Protecting Your Server From Brute Force Attacks

As a server admin, protecting your servers from different types of attacks is a vital responsibility. The most common of these is the brute force attack, where the attacker tries to log in to the server, an email account or any other password-protected area by trial and error. The most common form of brute force attack is the dictionary attack: a person trying to get access to one of your accounts (web server, FTP, e-mail, SSH, etc.) uses a list of common usernames and password combinations with the help of an automated script.

We need a service which detects login failures and, if it sees too many failures from a specific IP, triggers the firewall so that the IP gets blocked, thereby protecting the server and the account.

So the basic steps to protect your server against brute force attacks are:

  1. Use complex passwords – it is your data and your business. Why would you set a password which is easily guessable?
  2. Use nonstandard ports for services like SSH, FTP, etc.
  3. Install a Brute Force Detection (BFD) service.

In order to detect brute force attacks, it is necessary to monitor the access log files for repeated failures. There are a few simple scripts available free on the Internet which do this job quite well. Two of them are CSF from ConfigServer.com and APF+BFD from RFXnetworks.com.

Mind you, both of the above tools depend on the Linux firewall called iptables, and if your server doesn't support APF, this tool is not for you.

The basic principle behind these tools is the firewall policy. By default, iptables ACCEPTs all connections, which is potentially not good. So APF and CSF change the default policy to DROP and ACCEPT connections only on specific ports. That is why a server with CSF or APF installed stops responding when you run "iptables -F": flushing removes the ACCEPT rules while the DROP policy stays in place.
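To show the detection principle these tools share, here is an added example (not code from CSF, APF or BFD) that scans constructed sshd log lines, counts failed logins per source IP within a sliding time window, and builds the iptables DROP rule a BFD tool would insert for each offender. The threshold, window length and log format are assumptions; the rules are only built as strings, never executed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format (not taken from a real server).
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  1 10:00:03 host sshd[2103]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar  1 10:00:04 host sshd[2105]: Failed password for root from 198.51.100.7 port 51031 ssh2
Mar  1 10:00:06 host sshd[2107]: Failed password for invalid user test from 198.51.100.7 port 51033 ssh2
Mar  1 10:00:09 host sshd[2109]: Failed password for root from 198.51.100.7 port 51035 ssh2
Mar  1 10:00:10 host sshd[2111]: Accepted publickey for deploy from 203.0.113.5 port 40000 ssh2
Mar  1 10:00:12 host sshd[2113]: Failed password for deploy from 203.0.113.5 port 40001 ssh2
Mar  1 10:30:00 host sshd[2201]: Failed password for root from 192.0.2.9 port 22222 ssh2
Mar  1 11:30:00 host sshd[2202]: Failed password for root from 192.0.2.9 port 22223 ssh2
Mar  1 12:30:00 host sshd[2203]: Failed password for root from 192.0.2.9 port 22224 ssh2
Mar  1 13:30:00 host sshd[2204]: Failed password for root from 192.0.2.9 port 22225 ssh2
Mar  1 14:30:00 host sshd[2205]: Failed password for root from 192.0.2.9 port 22226 ssh2
"""

# Matches only failed password attempts; successful logins are ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port"
)

def parse_failures(log_text, year=2024):
    """Return (timestamp, ip) for every failed-login line (syslog lines carry no year, so one is assumed)."""
    out = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group("ip")))
    return out

def offending_ips(failures, threshold=5, window_seconds=600):
    """IPs with at least `threshold` failures inside any window of `window_seconds` (assumed limits)."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ts, ip in failures:
        by_ip[ip].append(ts)
    blocked = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                blocked.append(ip)
                break
    return blocked

def drop_rules(ips):
    """Build the iptables DROP rule a BFD tool would insert per offender (returned as text, not run)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]
```

With the defaults, 198.51.100.7 (five failures in eight seconds) is flagged, while 192.0.2.9 (five failures spread over four hours) and the single failure from 203.0.113.5 are not; widening the window to several hours also catches the slow attacker.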

How to Install CSF

cd /root
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

If you are on a cPanel server, you need to log in to WHM, scroll down to "ConfigServer Security and Firewall" and enable the service by turning off test mode. You also need to confirm that all the ports you use are enabled. The configuration is very detailed, and CSF has its own BFD called Login Failure Detection (LFD).

Through the interface, you can add, search, block and unblock IPs and ranges of IPs.

How to Install APF/BFD

cd /root
wget http://rfxnetworks.com/downloads/apf-current.tar.gz
tar xfz apf-current.tar.gz
cd apf-*
./install.sh

By default, APF and CSF are set up to run in development mode, which flushes the firewall rules every 5 minutes. Running in development mode defeats the purpose of running APF, so turn it off once you have confirmed that your own access still works. Configure the Ingress (inbound) TCP and UDP ports that need to be open.

Edit /etc/apf/ad/conf.antidos as you see fit, and start the APF firewall.

How to Install BFD

cd /root
wget http://rfxnetworks.com/downloads/bfd-current.tar.gz
tar xfz bfd-current.tar.gz
cd bfd-*
./install.sh

Read the README file, and edit the configuration file located in /usr/local/bfd/conf.bfd. Find ALERT="0" and replace it with ALERT="1".

Find:

EMAIL_USR="root"

and replace it with:

EMAIL_USR="username@yourdomain.com"

Installing APF or BFD doesn't mean that the server is secure – it is just an enhancement. You must watch the emails that CSF or APF send, keep your server under close watch, keep your passwords secure and keep services off the common ports as much as possible. A secure server always means peace of mind. Good luck!
