Brute Force Attack Prevention for Cloud Hosts

Backed by extensive experience in security protection, Huawei is able to prevent brute force attacks through host hardening and protection solutions for mainstream operating systems.
Basic Hardening
  • Preparation

  • Linux

  • Windows

  • Network Policy Configuration

Preparation

Step 1: Preparation

  1. Download

    Click the link under "Download Link" to download the Excellent Practices and hardening scripts. You obtain two scripts after decompressing the downloaded script package: main.sh for Linux and srs.bat for Windows. Upload the desired script to the ECS to be hardened.

  2. Password Preparation

    Before running a script, prepare passwords (or, for Linux, SSH key pairs) for the OS accounts that meet the complexity requirements in the Excellent Practices, so that the hardened settings do not lock you out.

  3. Download Link

    Excellent Practices and hardening scripts

Linux

Step 2-1: Hardening Linux OSs

  1. Running the Script

    Run the hardening script (as shown in the preceding figure). The OS version and operation options are displayed. Select an option by typing the number.

  2. Option Description

  3. 1:ALL

    When you type 1, operations 2 to 7 are executed in sequence to harden the system. Type 9 afterwards to exit.

  4. 2:Set Password Complexity Requirements

    Type 2 for the script to set the password complexity requirements. By default, a password must contain at least 12 characters and include all of the following: digits, uppercase letters, lowercase letters, and special characters. To set your own requirements, follow section 1.1.1 of the Excellent Practices.

  5. 3:Set Remote Login Configuration(SSH)

    When you enter 3, the script sets the SSH protocol version to 2 and then prompts you for the remaining settings. (Current OpenSSH releases support only protocol 2, so on them this setting changes nothing; it matters only on very old servers.) Before disabling root login, make sure at least one other user can log in remotely, or you will lock yourself out of the host. Restart the SSH service when you finish.

  6. 4:Set Shell History and TMOUT

    When you select 4, the script configures HISTSIZE and HISTTIMEFORMAT based on the Excellent Practices. Then enter the idle timeout, in seconds, for TMOUT.

  7. 5:Set Key Login(SSH)

    Note: Before selecting this option, prepare a public/private key pair as instructed in section 1.1.4 of the Excellent Practices. Type 5 and enter the public key when prompted; the script injects it so that the account can log in with the key.

  8. 6:Set SSH Port

    Type 6 and a port number. The script configures the port you specify; if the port is already in use, you are prompted for another. Restart the SSH service when this configuration is done. Allow the new port in the security group or host firewall before you restart, otherwise you cannot reconnect.

  9. 7:Set Su User

    Enter 7 and a username. The script grants su permission to that user. Create the user before selecting this option.

  10. 8:Recover Configuration

    This option restores the configuration backed up before hardening. When the recovery is complete, restart SSH if prompted.

  11. 9:Exit

    Select this option to exit the script when you have hardened or recovered the system.

  12. For customized configurations, see section 1.1 of the Excellent Practices.

    Excellent Practices of Brute Force Attack Prevention for Cloud Hosts
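The following script is an added example and is not Huawei's main.sh. It applies the Step 2-1 settings (options 2 to 6) to files whose paths are passed in, so you can exercise it on scratch copies before touching /etc/ssh/sshd_config, and it carries the two guard checks the text warns about: refusing to disable root login until a non-root user has an authorized key, and refusing an SSH port that is already bound. It assumes an OpenSSH sshd_config, the pam_pwquality pwquality.conf syntax, and login shells that source /etc/profile.d/*.sh; the HISTSIZE and MaxAuthTries values and the placeholder key are this example's own choices, not values from the Excellent Practices document.

```shell
#!/bin/sh
# Added example (not Huawei's main.sh). All paths are parameters so the
# functions can run against scratch files; nothing here touches /etc by itself.

# Remove every copy of a directive (commented out or not), then append the
# wanted value. sshd honours the FIRST occurrence of a keyword, so an old
# uncommented "PermitRootLogin yes" left above the new line would silently win.
set_sshd_directive() {
  f=$1; k=$2; v=$3
  tmp="$f.tmp.$$"
  grep -Ev "^[[:space:]]*#?[[:space:]]*$k([[:space:]]|\$)" "$f" > "$tmp" || true
  printf '%s %s\n' "$k" "$v" >> "$tmp"
  mv "$tmp" "$f"
}

# Effective value of a keyword, using sshd's first-occurrence rule.
get_sshd_directive() {
  awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Disabling root login is only safe once another account can get in: look for a
# home directory under $1 (/home in production) with a non-empty authorized_keys.
has_non_root_key_login() {
  for d in "$1"/*/; do
    [ -s "$d.ssh/authorized_keys" ] && return 0
  done
  return 1
}

# Option 6 must not pick a port that is already bound. Uses ss(8) when present;
# otherwise tells the operator to check by hand and assumes the port is free.
ssh_port_is_free() {
  if ! command -v ss >/dev/null 2>&1; then
    echo "ss not found; verify that port $1 is unused manually" >&2
    return 0
  fi
  ! ss -Hltn 2>/dev/null | awk '{ print $4 }' | grep -Eq "[:.]$1\$"
}

# Options 3, 5 and 6 together. Stops before editing anything if a guard fails.
harden_sshd_config() {
  cfg=$1; port=$2; homes=$3
  if ! has_non_root_key_login "$homes"; then
    echo "no non-root user with authorized_keys under $homes; refusing to disable root login" >&2
    return 1
  fi
  ssh_port_is_free "$port" || { echo "port $port is already in use" >&2; return 1; }
  set_sshd_directive "$cfg" Protocol 2          # no-op on current OpenSSH, harmless
  set_sshd_directive "$cfg" Port "$port"
  set_sshd_directive "$cfg" PermitRootLogin no
  set_sshd_directive "$cfg" PubkeyAuthentication yes
  set_sshd_directive "$cfg" PasswordAuthentication no
  set_sshd_directive "$cfg" MaxAuthTries 3      # example value, not from the document
}

# Option 2: at least 12 characters with a digit, an upper-case, a lower-case and
# a special character (pam_pwquality: a negative credit means "at least one").
write_pwquality_conf() {
  cat > "$1" <<'EOF'
minlen = 12
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
EOF
}

# Option 4: bounded, time-stamped history and an idle timeout of $2 seconds.
# readonly stops an interactive user from simply unsetting TMOUT.
write_shell_profile() {
  cat > "$1" <<EOF
export HISTSIZE=1000
export HISTTIMEFORMAT='%F %T '
export TMOUT=$2
readonly TMOUT
EOF
}

# Stand-alone run on constructed scratch files: sh hardening.sh demo
demo_run() {
  t=$(mktemp -d)
  mkdir -p "$t/home/ops/.ssh"
  echo 'ssh-ed25519 PLACEHOLDER-NOT-A-REAL-KEY ops' > "$t/home/ops/.ssh/authorized_keys"
  printf '#Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$t/sshd_config"
  harden_sshd_config "$t/sshd_config" 2222 "$t/home" && cat "$t/sshd_config"
  write_pwquality_conf "$t/pwquality.conf"
  write_shell_profile "$t/tmout.sh" 600
  rm -rf "$t"
}
case "${1:-}" in demo) demo_run ;; esac
```

On a real host, run `sshd -t -f /path/to/edited/sshd_config` and open the new port in the security group before restarting sshd, and keep the current session open until a second login over the new port has succeeded.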

Windows

Step 2-2: Hardening Windows OSs

  1. Running the Script

    Run the hardening script (as shown in the preceding figure). Select an option by typing the number.

  2. Option Description

  3. (1)All the operation

    When you type 1, operations 2 to 7 are executed in sequence to harden the system. After that, press Enter to exit.

  4. (2)Set password complexity

    Type 2 for the script to set the password complexity requirements based on the Excellent Practices. To set your own requirements, follow section 1.2.1 of the Excellent Practices.

  5. (3)Set password history check

    This option enforces password history, so that a previously used password cannot be reused. Enter 3 and the script configures it automatically based on the Excellent Practices. To configure it yourself, follow section 1.2.4 of the Excellent Practices.

  6. (4)Set password lock conf

    This option enables account lockout: a user is locked out after entering a wrong password a configured number of times in a row, which caps the guesses an online brute force attack can make. When you select 4, the script configures it automatically. To configure it yourself, follow section 1.2.3 of the Excellent Practices.

  7. (5)Set default account

    This option renames the built-in administrator account, so that attackers cannot assume the username. Type 5 and enter the new username when prompted. For details, see section 1.2.2 of the Excellent Practices.

    Note: Remember the new administrator username; otherwise, you will not be able to log in to the system.

  8. (6)Set disconnect timeout

    This option sets the idle timeout after which a session is disconnected. Type 6 and the script configures it automatically. To configure it yourself, follow section 1.2.6 of the Excellent Practices.

  9. (7)Hide the last login account

    This option stops the logon screen from showing the last user who logged in, so an attacker at the console does not get a valid username for free. Enter 7 and the script configures it automatically. To configure it yourself, follow section 1.2.5 of the Excellent Practices.

  10. (8)Exit

    Select this option to exit the script when you have hardened or recovered the system.

  11. (9)Recover the Configuration

    This option restores the configuration backed up before hardening. When the recovery is complete, restart the system for the configuration to take effect.

  12. For customized configurations, see section 1.2 of the Excellent Practices.

    Excellent Practices of Brute Force Attack Prevention for Cloud Hosts

Network Policy Configuration

Step 3: Configuring the Network Policy

  1. Access Control

    Use security groups to control access to the management ports (SSH, RDP, and any custom SSH port chosen during hardening) on two principles: open the fewest ports possible, and deny by default so that requests to every other port are dropped. Only the trusted source addresses you list can then reach the management ports, which removes the Internet-wide exposure that brute force tools depend on.

  2. Alternatively, or as a second layer behind the security group, use iptables on Linux or Windows Firewall on Windows on the host itself for the same purpose. If you changed the SSH port in Step 2-1, allow the new port before restarting the SSH service, or you will cut off your own session. For configuration details, see chapter 2 of the Excellent Practices.

  3. Related Services

    Virtual Private Cloud
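The script below is an added example, not a configuration from chapter 2 of the Excellent Practices. It generates an iptables-restore ruleset that applies the security-group principle on the Linux host itself: default-deny inbound, new SSH connections accepted only from listed trusted sources and rate limited, everything else to the SSH port dropped. It validates the CIDR input first, because a mistyped source range is the usual way such a rule ends up allowing the whole Internet. The SSH port 2222 and the sources 203.0.113.0/24 and 198.51.100.7/32 are constructed values (documentation address space), not real addresses.

```shell
#!/bin/sh
# Added example, not part of the Huawei documentation. Generates rules in
# iptables-restore format; applying them needs root and is left to apply_ssh_ruleset.

# Accept only dotted-quad/prefix input with every octet <= 255 and prefix <= 32.
valid_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
  ip=${1%/*}
  for o in $(printf '%s' "$ip" | tr . ' '); do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# $1 = SSH port, remaining arguments = trusted source CIDRs. Emits a filter table:
#  - loopback, established/related traffic and ICMP allowed
#  - new SSH connections only from the trusted sources, throttled with -m limit
#    (connections beyond the limit fall through to the DROP rule below)
#  - any other packet to the SSH port dropped; INPUT policy DROP covers the rest
build_ssh_ruleset() {
  port=$1; shift
  [ "$#" -gt 0 ] || { echo "at least one trusted CIDR is required" >&2; return 1; }
  for c in "$@"; do
    valid_cidr "$c" || { echo "rejecting invalid CIDR: $c" >&2; return 1; }
  done
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]'
  printf '%s\n' ':FORWARD DROP [0:0]'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
  for c in "$@"; do
    printf '%s\n' "-A INPUT -p tcp --dport $port -s $c -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT"
  done
  printf '%s\n' "-A INPUT -p tcp --dport $port -j DROP"
  printf '%s\n' 'COMMIT'
}

# Dry-run the ruleset with iptables-restore --test, then load it. Requires root.
# Run it from a session on the already-allowed port and source, not the one you
# are about to cut off.
apply_ssh_ruleset() {
  out=$(mktemp)
  build_ssh_ruleset "$@" > "$out" || { rm -f "$out"; return 1; }
  iptables-restore --test "$out" && iptables-restore "$out"
  rc=$?
  rm -f "$out"
  return $rc
}

# Stand-alone run: sh ssh-ruleset.sh demo   (prints the ruleset, applies nothing)
case "${1:-}" in demo) build_ssh_ruleset 2222 203.0.113.0/24 198.51.100.7/32 ;; esac
```

The host rules are a complement to the security group, not a replacement: the security group stops traffic before it reaches the instance, while the host rules still protect you if the security group is later loosened by mistake.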

Solution Architecture

Introduction

This solution uses security services or products to enhance the security of cloud hosts against brute force attacks.

  1. Vulnerability Scan Service (VSS)

    VSS detects website vulnerabilities regularly and offers suggestions for addressing discovered risks. This enhances website security and prevents vulnerability exploits.

  2. Bastion host

    A bastion host is used to audit and control the access to your host. It narrows down the attack surface and mitigates maintenance-side intrusion risks.

  3. Two-factor authentication (2FA)

    A 2FA system is recommended to strengthen login protection for cloud hosts: a guessed or stolen password alone is then not enough to log in.

  4. Security Expert Service (SES)

    You are advised to use SES to have your business systems assessed regularly. It detects risks and tailors solutions to prevent exploits. The Accurate Assessment mode is particularly recommended.

  5. Host security products

    You can deploy products such as Host Security Service (HSS) to monitor your hosts and prevent brute force attacks in real time. HSS also detects weak passwords.

Recommended Services
  • Host Security Service
    HSS is designed to offer excellent overall protection for your host. It provides login, system, and application protection capabilities to protect your host from intrusions, allowing you more time to focus on your businesses.
  • Security Expert Service
    SES is a professional service provided jointly by Huawei and an information security authority. It discovers security risks in your websites and offers vulnerability fixing suggestions. Better still, it tailors security solutions for your websites.
  • Virtual Private Cloud
    VPC enables you to create private, isolated virtual networks. You can configure IP address segments, subnets, and security groups, assign EIPs, and allocate bandwidth in a VPC.