Your website is under constant attack from hackers trying to log into your website? Every website with an admin panel experiences malicious login attempts.
The pace of technology has made it simple to program ways to guess your login and password. Limiting login attempts is not the answer. You need to stop anyone from accessing your admin page if they aren't supposed to be there.
Using a combination of detection methods and whitelisting, the Sucuri Website Firewall is able to stop brute force attempts in their tracks. Whether using bad bots, scanning tools, or semi-manual methods, you can stop unauthorized login attempts on your critical website access points. Save your website users from having credentials stolen and used for malicious purposes. We are able to protect any website against a number of different password cracking tools and methods.
In the hacker community, gaining access is the Holy Grail. With login credentials, attackers are able to achieve huge financial gains through the distribution of spam and malware. They can integrate complex attack sequences which could include various toolkits like the Blackhole Exploit kit. In the process, the cracker brings about damages to your brand, your visitors, and online presence.
The time between a brand new website going live and the first malicious login attempts is a few weeks at most. These login attempts come from automated botnets that are programmed to crawl the internet for websites and locate their login panels using preset conditions. The attacks are not targeted, and are not carried out manually. Once a login panel is found, tools are used to repeatedly guess passwords with the goal of gaining access. These bots work incredibly fast and the crackers that control them have huge amounts of data that help the computer guess more efficiently. Once the bot finds the matching password, the attacker can upload a shell, create new accounts, change passwords, upload malicious payloads, and totally destroy your business.
Due to the potential number of requests being sent, a brute force attack can actually function similarly to a DoS attack, taking many sites down due to high utilization of CPU/memory. The Sucuri Website Firewall prevents this from happening by filtering requests and using caching to speed up your website.
There is often a time delay once access is gained. This makes sense, as it allows for the traffic to die down and for the server logs to disappear, leaving no trace of the attacker. We have seen this too often. Some hosts will only retain up to 7 days of logs, and in some instances no more than 24 hours. This means that if they wait long enough, they can log in whenever they like and website owners are none the wiser. This makes incident handling difficult to achieve.
A very strong password does make it difficult for a brute force attack to be successful, but not impossible. Not only are we humans bad at choosing passwords, but there crackers continue to improve the password guessing game in a number of ways.
With less than one hundred characters on a typical keyboard, a very basic brute force attack will attempt to guess every possible combination of these characters until access is granted. This method works quickly if the password is short, but can be exhausting with longer passwords. To account for longer passwords, a dictionary attack is more common. Instead of guessing all the possible character combinations, it uses lists of common words from dictionaries and literature. The tools that hackers use to perform dictionary attacks are getting smarter and more complex every day.
Many companies have suffered password breaches, and attackers often release lists of passwords for other hackers to take advantage of. It's a trend that promises to continue, meaning that all the most common passwords are easily breakable within seconds. It isn't just the weak passwords, either. The tools used to perform dictionary attacks are highly customizable and the number of word lists have made it almost impossible to ensure that your password is a sufficient lock on your website. Breaches will continue to occur. Hackers look over the password dumps to reveal tricks that savvy people use to make their passwords memorable and strong at the same time.
There are a large selection of password cracking tools available to attackers looking to break into your website. The tools have various attack modes to make the attack efficient, and to cover as much ground as possible. For example, combinator attacks combine existing words from password lists. Mask attacks know how humans design passwords, and try common patterns from word lists. With computers able to guess passwords at hundreds of millions per second, the scary reality is that so-called strong passwords are crackable in under an hour of repeated attempts.
Hackers who steal password databases originally have a list of encrypted passwords. Passwords should never be stored in plain text, but often the same two encryption methods are used (MD5 or SHA1). These algorithms are easily reversed, allowing the attacker to create pre-computed rainbow tables that can match the encrypted output with the plain text password.hash
Most often, brute-force attacks are not targeted, but when they are, it is even more dangerous. Attackers can use information about website adminstrators and users through phishing lures, online profiles, and previous password dumps associated with the user email address. From here, crackers can make custom rule-based attacks that can leave you and your website completely exposed.
This is what it looks like when your web server / website come under a Denial of Service (DoS) attack. What you are seeing here are the various POST / GET requests being sent to your web server from around the world. These are mostly automated bots, not real users. This type of load, depending on your web server could easily crash your web server / website. It all depends on your configuration, are you using a Shared Host? Dedicated host?
The Sucuri Website Firewall protects against brute force and password guessing attempts. Our signatures detect fake browsers and bad bots, and block them automatically. We also have a strong correlation engine that detects brute force attempts and shuts them down without affecting your good users. The ability to detect and repel brute force attacks is fueled by the passionate research of our skilled security operations center.
To protect our clients against these attacks, we employ a solution that uses heuristic and signature based techniques. Incoming traffic is sanitized before reaching your website. If there are patterns matching a brute-force attack we block it before it ever reaches your website.
It isn’t enough just to limit login attempts. Attackers know that over-abusing the login form will draw suspicion through obvious patterns in server logs, built-in limitations, and alerts. With all of the technology available, a target can be pursued over months and even years by only sending a limited number of requests at one time.
When our system detects a specific bot trying to attack your site using a brute force technique, it is blocked automatically. Similarly, the use of automated tools to scan your website are also blocked, helping to keep your website off the radar of attackers in the first place.
You can be certain only you will able to log in to your website. When adding your site to our firewall, we will give you the option of blocking access to your admin pages and only people with whitelisted IPs will be able to login.
To add another layer of protection, you can enable the Protected Page option. You simply specify the page you want to protect, and choose whether to enable two-factor authentication with Google Authenticator, throw up a CAPTCHA to stop bots, or add an additional passcode.
Most brute-force attempts come from a handful of countries. If you aren’t doing business there, you can completely block all visitors from those IP ranges. We even have a button allowing you to block the top three attack countries by default.
