Brute Force Attacks

Akash Chatterjee
3 min read · Oct 31, 2020

BRUTE FORCE

A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works. If your web site requires user authentication, you are a good target for a brute-force attack.

Ways to prevent a brute force attack.

· Limit failed login attempts

· Make the root user inaccessible via SSH by editing the sshd_config file

· Don’t use the default port; edit the Port line in your sshd_config file

· Use Captcha

· Limit logins to a specified IP address or range

· Two-factor authentication

· Unique login URLs

· Monitor server logs
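As an added illustration of the last item, monitoring server logs, here is a small Python script written for this post (not part of the original article) that scans sshd authentication log lines for failed password attempts and reports the source addresses whose failure count reaches a threshold. The log lines are constructed samples in the usual syslog format, and the threshold of 3 is an assumed value.

```python
import re
from collections import defaultdict

# Matches sshd's "Failed password" line, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log lines (not from a real host).
SAMPLE_LOG = [
    "Oct 31 12:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Oct 31 12:00:02 host sshd[1235]: Failed password for root from 203.0.113.5 port 51235 ssh2",
    "Oct 31 12:00:03 host sshd[1236]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Oct 31 12:00:04 host sshd[1237]: Failed password for invalid user test from 203.0.113.5 port 51237 ssh2",
    "Oct 31 12:00:05 host sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2",
    "Oct 31 12:00:09 host sshd[1241]: Failed password for alice from 198.51.100.7 port 40001 ssh2",
]


def summarize_failed_logins(lines):
    """Return {ip: (failure_count, sorted usernames tried)} for every source with a failure."""
    per_ip = defaultdict(lambda: [0, set()])
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        entry = per_ip[m.group("ip")]
        entry[0] += 1
        entry[1].add(m.group("user"))
    return {ip: (count, sorted(users)) for ip, (count, users) in per_ip.items()}


def suspected_brute_force(lines, threshold=3):
    """Source addresses whose failure count reaches the (assumed) threshold."""
    summary = summarize_failed_logins(lines)
    return sorted(ip for ip, (count, _) in summary.items() if count >= threshold)


if __name__ == "__main__":
    for ip, (count, users) in summarize_failed_logins(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures, users tried: {', '.join(users)}")
    print("suspected brute force from:", suspected_brute_force(SAMPLE_LOG))
```

A single address trying several usernames in quick succession is the pattern worth alerting on; a real monitor would also bucket the failures into a time window and feed the result to a blocklist or to the lockout logic described further down.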

Locking Accounts

The most obvious way to block brute-force attacks is to simply lock out accounts after a defined number of incorrect password attempts. Account lockouts can last a specific duration, such as one hour, or the accounts could remain locked until manually unlocked by an administrator. For example, after 3 unsuccessful logins the user account is suspended for 1 hour, in the same way that a bank account is suspended for 1 day after 3 failed logins.

Device Cookies

You may also consider locking out authentication attempts from known and unknown browsers or devices separately. The proposal Slow Down Online Guessing Attacks with Device Cookies describes a lockout protocol based on whether a specific browser has already been used for a successful login.

Using CAPTCHAS

A completely automated public Turing test to tell computers and humans apart, or CAPTCHA, is a program that allows you to distinguish between humans and computers. For a CAPTCHA to be effective, humans must be able to answer the test correctly as close to 100 percent of the time as possible. Computers must fail as close to 100 percent of the time as possible.

If you are developing your own CAPTCHA, keep in mind that it is not how hard the question is that matters; it is how likely it is that a computer will get the correct answer. I once saw a CAPTCHA that presents the user with a picture of three zebras, with a multiple-choice question asking how many zebras were in the picture. To answer the question, you click one of three buttons. On the other hand, some sites use a CAPTCHA that just asks you to type 123456; that kind is trivial to defeat.

A simple CAPTCHA may still be effective against brute-force attacks. When you combine the chance of an attacker sending a correct username and password guess with the chance of guessing the CAPTCHA correctly, together with the other techniques described in this post, even a simple CAPTCHA could prove effective.

Other techniques you might want to consider are:

· For advanced users who want to protect their accounts from attack, give them the option to allow login only from certain IP addresses.

· Assign unique login URLs to blocks of users so that not all users can access the site from the same URL.

· Use a CAPTCHA to prevent automated attacks

· Instead of completely locking out an account, place it in a lockdown mode with limited capabilities.

My suggestion is to use reCAPTCHA v3, a Google API that adds a second layer of protection. reCAPTCHA v3 scores each request, so suspicious authentication attempts can be detected and blocked. reCAPTCHA v3 will never interrupt your users, so you can run it whenever you like without affecting conversion. reCAPTCHA works best when it has the most context about interactions with your site, which comes from seeing both legitimate and abusive behavior.

Note: reCAPTCHA tokens expire after two minutes. If you’re protecting an action with reCAPTCHA, make sure to call execute when the user takes the action rather than on page load.
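To show how a server should consume a reCAPTCHA v3 result, including the two-minute token lifetime from the note, here is an added Python example (not Google's code and not from the original post). It posts the client token to the siteverify endpoint and then checks success, the expected action, the hostname, the age of challenge_ts and the score. The sample responses, the example.com hostname, the login action name and the 0.5 score threshold are constructed assumptions.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
TOKEN_LIFETIME = timedelta(minutes=2)   # reCAPTCHA tokens expire after two minutes


def fetch_siteverify(secret: str, token: str, remote_ip: str = None) -> dict:
    """POST the client token to siteverify and return the JSON body (network call)."""
    data = {"secret": secret, "response": token}
    if remote_ip:
        data["remoteip"] = remote_ip
    body = urllib.parse.urlencode(data).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, body, timeout=5) as resp:
        return json.load(resp)


def evaluate_siteverify(result: dict, expected_action: str, expected_hostname: str,
                        now: datetime, min_score: float = 0.5) -> tuple:
    """Decide whether a siteverify result allows the action. Returns (allowed, reason)."""
    if not result.get("success"):
        return False, "siteverify failed: " + ",".join(result.get("error-codes", []))
    if result.get("action") != expected_action:
        return False, "action mismatch"       # token was minted for a different action
    if result.get("hostname") != expected_hostname:
        return False, "hostname mismatch"     # token was minted on a different site
    try:
        issued = datetime.fromisoformat(result["challenge_ts"].replace("Z", "+00:00"))
    except (KeyError, ValueError):
        return False, "missing or malformed challenge_ts"
    if now - issued > TOKEN_LIFETIME:
        return False, "token older than two minutes"
    score = float(result.get("score", 0.0))
    if score < min_score:
        return False, f"score {score} below threshold {min_score}"
    return True, "ok"


# Constructed siteverify responses for offline use (not real API output).
NOW = datetime(2020, 10, 31, 12, 0, 0, tzinfo=timezone.utc)
GOOD = {"success": True, "score": 0.9, "action": "login",
        "challenge_ts": "2020-10-31T11:59:30Z", "hostname": "example.com"}
STALE = {**GOOD, "challenge_ts": "2020-10-31T11:50:00Z"}
LOW = {**GOOD, "score": 0.1}
FAILED = {"success": False, "error-codes": ["timeout-or-duplicate"]}


if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("stale", STALE), ("low", LOW), ("failed", FAILED)]:
        print(name, evaluate_siteverify(sample, "login", "example.com", NOW))
```

Checking the action and hostname matters as much as the score: a token harvested from one page or site must not be accepted for a different, more sensitive action. The low-score branch is where you would fall back to a stronger challenge or the lockdown mode mentioned above rather than rejecting outright.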
