Updated on 2024-02-27 GMT+08:00

How Do I Defend Against Brute-force Attacks?

Preventive Measures

Configure your applications and networks to enhance security.

  • Applications
    • Using SSH keys for login

      Enable SSH key login for server resources and application servers. A user can log in only if its private key matches the public key. For details about how to create a key pair, see Creating a Key Pair.

    • Enabling 2FA

      2FA requires users to provide verification codes before they log in. The codes will be sent to their mobile phones or email boxes.

      Choose Installation and Configuration. On the Two-Factor Authentication tab, select servers and click Enable 2FA. For details, see Enabling 2FA.

  • Network
    • Configuring the SSH login whitelist

      The SSH login whitelist allows logins from only whitelisted IP address to prevent account cracking. For details, see Configuring an SSH Login IP Address Whitelist.

    • Using non-default ports

      Change the default remote management ports 22 and 3389 to other ports. For details, see How Can I Change a Remote Login Port?

    • Configure security group rules to prevent the attacking IP addresses from accessing your service ports.

      You are advised to allow only specified IP addresses to access open remote management ports (for example, for SSH and remote desktop login).

      HSS prevents brute-force attacks on server accounts in real time and blocks attack source IP addresses. You can configure security group rules to control access to your servers.

      For a port used for remote login, you can set IP addresses that are allowed to remotely log in to your ECSs.

      To allow IP address 192.168.20.2 to remotely access Linux ECSs in a security group over the SSH protocol and port 22, you can configure the following security group rule.

      Table 1 Setting IP addresses to remotely connect to ECSs

      Direction

      Protocol/Application

      Port

      Source IP Address

      Inbound

      SSH (22)

      22

      For example, 192.168.20.2/32

    • Set a strong password.

      Password policy check and weak password detection can find accounts that use weak passwords on your servers. You can view and handle password risks on the console.

      For details, see How Do I Install a PAM and Set a Proper Password Complexity Policy? and How Do I Set a Secure Password?

Brute-force Attack Defense FAQs

more