Updated on 2024-06-11 GMT+08:00

Brute Force Attacks

Overview

In a brute force attack, every possible login credential is systematically tested until the correct password is identified. Attackers guess and try usernames and passwords remotely. If they guess correctly, they can attack and control the systems.

As long as Host Security Service (HSS) is enabled, the professional edition SA can detect 22 types of brute-force attacks. If HSS is not enabled, the professional edition can detect 14, and the standard edition can detect 8. The basic edition does not support this feature.

Suggestion

If a brute force attack threat is detected, handle the threat by following the instructions in Table 1.

Table 1 Suggestions on handling some brute force attack threats

Each entry below gives the Threat Alarm, its Severity, the Threat Description, and the Suggestion.

Threat Alarm: SSH brute-force attack
Severity: Medium
Threat Description: Continuous attempts to log in to an ECS instance over SSH were detected, indicating that an attacker is attempting to hack into the ECS instance using SSH.
Suggestion: The SSH port is open to the public network. You are advised to perform the following operations:
  1. In the security group settings, forbid external SSH access.
  2. Configure hosts.deny in the ECS operating system.

Threat Alarm: RDP brute force attack
Severity: Medium
Threat Description: Continuous attempts to log in to an ECS instance over RDP were detected, indicating that an attacker is attempting to hack into the ECS instance using RDP.
Suggestion: The RDP port is open to the public network. You are advised to perform the following operations:
  1. In the security group settings, forbid external RDP access.
  2. Limit remote desktop access using tools like the Windows firewall in the ECS operating system.

Threat Alarm: Web brute force attack
Severity: Medium
Threat Description: Continuous attempts to log in to your web service (such as a login page) were detected, indicating that an attacker is attempting to hack into the web service (such as the web application login page).
Suggestion: The background management pages of the application (such as phpMyAdmin and Tomcat management pages) are open to the public network, and the login pages of services that must be reachable from the public network do not perform login verification. You are advised to perform the following operations:
  1. In the security group settings, forbid external access to the background management system page.
  2. Configure brute force attack defenses for web applications, for instance, SMS two-factor verification and image verification codes.

Threat Alarm: MySQL brute-force attack
Severity: Medium
Threat Description: Continuous attempts to log in to a MySQL instance on an ECS instance were detected, indicating that an attacker is attempting to hack into the MySQL instance on the ECS instance.
Suggestion: The MySQL service port is open to the public network. You are advised to perform the following operations:
  1. In the security group settings, forbid external access to the MySQL instance.
  2. Configure the firewall policy on the OS to forbid external access.
  3. Unbind the EIP from the ECS where the MySQL instance is installed.

Threat Alarm: Microsoft SQL brute force attack
Severity: Medium
Threat Description: Continuous attempts to log in to Microsoft SQL Server on an ECS instance were detected, indicating that an attacker is attempting to hack into Microsoft SQL Server on the ECS instance.
Suggestion: The Microsoft SQL Server service port is open to the public network. You are advised to perform the following operations:
  1. In the security group settings, forbid external access to the Microsoft SQL Server instance.
  2. Configure the firewall policy on the OS to forbid external access.
  3. Unbind the EIP from the ECS where the Microsoft SQL Server instance is installed.

Threat Alarm: System brute force attack detection event
Severity: Medium
Threat Description: A brute force attack was detected. There are continuous attempts to log in to your ECS instance.
Suggestion: Log in to the HSS console and handle the issue.

Threat Alarm: Unauthorized system account
Severity: Medium
Threat Description: A brute force attack was detected. There are continuous attempts to log in to the ECS instance using an unauthorized system account.
Suggestion: Log in to the HSS console and handle the issue.

Threat Alarm: System crack success detection event
Severity: High
Threat Description: One of your ECS instances was hacked.
Suggestion: Log in to the HSS console and handle the issue.
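As an added illustration of the pattern behind the "SSH brute-force attack" alarm in Table 1 (this is not code from the original page, nor from HSS or SA), the following Python script applies the same idea, repeated failed logins from one source within a short window, to constructed sshd log lines. The host name, the IP addresses and the threshold of 5 failures in 5 minutes are assumptions chosen for the example.

```python
# Added example: flag SSH brute-force activity in sshd log lines, i.e. at
# least `threshold` failed logins from one source IP inside a sliding window.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd entries in syslog format (not real logs).
SAMPLE_LOG = """\
Jun 11 10:00:01 ecs-web sshd[2201]: Failed password for root from 198.51.100.7 port 51002 ssh2
Jun 11 10:00:03 ecs-web sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51010 ssh2
Jun 11 10:00:04 ecs-web sshd[2205]: Failed password for root from 198.51.100.7 port 51012 ssh2
Jun 11 10:00:06 ecs-web sshd[2207]: Failed password for invalid user test from 198.51.100.7 port 51020 ssh2
Jun 11 10:00:08 ecs-web sshd[2209]: Failed password for root from 198.51.100.7 port 51030 ssh2
Jun 11 10:03:15 ecs-web sshd[2301]: Failed password for ops from 203.0.113.9 port 40001 ssh2
Jun 11 10:03:40 ecs-web sshd[2303]: Accepted publickey for ops from 203.0.113.9 port 40002 ssh2
Jun 11 10:20:00 ecs-web sshd[2401]: Failed password for root from 198.51.100.7 port 51100 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failures(text, year=2024):
    """Yield (timestamp, user, ip) for every failed-password line."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def detect_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: (hits, users)} for IPs with >= threshold failures
    within any `window`-long span; successful logins are not counted."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, events in sorted(by_ip.items()):
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window start forward in time
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in events[start:end + 1]})
                alerts[ip] = (end - start + 1, users)
                break
    return alerts
```

A single failure from 203.0.113.9 and the late retry from 198.51.100.7 at 10:20 fall outside the window and are not reported, which is what keeps such a rule from alarming on an operator mistyping a password.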