd, but every time I do, the server gets brute-forced into oblivion. Some mean password guessing script starts hammering on the server, opening a connection on ...
Keith Palmer Jr.'s user avatar
9 votes
3 answers
783 views

Prevent SSH attacks

I'm trying to set up iptables rules to only allow 3 attempts by an IP per minute to connect to the server via SSH, and drop all the connections after to prevent SSH attacks; but it seems I'm doing ...
MGP's user avatar
  • 213
8 votes
2 answers
15k views

Blocking IPs in HAProxy

A client's website is currently under attack, and I've been called in to fix it. A huge number of IPs (easily over 5,000) is constantly hitting /login, presumably trying to bruteforce their way in. ...
Grim...'s user avatar
  • 391
8 votes
2 answers
21k views

Get Fail2Ban To Check findtime Every X Minutes

I have fail2ban set up with the following settings: bantime = 86400 findtime = 600 maxretry = 2 This is great as it stops any IPs who are brute forcing 3 times within 10 minutes. However, there ...
DomainsFeatured's user avatar
7 votes
4 answers
937 views

SSH public key authentication -- always require users to generate their own keypair?

I was working with a partner today that I needed to upload files to my server using scp. I have passwords turned off in the server's SSH configuration, so I wanted them to use public key ...
schinazi's user avatar
  • 173
7 votes
7 answers
8k views

Equivalent to denyhosts, but for HTTP requests?

My web server (apache2) is continually pounded by malicious bots, asking for URLs like these: /blog/tag/pnphpbb2//index.php?name=PNphpBB2&file=posting&mode=quote/index.php?name=PNphpBB2&...
slacy's user avatar
  • 930
7 votes
3 answers
8k views

Virus that tries to brute force attack Active Directory users (in alphabetical order)?

Users started complaining about slow network speed so I fired up Wireshark. Did some checking and found many PCs sending packets similar to the following (screenshot): I blurred out the text for the ...
Nate Pinchot's user avatar
7 votes
1 answer
526 views

Windows RDP: Attack targeting real account names

We have a Windows 2012 R2 server hosted in a datacenter, and we are using RDP for its administration. Automatic updates are enabled. RDP login is not allowed for the Administrator account, and there ...
Olivier Leneveu's user avatar
6 votes
4 answers
15k views

How to thwart PHPMyAdmin attacks?

We see a lot of requests for non-existent setup.php files in our access logs (see below). For some of our clients that use rewrite rules each of these requests will cause a PHP script to be executed, ...
Ton van den Heuvel's user avatar
5 votes
6 answers
4k views

What should I do if I find someone is brute forcing my server password?

I just checked the eventlog on my vps and found that someone is brute forcing both my sql server sa password and windows administrator password. (I have changed the account name from Administrator to ...
StarCub's user avatar
  • 247
5 votes
4 answers
4k views

How to secure servers from a cgi-bin/php POST request attack

We got a POST request to our server with the following in it: %63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%...
Dovid Bender's user avatar
5 votes
3 answers
1k views

How can I combat all of these brute force attacks?

I have 3 dedicated servers, all running CentOS that are physically located in Canada. On the newest server, cPHulk started detecting (and blacklisting) failed login attempts. It started the day that ...
somebodysomewhere's user avatar
5 votes
1 answer
10k views

How to Blacklist a Range of IPs in cPHulk Brute Force Attack Settings [closed]

Does anyone know how to define a range of IPs to blacklist in the cPHulk Brute Force attack settings? I am getting bombarded from IPs 103.26.193.* and 103.26.194.* I Googled it and cannot find ...
H. Ferrence's user avatar
5 votes
2 answers
1k views

What is the optimum ban duration of a brute force attack?

I use fail2ban to prevent brute force attacks on my production servers. Fail2ban bans an IP after 5 authentication failures and unbans it after 1 hour with my own configuration. I wonder what is ...
efesaid's user avatar
  • 378
5 votes
2 answers
9k views

How to stop or prevent Postfix / smtpd / Sasl brute forcing

There are numerous attempts to connect to my mail server in order to send mail either unauthenticated or to guess username and password to, I suppose, accomplish the same. Should I fight against that,...
Miloš Đakonović's user avatar
5 votes
1 answer
3k views

Outgoing brute force attacks from my server

One of the servers I look after appears to be participating in brute force attacks against Wordpress installations. I've been on the receiving end of this many times, so am very familiar with steps ...
ticktockhouse's user avatar
5 votes
2 answers
2k views

Nginx: Rate limit failed basic auth attempts

Given a simple HTTP Basic Auth setup in Nginx (1.14.1 at time of writing) like this: server { ... location / { auth_basic "HTTP Auth Required"; auth_basic_user_file "/path/to/htpasswd"; ...
JinnKo's user avatar
  • 421
4 votes
5 answers
321 views

Grokking sophisticated dictionary attack

It appears that one of my servers is undergoing a sophisticated dictionary attack on ssh, in that I am seeing a bunch of usernames being tried on one of my servers alphabetically with password failures....
Brent 's user avatar
  • 23.5k
4 votes
2 answers
7k views

How to secure Outlook Web Access against Brute Force attack?

