{"id":14821,"date":"2021-08-10T09:54:00","date_gmt":"2021-08-10T13:54:00","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=14821"},"modified":"2023-03-27T13:55:02","modified_gmt":"2023-03-27T17:55:02","slug":"15-brute-force-attack-prevention-techniques-you-should-know","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/15-brute-force-attack-prevention-techniques-you-should-know\/","title":{"rendered":"15 Brute Force Attack Prevention Techniques You Should Know"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\" id=\"h-whether-it-s-understanding-how-to-stop-a-brute-force-attack-on-your-server-or-how-to-prevent-brute-force-attacks-in-general-there-are-several-key-things-you-can-do-to-protect-your-business-here-s-what-to-know\">Whether it\u2019s understanding how to stop a brute force attack on your server or how to prevent brute force attacks in general, there are several key things you can do to protect your business. Here\u2019s what to know\u2026<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s no secret that bad guys love bad passwords. And I don\u2019t mean bad like passwords that contain naughty words \u2014 I mean passwords that are so easy to guess that my young niece could figure them out with minimal effort. Reusing old passwords or \u201ctweaking\u201d old passwords (which <a href=\"https:\/\/www.f5.com\/labs\/articles\/threat-intelligence\/2021-credential-stuffing-report\">70% of users admit to doing<\/a>) is also an issue. These types of insecure passwords make easy targets for brute force attacks. This is why brute force attack prevention should be a priority for your cyber security initiatives.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Brute force attacks are account hacking attempts that involve everything from cybercriminals guessing random or common passwords to capitalizing on leaked or stolen legitimate user credentials. These cyber attacks are no laughing matter. 
Bad guys often use scripts or bots to target the login pages on many sites and web apps, but the same guess-and-check approach is also aimed at other exposed services, such as RDP and SSH (more on those below).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Losses to businesses from these events vary in terms of direct and indirect costs. The United Kingdom\u2019s Information Commissioner\u2019s Office (ICO) reports that <a href=\"https:\/\/ico.org.uk\/about-the-ico\/news-and-events\/news-and-blogs\/2020\/03\/international-airline-fined-500-000-for-failing-to-secure-its-customers-personal-data\/\">Cathay Pacific (an international airline) suffered a brute force attack<\/a> in 2018 that resulted in a \u00a3500,000 fine for insufficient security measures. Understanding how to stop a brute force attack on your server can help prevent your company from making similar headlines.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, is there a one-size-fits-all solution for how to prevent brute force attacks? Not really. Brute force attack prevention boils down to a layered security approach coupled with a handful of tried-and-true tactics. Much like other types of cyber attack prevention, it\u2019s about eliminating as many weaknesses as possible in your defenses and making yourself a tougher target than the guy next to you.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In this article, we\u2019ll cover several common brute force attack prevention techniques. 
We\u2019ll also walk you through how to stop a brute force attack on a server.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-to-prevent-brute-force-attacks-15-brute-force-attack-prevention-techniques\">How to Prevent Brute Force Attacks (15 Brute Force Attack Prevention Techniques)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To effectively stop brute force attacks from affecting your IT systems and customers, you first need to understand what a brute force attack is. Since we\u2019ve already written an article about <a href=\"https:\/\/www.thesslstore.com\/blog\/brute-force-attack-definition-how-brute-force-works\">what a brute force attack is and how different types of brute force attacks work<\/a>, we\u2019ll give you a quick overview before moving on to the prevention techniques.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A brute force attack is both a category of cyber attack and a specific method within it, typically used to gain unauthorized access to accounts. Most brute force attacks are password attacks, but the same guess-and-check approach is also used against API keys, weak SSH or other cryptographic keys, and hidden web pages and directories. (Against keys of adequate length the search space is far too large to enumerate, which is why the key-based methods later in this list resist brute force so well.) When used as a password attack, it targets your authentication systems by bombarding login forms with username and password guesses until it finds a matching combination.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s no secret that bad guys want to gain unauthorized access to your organization\u2019s secure resources and sensitive data. Admin and privileged accounts are particularly attractive targets because they have greater access than others.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With all of this in mind, let\u2019s break down 15 brute force attack prevention techniques. 
These prevention methods are grouped into six categories to make the content easy to follow.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-implement-strict-access-controls-set-up-other-authentication-protections\">Implement Strict Access Controls &amp; Set Up Other Authentication Protections<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The general idea of access controls and access management is to ensure that only authorized, authenticated users can access your secure resources. That covers everything from your network and web apps to other IT systems and data. In a basic sense, access management boils down to knowing:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If someone has the approval or permissions to access those resources (authorization), and<\/li>\n\n\n\n<li>If the person requesting access is, in fact, who they claim to be (authentication).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This combination of authorization and authentication is critical to identity and access management (IAM) and your organization\u2019s ability to develop a zero-trust architecture.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Using access controls effectively (and keeping bad guys away from your login pages) is essential to preventing brute force attacks from succeeding. These practices and processes also limit the damage in the event that a brute force attack does succeed, because a compromised account can only reach what it was granted.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This brings us to the first brute force attack prevention technique on our list\u2026<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-1-require-use-of-strong-unique-passwords-or-better-passphrases\">1. 
Require Use of Strong, Unique Passwords \u2014 Or, Better, Passphrases<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Require users to create unique passphrases in lieu of traditional passwords. For example, <em>Goldfish%MirrorHarp+Sickle<\/em> is a lot easier to remember than <em>3Ln`GW@09h*QaAwn$!<\/em>. The <a href=\"https:\/\/www.fbi.gov\/contact-us\/field-offices\/phoenix\/news\/press-releases\/fbi-tech-tuesday-strong-passphrases-and-account-protection\">FBI recommends using unique passphrases<\/a> that are at least 15 characters long and contain multiple words. A long passphrase built from several randomly chosen words has far more entropy than a short password, yet it is easier for people to remember than random gibberish (so they\u2019ll be less likely to write it down or reuse it to secure multiple accounts). The words do need to be chosen at random, though: a famous quote or song lyric is in every cracking wordlist.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We specify unique passwords\/passphrases because users typically like to choose the easiest route when it comes to creating account secrets. This often results in users either creating crappy (insecure) passwords or re-using passwords across multiple accounts, which is exactly what credential stuffing attacks exploit.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Knowing this, it\u2019s crucial for businesses to set strong password security requirements and create a password policy that you enforce. Check out <a href=\"https:\/\/pages.nist.gov\/800-63-3\/sp800-63b.html\">NIST\u2019s Digital Identity Guidelines (SP 800-63B)<\/a> for additional guidance when creating password-related policies. Its advice is worth following closely: it favors length over forced complexity rules, drops mandatory periodic rotation, and requires screening new passwords against lists of known-breached passwords, which is what takes the easy wins away from credential stuffing.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-2-set-account-restrictions-so-only-the-users-who-need-access-have-access-to-key-systems\">2. 
Set Account Restrictions So Only the Users Who Need Access Have Access to Key Systems<\/h4>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"460\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/active-directory-access-control-1024x460.png\" alt=\"A brute force attack prevention graphic: A screenshot of Active Directory user groups and permissions\" class=\"wp-image-14824\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/active-directory-access-control-1024x460.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/active-directory-access-control-300x135.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/active-directory-access-control-768x345.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/active-directory-access-control.png 1173w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">An Active Directory screenshot that displays user and group permissions. The image has been edited to remove sensitive information.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This process often involves setting roles and permissions for users within your Active Directory (AD) or other access management system, following the principle of least privilege: each account gets only the permissions its role needs, and administrative rights live in separate admin accounts that are not used for email or browsing. That limits exposure in the event that an employee\u2019s account becomes compromised.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This process can also include restricting remote access, Remote Desktop Protocol (RDP) in particular. RDP should not be reachable directly from the internet at all (see the VPN point below). RDP is a common target for brute force attacks. 
<a href=\"https:\/\/info.edgescan.com\/vulnerability-stats-report-2021\">Edgescan\u2019s 2021 Vulnerability Statistics Report<\/a> shares that RDP exposures increased significantly in 2020:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cRemote desktop (RDP) and Secure Shell (SSH) exposures increased by 40%, likely due to the increase in remote working due to Covid-19. <\/em>RDP (and similar services) are easy and commonly used avenues for brute force or credential stuffing attacks, against weak user credentials.<em>\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-3-set-a-limit-for-how-many-failed-login-attempts-can-occur-within-a-certain-period\">3. Set a Limit for How Many Failed Login Attempts Can Occur Within a Certain Period<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">A couple of big red flags that you\u2019ll see with brute force attacks is a single IP attempting to log in to multiple accounts, or multiple IPs attempt to log in to a single user account. You can combat these issues by using rate limits and access use policy:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Setting and enforcing rate limits is a great way to limit the traffic on your web app, network or server. 
In this context, you can configure your resources to only allow a specified number of failed user login attempts within a set time period.<\/li>\n\n\n\n<li>With an account use policy, you can set accounts to lock out users after so many failed attempts.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"973\" height=\"815\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/wordpress-failed-login-example.jpg\" alt=\"A compilation image of two WordPress.org screenshots that showcase a login attempt limit warning and a failed login attempt notice\" class=\"wp-image-14825\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/wordpress-failed-login-example.jpg 973w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/wordpress-failed-login-example-300x251.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/wordpress-failed-login-example-768x643.jpg 768w\" sizes=\"auto, (max-width: 973px) 100vw, 973px\" \/><figcaption class=\"wp-element-caption\">A compilation image we created featuring two screenshots of WordPress.org login attempt limit and error messages. Source of the original screenshots: <a href=\"https:\/\/wordpress.org\/plugins\/limit-login-attempts-reloaded\/\">WordPress.org<\/a>.<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-secure-your-login-pages-and-other-web-apps-using-these-protection-measures\">Secure Your Login Pages and Other Web Apps Using These Protection Measures<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s no secret that the login pages on sites and web apps are the primary targets in most brute force attacks. 
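<\/p>

<p class=\"wp-block-paragraph\">The rate limit and lockout approach described under technique 3 above, implemented as a small Python class. This is an added example written for this page, not code from the original article or from any product it mentions; the <code>LoginThrottle<\/code> class, its thresholds and the IP addresses in the simulation are all hypothetical values chosen for illustration. It counts failures in a sliding window per source IP (to catch one address spraying many accounts) and per account (to catch many addresses hammering one account), and it locks only temporarily so that the lockout cannot be turned into a denial of service against a legitimate user.<\/p>

```python
# Added example (not from the original article): a sliding-window failed-login
# limiter that enforces both thresholds from technique 3 and locks out only
# temporarily, so an attacker cannot weaponize the lockout against real users.
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple


class LoginThrottle:
    """Tracks failed logins per source IP and per account (hypothetical helper).

    max_per_ip      -> one IP failing against many accounts (password spraying)
    max_per_account -> many IPs failing against one account (targeted guessing)
    Both use a sliding window of window_s seconds; crossing a threshold locks
    that key for lock_s seconds (a temporary lock, never a permanent one).
    """

    def __init__(self, window_s: int = 300, max_per_ip: int = 20,
                 max_per_account: int = 5, lock_s: int = 900) -> None:
        self.window_s = window_s
        self.max_per_ip = max_per_ip
        self.max_per_account = max_per_account
        self.lock_s = lock_s
        self._ip_fail: Dict[str, Deque[float]] = defaultdict(deque)
        self._acct_fail: Dict[str, Deque[float]] = defaultdict(deque)
        self._ip_lock: Dict[str, float] = {}    # ip -> unlock timestamp
        self._acct_lock: Dict[str, float] = {}  # account -> unlock timestamp

    def _prune(self, q: Deque[float], now: float) -> None:
        # Drop failures that fell out of the window so old noise does not count.
        while q and q[0] <= now - self.window_s:
            q.popleft()

    def allow(self, ip: str, account: str, now: float) -> Tuple[bool, str]:
        """Call before checking the password. Returns (allowed, reason)."""
        if self._ip_lock.get(ip, 0.0) > now:
            return False, "ip_locked"
        if self._acct_lock.get(account, 0.0) > now:
            return False, "account_locked"
        return True, "ok"

    def record_failure(self, ip: str, account: str, now: float) -> str:
        """Record a wrong password; returns 'counted', 'ip_locked' or 'account_locked'."""
        state = "counted"
        q_ip = self._ip_fail[ip]
        q_ip.append(now)
        self._prune(q_ip, now)
        if len(q_ip) >= self.max_per_ip:
            self._ip_lock[ip] = now + self.lock_s
            state = "ip_locked"
        q_acct = self._acct_fail[account]
        q_acct.append(now)
        self._prune(q_acct, now)
        if len(q_acct) >= self.max_per_account:
            # Temporary lock only: a permanent lock would let anyone deny
            # service to a user just by guessing wrong on purpose.
            self._acct_lock[account] = now + self.lock_s
            state = "account_locked"
        return state

    def record_success(self, ip: str, account: str, now: float) -> None:
        # A correct password clears the account's failure history and lock.
        self._acct_fail.pop(account, None)
        self._acct_lock.pop(account, None)


def simulate() -> Dict[str, Tuple[bool, str]]:
    """Replay two constructed attack patterns (sample data, not real traffic)."""
    t = LoginThrottle()
    # Pattern 1: five different IPs each fail once against 'alice' (distributed).
    for i in range(5):
        t.record_failure(f"203.0.113.{i + 1}", "alice", now=100.0 + i)
    # Pattern 2: one IP fails against twenty distinct accounts (spraying).
    for i in range(20):
        t.record_failure("198.51.100.7", f"user{i:02d}", now=200.0 + i)
    return {
        "alice_from_new_ip": t.allow("192.0.2.9", "alice", now=110.0),
        "spray_ip_new_account": t.allow("198.51.100.7", "bob", now=220.0),
        "unrelated_user": t.allow("192.0.2.9", "carol", now=220.0),
        "alice_after_lock_expires": t.allow("192.0.2.9", "alice", now=1005.0),
    }
```

<p class=\"wp-block-paragraph\">Call <code>allow()<\/code> before touching the password store, <code>record_failure()<\/code> on a wrong password and <code>record_success()<\/code> on a correct one, and return the same generic error to the client whether the attempt was blocked or merely wrong. In production the counters would live in a shared store such as Redis so every application node sees the same picture.<\/p>

<p class=\"wp-block-paragraph\">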
Data from <a href=\"https:\/\/www.verizon.com\/business\/resources\/reports\/dbir\/\">Verizon\u2019s 2021 Data Breach Investigations Report (DBIR)<\/a> shows that 89% of data breaches targeting web apps involved the use of brute force or stolen credentials.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is why you must take extra care to fortify these defenses to the best of your ability. Here are a few of the ways you can do this:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-4-employ-captcha-as-part-of-your-login-page-requirements\">4. Employ CAPTCHA as Part of Your Login Page Requirements<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">You know that dreaded \u201cClick here to prove you\u2019re not a bot\u201d challenge box you have to click on many websites? That\u2019s <a href=\"https:\/\/csrc.nist.gov\/glossary\/term\/Completely_Automated_Public_Turing_test_to_tell_Computers_and_Humans_Apart\">CAPTCHA<\/a>, which stands for \u201cCompletely Automated Public Turing test to tell Computers and Humans Apart.\u201d (Yeah, I know, that\u2019s way more letters than just C-A-P-T-C-H-A but I didn\u2019t name it&#8230;)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These tools come in many varieties, some of which may require you to calculate simple mathematical equations, identify elements in photographs, or solve word problems. 
But I\u2019ll be honest: Whenever I\u2019ve had to solve CAPTCHA in recent months, my mind always goes to this humorous video:<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Verifying that you&#039;re not a robot\" width=\"960\" height=\"540\" src=\"https:\/\/www.youtube.com\/embed\/LButXcZ57pc?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Regardless of how annoying (and frustrating) this site security feature may be at times, it does have some value. CAPTCHA helps prevent account takeovers, fraudulent purchases and other automated abuse. The premise is a task that is easy for humans but hard for machines, so that only a human can get past it reliably. In practice that premise has eroded: CAPTCHA-solving services and machine learning solvers defeat many challenges, so treat CAPTCHA as friction that raises the attacker\u2019s cost rather than as a hard barrier, and show it adaptively (for example after a few failed attempts from the same address or on the same account) rather than on every login.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You can use a tool like <a href=\"https:\/\/www.google.com\/recaptcha\/about\/\">reCAPTCHA<\/a> on your website to stop most bots from pummeling your login forms. Google even has an enterprise version that enables you to use it for site-wide coverage and an API to integrate the tool into mobile applications.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-5-use-an-allowlist-to-limit-access-to-specific-pages\">5. Use an Allowlist to Limit Access to Specific Pages<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Allowlists (AKA whitelists) are a great way to ensure that only select users, IP addresses, or domains can access your pages, web apps, emails, applications, and other systems. For example, using an allowlist enables you to specify which IP addresses can access your login pages. 
Any access attempts made by IP addresses other than those you\u2019ve included on that list will be blocked automatically.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"501\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/sitelock-dashboard-whitelist-by-ip-for-page-1024x501.png\" alt=\"A brute force attack prevention graphic: A SiteLock dashboard screenshot that shows allowlist (whitelist) IP restrictions\" class=\"wp-image-14826\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/sitelock-dashboard-whitelist-by-ip-for-page-1024x501.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/sitelock-dashboard-whitelist-by-ip-for-page-300x147.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/sitelock-dashboard-whitelist-by-ip-for-page-768x375.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/sitelock-dashboard-whitelist-by-ip-for-page-1536x751.png 1536w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/sitelock-dashboard-whitelist-by-ip-for-page-2048x1001.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">A screenshot of how you can allowlist IP addresses in the SiteLock dashboard. Image courtesy of Logan Kipp, Director of Sales Engineering at <a href=\"https:\/\/www.sitelock.com\/\">SiteLock<\/a>.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Why not use a blocklist (AKA blacklists) instead? Well, you can. It\u2019s just that you\u2019d have to know which IP addresses to block ahead of time. 
And it gets harder still when attackers route their traffic through proxies or a botnet, because each attempt then appears to come from a different address.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, using a blocklist can be an effective security measure in some cases, such as if:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You observe many failed login attempts or unusual traffic originating from IP addresses in specific geographic areas, and<\/li>\n\n\n\n<li>You know none of your legitimate users will access your pages from those geographic areas.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Obviously, this won\u2019t help you so much if an attacker is just cycling through lists of proxy IPs or using some types of automated systems. But some of the <a href=\"https:\/\/owasp.org\/www-community\/controls\/Blocking_Brute_Force_Attacks\">contributors at OWASP<\/a> suggest additional countermeasures for that situation, such as varying the site\u2019s response to failed logins so that automated tools can\u2019t easily tell a failure from a success. (Click on the link in the previous sentence to learn more about all of that.)<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-6-change-the-urls-of-your-login-pages\">6. Change the URLs of Your Login Pages<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">While using something like <em>example.com\/blog\/login.php<\/em> makes these pages easy for your team to remember, it also makes them easy for hackers to guess and for automated tools and bots to target with brute force attacks. But if you use a unique URL for these critical pages \u2014 say, <em>example.com\/blog\/w00t-login-here.php<\/em> instead, then you make your authentication pages a lot harder for bad guys to find. Be clear that this is obscurity, not a control: anyone who learns the new URL (from a leaked link, a referrer header or a crawler) is back to square one, so combine it with rate limiting and MFA rather than relying on it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We had to do this ourselves here at Hashed Out earlier this year. Why? Because some schmuck(s) repeatedly tried to force their way into our blog dashboard. 
This is one of the ways we chose to shut down their brute force attacks. It\u2019s not a foolproof method, but at a minimum it reduces the server load caused by lazy brute forcers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-create-layers-of-security-to-strengthen-your-network-and-server-security-defenses\">Create Layers of Security to Strengthen Your Network and Server Security Defenses<\/h3>\n\n\n\n<p class=\"wp-block-heading\">This next section focuses on network- and server-related brute force attack prevention techniques. The idea here is that you want to use multiple layers of cyber defenses to protect your organization. This includes various network security tools that help you monitor and block unusual traffic.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One of the most important ways to protect your IT environment from brute force attacks is to keep all of your software, firmware, add-ons and extensions patched and updated. Cybercriminals love to exploit vulnerabilities to gain access to related or connected systems. However, you can take some other steps to ensure your devices, sites, and networks are operating with the strongest defenses.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-7-adopt-network-security-and-threat-detection-tools\">7. Adopt Network Security and Threat Detection Tools<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">A web application firewall (WAF) is a great tool that can help you to detect and thwart credential stuffing attacks. However, it\u2019s not perfect: a WAF that keys on per-IP thresholds can be ineffective against distributed attacks in which a botnet spreads the attempts across many IP addresses, each staying under the threshold. This is why you should be using other types of protection as well.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Intrusion detection systems (IDS) help you to identify and report network security incidents and vulnerability exploits \u2014 but they do have limitations. An IDS only detects and alerts; blocking takes an intrusion prevention system (IPS) or a tool that acts on your logs. Security information and event management (SIEM) software collects and correlates logs from across your systems, which is what lets you spot patterns no single host sees, such as many IPs hitting one account across several servers, and alert on them so you can respond. SIEM helps you catch brute force attacks in action so you can do what needs to be done to rain on the bad guys\u2019 parades.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, we understand that these tools \u2014 and the experts needed to operate them effectively \u2014 can be pretty pricy for smaller in-house operations. This is where using a managed security service provider may be a good option.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-8-require-employees-to-use-secure-encrypted-connections\">8. Require Employees to Use Secure, Encrypted Connections<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">If you\u2019ve been reading Hashed Out for a while, you know that encryption is essential to cybersecurity. We typically talk about it in terms of securing website connections via HTTPS through SSL\/TLS certificates. However, virtual private networks (VPNs) are also useful tools \u2014 particularly when you have employees and admins working remotely.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you require VPN use for remote access, with RDP reachable only from inside the VPN rather than exposed on the internet, and a VPN gateway set up to keep remote traffic separate from your local network, it takes the RDP-focused brute force attacks we mentioned earlier off the table. (The VPN login itself then becomes the exposed door, so it needs the same lockout and MFA protections as any other login.) 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"948\" height=\"736\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/forticlient-vpn-login-screen.png\" alt=\"A screenshot of the FortiClient VPN login page\" class=\"wp-image-14828\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/forticlient-vpn-login-screen.png 948w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/forticlient-vpn-login-screen-300x233.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/forticlient-vpn-login-screen-768x596.png 768w\" sizes=\"auto, (max-width: 948px) 100vw, 948px\" \/><figcaption class=\"wp-element-caption\">A screenshot of a VPN login screen for remote access.<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-9-manually-change-your-default-ports-to-hide-your-connections\">9. Manually Change Your Default Ports to Hide Your Connections<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Bad guys like easy targets because less time and energy spent means a better return. By moving services such as SSH (port 22) and RDP (port 3389) to non-default ports, you hide them from the mass internet scanners that only probe the usual ports, which cuts the volume of automated guessing your logs fill up with. Be clear about what this buys you, though: a full port scan (or a search engine for exposed services) finds the new port in seconds, so it reduces noise, not the risk from a targeted attacker, and the service still needs strong authentication behind it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Use Secure Password Storage Methods &amp; Implementations<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Figuring out the best way to store passwords is critical for your organization\u2019s security from user and admin perspectives. Here are a few of the ways that you and your employees can help keep your passwords secure.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">10. 
Use a Password Manager<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.newswire.com\/news\/new-research-most-people-have-70-80-passwords-21103705\">NordPass data<\/a> shows the average person juggles between 70 and 80 passwords. If your users have issues remembering their passwords or require many password resets, then this section is for you.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Password managers are a great option for users who want to generate and store complex passwords. These tools store all of your complex passwords and long passphrases in a way that requires you only to remember your master password, so every account can have its own unique, random secret with no reuse. Because a manager fills credentials only on the site they were saved for, it also blunts phishing look-alike pages. It really doesn\u2019t get much easier than that.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">11. Only Store SALTED Password Hashes On Your Servers<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Storing plaintext passwords is a serious security issue on any server, not just public-facing ones, and companies actively try to avoid it. Instead, organizations store users\u2019 password <em>hashes<\/em>, because a digest lets the back end verify a submitted password during authentication without ever holding the plaintext. (A plain hash still isn\u2019t secure enough; it needs a salt and a deliberately slow password hashing function, and we\u2019ll tell you why in a moment.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When users log in to their accounts, the passwords they type are run through a <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-a-hash-function-in-cryptography-a-beginners-guide\/\">one-way function (i.e., a cryptographic hash)<\/a>. The resulting value is then compared, in constant time so the comparison itself doesn\u2019t leak timing information, against the stored digest for that account. If the results match, then the organization knows the user entered the correct password. If not, then the authentication fails and returns an error response to the user. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But a mistake that companies do make is storing encrypted passwords or unsalted password hashes. Even if plaintext passwords are encrypted or simply hashed without a salt, they\u2019re still at risk: a misconfigured database, a backup left exposed, or an SQL injection flaw in the application can leak the whole table.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If bad guys get their hands on your decryption key (which often sits on the same server as the data), then your encrypted data is no longer secure. They can use that key to decrypt your customers\u2019 password data and see the plaintext values.<\/li>\n\n\n\n<li>Hash digests can\u2019t be reversed, but they don\u2019t have to be: attackers guess instead, hashing candidate passwords and comparing the results. With unsalted hashes that work is done once for every user at the same time, whether through precomputed rainbow tables or a single pass over a breach wordlist, and every user who picked the same password shares the same digest.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This is why the best course of action is to store only <strong><em>salted password hashes<\/em><\/strong>, computed with a deliberately slow password hashing function. Why slow? Because even a salted SHA-256 can be guessed at billions of candidates per second on a GPU. NIST SP 800-63B therefore requires a suitable key derivation function (it names PBKDF2 and Balloon; Argon2id, scrypt and bcrypt are the other common choices) with a high work factor, which turns each guess from nanoseconds into tens of milliseconds. And the salt? A salt is a unique, random value (16 bytes from a cryptographic random number generator is typical) that is stored alongside the hash and mixed into the input before hashing, so each stored password gets its own hash value. 
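<\/p>

<p class=\"wp-block-paragraph\">Here is the verification flow and the salted, slow hashing just described, as an added Python example written for this page (not code from the original article). It uses only the standard library: <code>hashlib.pbkdf2_hmac<\/code> is chosen because it ships with every Python build; Argon2id or scrypt are preferable where available and use the same salt handling. The record format, the iteration count and the sample passwords are assumptions made for the example.<\/p>

```python
# Added example (not from the original article): salted, deliberately slow
# password hashing and constant-time verification, standard library only.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # OWASP's current recommendation for PBKDF2-HMAC-SHA256
SALT_BYTES = 16        # 128-bit random salt, unique per stored password
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex.

    Storing the parameters with the hash lets you raise ITERATIONS later and
    re-hash users transparently at their next successful login.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh CSPRNG salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "%s$%d$%s$%s" % (ALGO, ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters, then compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != ALGO:
        raise ValueError("unsupported hash record")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def same_password_two_users(password: str) -> bool:
    """Two users pick the same password: the salts differ, so the records differ,
    yet both still verify. Returns True when that is what happened."""
    record_a = hash_password(password)
    record_b = hash_password(password)
    return (record_a != record_b
            and verify_password(password, record_a)
            and verify_password(password, record_b))


def unsalted_sha256(password: str) -> str:
    """The anti-pattern for contrast: fast and unsalted. Every user with this
    password shares one digest, and a precomputed table or GPU cracks it fast."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()
```

<p class=\"wp-block-paragraph\">Tune <code>ITERATIONS<\/code> so one hash takes on the order of 100 ms on your login servers: that is invisible to a user logging in once, but it caps an attacker who has stolen the table at roughly ten guesses per second per core instead of billions.<\/p>

<p class=\"wp-block-paragraph\">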
So, even if two individual users use identical passwords, the unique salt values alter the hash inputs individually so the resulting password hashes are unique.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here\u2019s an example of how this process looks from our article on <a href=\"https:\/\/www.thesslstore.com\/blog\/password-security-what-your-organization-needs-to-know\/\">password security<\/a>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"198\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/03\/password-security-salt-password-hashing-1024x198.png\" alt=\"A diagram that showcases how to add a salt to the hashing process\" class=\"wp-image-14265\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/03\/password-security-salt-password-hashing-1024x198.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/03\/password-security-salt-password-hashing-300x58.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/03\/password-security-salt-password-hashing-768x148.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/03\/password-security-salt-password-hashing.png 1353w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-or-better-still-adopt-passwordless-authentication-for-your-business\">&#8230; Or, Better Still, Adopt Passwordless Authentication for Your Business<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/05\/certificate-authentication-passwordless-authentication.png\" alt=\"A client authentication certificate doesn't require you to enter cumbersome and hard-to-remember passwords to authenticate\" class=\"wp-image-14502\" width=\"336\" height=\"340\" 
srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/05\/certificate-authentication-passwordless-authentication.png 665w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/05\/certificate-authentication-passwordless-authentication-297x300.png 297w\" sizes=\"auto, (max-width: 336px) 100vw, 336px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Another way to eliminate the risk of brute force attacks is by eliminating passwords altogether. Passwordless authentication allows your employees to identify themselves and authenticate to access your secure resources. Some methods of passwordless authentication include:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">12. Require the Use of Multi-Factor Authentication<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Traditional multi-factor authentication (MFA) typically offers three categories of identifying factors to choose from for authentication:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>something you know (like a password or PIN),<\/li>\n\n\n\n<li>something you have (like a key fob, token, or CAC), and<\/li>\n\n\n\n<li>something you are (biometrics such as a facial scan or fingerprint).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Traditionally, the \u201csomething you know\u201d factor is almost always a password. But in passwordless MFA, a password is replaced with an alternate (ideally more secure) different factor. 
Some types of MFA even include other verification factors like <em>somewhere you are<\/em> (geolocation data) and <em>something you do<\/em> (behavioral patterns that are observed and logged using AI).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"559\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/sitelock-dashboard-configure-2fa-by-page-1024x559.png\" alt=\"A brute force attack prevention graphic: a SiteLock dashboard screenshot that showcases how to set two-factor authentication for specific pages\" class=\"wp-image-14829\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/sitelock-dashboard-configure-2fa-by-page-1024x559.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/sitelock-dashboard-configure-2fa-by-page-300x164.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/sitelock-dashboard-configure-2fa-by-page-768x419.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/sitelock-dashboard-configure-2fa-by-page-1536x838.png 1536w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/sitelock-dashboard-configure-2fa-by-page-2048x1118.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">A screenshot of how you can configure a page to use two-factor authentication in the SiteLock dashboard. Image courtesy of Logan Kipp, Director of Sales Engineering at <a href=\"https:\/\/www.sitelock.com\/\">SiteLock<\/a>.<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">13. Adopt PKI-Based Authentication<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">As we\u2019ve discovered, users often don\u2019t use passwords that are secure enough to make them a viable stand-alone security measure. 
And since many MFA methods use a password as one of the first authentication factors, MFA alone doesn\u2019t always mitigate the issue. This is why some companies instead use alternative authentication methods that rely on public key cryptography.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Certificate-Based Authentication<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">Certificate-based authentication is another method of passwordless authentication we\u2019ve talked about before. It allows a user to authenticate automatically using a digital certificate and its corresponding cryptographic key that are stored on their device. The user\u2019s identity is tied to that certificate, so when implemented with proper access controls, the user can access any sites, web apps or other IT systems their user profile has permissions for from that device.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When they open their web browser, the server or application they\u2019re connecting to requests that client certificate as an additional component of the traditional connection process. This digital certificate allows the user on that device to access resources without ever having to remember or type in a password.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When paired with a trusted platform module (TPM), this authentication method becomes even more secure. This tamper-resistant security hardware helps ensure that no one can steal or alter the user\u2019s cryptographic keys.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">SSH Key-Based Authentication<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">This authentication option is a bit more niche, as it typically applies to admin accounts rather than general users. (Admins commonly use SSH for remote system access and management of networks and other IT systems.) 
But, still, it\u2019s something worth mentioning in this type of article.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SSH authentication typically involves a user manually entering their login credentials or using an SSH key to authenticate automatically. Since we\u2019re talking about <em>passwordless<\/em> authentication methods in this section, the first method doesn\u2019t really apply. A key-based authentication method is more secure because SSH keys are brute force attack resistant (provided you take the appropriate steps to keep your keys secure and properly manage them).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To learn more about SSH keys and explore some <a href=\"https:\/\/www.thesslstore.com\/blog\/14-ssh-key-management-best-practices-you-need-to-know\/\">SSH key management best practices<\/a>, be sure to check out our related article that addresses that topic.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Secure Your Human Firewall By Making Employees Tougher Targets<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">I\u2019ve said this before, but your employees and other users can either be your organization\u2019s greatest defense or its biggest weakness when it comes to security. The difference lies in their cyber awareness and their ability to apply what they know in real-life situations.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is where cyber awareness and phishing training can help.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">14. 
Provide Mandatory Cyber Awareness Training<\/h4>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/brute-force-attack-prevention-cyber-awareness-training.png\" alt=\"An illustration of someone teaching cyber awareness training\" class=\"wp-image-14823\" width=\"480\" height=\"449\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/brute-force-attack-prevention-cyber-awareness-training.png 657w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/brute-force-attack-prevention-cyber-awareness-training-300x281.png 300w\" sizes=\"auto, (max-width: 480px) 100vw, 480px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">This should be a no-brainer, but since many companies still don\u2019t offer some type of cyber awareness training, it\u2019s worth mentioning. Cyber awareness training is an invaluable tool that helps users learn about real-world threats and how to respond to them. Your training sessions should cover everything from common phishing scams and social engineering tactics to what your employees should do if they encounter something suspicious or unusual.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One important note: be sure to use real examples in your training. Honestly, examples of phishing emails shouldn\u2019t be hard to come by \u2014 just take a look at your email junk and trash folders. But sharing real-world examples of phishing emails and screenshots of fake websites found in the wild can make the difference between adequate training materials and really great ones.<\/p>\n\n\n\n\n\n<p class=\"wp-block-paragraph\">But in addition to holding face-to-face or online training sessions, you can take employee training a step further with testing. This leads us to our next point\u2026<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">15. 
Carry out Cyber Attack and Phishing Tests or Simulations<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">An easy way to gauge the effectiveness of your cyber awareness and phishing training is to set up tests. This method helps you to see what training has been effective and identify areas where employees are struggling to apply their knowledge.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One such example is to send fake spam emails to your employees (without their knowledge) to see who:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Opens any of the emails,<\/li>\n\n\n\n<li>Clicks on any of the messages\u2019 links, or<\/li>\n\n\n\n<li>Reports the messages as spam.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">You can use all of this data to figure out what areas of knowledge may be lacking to provide additional training. It also may help you identify new areas of opportunity for future training sessions or modules.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Final Thoughts on Brute Force Attack Prevention<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Brute force attacks aren\u2019t new and they\u2019re certainly not going anywhere anytime soon. The truth is that cyber threats are continually changing, and your organization\u2019s defenses must evolve to meet them head on.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Cybercriminals know that no technology is 100% secure and they continually try to find new ways to circumvent your organization\u2019s security measures. This is why every company must actively take steps to update and improve their cyber defenses to counteract these malicious efforts. 
We hope some of these brute force attack prevention techniques help guide you on the road to making your organization more secure.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Whether it\u2019s understanding how to stop a brute force attack on your server or how to prevent brute force attacks in general, there are several key things you can do&#8230;<\/p>\n","protected":false},"author":17,"featured_media":14822,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16,10200],"tags":[13124,13130],"class_list":["post-14821","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","category-monthly-digest","tag-brute-force-attack","tag-brute-force-attack-prevention","post-with-tags"],"views":26496,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/07\/brute-force-attack-prevention-feature.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/14821","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=14821"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/14821\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/14822"}],"wp:attachment":[{"href":"https:\/\/www.
thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=14821"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=14821"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=14821"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}