How Does HSS Intercept Brute Force Attacks?

Types of Detectable Brute Force Attacks

• Windows: SQL Server (automated blocking is not supported) and RDP
• Linux: MySQL, vfstpd, and SSH

• Added MySQL rule: IN_HIDS_MYSQLD_DENY_DROP
• Added vfstpd rule: IN_HIDS_VSFTPD_DENY_DROP
• Added SSH rule: If SSH on the server does not support the TCP Wrapper interception mode, the SSH uses iptables for interception. Therefore, the IN_HIDS_SSHD_DENY_DROP rule will be added to iptables. If you have configured an SSH login whitelist, the IN_HIDS_SSHD_DENY_DROP and IN_HIDS_SSHD_WHITE_LIST will be added to iptables.

Take the MySQL database as an example. Figure 1 shows the new rule.

Figure 1 Added MySQL rule

How Brute Force Attacks Are Intercepted

Alarm Policies

• If a hacker successfully cracks the password and logs in to a server, a real-time alarm will be immediately sent to specified recipients.
• If a brute-force attack and risks of account hacking are detected, a real-time alarm will be immediately sent to specified recipients.
• If a brute-force attack is detected and failed, and no unsafe settings (such as weak passwords) are detected on the server, no real-time alarms will be sent. HSS will summarize all attacks in a day in its daily alarm report. You can also view blocked attacks on the Detection & Response > Alarms page of the HSS console.

Viewing Brute Force Cracking Detection Results

1. Log in to the management console.
2. Click in the upper left corner of the page, select a region, and choose Security > Host Security Service. The HSS page is displayed.
3. In the navigation pane, choose Detection & Response > Alarms.
4. View the brute force cracking detection result of the server or container.
   • View the brute force cracking detection result of the server.
     1. Click the Server Alarms tab.
     2. In the Alarm Types area, select Abnormal User Behavior > Brute-force attacks to view alarm event records on the protected server.
     3. Click the value in the Blocked IP Addresses area to view the blocked attack source IP address, attack type, blocking status, blocking times, blocking start time, and latest blocking time.
        • Blocked indicates the brute-force attack has been blocked by HSS.
        • Canceled indicates you have unblocked the source IP address of the brute force attack.
          Note

          The default blocking duration is 12 hours. If a blocked IP address does not perform brute-force attacks in the default blocking duration, it will be automatically unblocked.

   • View the brute force cracking detection result of a container.
     1. Click the Container Alarms tab.
     2. In the Alarm Types area, select Abnormal User Behavior > Brute-force attacks to view alarm event records on the protected container.

Managing Blocked IP Addresses

• If a server is frequently attacked, you are advised to fix its vulnerabilities in a timely manner and eliminate risks.
• If a valid IP address is blocked by mistake (for example, after O&M personnel enter incorrect passwords for multiple times), manually unblock the IP address.
  Notice

  If you manually unblocked an IP address, but incorrect password attempts from this IP address exceed the threshold again, this IP address will be blocked again.