When it comes to securing infrastructures and access, the value of strong passwords cannot be stressed enough. The logic of this advice becomes obvious once one knows that the bruteforce attack threat exists and understands how it works.
The goal is always the same: guessing the right password by multiplying attempts.
It is possible to bruteforce many types of authentication:
- User accounts on websites
- Login / password of mailboxes in POP3/IMAP
- Shell Access or FTP/SFTP
- VPN Access
The main method remains the dictionary approach.
In practice, it is very simple to acquire a dictionary of potential passwords. It is simply a document listing common words, or for instance first names, on which an attacker can base his attack. The spell-checking dictionary shipped with operating systems such as Linux is a good base. There are also many dictionaries available online.
A good dictionary is targeted at a country and a language, and potentially at a user category. Many attackers have dictionaries targeted at a certain population, which include the most common words, children's names, pet names, combinations of dates of birth, credit card numbers, phone numbers, license plate numbers, etc.
Incidentally, some tools, like those we mentioned earlier, conduct hybrid attacks by combining the possibilities, for instance the name Kevin and a date of birth.
XKCD perfectly summarized the problem in this little comic: http://xkcd.com/936/
If the attacked system does not enforce a limit on the number of authentication attempts, the bruteforce attack can take a long time, but it has significant chances of succeeding. A relevant defense consists in allowing only a certain number of failed attempts before deactivating the account, or in increasing the minimum time between two attempts.
Though simple, this securing approach considerably slows down, or even stops, the attacker. The potential length of the attack will often discourage him and incite him to change targets.
CerberHost’s answers to bruteforce attacks
One of the tools used by CerberHost to protect websites against these attacks is Fail2ban, an open-source component that limits the number of attempts. Other mechanisms are handled by our firewall, NAXSI. The latter includes filtering by IP reputation; thus, IPs making too many failed attempts are blocked.
It is also advisable to set up a limit on the number of tries directly within the framework or tool used.
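The two defenses described above (deactivating the account after a set number of failed attempts, and increasing the minimum time between two attempts) are easy to build into an application's own login path, as the last paragraph recommends. The following Python example is added here for illustration and is not CerberHost, Fail2ban or NAXSI code; the class and function names, the thresholds (5 failures, 15-minute lockout, delays doubling from 1 s up to 60 s) and the sample user `alice` with a constructed password are all assumptions chosen for the demonstration.

```python
"""Login throttling: account lockout after N consecutive failures plus a
progressive minimum delay between attempts.  Added example, not CerberHost code."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class AttemptState:
    failures: int = 0          # consecutive failed attempts for this key
    locked_until: float = 0.0  # clock timestamp; 0.0 means not locked
    not_before: float = 0.0    # earliest time the next attempt is evaluated


class LoginThrottle:
    """Per-key (account name or source IP) failed-attempt tracking.

    After ``max_failures`` consecutive failures the key is locked for
    ``lock_seconds``.  Every failure also doubles the minimum delay before
    the next attempt is even looked at, capped at ``max_delay``.
    The clock is injectable so the behaviour can be demonstrated without sleeping.
    """

    def __init__(self, max_failures=5, lock_seconds=900.0,
                 base_delay=1.0, max_delay=60.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._state: dict[str, AttemptState] = {}

    def check(self, key):
        """Return (allowed, reason) without consuming an attempt."""
        st = self._state.get(key)
        if st is None:
            return True, "ok"
        now = self.clock()
        if now < st.locked_until:
            return False, "locked"
        if now < st.not_before:
            return False, "too_fast"
        return True, "ok"

    def record_failure(self, key):
        """Register a failed attempt; returns the new consecutive-failure count."""
        st = self._state.setdefault(key, AttemptState())
        now = self.clock()
        st.failures += 1
        # progressive backoff: 1 s, 2 s, 4 s, ... capped at max_delay
        delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.not_before = now + delay
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lock_seconds
        return st.failures

    def record_success(self, key):
        """A successful login resets the counters for that key."""
        self._state.pop(key, None)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def attempt_login(throttle, users, username, password):
    """Consult the throttle first, then the credentials; returns a status string.
    Unknown accounts still pay the hashing cost and still count as failures, so
    lockout behaviour does not reveal which account names exist."""
    allowed, reason = throttle.check(username)
    if not allowed:
        return reason
    record = users.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)  # burn the same time as a real check
        ok = False
    else:
        ok = verify_password(password, *record)
    if ok:
        throttle.record_success(username)
        return "success"
    throttle.record_failure(username)
    return "invalid"


class FakeClock:
    """Manually advanced clock used by the demo so it runs instantly."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=3, lock_seconds=600.0, clock=clock)
    users = {"alice": hash_password("correct horse battery staple")}  # constructed sample
    for guess in ("password", "alice123", "kevin1990", "kevin1990"):
        print(guess, "->", attempt_login(throttle, users, "alice", guess))
        clock.advance(1.0)
    clock.advance(600.0)
    print("correct ->", attempt_login(throttle, users, "alice", "correct horse battery staple"))
```

Keying the throttle by account name is what deactivates the account after too many failures; keying a second instance by source IP (exactly as the Fail2ban and NAXSI layers do at the network level) catches attackers who spread their guesses across many accounts. In a real deployment the state would live in a shared store rather than a process-local dictionary, so that all application servers see the same counters.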
CerberHost protects your website against all Top 10 OWASP attacks, and much more.
To discover CerberHost in pictures, watch its presentation video HERE.