In my previous article, we discussed a general overview of brute force attacks. Here I want to add more detail on how to set up password policies and lockout policies, restrict root SSH login, and check that your internet browser only uses current SSL/TLS protocol versions, so that you have some basic protection in place.
Brute Force Attack Protection for Windows
✔️Use Strong and Unique Passwords/ Password Policies
Following the NIST framework’s password guidelines, it is a good practice to enhance the password policy with the following rules:
The password must be at least 14 characters long.
The password must contain upper- and lower-case letters.
The password must contain a number.
The password must contain a non-alphanumeric character.
The password must be made up of random words/passphrases.
[ Implementation ]
Type Local Group Policy in the search bar and go to Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy.
Set the minimum password length to 14 characters and save.
Double-check that Password must meet complexity requirements is enabled as a default setting. If not, update it to enabled.
✔️Limit Login Attempts/ Account Lockout Policies
Enforce account lockout after a certain number of failed attempts by setting up the policies.
[ Implementation ]
Type Local Group Policy in the search bar and go to Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.
Set the Account lockout threshold to 10 attempts, along with 30 minutes for both Account lockout duration and Reset the account lockout counter after, as Microsoft's best practices suggest. This is what makes the policy effective against brute force attacks and other external malicious login attempts.
✔️Enforce Secure, Encrypted Connections for Internet Browsers
Use SSL/TLS certificates to secure website connections over HTTPS, and VPNs for remote workers, to protect against brute force attacks targeting remote desktop protocols. Since the TLS 1.0 and 1.1 protocols are no longer supported by newer versions of Windows, TLS 1.2 and above should be enabled.
[ Implementation ]
Microsoft Edge/Internet Explorer
From the Start Menu, type Internet Options to open the control panel.
Click the Advanced tab and scroll down to the Security category.
Manually check the option boxes for Use TLS 1.2 and Use TLS 1.3.
Un-check the option boxes for Use TLS 1.1 and Use TLS 1.0.
Click OK and close it. Restart the Microsoft Edge/Internet Explorer browser.
Google Chrome
Open the Chrome browser and enter chrome://flags in the address bar.
Type TLS 1.3 in the search flags box to see the available options.
Enable TLS 1.3 Early Data and TLS 1.3 hybridized Kyber support.
Relaunch the Google Chrome browser.
Brute Force Attack Protection for Linux Ubuntu
✔️Use Strong and Unique Passwords/ Set Password Policy
We will be configuring the password length and the password complexity for Ubuntu.
The Pluggable Authentication Modules (PAM) are installed by default on DEB-based systems. The password and authentication-related configuration files are stored in the /etc/pam.d/ directory on Debian-based systems, and the password policies are defined in the /etc/pam.d/common-password file.
[ Implementation - Password length ]
Before making changes, run this command to back up the file, just in case:
$ sudo cp /etc/pam.d/common-password /etc/pam.d/common-password.bak
To set the minimum password length, edit the /etc/pam.d/common-password file:
$ sudo nano /etc/pam.d/common-password
Find the following line:
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
Add an extra option, minlen=14, at the end to set the minimum password length to 14. The line should now look like this:
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt minlen=14
Press Ctrl+X to exit, then enter Y and hit Enter again to save the changes to this file.
[ Implementation - Password complexity ]
This setting enforces how many character classes, i.e. upper-case, lower-case, and other characters, must be present in a password.
First, install the password quality checking library using the command:
$ sudo apt install libpam-pwquality
Then, edit the /etc/pam.d/common-password file:
$ sudo nano /etc/pam.d/common-password
To require at least one upper-case letter, one lower-case letter, and one other character in the password, add the following options at the end of the pam_pwquality.so line:
ucredit=-1 (for upper-case)
lcredit=-1 (for lower-case; note that dcredit controls digits, not lower-case letters)
ocredit=-1 (for other characters)
The line should look like this:
password requisite pam_pwquality.so retry=3 ucredit=-1 lcredit=-1 ocredit=-1
Press Ctrl+X to exit, then enter Y and press Enter again to save the changes to this file.
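The two common-password changes above can be applied and verified from a script instead of by hand. The following is an added example, not code from the original article: it runs against a constructed copy of the file so you can dry-run it before touching /etc/pam.d/common-password, and the function names (write_sample, ensure_option, harden_pam, check_pam) are mine.

```shell
#!/usr/bin/env bash
# Added example: apply and verify the common-password settings from the article
# on a copy of the file. Function names are mine; the sample file is constructed.
set -eu

# write_sample FILE: constructed Ubuntu common-password as it looks after
# "apt install libpam-pwquality" (pam-auth-update adds the pam_pwquality line).
write_sample() {
  printf 'password\trequisite\t\t\tpam_pwquality.so retry=3\n' > "$1"
  printf 'password\t[success=2 default=ignore]\tpam_unix.so obscure use_authtok try_first_pass yescrypt\n' >> "$1"
  printf 'password\trequisite\t\t\tpam_deny.so\n' >> "$1"
  printf 'password\trequired\t\t\tpam_permit.so\n' >> "$1"
}

# ensure_option FILE MODULE KEY=VALUE: set the option on the password line that
# loads MODULE, replacing an existing value instead of appending a duplicate.
ensure_option() {
  local file=$1 module=$2 opt=$3 key=${3%%=*}
  if grep -Eq "^password.*${module}.*[[:space:]]${key}=" "$file"; then
    sed -E -i "/^password.*${module}/s/[[:space:]]${key}=[^[:space:]]*/ ${opt}/" "$file"
  else
    sed -E -i "/^password.*${module}/s/\$/ ${opt}/" "$file"
  fi
}

# harden_pam FILE: 14-character minimum plus at least one upper-case, one
# lower-case and one other character. Lower-case is lcredit (dcredit = digits).
harden_pam() {
  local file=$1
  [ -e "$file.bak" ] || cp -p "$file" "$file.bak"   # same backup step as the article
  ensure_option "$file" pam_unix.so minlen=14
  ensure_option "$file" pam_pwquality.so ucredit=-1
  ensure_option "$file" pam_pwquality.so lcredit=-1
  ensure_option "$file" pam_pwquality.so ocredit=-1
}

# check_pam FILE: succeed only if each required option appears exactly once.
check_pam() {
  local file=$1 rule
  for rule in 'pam_unix.so.*[[:space:]]minlen=14' 'pam_pwquality.so.*[[:space:]]ucredit=-1' \
              'pam_pwquality.so.*[[:space:]]lcredit=-1' 'pam_pwquality.so.*[[:space:]]ocredit=-1'; do
    [ "$(grep -Ec "^password.*${rule}([[:space:]]|\$)" "$file")" -eq 1 ] || return 1
  done
}
# Dry run on a temporary copy; for real use: harden_pam /etc/pam.d/common-password
WORK=$(mktemp)
write_sample "$WORK"
harden_pam "$WORK"
harden_pam "$WORK"                                   # second pass must not duplicate options
check_pam "$WORK" && echo "common-password hardened as expected"
```

Running harden_pam twice is deliberate: a policy script that is re-run by configuration management must not keep appending options to the PAM line.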
✔️Restrict Root SSH Logins
Restrict root user access via SSH by configuring the PermitRootLogin directive, so that attackers cannot brute force the root password over SSH.
[ Implementation ]
Enable SSH by installing OpenSSH:
sudo apt update
sudo apt install openssh-server -y
Open the SSH configuration file with a text editor:
sudo nano /etc/ssh/sshd_config
Find the line with #PermitRootLogin under the Authentication section and change it to PermitRootLogin no (remove the hash).
Press Ctrl+X to exit, then enter Y and press Enter again to save the changes to this file.
Restart the SSH service with this command (the unit is named ssh on Ubuntu):
sudo systemctl restart ssh
From now on, any attempt to SSH to the server with the root account will be automatically denied.
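The sshd_config you open may have the directive commented out (the Ubuntu default), already set to another value, or missing entirely, and a hand edit only covers the first case. As an added example that is not from the original article, the script below handles all three states on constructed copies of the file and then checks that the first active directive is "no", which is the one sshd honours; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example: enforce "PermitRootLogin no" in an sshd_config and verify it,
# on copies first. Function names are mine; the sample files are constructed.
set -eu

# write_sample FILE VARIANT: a cut-down sshd_config in one of the three states
# the directive can be in: commented default, set to yes, or absent.
write_sample() {
  printf 'Port 22\n' > "$1"
  case $2 in
    commented) printf '#PermitRootLogin prohibit-password\n' >> "$1" ;;
    yes)       printf 'PermitRootLogin yes\n' >> "$1" ;;
    absent)    ;;
  esac
  printf 'PasswordAuthentication yes\n' >> "$1"
}

# set_permit_root_login FILE: rewrite any (commented or active) PermitRootLogin
# line to "no", case-insensitively, or append the directive when the file has none.
set_permit_root_login() {
  local file=$1
  [ -e "$file.bak" ] || cp -p "$file" "$file.bak"
  if grep -Eiq '^[[:space:]]*#?[[:space:]]*PermitRootLogin([[:space:]]|$)' "$file"; then
    sed -E -i 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin([[:space:]].*)?$/PermitRootLogin no/I' "$file"
  else
    printf 'PermitRootLogin no\n' >> "$file"
  fi
}

# check_permit_root_login FILE: succeed if the first active directive is "no".
# sshd uses the first occurrence of a keyword, so a later line cannot override it.
check_permit_root_login() {
  local first
  first=$(grep -Ei '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" | head -n 1 | awk '{print tolower($2)}')
  [ "$first" = "no" ]
}

# Dry run over all three starting states on temporary copies.
for variant in commented yes absent; do
  f=$(mktemp)
  write_sample "$f" "$variant"
  set_permit_root_login "$f"
  set_permit_root_login "$f"        # second pass must leave exactly one directive
  check_permit_root_login "$f" && echo "$variant: ok ($(grep -ci 'permitrootlogin' "$f") directive)"
done
```

On a real Ubuntu host, also look at drop-ins under /etc/ssh/sshd_config.d/ (included before the main settings) and confirm the effective value with `sudo sshd -T | grep -i permitrootlogin`, after `sudo sshd -t` has validated the file and before restarting the service.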
✔️Enforce Secure, Encrypted Connections for Internet Browsers
The same considerations apply as in the Windows section above: enable TLS 1.2 and above and disable TLS 1.0 and 1.1.
[ Implementation ]
Mozilla Firefox
Open the Firefox browser and type about:config to open the options.
In the Search field, enter tls.
Find and double-click the entry for security.tls.version.max. Set the integer value to 4 (TLS 1.3).
Find and double-click the entry for security.tls.version.min. Set the integer value to 3 (TLS 1.2) so that only TLS 1.2 and TLS 1.3 are negotiated.
Click OK and close the browser. Restart Firefox.
So that's it! These are some quick and effective exercises for your Windows and Linux Ubuntu servers. There are many useful software options available that offer additional protection, such as firewalls, malware detection, and multi-factor authentication. These add more layers and complexity to your operating systems and networks. However, the implementations mentioned here can be done internally without needing extra software.
They are what we suggest to our clients for improvement, and I hope you find them quick and easy to set up on your machines as well!🖖