According to various statistics, the brute-force attack is still a very popular method in the hands of cyber-criminals. This type of attack is an attempt by an attacker to gain illegitimate access to your system (mostly the admin area) by trying to log in with common usernames and passwords in rapid succession. To obfuscate the malicious activity, the attack is usually executed from multiple IP addresses, either via proxies or a botnet. That is why we decided to write a short guide about blocking brute-force attacks: a simple method that works for all popular CMSs, not only Joomla! and WordPress.


Simple but still very harmful attack

The password is one of the most common means of authentication. The disadvantage is that login/password authentication is a weak security plan, as credentials can be guessed. Leaving the administrator account named "admin" and using weak passwords are possibly the biggest security risks in Joomla! and any other CMS. A brute-force attack aims to be the simplest method of gaining access to a site: it tries usernames and passwords, over and over again, until it gets in. Depending on the password's length and complexity, there could be trillions of possible combinations. The main password-cracking methods are dictionary attacks, brute-force attacks, and rainbow attacks. They start with dictionary words or slightly modified dictionary words, because most people will use those rather than a completely random password. These attacks are called dictionary attacks or hybrid brute-force attacks.

Typical threats related to brute-force attacks:

  • An automated attack script can eventually defeat a password-based authentication system.
  • Your site is flooded with unnecessary traffic.

Preventing brute force attacks

There are a number of techniques for preventing brute-force attacks. The first is to implement a strong password policy. At a minimum, requiring users to choose passwords of eight characters or more with some complexity (a mix of letters and numbers, plus at least one special character) is an excellent defence against brute-force attacks when combined with one of the techniques outlined below.

There are several plugins for each CMS, but we want to introduce the .htaccess method, which has no known conflicts with any plugin or theme. Setting up a secondary HTTP password prompt is an excellent way to further lock things down. With .htaccess it is very easy to password-protect the /administrator folder (and so the whole back-end area). The method is called .htaccess password protection or .htaccess authentication, and works by uploading two files: .htaccess, placed in the directory you want to protect, and .htpasswd, which holds the credentials. Please follow these steps:

  1. Create a new .htaccess file.
  2. Inside, add the following code:
    # basic password protection
    # Apache 2.2 and later ship Basic authentication as mod_auth_basic; with the
    # older name mod_auth.c the IfModule test is false and the whole block is skipped
    <IfModule mod_auth_basic.c>
    AuthUserFile /path/to/.htpasswd
    AuthName "Extra username and password required"
    AuthType Basic
    # no <Limit GET POST> wrapper: Require must cover every HTTP method,
    # otherwise requests using other methods are never challenged
    Require valid-user
    </IfModule>
  3. Replace “/path/to/.htpasswd” with the full filesystem path to your .htpasswd file. The easiest way to find the right directory is to take the value of public $log_path from configuration.php (line 59) and append /.htpasswd to it.
  4. Upload the changed file into the /administrator folder.
  5. Create a second file named .htpasswd.
  6. Inside, put the username and password hash line created by this generator: http://www.htaccesstools.com/htpasswd-generator/ If you have shell access, the same file can be generated locally with the htpasswd utility that ships with Apache (for example htpasswd -c /full/path/.htpasswd username), so the password never leaves your server.
  7. Next, upload the .htpasswd file, which contains the username and password for the protected folder, into the /logs folder. You can of course use a folder other than /logs, including a new one, but remember to put the matching path into the .htaccess file as well.
  8. Now simply visit the administrator directory to check that everything works. You will be asked for this login and password before Joomla!'s own login form appears.

If you or your company have a static IP address, you can allow open access from that single IP and password-protect for everyone else. First check your public IP address, for example using the whatismyip.com service. Then follow all the steps described above, but use the following .htaccess content and put your IP address in place of the example 111.222.333.444:

# password protect excluding specific IP address
# Apache 2.2 and later: the Basic-auth module is mod_auth_basic, not mod_auth
<IfModule mod_auth_basic.c>
AuthName "Extra username and password required"
AuthUserFile /path/to/.htpasswd
AuthType Basic
Require valid-user
# Order/Deny/Allow and Satisfy are Apache 2.2 access-control syntax;
# on Apache 2.4 they need mod_access_compat to be loaded
Order Deny,Allow
Deny from all
Allow from 111.222.333.444
# Satisfy Any: either the client IP matches or valid credentials are supplied
Satisfy Any
</IfModule>
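As an added check (example code written for this article, not part of the original guide), the small Python linter below reads a Basic-auth .htaccess fragment and flags the pitfalls discussed above: an <IfModule mod_auth.c> wrapper that is false on Apache 2.2 and later (so the block is silently skipped), a Require placed inside <Limit GET POST>, missing directives, a left-over /path/to/ placeholder, and 2.2-only access-control syntax. Both inputs are constructed: the first is the older mod_auth.c and <Limit> form of the snippet, the second a corrected form with an assumed .htpasswd path.

```python
import re

# Constructed inputs: older mod_auth.c/<Limit GET POST> form of the snippet, and a corrected form (assumed path)
WEAK_HTACCESS = """# basic password protection
<IfModule mod_auth.c>
AuthUserFile /path/to/.htpasswd
AuthName "Extra username and password required"
AuthType Basic
<Limit GET POST>
Require valid-user
</Limit>
</IfModule>
"""

HARDENED_HTACCESS = """<IfModule mod_auth_basic.c>
AuthUserFile /home/example/logs/.htpasswd
AuthName "Extra username and password required"
AuthType Basic
Require valid-user
</IfModule>
"""

def lint_htaccess(text: str) -> list:
    """Return the pitfalls found in a Basic-auth .htaccess fragment ([] if none)."""
    # drop comments and blank lines so every directive starts a line
    cfg = "\n".join(ln.strip() for ln in text.splitlines()
                    if ln.strip() and not ln.strip().startswith("#"))
    findings = []
    # Apache 2.2+ ships Basic auth as mod_auth_basic: with mod_auth.c the IfModule test is false and the block is skipped
    if re.search(r"<IfModule\s+mod_auth\.c>", cfg, re.I):
        findings.append("IfModule mod_auth.c is false on Apache 2.2+: block is skipped")
    # a Require inside <Limit ...> only covers the listed methods
    if re.search(r"<Limit\b[^>]*>(?:(?!</Limit>).)*\bRequire\b", cfg, re.I | re.S):
        findings.append("Require inside <Limit>: unlisted HTTP methods are not challenged")
    # every Basic-auth block needs these four directives
    for d in ("AuthType", "AuthName", "AuthUserFile", "Require"):
        if not re.search(rf"^{d}\b", cfg, re.I | re.M):
            findings.append(f"missing {d} directive")
    # the /path/to/ placeholder must be replaced by the real absolute path
    m = re.search(r"^AuthUserFile\s+(\S+)", cfg, re.I | re.M)
    if m and ("/path/to/" in m.group(1) or not m.group(1).startswith("/")):
        findings.append("AuthUserFile is a placeholder or relative path")
    # Order/Deny/Allow/Satisfy are 2.2 syntax; Apache 2.4 needs mod_access_compat for them
    if re.search(r"^(Order|Allow from|Deny from|Satisfy)\b", cfg, re.I | re.M):
        findings.append("Apache 2.2 access syntax: needs mod_access_compat on 2.4")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_HTACCESS), ("hardened", HARDENED_HTACCESS)):
        print(name, lint_htaccess(cfg) or ["no known pitfalls"])
```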

Summary

Although the threat posed by cyber-criminals is real, using the few basic security techniques outlined in this article should reduce the risk of a successful brute-force attack.