How to Protect Windows and Linux Ubuntu Servers from Brute Force Attacks


In my previous article, we discussed a general overview of brute force attacks. Here I want to add more detail on how to set up password policies, account lockout policies and a restriction on root SSH login, and how to check that your internet browser only negotiates current SSL/TLS protocol versions, so that you have some basic protection in place.


Brute Force Attack Protection for Windows

✔️Use Strong and Unique Passwords/ Password Policies

Following the NIST framework's password guidelines, it is good practice to strengthen the password policy with the following rules:

  • The password must be at least 14 characters long.

  • The password must contain upper- and lower-case letters.

  • The password must contain a number.

  • The password must contain a non-alphanumeric character.

  • The password must be made up of random words/passphrases.

[ Implementation ]

  1. Type Local Group Policy in the search bar and go to Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy.

  2. Set the minimum password length to 14 characters and save.

  3. Double-check that Password must meet complexity requirements is set to Enabled (this is the default). If it is not, change it to Enabled.

✔️Limit Login Attempts/ Account Lockout Policies

Enforce an account lockout after a set number of failed attempts by configuring the following policies.

[ Implementation ]

  1. Type Local Group Policy in the search bar and go to Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.

  2. Set Account lockout threshold to 10 invalid logon attempts, and set both Account lockout duration and Reset account lockout counter after to 30 minutes, as Microsoft's best-practice guidance suggests. This caps how many guesses can be made against an account before it locks, which effectively blunts brute force and other external malicious login attempts.

✔️Enforce Secure, Encrypted Connections for Internet Browsers

Use SSL/TLS certificates so that website connections run over HTTPS, and put remote workers behind a VPN so that remote desktop services are not exposed to brute force attacks directly from the internet. Since the TLS 1.0 and 1.1 protocols are no longer supported by newer versions of Windows, TLS 1.2 and above should be enabled.

[ Implementation ]

Microsoft Edge/Internet Explorer

  1. From the Start Menu, type Internet Options to open the control panel.

  2. Click the Advanced tab and scroll down to the Security category.

  3. Manually check the option box for Use TLS 1.2 and Use TLS 1.3.

  4. Un-check the option box for Use TLS 1.1 and Use TLS 1.0.

  5. Click OK and close it.

  6. Restart Microsoft Edge/Internet Explorer browser.

Google Chrome

  1. Open the Chrome browser and enter chrome://flags in the address bar.

  2. Type TLS 1.3 in the search flags box to see the available options.

  3. Enable TLS 1.3 Early Data and TLS 1.3 hybridized Kyber support.

  4. Relaunch the Google Chrome browser.


Brute Force Attack Protection for Linux Ubuntu

✔️Use Strong and Unique Passwords/ Set Password Policy

We will be configuring the password length and the password complexity for Ubuntu.

The Pluggable Authentication Modules (PAM) are installed by default in DEB-based systems. Usually, the password and authentication-related configuration files are stored in /etc/pam.d/ directory in Debian-based systems and the password policies are defined in /etc/pam.d/common-password file.

[Implementation - Password length]

  1. Before making changes, run this command to backup just in case:

     $ sudo cp /etc/pam.d/common-password /etc/pam.d/common-password.bak
    
  2. To set the minimum password length, edit the /etc/pam.d/common-password file:

     $ sudo nano /etc/pam.d/common-password
    
  3. Find the following line:

     password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
    
  4. Add the option minlen=14 at the end of that line to set the minimum password length to 14.

  5. The line should now look like this:

     password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt minlen=14

  6. Press Ctrl+X to exit, then enter Y and press Enter again to save the changes to this file.

[ Implementation - Password complexity ]

This setting enforces how many character classes (upper-case letters, lower-case letters, digits and other characters) a password must contain.

  1. First, install the password quality checking library using the command:

     $ sudo apt install libpam-pwquality
    
  2. Then, edit the /etc/pam.d/common-password file:

     $ sudo nano /etc/pam.d/common-password
    
  3. To require at least one upper-case letter, one lower-case letter, one digit and one other character, add the following options at the end of the pam_pwquality.so line (installing libpam-pwquality adds this line to common-password). A negative credit value is a minimum count for that character class:

    • ucredit=-1 (for upper-case letters)

    • lcredit=-1 (for lower-case letters)

    • dcredit=-1 (for digits)

    • ocredit=-1 (for other characters)

     The line should look like this:

     password    requisite   pam_pwquality.so retry=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1

  4. Press Ctrl+X to exit, then enter Y and press Enter again to save the changes to this file.
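The two common-password edits above (minlen on the pam_unix.so line, credits on the pam_pwquality.so line) can be scripted so they are repeatable and verified. This is an added example, not code from the original article: each function takes the file path as an argument so you can try it on a copy first, and the apply wrapper at the bottom is an assumed way of invoking them.

```shell
#!/bin/sh
# Added example, not from the original article: apply minlen=14 and the
# pam_pwquality credit options to a common-password file, then verify them.
# Functions take the file path as an argument so they can be run on a copy.
set -eu

# Append minlen=14 to the pam_unix.so password line unless minlen is already set there.
pam_set_minlen() {                # usage: pam_set_minlen FILE
  if ! grep -Eq '^password.*pam_unix\.so.*[[:space:]]minlen=' "$1"; then
    sed -i -E '/^password.*pam_unix\.so/ s/$/ minlen=14/' "$1"
  fi
}

# Append each credit option to the pam_pwquality.so line unless that option is
# already present. A negative credit is a minimum count for that character class.
pam_set_credits() {               # usage: pam_set_credits FILE
  for opt in ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1; do
    if ! grep -Eq "^password.*pam_pwquality\.so.*[[:space:]]${opt%%=*}=" "$1"; then
      sed -i -E "/^password.*pam_pwquality\.so/ s/\$/ ${opt}/" "$1"
    fi
  done
}

# Return 0 only if both lines carry exactly the intended settings.
pam_check() {                     # usage: pam_check FILE
  grep -Eq '^password.*pam_unix\.so.*[[:space:]]minlen=14([[:space:]]|$)' "$1" || return 1
  for opt in ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1; do
    grep -Eq "^password.*pam_pwquality\.so.*[[:space:]]${opt}([[:space:]]|\$)" "$1" || return 1
  done
}

# Assumed invocation: sudo sh pam-policy.sh /etc/pam.d/common-password
# Backs up the file first, as the article does, then applies and verifies.
if [ -n "${1:-}" ]; then
  cp "$1" "$1.bak"
  pam_set_minlen "$1"
  pam_set_credits "$1"
  pam_check "$1" && echo "password policy applied to $1"
fi
```

Running it twice leaves the file unchanged, so it is safe to re-run after a pam-auth-update.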

✔️Restrict Root SSH Logins

Restrict root user access via SSH by setting the PermitRootLogin directive to no, so that attackers cannot brute force the root password over SSH (root is an account name every attacker already knows, so it needs no guessing).

[ Implementation ]

  1. Enable SSH by installing OpenSSH:

     sudo apt update
     sudo apt install openssh-server -y
    
  2. Open the SSH configuration file with a text editor:

     sudo nano /etc/ssh/sshd_config
    
  3. Find the line with #PermitRootLogin under the Authentication section and change it to PermitRootLogin no (remove the hash).

  4. Press Ctrl+X to exit, then enter Y and press Enter again to save the changes to this file.

  5. Restart the SSH service (on Ubuntu the unit is named ssh; sshd is an alias for it):

     sudo systemctl restart ssh
    
  6. From now on, any attempt to SSH to the server with the root account will be automatically denied.
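An added verification step, not from the original article: before restarting, confirm that PermitRootLogin no is the value sshd will actually use. sshd -T prints the effective configuration after resolving every Include, which matters on Ubuntu releases whose sshd_config includes /etc/ssh/sshd_config.d/*.conf at the top, because sshd keeps the first value it reads and a drop-in there overrides the main file. The function names and the --apply wrapper are my own.

```shell
#!/bin/sh
# Added example, not from the original article: check the effective
# PermitRootLogin value (as reported by `sshd -T`) before restarting sshd.
set -eu

# Print the effective value of one keyword from captured `sshd -T` output,
# which is lower-cased "keyword value" lines. Taking the output as text keeps
# the helper checkable without running sshd.
sshd_effective() {               # usage: sshd_effective "<sshd -T output>" keyword
  printf '%s\n' "$1" | awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }'
}

# Succeed only when the effective PermitRootLogin is exactly "no".
root_login_disabled() {          # usage: root_login_disabled "<sshd -T output>"
  [ "$(sshd_effective "$1" permitrootlogin)" = "no" ]
}

# List every PermitRootLogin directive across the main file and any drop-ins,
# prefixed with the file name, so a line that re-enables root login is not missed.
permit_root_lines() {            # usage: permit_root_lines FILE...
  grep -HiE '^[[:space:]]*PermitRootLogin[[:space:]]' "$@" 2>/dev/null || true
}

# Live check on this host (run as root): syntax-check the config, verify the
# effective value, and only then restart the service (unit "ssh" on Ubuntu).
if [ "${1:-}" = "--apply" ]; then
  sshd -t
  if ! root_login_disabled "$(sshd -T)"; then
    echo "PermitRootLogin is not 'no'; directives found:" >&2
    permit_root_lines /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf >&2
    exit 1
  fi
  systemctl restart ssh
fi
```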

✔️Enforce Secure, Encrypted Connections for Internet Browsers

As on Windows, browsers on your Linux machines should only negotiate TLS 1.2 and above; the Firefox steps below set that as the minimum protocol version.

[ Implementation ]

Mozilla Firefox

  1. Open Firefox browser and type about:config to open options.

  2. In the Search field, enter tls.

  3. Find and double-click the entry for security.tls.version.max.

  4. Set the integer value to 4.

  5. Find and double-click the entry for security.tls.version.min.

  6. Set the integer value to 3, which makes TLS 1.2 the lowest version Firefox will accept (Firefox maps 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3).

  7. Click OK, close the browser and restart Firefox.


So that's it! These are some quick and effective exercises for your Windows and Linux Ubuntu servers. There are many useful software options available that offer additional protection, such as firewalls, malware detection, and multi-factor authentication. These add more layers and complexity to your operating systems and networks. However, the implementations mentioned here can be done internally without needing extra software.

They are what we suggest to our clients for improvement, and I hope you find them quick and easy to set up on your machines as well!🖖


Support Ketty C. by becoming a sponsor. Any amount is appreciated!