Loading...

Countermeasure Dictionary Attacks

In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or pass-phrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary.

A good administrator will review every day his dashboard. Anomalies should be investigated in a reasonable amount of time. An example: awstats-2015-october So many hits from the Ukraine is rather unusual for this report. Analyzing the log files, we find dictionary attacks by trying to authenticate to WordPress (IP address masked) with POST requests.

access.log:xxx.xxx.xxx.xxx - - [20/Oct/2015:11:21:03 +0200] "POST http://cinhtau.net/wp/wp-login.php HTTP/1.1" 200 2909 "-" "-"
access.log:xxx.xxx.xxx.xxx - - [20/Oct/2015:11:22:21 +0200] "POST http://cinhtau.net/wp/wp-login.php HTTP/1.1" 200 2909 "-" "-"
access.log:xxx.xxx.xxx.xxx - - [20/Oct/2015:11:23:34 +0200] "POST http://cinhtau.net/wp/wp-login.php HTTP/1.1" 200 2909 "-" "-"
access.log:xxx.xxx.xxx.xxx - - [20/Oct/2015:11:24:40 +0200] "POST http://cinhtau.net/wp/wp-login.php HTTP/1.1" 200 2909 "-" "-"
..
access.log:xxx.xxx.xxx.xxx - - [20/Oct/2015:12:16:23 +0200] "POST http://cinhtau.net/wp/wp-login.php HTTP/1.1" 200 2909 "-" "-"
access.log:xxx.xxx.xxx.xxx - - [20/Oct/2015:12:17:26 +0200] "POST http://cinhtau.net/wp/wp-login.php HTTP/1.1" 200 2909 "-" "-"
access.log:xxx.xxx.xxx.xxx - - [20/Oct/2015:12:18:22 +0200] "POST http://cinhtau.net/wp/wp-login.php HTTP/1.1" 200 2909 "-" "-"
access.log:xxx.xxx.xxx.xxx - - [20/Oct/2015:12:19:33 +0200] "POST http://cinhtau.net/wp/wp-login.php HTTP/1.1" 200 2909 "-" "-"
..
access.log:xxx.xxx.xxx.xxx - - [20/Oct/2015:17:55:19 +0200] "POST http://cinhtau.net/wp/wp-login.php HTTP/1.1" 200 2909 "-" "-"

Countermeasures for Dictionary Attack can involve a login stop from the origin of attack. There is open-source software for that. Fail2ban scans log files and bans IP addresses that show the malicious signs - too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Using a detection algorithm like counter > 10 raised an alert via e-mail. Add the IP to your iptables configuration and drop all incoming packets.