How Do I Defend Against Brute-force Attacks?
Preventive Measures
Configure your applications and networks to enhance security.
- Applications
- Using SSH keys for login
Enable SSH key login for server resources and application servers. A user can log in only if their private key matches the public key. For details about how to create a key pair, see Creating a Key Pair.
- Enabling 2FA
2FA requires users to provide verification codes before they log in. The codes are sent to their mobile phones or email addresses.
Choose Installation and Configuration. On the Two-Factor Authentication tab, select servers and click Enable 2FA. For details, see Enabling 2FA.
- Network
- Configuring the SSH login whitelist
The SSH login whitelist allows logins only from whitelisted IP addresses to prevent account cracking. For details, see Configuring an SSH Login IP Address Whitelist.
- Using non-default ports
Change the default remote management ports 22 and 3389 to other ports. For details, see How Can I Change a Remote Login Port?
- Configure security group rules to prevent the attacking IP addresses from accessing your service ports.
You are advised to allow only specified IP addresses to access open remote management ports (for example, for SSH and remote desktop login).
HSS prevents brute-force attacks on server accounts in real time and blocks attack source IP addresses. You can configure security group rules to control access to your servers.
For a port used for remote login, you can set IP addresses that are allowed to remotely log in to your ECSs.
To allow IP address 192.168.20.2 to remotely access Linux ECSs in a security group over the SSH protocol and port 22, you can configure the following security group rule.
Table 1 Setting IP addresses to remotely connect to ECSs

| Direction | Protocol/Application | Port | Source IP Address |
|-----------|----------------------|------|-------------------|
| Inbound | SSH (22) | 22 | For example, 192.168.20.2/32 |
- Set a strong password.
Password policy check and weak password detection can find accounts that use weak passwords on your servers. You can view and handle password risks on the console.
For details, see How Do I Install a PAM and Set a Proper Password Complexity Policy? and How Do I Set a Secure Password?
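The security group advice above (allow only specified IP addresses to reach remote management ports) can be checked mechanically. The following is an added example, not part of the original page or of HSS: it audits inbound rules shaped like the columns of Table 1 and flags any that expose port 22 or 3389 to every address or to a large range. The dict field names, the 256-address threshold and the sample rules are assumptions constructed for illustration, not a cloud API format.

```python
import ipaddress

# Remote management ports named on this page (SSH and remote desktop).
MGMT_PORTS = {22: "SSH", 3389: "RDP"}


def audit_rules(rules, max_hosts=256):
    """Return findings for inbound rules that expose a management port too widely.

    Each rule is a dict modelled on Table 1 (hypothetical field names):
    direction, port (single "22" or range "3000-4000"), source (CIDR).
    max_hosts is an assumed threshold: sources larger than this are flagged.
    """
    findings = []
    for idx, rule in enumerate(rules):
        if rule["direction"].lower() != "inbound":
            continue  # only inbound rules control who can reach the login port
        lo, _, hi = rule["port"].partition("-")
        lo, hi = int(lo), int(hi or lo)
        exposed = [p for p in MGMT_PORTS if lo <= p <= hi]
        if not exposed:
            continue
        net = ipaddress.ip_network(rule["source"], strict=False)
        if net.prefixlen == 0:
            severity = "open-to-any"   # 0.0.0.0/0 or ::/0
        elif net.num_addresses > max_hosts:
            severity = "too-broad"     # not "any", but far more than specified hosts
        else:
            continue                   # narrow source, as the page recommends
        for port in exposed:
            findings.append((idx, port, MGMT_PORTS[port], severity, str(net)))
    return findings


# Constructed sample rules; the first one is the rule from Table 1.
SAMPLE_RULES = [
    {"direction": "Inbound", "port": "22", "source": "192.168.20.2/32"},
    {"direction": "Inbound", "port": "22", "source": "0.0.0.0/0"},
    {"direction": "Inbound", "port": "3000-4000", "source": "10.0.0.0/8"},
    {"direction": "Inbound", "port": "443", "source": "0.0.0.0/0"},
    {"direction": "Outbound", "port": "22", "source": "0.0.0.0/0"},
    {"direction": "Inbound", "port": "3389", "source": "::/0"},
]

if __name__ == "__main__":
    for idx, port, name, severity, source in audit_rules(SAMPLE_RULES):
        print(f"rule {idx}: {name} port {port} reachable from {source} ({severity})")
```

A port range that merely contains 22 or 3389 is flagged as well, since a wide range exposes the login port just as a single-port rule does.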