Updated on 2024-06-11 GMT+08:00

How Do I Handle a Brute-force Attack?

Brute-force attacks are a common intrusion technique. Attackers remotely guess login usernames and passwords by repeated attempts. When they succeed, they can attack and control systems.

SA interworks with HSS: it receives the alarms for brute-force attacks that HSS detects, and centrally displays and manages these alarm events.

Handling Alarm Events

HSS uses brute-force detection algorithms and an IP address blacklist to effectively prevent brute-force attacks and block attacking IP addresses. HSS reports alarm events for these attacks.

If you receive an alarm event from HSS, log in to the HSS console to confirm and handle the alarm event.

  • If your host is cracked and an intruder successfully logs in to the host, all hosts under your account may have been implanted with malicious programs. Take the following measures immediately to handle the alarm event and prevent further risks to the hosts:
    1. Immediately check whether the source IP address used to log in to the host is trusted.
    2. Change the passwords of the accounts involved.
    3. Scan for risky accounts and handle suspicious accounts immediately.
    4. Scan for malicious programs and, if any are found, remove them immediately.
  • If your host is cracked and the attack source IP address is blocked by HSS, take the following measures to harden host security:
    1. Check the source IP address used to log in to the host and ensure it is trusted.
    2. Log in to the host and scan for OS risks.
    3. Upgrade the HSS protection capability if possible.
    4. Harden the host security group and firewall configurations based on site requirements.

For details, see How Do I Handle a Brute-Force Attack Alarm?
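The first step in both lists, checking whether the login source IP address is trusted, can also be verified on the host itself. The following is an added example, not part of the original page or of HSS. It assumes a Linux host whose logins go through OpenSSH, and the sample log lines and the trusted network range are constructed for illustration:

```python
import ipaddress
import re
from collections import Counter
# Constructed sample lines in OpenSSH auth-log format (documentation IP ranges).
SAMPLE_LOG = """\
Jun 11 03:12:01 host1 sshd[2101]: Failed password for root from 203.0.113.45 port 51122 ssh2
Jun 11 03:12:03 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
Jun 11 03:12:05 host1 sshd[2103]: Failed password for root from 203.0.113.45 port 51144 ssh2
Jun 11 03:12:09 host1 sshd[2107]: Accepted password for root from 203.0.113.45 port 51160 ssh2
Jun 11 08:30:11 host1 sshd[3350]: Accepted publickey for ops from 10.0.4.17 port 40022 ssh2
Jun 11 09:02:44 host1 sshd[3391]: Failed password for ops from 198.51.100.7 port 60210 ssh2
"""

# Assumption: the networks your administrators normally log in from.
TRUSTED_NETWORKS = ["10.0.0.0/8"]

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def triage(log_text, trusted_networks):
    """Return (untrusted_logins, failed_only) for the given auth-log text."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    failures = Counter()   # failed attempts seen so far, per source IP
    accepted = set()       # every source IP with a successful login
    untrusted_logins = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # not an IP literal (e.g. a resolved hostname); skip
        if m["result"] == "Failed":
            failures[ip] += 1
            continue
        accepted.add(ip)
        if not any(ip in net for net in nets):
            # Successful login from outside the trusted networks: first case above.
            untrusted_logins.append({"user": m["user"], "ip": str(ip),
                                     "method": m["method"], "prior_failures": failures[ip]})
    # Sources that only ever failed: attempts did not end in a login (second case).
    failed_only = sorted(str(ip) for ip in failures if ip not in accepted)
    return untrusted_logins, failed_only

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, TRUSTED_NETWORKS))
```

An entry in the first list with a non-zero `prior_failures` count is a successful login that followed failed attempts from the same untrusted address, which corresponds to the case where the intruder has logged in and the accounts involved need their passwords changed.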

Marking Alarm Events

After an alarm event is handled, you can mark the alarm event.

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > Situation Awareness > Threat Alarms.
  3. On the Alarms tab, select Brute-force attacks and refresh the alarm list.
  4. Select an alarm and mark it as handled.

For details, see Viewing Alarms.