How To Protect Your Webserver From Brute Force Attacks

In computer security, a brute force attack is a way to gain access to a remote server’s resources by trying multiple combinations of logon names and passwords until a valid one is found. Most of the time, this type of attack is performed by a script which uses a list of the most common-known usernames and passwords. The script tries to authenticate itself against a remote service like FTP, POP3 or SSH.

RFX Networks provides a free set of tools that provide protection against brute force attacks: APF and BFD.

Advanced Policy Firewall (APF)

This tool works in conjunction with iptables in order to allow or block access to some remote IP addresses. You can get more information about Advanced Policy Firewall at http://www.rfxnetworks.com/apf.php.

Brute Force Detection (BFD)

Triggered automatically by the cron daemon (every 10 minutes by default), BFD scans your webserver’s log files to find any repeated failed access attempts from the same remote host. If such an attack is found, BFD invokes APF in order to block the attacker’s IP address.

More information on BFD is available at http://www.rfxnetworks.com/bfd.php.

How To Install APF & BFD

Here’s a quick and dirty guide on how to install Advanced Policy Firewall and Brute Force Detection:

1. Download APF and BFD

# wget http://www.r-fx.ca/downloads/apf-current.tar.gz
# wget http://www.r-fx.ca/downloads/bfd-current.tar.gz

2. Extract all files from both archives

# tar xvzf apf-current.tar.gz
# tar xvzf bfd-current.tar.gz

3. Launch the APF installation script

# cd apf-[current version]
# ./install.sh

4. Execute the BFD installation script

# cd ../bfd-[current version]
# ./install.sh

5. Add your workstation’s IP address to the allowed hosts list

# apf -a [ip address]

6. Make sure that a cron task has been added in /etc/cron.d in order to trigger BFD every 10 minutes.

Over time, the blocked host file may grow significantly and this may alter your webserver’s performance. This may also slow down your server’s boot time as a reverse lookup is performed on each blocked IP address. To clean up your denied host list, simply edit /etc/apf/deny_hosts.rules and remove the oldest entries. When done, save the file and issue apf -r to flush and reload firewall rules.

Bookmark It