1
votes

For a couple of months, we've noticed brute force attack attempts at our website.

The attacker launches several login attempts from a wide range of IPs (maybe from a botnet) with multiple usernames and passwords. Some of the usernames do not exist in our database, some others do. So my guess is that they are trying with known pwned email accounts.

We need to prevent those attacks, because they raise the CPU usage on our database server. So, our options (after reading other answers) are:

  • Blocking accounts after X number of failed login attempts
  • Adding a captcha after X number of failed login attempts
  • Blocking IPs

However, I think that these options won't fix the issue, because they try with multiple usernames and IPs.

Our stack is a Debian server with Apache and PHP.

Is there any effective way to avoid this?
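The three options listed above each key on one dimension (account, IP) that a distributed attack rotates. One way to cover that case is to count failures on all three levels at once: per source IP, per username and site-wide, so that an attack spread across many IPs and many usernames still trips the global counter. The sketch below is an added example for a PHP stack like the one in the question; it is not code from the question, its comments or the answer. The `LoginThrottle` class, its limits, the in-memory storage and the sample addresses and usernames are all assumptions or constructed data. The check runs before any database query, so throttled attempts never reach the database.

```php
<?php
declare(strict_types=1);

// Hypothetical login throttle (added example, not from the original post).
// Failed logins are counted per source IP, per username and globally inside a
// sliding window. The global counter is what catches a distributed attack that
// rotates both IPs and usernames. Storage is an in-process array here; in
// production the same methods would sit on APCu or Redis so every PHP worker
// shares the counters. Requires PHP 8.0+ (constructor promotion, named args).
final class LoginThrottle
{
    /** @var array<string, int[]> counter key => list of failure timestamps */
    private array $failures = [];

    public function __construct(
        private int $window = 600,        // seconds a failure stays counted
        private int $perIpLimit = 10,     // failures per source IP before a CAPTCHA
        private int $perUserLimit = 5,    // failures per username before a CAPTCHA
        private int $globalLimit = 200,   // site-wide failures before everyone gets a CAPTCHA
        private int $hardLimitFactor = 3, // deny outright at limit * factor
    ) {}

    /** Record one failed attempt against all three counters. */
    public function recordFailure(string $ip, string $username, int $now): void
    {
        foreach (array_keys($this->limits($ip, $username)) as $key) {
            $this->failures[$key][] = $now;
        }
    }

    /**
     * On a successful login clear only the username counter: a success from an IP
     * is not evidence that the IP is benign (a stolen credential also "succeeds").
     */
    public function recordSuccess(string $username): void
    {
        unset($this->failures['user:' . strtolower($username)]);
    }

    /** Returns 'allow', 'challenge' (require a CAPTCHA) or 'deny'. Call before any DB query. */
    public function decide(string $ip, string $username, int $now): string
    {
        $verdict = 'allow';
        foreach ($this->limits($ip, $username) as $key => $limit) {
            $count = $this->countRecent($key, $now);
            if ($count >= $limit * $this->hardLimitFactor) {
                return 'deny';
            }
            if ($count >= $limit) {
                $verdict = 'challenge';
            }
        }
        return $verdict;
    }

    /** Map each counter key to its limit; username is normalised so case does not split counters. */
    private function limits(string $ip, string $username): array
    {
        return [
            'ip:' . $ip                    => $this->perIpLimit,
            'user:' . strtolower($username) => $this->perUserLimit,
            'global'                        => $this->globalLimit,
        ];
    }

    /** Drop timestamps that fell out of the window, then count what remains. */
    private function countRecent(string $key, int $now): int
    {
        if (!isset($this->failures[$key])) {
            return 0;
        }
        $this->failures[$key] = array_values(array_filter(
            $this->failures[$key],
            fn(int $t): bool => $t > $now - $this->window
        ));
        return count($this->failures[$key]);
    }
}

// Constructed demonstration: a distributed attack that rotates both IPs and
// usernames, so no per-IP or per-username limit is ever reached.
$throttle = new LoginThrottle(globalLimit: 20);
$t = 1_700_000_000;
for ($i = 0; $i < 25; $i++) {
    $ip   = '198.51.100.' . ($i % 30);   // documentation range, rotates addresses
    $user = "victim{$i}@example.com";    // each username tried only once
    $throttle->recordFailure($ip, $user, $t + $i);
}
// A fresh IP and username are still challenged because the global counter tripped.
echo 'next attempt: ', $throttle->decide('203.0.113.7', 'someone@example.com', $t + 30), PHP_EOL;
```

In this run neither the per-IP nor the per-username limit is reached, but the site-wide counter is, so the next attempt from a fresh IP and username gets a CAPTCHA rather than a database lookup. Tune `globalLimit` to the site's normal failed-login baseline; legitimate users still reach the form during an attack, they just have to solve the challenge, while the `deny` tier protects the database when the rate climbs well above that baseline.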

1
Playing whack-a-mole with IP addresses on the firewall is always fun :| - CD001
I guess it can be classed as unethical because you're technically supporting the leak database business, but many of them offer an API (premium cost). You could check your login details against what they are trying to determine how malicious a login attempt is. - IsThisJavascript
Your question might be better suited for security.se. - Script47

1 Answer

-1
votes

Try this article about login security; I think you should use a more secure login algorithm.

This article explains secure login algorithms and possible security threats, including brute-force attacks.