18 Dec, 2017

Preventing Brute-Force Attacks On Websites

Learn what brute-force attacks are, how they can harm your website, and how to prevent them with a simple and effective method using .htaccess file.
Brute-force attacks are a significant portion of the modern web server attack landscape, and the goal of these attacks is to gain access to content management system (CMS) dashboards by guessing admin usernames and passwords. After access has been achieved, hackers gain full control of the compromised website and can use it to send spam, inject malicious JavaScript code into a database, or just redirect all visitors to a third-party resource to generate traffic (also known as traffic hijacking). In this post, you will learn that you don't have to be a security professional or seasoned webmaster to apply basic, and in the majority of the cases effective protection against brute-force attacks. By following the simple steps below, you will minimize the risk of a security breach through this attack vector and secure your database and sensitive information.
What is a Brute-Force Attack?
A brute-force attack is a password guessing attack comprised of multiple attempts to predict/discover a username and password. Attackers randomly generate usernames and passwords (or use a list of widely used account names and passwords like “admin” and “password”) to systematically try to login to the attacked CMS using generated credentials. When one attempt fails, the attacker generates other usernames and passwords and tries again. Brute-force attacks are performed by automated systems (software or scripts) and do not require much computational power - only HTTP Send and Receive requests are executed.

In a more complex form, scripts can be executed in multiple concurrent threads to send numerous login requests until the correct credentials have been found. Brute-force attacks issued from the same IP address can be detected and prevented by WAFs and CMS plugins. Complex brute-force attacks send login requests with generated usernames and passwords from multiple IP addresses by using botnets which may contain thousands of nodes that are used for the same purpose.
How People Try to Protect Against Brute-Force Attacks
Almost all CMSs provide a list of different plugins that can be used to protect from brute-force attacks. Several plugins offer the capability to blacklist IPs to block access from these addresses. Other plugins use databases that contain blacklisted IP addresses to block requests coming from the blacklisted IPs.

Some plugins block access to the login page after N unsuccessful attempts (i.e. account lockout) while other plugins use a captcha to protect against brute-force attacks. Unfortunately, none of these methods are perfect. Every brute-force HTTP request will be handled by the appropriate plugin which in turn uses resources on the attacked website. It makes the web site less responsive to the legitimate HTTP requests coming from real visitors.

When brute-force attacks emanate from recently infected machines, these IPs won't be present in the database of blacklisted IPs, which makes such plugins less efficient and require website administrators to manage and block these addresses manually. Altogether, there are no plugins that can protect from brute-force attacks without severely impacting the website's responsiveness and performance.
How to Really Protect Against Brute-Force Attacks?
Brute-force attack protection has two goals:

  1. Prevent attackers from accessing the CMS admin dashboard
  2. Preserve website resources to keep it responsive for real visitors
Achieving the First Goal
It is strongly recommended that passwords be at least 16 characters long and contain letters, numbers, and symbols to make brute-force attacks more difficult and time-consuming.
Achieving the Second Goal
There is a capability of blocking HTTP requests on the web server (Apache, Nginx and the rest) level without passing malicious HTTP requests to the PHP interpreter which in turn invokes the CMS’s protection plugin. Here we will provide an apache based example for a WordPress CMS which is the most popular combination of CMS and web server. The key point of this protection method is a “.htaccess” file used by the Apache web server for configuration purposes on a subdirectory level. Putting a specially crafted “.htaccess” file into website root directory will do the work and apply restrictions to the root and rest of the subfolders of the protected website.

The basic .htaccess file used by WordPress looks like the following:
# BEGIN WordPress <IfModule mod_rewrite.c> RewriteEngine On RewriteBase /
RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L] </IfModule> # END WordPress
We assume that the login page of the website is located at http(s)://mywebsite[.]com/wp-login.php.

If so, then the following set of rules will restrict access to http(s)://mywebsite[.]com/wp-login.php to IP address aaa.bbb.ccc.ddd; where aaa.bbb.ccc.ddd is the IP address of the website admin's machine:
ErrorDocument 401 default
ErrorDocument 403 default
<Files wp-login.php> Order deny,allow
Deny from all Allow from aaa.bbb.ccc.ddd
</Files> 
The value of the public IP address is available via the Google search string "my IP address". So now to protect your website from a massive brute-force attack, all that is needed is to add the last block of instructions to the .htaccess file which is already in the root directory of the website.
Conclusion
There are multiple ways to protect your website from brute-force attacks. Dedicated brute-force protection CMS plugins, captcha plugins, using strong passwords (when thousands of bots are heavily trying to guess it, they might won’t be able to do that but the overwhelming number of such attempts will exhaust the CPU and might lead to a DDoS), and login page URL customization are a few approaches. But all of the above methods are either less effective protections or just require too much of the resources of the hosting server. By whitelisting only your IP address access to the login page, you block all possibilities that anyone except you will be able to access admin dashboard login page unless you fail to patch new vulnerabilities.
Is your website flagged for malware, blocked by the search engines or disabled by the host?
As usual, we are here to clean up any malware from your sites and remove false-positives, blacklisting and other kinds of alerts by any security vendor and search engines. Just select from suitable ThreatSign! Anti-Malware Plan and get back online.

For other issues and help: Quttera's help-desk