Preventing distributed password cracking attack

From: Brennan Cheung (ga972@yahoo.com)
Date: 04/09/03


From: ga972@yahoo.com (Brennan Cheung)
Date: 8 Apr 2003 22:53:15 -0700

Hello,

I am running a web server that is frequently under attack by password
crackers. I am trying to gain a better understanding of how they are
attacking my site as well as how to prevent them from doing so.

I am running Apache on a Linux box and am using the normal .htpasswd
authorization to validate users.

Every now and then (usually 2-3 times a week from what I can tell) I
am hit by a massive password hacking attempt where they attempt at
least 30 logins per second.

I can understand using a password cracking program that can attempt
multiple logins and I have countermeasures that block an IP after a
certain number of bad attempts within a certain time period. The
problem is that, just recently, I had an attack come from 605 (yes,
six hundred five) different IP addresses in a 1-minute window.

Are these machines actually hijacked machines or are they proxy
servers? Is there any way of finding out who is responsible for these
attacks? What are they using to carry out such an attack and is there
a way to secure my site against it?

Any help would be greatly appreciated. These attacks are slowing down
my site quite significantly.

Thanks in advance.
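
Added example, not part of the original post: a per-IP block like the one described above does not trigger when each of several hundred addresses sends only a few attempts, so the check has to aggregate 401 responses across all sources per time window. The code below does that over Apache access-log lines; the log lines, thresholds, path and function names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format: host ident user [time] "request" status size
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) ')

def failed_logins(lines):
    """Yield (minute, ip, user) for every request answered with 401."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(4) == "401":
            ts = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z")
            yield ts.replace(second=0), m.group(1), m.group(2)

def distributed_windows(lines, per_ip_limit=5, min_sources=3, min_failures=6):
    """Flag minutes where many sources each stay below the per-IP block
    threshold while the combined failure count is high.
    All three thresholds are assumed values; tune them to the site."""
    per_minute = defaultdict(lambda: defaultdict(int))
    users = defaultdict(set)
    for minute, ip, user in failed_logins(lines):
        per_minute[minute][ip] += 1
        users[minute].add(user)
    flagged = []
    for minute in sorted(per_minute):
        quiet = {ip: n for ip, n in per_minute[minute].items() if n < per_ip_limit}
        if len(quiet) >= min_sources and sum(quiet.values()) >= min_failures:
            flagged.append({
                "minute": minute.strftime("%Y-%m-%d %H:%M"),
                "sources_below_limit": len(quiet),
                "failures": sum(quiet.values()),
                "usernames_tried": len(users[minute]),
            })
    return flagged

# Constructed sample: eight documentation-range addresses, one failure each
# within the same minute, followed by one ordinary user mistyping a password.
SAMPLE = [
    f'192.0.2.{i} - user{i} [08/Apr/2003:22:53:{i:02d} -0700] '
    f'"GET /members/ HTTP/1.0" 401 401'
    for i in range(1, 9)
] + [
    '198.51.100.7 - alice [08/Apr/2003:22:55:01 -0700] "GET /members/ HTTP/1.0" 401 401',
    '198.51.100.7 - alice [08/Apr/2003:22:55:09 -0700] "GET /members/ HTTP/1.0" 200 5120',
]

if __name__ == "__main__":
    for window in distributed_windows(SAMPLE):
        print(window)
```

A flagged window is a signal to apply a site-wide response for that period (for example, throttling all authentication attempts) rather than relying on per-address counters alone.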


