Most network administrators, or any basic server security expert, know that keeping the RDP or Remote Desktop Protocol port open to the Internet or using a weak password leaves the network vulnerable to cyberattack. In this post we are going to discuss such tips and see how to do it Block brute force attacks At Windows Server.
What is a brute force attack?
Brute Force Attacks is basically hit-and-trial and is one of the least sophisticated hacking techniques. The hacker makes several attempts to guess your password and eventually finds the right one. But these are no less dangerous than the hacking techniques you see in movies. Just remember, a large number of hackers tried to guess your password. So if your password is weak or if you do nothing to block these attacks, you are vulnerable to data theft, loss of access to your network, and more.
Block brute force attacks on Windows Server
If you want to prevent or block brute force attacks on Windows Server, the following tips are for you.
- Use a strong password
- Limit failed login attempts
- Protect root account
- Change your port
- Activate CAPTCHA
- Use two-factor authentication
- Install EvlWatcher
Let’s talk about them in detail.
1]Use a strong password
First and foremost, when you set up your account, you need to make sure that you are using a strong password. It’s pretty self-explanatory, if the attackers try to guess your password, don’t give them any clue about your username or password. You should make sure that your username does not contain any clues about your password. Your password should not be associated with you or any other publicly available information about your company.
Read: How to adjust the password policy in Windows.
2]Limit failed login attempts
As you may already know how the brute force attacks work. So there will be a lot of unsuccessful attempts. By limiting failed login attempts, you can be sure that the attack will not be successful.
You can also use the ‘Account lockouts with progressive delays‘ Specialty. This way, after a few unsuccessful attempts, your account will be locked for a period of time, which will make life a lot easier for the network administrator.
Read: How to limit the number of attempts to log on to Windows.
3]Protect root account
The root account on a physical or virtual network is of paramount importance. It’s like the king in a game of chess. You have to make sure that it is not accessible. You can do this by using the sshd_config File and place the ‘Deny root users’ and ‘PermitRootLogin no’ Options.
Read: Harden Windows Login Password Policy and Account Lockout Policy.
4]Change your port
In most of the cases, the attacker tries to attack port number 22 as this is the default port. So you need to change the port that you want the SSHD to run on. To do this, go to the sshd_config File and use a non-standard port.
Read: Password spray attack definition and self-defense
The brute force attack can be prevented by using the CAPTCHA. It’s a great way to delay or stop the process entirely if the attack is being carried out by a robot or an AI. In some cases, the attacker breaks the CAPTCHA using some tools. However, not all attackers are equipped with this tool, so you should configure this feature. Keep in mind, however, that CAPTCHAs are not really easy to use and can affect the user experience.
Read: What is a credential stuffing attack?
6]Use two-factor authentication
Many large companies like Google and Microsoft use 2-factor authentication to protect their servers from many different types of attack, and brute force attacks are one of them. You can also use this security measure and secure your server.
Read: How attackers can bypass two-factor authentication.
EvlWatcher is a great tool for stopping brute force attacks. It keeps an eye on your server logs and checks to see if there have been a number of unsuccessful attempts with a particular IP or IPs. It then blocks this very IP for 2 hours, which slows down the pace of these attacks. You can even configure the application if you want to make exceptions or increase or decrease the block time. You can download EvlWatcher from github.com.
Read: Ransomware attacks, definition, examples, protection, removal.
How can I tell if my server is exposed to brute force attacks?
If you want to know whether or not your computer has been subjected to a brute force attack, you should check your server logs. If you see multiple failed attempts, you are under a brute force attack. If there are a lot of failed attempts at a single IP address or even multiple IPs in a given period of time, you should immediately check your client IPs and if you discover that those IPs are from attackers, block them.
I hope you find it useful.
Continue reading: Microsoft Assessment and Planning Toolkit: Identify Security Gaps.