Updated on 2024-07-18 GMT+08:00

How Do I Handle a Brute-force Attack?

Brute-force attacks are a common intrusion method. Attackers remotely guess login usernames and passwords through repeated attempts. Once they succeed, they can attack and control the system.

SecMaster works with HSS: it receives the brute-force attack alerts that HSS detects, then displays and manages them centrally.

Handling Alerts

HSS uses brute-force detection algorithms and an IP address blacklist to effectively prevent brute-force attacks and block attacking IP addresses. Alerts will be reported.

If you receive an alert from HSS, log in to the HSS console to confirm and handle the alert.

  • If your host has been cracked and an intruder has successfully logged in to it, all hosts under your account may have been implanted with malicious programs. Take the following measures immediately to handle the alert and prevent further risks to the hosts:
    1. Immediately check whether the source IP address used to log in to the host is trusted.
    2. Change passwords of accounts involved.
    3. Scan for risky accounts and handle suspicious accounts immediately.
    4. Scan for malicious programs and remove them, if any, immediately.
  • If your host is cracked and the attack source IP address is blocked by HSS, take the following measures to harden host security:
    1. Check the source IP address used to log in to the host and ensure it is trusted.
    2. Log in to the host and scan for OS risks.
    3. Upgrade the HSS protection capability if possible.
    4. Harden the host security group and firewall configurations based on site requirements.
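
The first step in both lists, checking whether the login source IP address is trusted, can be scripted on a Linux host. The following is an added example, not part of HSS or SecMaster: it assumes OpenSSH `sshd` log lines, a hypothetical trusted network range (`TRUSTED_NETS`), and constructed sample log data.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in OpenSSH sshd syslog format (not from a real host).
SAMPLE_LOG = """\
Jul 18 02:11:01 ecs-01 sshd[2101]: Failed password for root from 203.0.113.45 port 50122 ssh2
Jul 18 02:11:03 ecs-01 sshd[2103]: Failed password for invalid user admin from 203.0.113.45 port 50130 ssh2
Jul 18 02:11:05 ecs-01 sshd[2105]: Failed password for root from 203.0.113.45 port 50141 ssh2
Jul 18 02:11:09 ecs-01 sshd[2109]: Accepted password for root from 203.0.113.45 port 50150 ssh2
Jul 18 08:30:12 ecs-01 sshd[3301]: Failed password for ops from 10.0.3.7 port 41022 ssh2
Jul 18 08:30:20 ecs-01 sshd[3302]: Accepted publickey for ops from 10.0.3.7 port 41030 ssh2
Jul 18 09:02:44 ecs-01 sshd[3410]: Failed password for root from 198.51.100.9 port 60001 ssh2
"""

# Assumption: the networks your administrators legitimately log in from.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/16")]

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def is_trusted(ip, trusted_nets=TRUSTED_NETS):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or malformed value: treat as untrusted
        return False
    return any(addr in net for net in trusted_nets)

def triage_logins(log_text, trusted_nets=TRUSTED_NETS):
    """Return accepted logins from untrusted IPs with the failures seen before each."""
    failures = Counter()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif not is_trusted(ip, trusted_nets):
            findings.append({"ip": ip, "user": m["user"], "method": m["method"],
                             "prior_failures": failures[ip]})
    return findings

if __name__ == "__main__":
    for f in triage_logins(SAMPLE_LOG):
        print("REVIEW:", f)
```

Each finding names an account whose password should be changed (step 2) and a source address to review against the security group and firewall rules.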

Marking Alerts

After an alert is handled, you can mark the alert.

  1. Log in to the management console.
  2. Click in the upper part of the page and choose Security > SecMaster.
  3. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 1 Workspace management page

  4. In the navigation pane on the left, choose Threat Operations > Alert. The alert management page is displayed.
  5. On the Alert tab, select Brute-force attacks and refresh the alert list.
  6. Delete the non-threat alerts.