Brute-Force Attack security – what is it and how to protect my site?

brute-force attack securityBrute-force attack is a way for someone to guess your account password by using a trial-error method. During a brute-force attack in a very short of time a high number of possible passwords are tried against your account. Brute-force attack methods are sophisticated in the sense that all possible combinations, of letters, numbers and special symbols are tried against your account password.

Most of these attacks are automated, and executed from one or many computers or powerful servers. Depending on the computing power, and the number of computers from which the attack is initiated, the brute-force attack can be a very serious threat for every site and web application.

The best friend for every brute-force attack is a weak account password. Passwords such as “123456″ and “pass” can be easily brute-forced in the range of minutes! Number one rule is to never use a week/dictionary based password – please, refer to the following blog article “How to select a strong password” for more information on this subject. Changing (where possible) your default site administrator username to a non-standard/non-dictionary word can also help significantly for the overall brute-force attack security.

The brute-force attack method is gaining significant attention and is becoming number one threat for most of the popular web applications. We have taken the time to describe some of the more effective way to combat these attacks depending on your application:

WordPress brute-force attack security:

1. Add a plugin towordpress-logo restrict the login attempts – a fact you should carefully consider is that by default WordPress will not provide you with a login limiter. Which is why it is up to you to add such plugin in order to protect your site. A plugin you can check is the Limit Login Attempts plugin which main goal is to do what its name suggests – limit the login attempts.

2. Pick a strong password – it is essential that your administrator and account password is very strong, preferably 12 characters in length.  Changing the default WP administrator username from ‘admin’ to something else is also a key. For more information on how to pick a strong password  please refer to the article How to select a strong password. Selecting a strong password is essential not only for your administrator password, but for all passwords needed for your site.

3. Change your password every few months, and do not use previously used passwords.

4. Change your WP Security keys along with changing your password. This will prompt all users to have to re-log in to your blog which will enhance your blog security. More information on how to change the WP security keys (salt) you can find in this blog post.

5. Review your log files – check your hosting log files, for multiple requests to your wp_login.php file. If you find something unusual, immediately change your password, and security keys. If you find certain IP, or as it is in most cases, group of IPs that are constantly accessing your wp_login.php page or your wp-admin section, that means that you are under a brute force attack and you should take extra measures to secure your WP blog.

You can find more WordPress security tips in our designated to WP blog post.

Joomla! brute-force attack security:joomla-logo

1. Select a strong password – For more information on how to pick a strong password  please refer to the article How to select a strong password. Selecting a strong password is essential not only for your administrator password, but for all passwords needed for your site.

2. Use extensions that could help you to secure your site against brute-force attacks, such as Securitycheck or Max Failed Login Attempts. The idea is to limit the number of computers (IPs) which can access your Joomla Administrator login page, and limit the number of allowed failed login attempts. If you notice computer IPs that are constantly being blocked for wrong logins, that means that you are under a brute-force attack and should take extra measures to protect your site.

3. Review your log files – your web site access log contains a lot of useful information. In case you notice that there are unusual “Gets”, and “Posts” to your administrator login page, then certainly you are under a brute-force attack and you must change your password, and install a login limitter plugin for your Joomla.

You can find additional Joomla security tips in our designated blog post.

Drupal brute force attack security:

1. Sdrupal-logoelecting a Strong Password – For more information on how to pick a strong password  please refer to the article How to select a strong password. Selecting a strong password is essential not only for your administrator password, but for all passwords needed for your site.

2. Add a CAPTCHA module to your login form which will ensure better protection since it will serve as a second wall to a brute-force attack. We recommend the CAPTCHA Drupal module, which will provide you with various of configuration options.

3.  Install additional security modules – you can use the Drupal Login Security module, which will serve as a login limiter or use Secure Password Hashes which will add extra ‘salt’ to your passwords, and provide your Drupal with an additional shield.

Protect your Magento site from brute force attackmagento-logo

1. Use a strong password – For more information on how to pick a strong password  please refer to the article How to select a strong password. Selecting a strong password is essential not only for your administrator password, but for all passwords needed for your site.

2. Use a customized admin URL – by default this is yoursite/admin, and every hacker wanting to break your account will start with it. In order to prevent this from happening you should follow these steps

1. Open your /app/etc/local.xml configuration file

2. Locate <![CDATA[admin]]> and replace ‘admin’ with the path you would like to use. For example if you change it to mylocalplace, the admin path will become /mylocalplace

After you have changed this URL, refresh your Magento cache – use an FTP client to delete the content of the var/cache/ directory and that’s it.

3. Restrict admin access only to certain IPs – you can do this via your .htaccess/web_config file. This will ensure that only known IPs will have access to your admin area.

4. Require SSL for all login pages - since Magento is used for e-commerce, the data is usually very sensitive. This is why it is recommended all login details to pass through a secure connection.

Final thoughts:

When adding protection against brute-force attacks, you should keep in mind two very important factors. The first is that this type attacks are after your password (user or admin passwords), trying to guess it by using different combinations, and variations. Meaning that you should make sure your password is strong and that you change it on a regular basis. It is also essential to change your default Administrator username – since most brute-force attacks use the standard for a given application Administrator username and rarely the attacks are trying to guess your Administrator username and password at the same time.

The second factor is that in most cases the brute-force attackds will trigger a lot of false login attempts – which can be seen either in your hosting account “access log” files, or if the application you use provide a dashboard where you can review your login history. If the application you are using for your site allows for login limit protection or there are extra “login limiter” plugins available that can be installed, you should activate/install them ASAP.

We would love to hear your comments, and thoughts on this very important matter. Please, share your thoughts with us in the section below.

Sincerely,

Elena @ MH Team

Leave a Reply

Blue Captcha Image
Refresh

*

This entry was posted on Wednesday, March 27th, 2013 at 9:54 am and is filed under Educational, Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.