Password Cracking

Last updated: 2024-08-13 16:29:49
    This document describes how to configure and use the password cracking monitoring feature to enhance system security.

    Overview

    CWPP password cracking, built on Tencent Cloud's network security defense and host intrusion detection capabilities, monitors password cracking behavior against hosts in real time, provides an automatic blocking feature, and supports alarm querying, filtering, deletion, and batch export.

    Restrictions

    Monitoring scope: Monitors Basic/Pro/Ultimate Edition hosts (Linux and Windows systems) for log-in behavior over the SSH and RDP protocols.
    Detection rules and blocking mode: The judgment rules and the blocking scope for password cracking behavior differ between protection versions. See the table below.
    CWPP Protection Versions / Detection Rules / Blocking Mode
    Basic Edition
    Detection rules:
    Intelligence rules: Based on Tencent's security threat intelligence database, a blocklist of IPs is maintained. When the log-in source IP matches a blocklisted IP, the behavior is identified as password cracking.
    Detection rules: When any of the following log-in rules is hit, the behavior is identified as password cracking.
    
    Note:
    The default detection rules for the Basic Edition are only the three shown above. Addition and modification are not supported.
    If the paid Edition expires and reverts to the Basic Edition, the previously set detection rules remain effective, but addition and modification are not supported.
    Blocking mode:
    Basic blocking refers to blocking password cracking activities only from IPs listed in threat intelligence blocklists. The default blocking duration is 5 minutes.
    Note:
    If the paid Edition expires and reverts to the Basic Edition, the blocking mode automatically switches to basic blocking.
    Pro Edition/Ultimate Edition
    Detection rules: Includes the above intelligence and detection rules. (Detection rules support addition and modification.)
    Blocking mode:
    Advanced blocking refers to using Tencent's security database to block both blocklisted IPs and password cracking activities that match detection rules.
    iptables rules: After blocking is enabled, when password cracking activities are detected on the host, the source IP is automatically added to the host's iptables rules.

    Password Cracking Settings

    1. Log in to the CWPP console. In the left sidebar, choose Intrusion Detection > Password Cracking.
    
    2. Click Set to configure the judgment and blocking rules for password cracking activities.
    
    3. After everything is confirmed, click Save.

    Configuring Allowlists

    After an allowlist is configured, password cracking behavior from a source IP in the allowlist is neither blocked nor alarmed. Follow these steps:
    1. Log in to the CWPP console. In the left sidebar, choose Intrusion Detection > Password Cracking.
    2. On the password cracking page, click Allowlist Policies > Add Allowlist.
    
    3. On the add to allowlist page, enter the source IP and effective range, and then click OK.
    Note
    Once a source IP is added to the allowlist, password cracking behavior from that source IP will not be blocked or alarmed. Proceed with caution. If a non-allowlisted source IP attempts to log in and triggers the brute-force cracking rules, the system will automatically issue an abnormal alarm or block it.
    
    Parameter Description:
    Source IP: You can enter a single IP, an IP range (e.g., 1.1.1.1-1.1.1.10), or an IP segment (e.g., 1.1.1.0/24).
    Validity Range:
    All servers (choose with caution): Applies the allowlist trust condition to all servers under the user's AppID.
    Custom range: Lets you choose the servers to which the allowlist trust condition is applied.
    Notes: Entering remarks that describe the rule is recommended.
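The detection-and-blocking flow described in the table above and the three allowlist formats (single IP, IP range, IP segment) from the parameter description, as an added example that is not part of this page or of CWPP itself. It counts failed SSH log-ins per source IP from a constructed sshd log excerpt, exempts allowlisted sources, and emits the iptables DROP rule a block would install; the attempt threshold and the 300-second block duration are assumptions, and removing the rule when the block expires is left to the caller.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sshd log excerpt (sample data, not from the page or from CWPP).
SAMPLE_LOG = """\
Aug 13 16:20:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51822 ssh2
Aug 13 16:20:03 host sshd[1201]: Failed password for root from 203.0.113.7 port 51823 ssh2
Aug 13 16:20:05 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51824 ssh2
Aug 13 16:21:00 host sshd[1204]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Aug 13 16:21:30 host sshd[1205]: Failed password for ops from 192.0.2.9 port 41000 ssh2
Aug 13 16:21:31 host sshd[1205]: Failed password for ops from 192.0.2.9 port 41001 ssh2
Aug 13 16:21:32 host sshd[1205]: Failed password for ops from 192.0.2.9 port 41002 ssh2
"""
# Constructed allowlist using two of the accepted formats: IP segment (CIDR) and IP range.
ALLOWLIST = ["198.51.100.0/24", "192.0.2.1-192.0.2.10"]
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)")

def in_allowlist(ip, entries):
    """True if ip matches any entry: single IP, IP range (a-b) or IP segment (CIDR)."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if "-" in entry:  # IP range: inclusive on both ends
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):  # CIDR, or a bare IP as /32
            return True
    return False

def failed_attempts(log_text):
    """Count failed password log-ins per source IP; this is the detection rule's input."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)

def block_rules(counts, allowlist, threshold=3, block_seconds=300):
    """Return one block record per non-allowlisted source at or above the threshold.
    threshold and block_seconds are assumed values, not CWPP's configured rules."""
    rules = []
    for ip, n in sorted(counts.items()):
        if n >= threshold and not in_allowlist(ip, allowlist):
            rules.append({"ip": ip, "attempts": n, "block_seconds": block_seconds,
                          "rule": f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"})
    return rules
```

Running `block_rules(failed_attempts(SAMPLE_LOG), ALLOWLIST)` blocks only 203.0.113.7: 192.0.2.9 also reaches the threshold but falls inside the allowlisted range, and 198.51.100.20 is both allowlisted and below the threshold.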

    Viewing Password Cracking Events

    Log in to the CWPP console. In the left sidebar, choose Intrusion Detection > Password Cracking to enter the password cracking page. All brute-force cracking events will be displayed in the password cracking list.
    
    Field Description:
    Server IP/Name: The server currently being brute-force cracked.
    Source IP: Source IP address of the attack.
    Origin: The region where the source IP of the attack is located.
    Protocol: The protocol used by the attacker, including SSH/RDP.
    Log-in Username: The username used by the attacker to log in.
    Port: The port used by the attacker to log in.
    First Attack Time: The time CWPP first detected password cracking behavior.
    Latest Attack Time: The most recent time the event recurred.
    Attack Time: The time the attacker initiated the brute-force crack.
    Number of Attempts: The number of times the attack IP attempted brute-force attacks.
    Cracking Status: Whether the brute-force attack on the current server succeeded or failed.
    Blocking Status: Whether automatic blocking of the attack succeeded or failed.
    Operations:
    Upgrading Version: The current server is eligible for upgrading to CWPP Pro Edition. You can click Upgrading Version to upgrade.
    Add to Allowlist: If a source IP was blocked by mistake, click Add to Allowlist to unblock it immediately.
    Delete the Record: You can delete the event record, and it will no longer be displayed.

    Enabling Alarm Notifications

    Log in to the CWPP console. In the left sidebar, choose Settings > Alarm Settings. In alarm settings, enable the Alarm Notification Switch. When a password cracking event occurs, notifications will be sent via message center, SMS, email, WeChat, and WeCom.
    

    Alert Handling

    1. When a password cracking event alarm is received, log in to the CWPP console. In the left sidebar, choose Intrusion Detection > Password Cracking.
    2. On the alarm list page, view the attack source IP in the corresponding alarm event.
    If it is confirmed to be a trusted source IP, click Process > Add to allowlist in the operation column on the right side of the event, and set the allowlist conditions and effective range (proceed with caution when adding to the allowlist). Once the configuration succeeds, it takes effect within 5 minutes. Subsequent password cracking activities from this source IP will no longer trigger alarms or be blocked.
    
    If it is confirmed to be an untrusted source IP and the server has been successfully password cracked by the attacker, proceed as follows:
    2.1.1 First, confirm whether the current server's CWPP has been upgraded to Pro Edition or Ultimate Edition. If not, it is recommended that the user click Upgrading Version in the operation column on the right side of the event to upgrade to Pro Edition or Ultimate Edition CWPP.
    2.1.2 At the top of the alarm list, enable the automatic block switch. It is recommended to choose the Standard Blocking mode. Future attacks from the source IP will be automatically blocked for a default duration of 15 minutes. Users can define the duration as needed.
    2.1.3 For servers that have been intruded by password cracking, it is recommended that users immediately set a complex password (12-16 characters consisting of uppercase letters, lowercase letters, special characters, and numbers). Check if there are any unknown accounts in the account list, and delete or disable unknown accounts. At the same time, check for system anomalies.