Brute Force Attack
Embed This Widget
Add the script tag and a data attribute to embed this widget.
Embed via iframe for maximum compatibility.
<iframe src="https://ipfyi.com/iframe/entity//" width="420" height="400" frameborder="0" style="border:0;border-radius:10px;max-width:100%" loading="lazy"></iframe>Paste this URL in WordPress, Medium, or any oEmbed-compatible platform.
https://ipfyi.com/entity//Add a dynamic SVG badge to your README or docs.
[](https://ipfyi.com/entity//)Use the native HTML custom element.
A brute force attack systematically tries every possible password, PIN, or key combination against an authentication endpoint until the correct one is found. Attackers automate this with tools like Hydra, Medusa, or Hashcat, often targeting SSH, RDP, FTP, and web login forms. Even with rate-limiting, distributed brute force campaigns spread attempts across thousands of IPs, making detection and blocking significantly harder.
High Severity
This threat is classified as high severity. Prioritize mitigation.
🔍Indicators
- Repeated failed authentication attempts from the same IP (dozens to thousands per minute)
- Failed logins followed by an eventual successful login from the same IP
- Sequential username enumeration attempts (
admin,administrator,root,user) - Connections to authentication ports (22, 3389, 21) with no prior port-scan pattern
- Auth logs flooded with
Failed password for invalid userorInvalid loginentries
🛡Detection Methods
SSH brute force in auth logs
# Count failed SSH attempts per IP
grep "Failed password" /var/log/auth.log | \
awk '{print $(NF-3)}' | sort | uniq -c | sort -rn | head -20
Fail2ban (SSH — most common deployment)
[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 5
findtime = 300
bantime = 3600
Web login brute force (Nginx rate-limit)
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
location /login {
limit_req zone=login burst=10 nodelay;
proxy_pass http://backend;
}
Suricata rule
alert tcp any any -> $HOME_NET 22 \
(msg:"BRUTE SSH login attempt"; flow:to_server,established; \
content:"SSH-"; threshold:type threshold, track by_src, count 5, seconds 60; \
sid:3000001;)
Real-time monitoring
# Watch failed SSH attempts live
tail -f /var/log/auth.log | grep --line-buffered "Failed password"
✅Mitigation
- Enforce account lockout policies — Lock accounts for 15–30 minutes after 5–10 failed attempts; apply to both OS and application-level auth.
- Require multi-factor authentication (MFA) — Even a compromised password cannot grant access without the second factor (TOTP, FIDO2, SMS OTP).
- Disable password authentication for SSH — Use public-key authentication only; set
PasswordAuthentication noin/etc/ssh/sshd_config. - Change default service ports — Move SSH off port 22 to a high, non-standard port (e.g., 2222) to eliminate automated script-kiddie scans.
- Deploy Fail2ban or CrowdSec — Automatically ban IPs after repeated failures across SSH, HTTP, and other services.
- Use CAPTCHA on web login forms — Google reCAPTCHA v3 or hCaptcha adds a bot-detection layer with minimal user friction.
- Implement IP allowlisting for admin access — Restrict RDP (3389) and admin panels to specific IP ranges via firewall rules.
- Monitor and alert on failed logins — Configure SIEM alerts for >10 failed logins from any single IP within 5 minutes.
📋Real-World Examples
2016 — GitHub brute force attack: In 2016, GitHub suffered a credential brute force attack where attackers tested 40,000 unique IP addresses against accounts using passwords from previous breach dumps. The distributed nature evaded per-IP rate limiting. GitHub responded with global rate limiting and breach-password blocklists.
2020 — Citrix CVE-2019-19781 exploitation via brute force: After exploiting the Citrix path traversal, attackers brute-forced internal Active Directory credentials using Citrix ADC as a pivot. The attack affected hundreds of organisations including UK NHS trusts, demonstrating how brute force compounds other vulnerabilities.