Brute-force attack

From Jonathan Gardner's Tech Wiki

Method

A brute-force attack is an attack in which the attacker tries to gain access to an account by repeatedly guessing its password, or even its username. This is different from a denial-of-service attack, although it is similar in that the attacker makes a very large number of guesses and may end up behaving like a DoS attack.

There are several good ways to protect against this type of attack.

  1. Use good, hard-to-guess passwords. Of course, if a password is hard to guess, it is usually hard to remember too. Many systems force users to choose "good" passwords, although too often this merely forces them to write their passwords down.
  2. Prevent repeated guessing by locking accounts. If an attacker guesses wrong three times, say, we can simply lock the account. We can allow it to reopen automatically after a certain amount of time, or require the user to contact an administrator to reopen it.
  3. Prevent repeated guessing by locking out hosts that guess. Rather than locking accounts, you can also block IP addresses, or even whole address ranges, that guess wrong too often. Again, you can allow the hosts to regain access after a time, or have an administrator unblock the host or host range.
  4. Blacklist known bad hosts. This is done by coordinating with others you trust to maintain a list of bad hosts on the internet and simply refusing to do business with them.
  5. Whitelist known good hosts. Another option is to allow only trusted hosts to use the service and attempt authentication at all.

SSH

Currently, there are hosts on the internet trying to gain access to Linux boxes by brute-forcing SSH logins. Here are some best practices to limit their effectiveness.

  1. Don't run SSH. You can disable it quite easily.
  2. Only allow known hosts to connect to port 22. This is also easily done; the hardest part is figuring out which hosts to allow.
  3. Use pam_abl. pam_abl will lock accounts or blacklist hosts that fail authentication above a certain threshold. It is completely configurable and works for more than just SSH.
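
The account and host lockouts described in the list above, with the automatic reopen after a timeout, are the same policy pam_abl applies. The following is an added example (not the page's own code and not pam_abl's implementation) that replays constructed sshd-style "Failed password" log lines through one per-account and one per-host policy; the thresholds, windows and log lines are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines (made up for this example, not real traffic).
SAMPLE_LOG = """\
2024-01-01T10:00:00 Failed password for root from 203.0.113.5 port 50001 ssh2
2024-01-01T10:00:05 Failed password for root from 203.0.113.5 port 50002 ssh2
2024-01-01T10:00:09 Failed password for invalid user admin from 203.0.113.5 port 50003 ssh2
2024-01-01T10:00:12 Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
2024-01-01T10:00:20 Failed password for root from 198.51.100.9 port 40002 ssh2
2024-01-01T10:00:25 Failed password for root from 203.0.113.5 port 50004 ssh2
2024-01-01T10:30:00 Failed password for root from 203.0.113.5 port 50005 ssh2
"""
FAIL_RE = re.compile(r"^(?P<ts>\S+) Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+)")

class LockoutPolicy:
    """Lock a key (account name or source host) after `threshold` failures inside `window`; the lock expires `lock_for` later."""
    def __init__(self, threshold=3, window=timedelta(minutes=10), lock_for=timedelta(minutes=15)):
        self.threshold, self.window, self.lock_for = threshold, window, lock_for
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lock expires

    def is_locked(self, key, now):
        if now < self.locked_until.get(key, now):   # still inside the lock period
            return True
        if self.locked_until.pop(key, None):        # expired lock: reopen and forget old failures
            self.failures[key].clear()
        return False

    def record_failure(self, key, now):     # returns True when this failure trips the lock
        recent = self.failures[key]
        recent.append(now)
        while now - recent[0] > self.window:  # discard failures older than the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self.locked_until[key] = now + self.lock_for
            return True
        return False

def scan(log_text, per_user=None, per_host=None):
    per_user, per_host = per_user or LockoutPolicy(), per_host or LockoutPolicy()
    locks = []                              # (time, key) pairs for every lock that was set
    for m in filter(None, map(FAIL_RE.match, log_text.splitlines())):   # accepted logins are skipped
        now = datetime.fromisoformat(m["ts"])
        for key, policy in ((m["user"], per_user), (m["host"], per_host)):
            if not policy.is_locked(key, now) and policy.record_failure(key, now):
                locks.append((now.isoformat(), key))
    return locks
```

With the defaults, the sample locks the host 203.0.113.5 after its third failure and the root account after three failures from any host; both locks have expired by the 10:30 attempt, so that failure starts a fresh count rather than being dropped.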

There are some other practices people use, but I don't feel they are effective or easy to implement.

  1. Limit which accounts can be used for SSH. Some people turn off root and other users for SSH. I feel like this hinders my productivity. As long as you have a good root password, having SSH open doesn't make your system much less safe.
  2. Use port knocking. I don't feel like this is an effective security measure since it relies on security through obscurity.
  3. Only allow SSH access with keys. I feel this hinders productivity too much. I don't carry my private keys around with me. I only put them on machines I can trust.