As a website owner (in fact I host several sites), I constantly see these types of attacks on my servers. In this post, I look at a few ways to reduce the chance that someone gains unlawful access to your Joomla websites by way of brute-force attacks.
So, what is a brute-force attack?
Let’s see what Wikipedia says:
In cryptography, a brute-force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data (except for data encrypted in an information-theoretically secure manner). Such an attack might be used when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier. It consists of systematically checking all possible keys or passwords until the correct one is found. In the worst case, this would involve traversing the entire search space. When password guessing, this method is very fast when used to check all short passwords, but for longer passwords other methods such as the dictionary attack are used because of the time a brute-force search takes.
In short, a brute-force attack is an attempt to force its way into your website's administrator area by trying every combination of username and password it can come up with.
There are two main problems with this for you as a website owner. Obviously, it’s not good having people snoop around in your Joomla admin with super administrator rights. That’s a given. The other thing to be concerned about is the fact that such attacks eat up a lot of capacity on your server: every guess is a request your server has to process.
How to protect yourself from brute-force attacks
There are several things you can do to make life harder for those trying brute-force attacks. Longer and more complex usernames and passwords are one; blocking access to the site is another.
Strong usernames and passwords
You’ve heard it time and time again: Make sure you have strong passwords! Usernames are important, too.
I have made it a habit to never use ’admin’ or ’administrator’ or anything like it as usernames on my websites. I choose a unique username for each site.
When it comes to passwords, I always use 20 random alphanumeric characters or more, in a combination of lower and upper case, and with some symbols thrown in. And I never use a password for more than one website.
20 characters, you say? How on earth do you remember that?
Three words: Password Management Software.
Manage your passwords with ease
Using these tools, there is no problem managing hundreds, or even thousands, of passwords with ease. Just make sure you have a solid master password, and you might consider investing in a YubiKey for two-factor authentication with Joomla.
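To make the "20 random alphanumeric characters or more, with some symbols thrown in" advice concrete, here is an added example (not code from the original post) that generates such a password with a cryptographically secure random source and shows why length matters: the entropy of a uniformly random password is length multiplied by log2 of the alphabet size, and a brute-force search needs on average half the search space. The symbol set and the guess rate are assumptions for the example.

```python
import math
import secrets
import string

# Character classes the post recommends: lower case, upper case, digits and
# symbols. The symbol set below is an assumption for this example.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 87 characters


def has_all_classes(pw):
    """True if the password contains at least one character from every class."""
    return (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw))


def generate_password(length=20):
    """Return a random password of the given length drawn from ALPHABET.

    Uses the `secrets` module (a CSPRNG), never `random`, and redraws until all
    four character classes are present.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to cover all four classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_years_to_guess(length, guesses_per_second, alphabet_size=len(ALPHABET)):
    """Average time to hit the password by exhaustive search at a given rate
    (half the search space). The guess rate is whatever you assume for the
    attacker; the post's 25000 attempts per day is tiny next to this."""
    seconds = (alphabet_size ** length / 2) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{entropy_bits(20):.1f} bits")
    # Even at an assumed billion guesses per second, a 20-character password
    # from this alphabet takes astronomically long to exhaust.
    print(f"{expected_years_to_guess(20, 1e9):.3g} years at 1e9 guesses/s")
```

Compare the numbers for length 8 and length 20 to see why the post insists on 20 characters: every extra character multiplies the attacker's work by the alphabet size.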
Blocking access to the site
Another method of avoiding the perils of brute-force attacks is to restrict access to the website or server based on the attacker's IP address or IP range. There are several ways to do this:
- Using a Joomla extension
- Using .htaccess blocking
- Blocking the IPs in your firewall
I recommend AdminExcile as an excellent plugin for Joomla 2.5 or later. It lets you block IPs after a certain number of failed password attempts, and you can set how long the block stays in effect. This has proven very effective for me, as I’ve avoided some very nasty attacks.
I recently had an attack on a website where over 4000 machines tried to brute-force their way into a Joomla site. It didn’t succeed, and we managed to block the IPs permanently rather quickly. Another day, I had 25000 brute-force attempts on another website. That’s when I adjusted the AdminExcile plugin to block the perpetrators after fewer attempts and for a longer period of time. That definitely helped.
The main reason the attack didn’t succeed was strong passwords. AdminExcile, however, can prevent your site from going down by blocking the IPs after X failed attempts.
Using .htaccess blocking
On Apache servers, you can add IP addresses to your .htaccess file. This will prevent those IP addresses from even reaching your Joomla administrator page or any other page on your website.
Here’s a tool that makes it easy to create the snippets you need for your .htaccess file:
Deny from 203.0.113.32
(The address above is a placeholder from the documentation range; the original post's example address had an octet above 255, which Apache would not accept.)
Read more about using .htaccess to block visitors with various methods.
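Here is an added example (not code from the post, nor the AdminExcile plugin's own logic) that shows what "block the IP after X failed attempts within a time window, for Y hours" looks like when replayed over server logs, and then renders the .htaccess Deny lines from the section above. The log lines are constructed, and the classifier assumes that a POST to /administrator/index.php answered with HTTP 200 is a failed login while a 303 redirect is a success; verify that against your own server before trusting it on real logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" log format. 203.0.113.7 fails
# five times in a few seconds; 198.51.100.9 fails once and then succeeds.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2014:09:15:01 +0100] "POST /administrator/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2014:09:15:02 +0100] "POST /administrator/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2014:09:15:03 +0100] "POST /administrator/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2014:09:15:04 +0100] "POST /administrator/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2014:09:15:05 +0100] "POST /administrator/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2014:09:15:06 +0100] "POST /administrator/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2014:09:15:07 +0100] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2014:09:15:08 +0100] "GET /administrator/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


class LoginTracker:
    """Sliding-window lockout: an IP is blocked for `block_for` once it has
    `max_failures` failed logins inside `window`. These are the two knobs the
    post adjusts (fewer attempts, longer block)."""

    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 block_for=timedelta(hours=24)):
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> datetime the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Add a failure; drop failures older than the window; block if over limit."""
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self.blocked_until[ip] = now + self.block_for
            q.clear()
            return True
        return False

    def record_success(self, ip):
        """A successful login resets the failure counter for that IP."""
        self.failures.pop(ip, None)


def process_log(text, tracker):
    """Replay admin login attempts through the tracker; return blocked IPs."""
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != "/administrator/index.php":
            continue
        if status == 200:      # assumed: login form re-rendered -> failure
            tracker.record_failure(ip, ts)
        elif status == 303:    # assumed: redirect into the admin -> success
            tracker.record_success(ip)
    return set(tracker.blocked_until)


def htaccess_deny(ips):
    """Render Apache 2.2-style Deny lines for the blocked IPs."""
    return "\n".join(f"Deny from {ip}" for ip in sorted(ips))


if __name__ == "__main__":
    tracker = LoginTracker(max_failures=5)
    print(htaccess_deny(process_log(SAMPLE_LOG, tracker)))
```

Lowering max_failures or raising block_for is exactly the tuning described for the 25000-attempt day; note that a distributed attack from thousands of machines, as in the 4000-host case, gets only a handful of guesses per IP, which is why strong passwords remain the primary defence and the lockout mainly protects server capacity.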
Blocking the IPs in your firewall
If you’re on a dedicated server or your own network, blocking IP ranges on the firewall might be a good option. Be advised, though, that this may block some valid traffic to your site. For some sites, this won’t be a problem. If I have a local site that has no clients from outside my country, I can block IP addresses from a whole country if I so wish. It won’t affect my business. If your business is international, you need to consider this more carefully and pinpoint specific IP addresses or limited ranges.
To conclude, brute-force attacks are probably something we need to live with. There are, however, quite a few things you can do to limit the chance of someone succeeding with such an attack. The first thing you should do is increase the complexity of your admin passwords.