Answer the question
In order to leave comments, you need to log in
How to effectively protect against brute force on a VPS server?
Let's say there is a web page my-server.com/login that accepts login & password parameters.
Attacker
1) Creates an automated script where it executes requests to my-server.com/login in a loop, substituting values.
2) To bypass fail2ban uses a proxy.
Questions: 1) To protect against DDoS, is it enough to reduce the frequency of requests
at the nginx web server level ?
2) Is there any generally accepted practice of protecting scripts from brute force on a VPS server? There is too much ambiguous information on the Internet regarding common practice.
Answer the question
In order to leave comments, you need to log in
In my opinion, you need to make the web client do some work, for example, set a cookie and see that it has presented it, using client-side javascript, perform simple calculations, but not predictable calculations that it should present.
Brute-force probably goes in relation to a specific account, you can increase the response time for each unsuccessful attempt in order to drastically reduce the rate of enumeration.
It is possible to start showing CAPTCHA in case such problems are detected.
It is possible to block an account in case of N unsuccessful attempts in a period of time.
Take as an example the logic of PIN codes of bank cards - 3 unsuccessful attempts - blocking the card. Therefore, even a very simple 4-digit PIN code becomes an unselectable brute force.
There are various practices for the approximate deanonymization of the web client, which will allow you to establish that the same web client is coming from different addresses.
You can limit the flow of requests using nginx.
https://www.geekytuts.net/shell-tricks/wordpress-b...
https://medium.com/@bhagyak.ksr/traffic-shaping-wi...
https://www.nginx.com /blog/rate-limiting-nginx/
It may even be possible to take into account the frequency of the 403 error code in a period of time per given path from one client.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question