How to protect against Brute-Force attacks

Updated over a month ago

Brute-force attacks are among the oldest methods in a hacker's playbook — and they remain surprisingly effective. The concept is straightforward: attempt enough password combinations, and eventually one may succeed.

Here is how to approach it the right way.

Prioritize a strong and unique password

Your first layer of protection is making passwords difficult to guess from the start.

  • Enforce long passwords — length is far more important than arbitrary complexity rules. Set a minimum of 12–16 characters for regular users and 20+ characters for administrative accounts.

  • Prevent the use of common or previously compromised passwords.

When passwords are strong, the time and resources needed for a successful brute-force attack increase significantly — especially when paired with proper hashing (which we'll cover next).

Apply rate limiting and progressive friction

Brute-force attacks depend on speed — so the key is to slow attackers down.

Put rate limits in place at multiple levels, such as:

  • IP address

  • User account

A practical model might look like this:

Avoid permanent lockouts triggered solely by failed attempts. Otherwise, attackers could intentionally lock legitimate users out and create denial-of-service problems. Temporary, escalating restrictions are far more effective.
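As an added illustration of temporary, escalating restrictions applied at both the IP and the account level (example code written for this page, not the article's own model; the thresholds, window and lock durations are assumed values):

```python
import time
from collections import defaultdict

# Assumed policy (not from the article): after FREE_ATTEMPTS failures within
# WINDOW seconds, each further failure sets a temporary lock of
# BASE_LOCK * 2**excess seconds, capped at MAX_LOCK. No permanent lockout.
FREE_ATTEMPTS = 5
WINDOW = 900
BASE_LOCK = 30
MAX_LOCK = 3600


class ProgressiveLimiter:
    """Tracks recent failures per key (an IP or an account) and applies escalating locks."""

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock, handy for testing
        self.failures = defaultdict(list)   # key -> timestamps of failures inside WINDOW
        self.locked_until = {}              # key -> unix time the temporary lock expires

    def retry_after(self, key):
        """Seconds the key must wait before another attempt; 0 when not locked."""
        return max(0, self.locked_until.get(key, 0) - self.now())

    def record_failure(self, key):
        """Register a failure; returns the lock length applied (0 while under the free budget)."""
        t = self.now()
        self.failures[key] = [ts for ts in self.failures[key] if t - ts < WINDOW]
        self.failures[key].append(t)
        excess = len(self.failures[key]) - FREE_ATTEMPTS
        if excess < 0:
            return 0
        lock = min(BASE_LOCK * 2 ** excess, MAX_LOCK)   # 30s, 60s, 120s, ... up to 1h
        self.locked_until[key] = t + lock
        return lock

    def clear(self, key):
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


def check_login(limiter, ip, username, password_ok):
    """Two-level check; returns (allowed, seconds_to_wait)."""
    ip_key, user_key = "ip:" + ip, "user:" + username
    wait = max(limiter.retry_after(ip_key), limiter.retry_after(user_key))
    if wait > 0:
        return False, wait                  # refuse even a correct password while locked
    if password_ok:
        limiter.clear(user_key)             # only the account resets; the IP budget is kept
        return True, 0
    return False, max(limiter.record_failure(ip_key), limiter.record_failure(user_key))
```

Because locks expire and counters age out of the window, a legitimate user is delayed rather than locked out for good, while an IP spraying many accounts keeps accumulating failures even when one guess succeeds.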

Monitor logs and alert

Make sure to log:

  • Failed login attempts

  • Successful logins that occur after multiple failures

  • Suspicious patterns, such as one IP targeting many accounts or one account being targeted from multiple IPs

Set up alerts for:

  • Sudden spikes in authentication failures

  • Repeated attempts against administrative accounts

  • Unusual geographic locations or unfamiliar device activity

When you have proper visibility, brute-force attempts stop being background noise and become actionable security events.

SSH and Server Access

  • Disable password authentication whenever possible and use SSH keys only.

  • Deploy tools like Fail2ban to block repeated failures.

  • Restrict SSH access to VPNs or trusted IP ranges.

  • Disable root login and use privilege escalation (sudo) instead.

Changing the default SSH port may reduce noise, but it is not real security.

Conclusion

Protecting against brute-force attacks isn't about a single control. It's about layering defenses:

  • Strong passwords

  • Rate limiting

  • Secure hashing

  • Monitoring and alerting

When properly combined, these measures make brute-force attacks slow, noisy, and economically unattractive — which is exactly the goal.