I'd like to secure Outlook Web Access with Exchange 2010 against a brute force attack using account lockout. What is the best way to do this? I have the following group policy: Computer ...
SLY's user avatar
  • 1,286
4 votes
1 answer
8k views

User account was locked out from exchange server - how to prevent in future?

I had a bizarre instance this morning and I'm hoping someone can help me shed some light as to what's happened. A user complained about being locked out this morning. After resetting the password, ...
DKNUCKLES's user avatar
  • 3,998
4 votes
3 answers
9k views

Check IP who is visiting my site on nginx

I don't really want to know about this since I would like to keep it really private and give my visitor their privacy as much as possible (Not that my blog is popular though). I just installed Ubuntu ...
alicoding's user avatar
4 votes
1 answer
802 views

How can I stop brute force with IIS6 basic http authentication?

Is there a way to restrict incorrect login attempts and add some sort of timeout to stop basic auth being brute forced, using IIS?
Andrew's user avatar
  • 53
4 votes
2 answers
3k views

mod_security ruleset for Joomla! admin

I run several hosting servers and recently I have experienced a lot of bruteforce attacks against joomla-based websites. Attackers seem to try a bruteforce against administrator/index.php page. I ...
godzillante's user avatar
4 votes
3 answers
9k views

Prevent brute force attacks in Microsoft FTP Server (IIS6/7)

Looking over my ftp-server logfiles, I find a lot of brute force attacks, where the same IP-address tries 100s of username/password combinations. Is there something I can do to make life harder on ...
Kjensen's user avatar
  • 1,079
4 votes
1 answer
176 views

Attempt to access SQL Server with the user SA [duplicate]

Possible Duplicate: Attempt to access SQL Server with the user SA I'm suffering an attempted invasion by brute force. A bot is trying to figure out the sa password. How do I restrict logins 3 ...
ridermansb's user avatar
4 votes
1 answer
4k views

How to use fail2ban to parse Nginx access log to count 404's and ban ip addresses?

How can I use fail2ban to parse Nginx access log to count 404's and 502's, and ban ip addresses with too many requests?
deb's user avatar
  • 245
3 votes
10 answers
949 views

Ubuntu Server SSH

I have a server with ubuntu. I do work on it over SSH. I had a problem with brute force attempts over port 22. I changed the port and I assumed it fixed the brute force problem. Am I right or are the ...
3 votes
3 answers
2k views

Remote users attempting to gain access to root mysqld

I have just reviewed my syslog file and notice a TON of entries of the following: Aug 25 13:06:17 ssrv001 mysqld: 150825 13:06:17 [Warning] Access denied for user 'root'@'61.160.232.48' (using ...
nullReference's user avatar
3 votes
4 answers
2k views

Server attack monitor

We've been getting some attacks on our server I think, because our server gets down every day now. I want to monitor what is causing the server to go down or if there is any attack from some site or ...
Basit's user avatar
  • 61
3 votes
3 answers
5k views

How long should I make my SSL cert valid for?

* sgsax hates ssl certs < Landon> indeed < Landon> next time my servers cert expires I'm just going to make one for 100 years or something ridiculously long Is there ...
jldugger's user avatar
  • 14.5k
3 votes
2 answers
1k views

Fighting Off Network Flooding

My website sometimes gets attacked by people. You can see such an attack at 18:00 and later on a bigger attack at 22:30. Basically the server's network card gets flooded by incoming requests. My ...
Mr.Boon's user avatar
  • 1,481
3 votes
3 answers
3k views

Win2008R2 :Brute force attack prevention

I am using Windows 2008 R2. I am wondering if there is any way to block a brute force attack. I searched here and there and I could not find a way to block an IP address after it makes some failing ...
user385411's user avatar
3 votes
3 answers
5k views

Most common account names used in ssh brute force attacks

Does anyone maintain lists of the most frequently guessed account names that are used by attackers brute-forcing ssh? For your amusement, from my main server's logs over the last month (43 313 failed ...
Charles Stewart's user avatar
3 votes
3 answers
15k views

SSHD: Difference between "connection closed..." and "disconnected from..." in log file

The sshd service on my Ubuntu server is under constant attack for various IP and user id. According to /var/log/auth.log file, there are three different types of fails from unknown id and IP address: ...
codechimp's user avatar
  • 133
3 votes
1 answer
172 views

Apache / Ubuntu 9.04: How do I counter-threats and improve the security of my server environment?

Our server hosts over a thousand sites, and some of them seem to have been hijacked by malicious scripts. These scripts run actions normally performed by a legitimate user en masse, causing severe ...
SFox's user avatar
  • 133
3 votes
1 answer
4k views

What's the right way to block brute force of HTTP basic auth?

Here's my thought: set a threshold like 30 times in a minute, then block this IP for a few minutes. But if the attacker forges the source IP address, this could block a legitimate user immediately. ...
daisy's user avatar
  • 757
3 votes
1 answer
2k views

Auto-ban IP from "wp-login.php" attackers

When I look at my Apache log other_vhosts_access.log, I see many many attempts, from a few different IP per month like this: www.example.com:80 91.200.x.x - - [25/Jun/2017:17:20:19 +0200] "POST /wp-...
Basj's user avatar
  • 769
