The content of this page has been automatically translated by AI. If you encounter any problems while reading, you can view the corresponding content in Chinese.

Password Cracking

Last updated: 2025-08-07 18:06:11

This document will introduce how to configure and use the Anti-Password Cracking feature to enhance system security.

Overview

CWPP's Anti-Password Cracking feature provides real-time monitoring of password cracking activities for servers, enabling automatic blocking based on Tencent Cloud's network security defense and host intrusion detection capabilities. It also supports alarm query, filter, delete, and batch export operations.

Restrictions

Monitoring Range: Monitors login activities via SSH protocol/RDP protocol on hosts (Linux and Windows systems) with Basic/Professional/Flagship protection editions.
Detection Rules and Blocking Modes: Different protection editions have different judgment rules and blocking ranges for password cracking activities. See the table below.
Host Security Protection Version
Detection Rules
Blocking Mode
Basic or Platinum Edition
Intelligence Rules: Based on the Tencent security threat intelligence database, Black IPs are recommended. When a corresponding Black IP is hit, it will be determined as a password cracking activity.
Detection Rules: When any of the following login rules are hit, it will be determined as a password cracking activity. The default rules are shown in the figure below, supporting add and modification.

Basic Blocking: Only blocks password cracking activities from blocklisted IPs based on threat intelligence.
Professional Version/flagship edition
Blocking Mode supports alternative options
Basic Blocking: Only blocks password cracking activities from Black IPs based on threat intelligence.
Advanced Blocking: Blocks password cracking activities from Black IPs and hits detection rules in combination with the Tencent security library.
Note:
If the paid edition expires and reverts to the basic version, the blocking mode will automatically switch to basic blocking.
iptable Rules: After enabling blocking, when password cracking activities are detected on the host, the source IP will be automatically added to the iptables rules.

Password Cracking Settings

1. Log in to the CWPP Console, and select Intrusion Detection > Anti-Password Cracking from the left sidebar.

2. Click Settings to set the determining rules and blocking rules for password cracking behavior.

3. After confirming everything is correct, click Save.

Configuring the Allowlist

After configuring the allowlist, password cracking behavior from allowlist source IPs will not be blocked or alarmed. The steps are as follows:
1. Log in to the CWPP Console, and select Intrusion Detection > Anti-Password Cracking from the left sidebar.
2. On the Anti-Password Cracking page, click Allowlist Management to enter the Allowlist Management page.
3. On the Allowlist Management page, click Adding to the allowlist to enter the create allowlist page.

4. On the Add Allowlist page, fill in the source IP and effective scope.
Note
After adding to the allowlist, the password cracking behavior from that source IP will not be blocked or alarmed. Please proceed with caution. If a non-allowlist source IP attempts to log in and triggers the brute force cracking rule, the system will automatically issue an abnormal alarm or block the attempt.

Parameter description:
Source IP: You can enter a single IP, an IP range (such as 1.1.1.1-1.1.1.10), or an IP range (such as 1.1.1.0/24).
Effective scope:
All servers (Select with caution): Adds the allowlist condition to all servers under the user's AppID.
Custom server range: Custom select the server range to add the trusted allowlist condition.
Remarks: It is recommended to enter relevant rule remarks.

Viewing Password Cracking Events

Log in to the CWPP Console, choose Intrusion Detection > Anti-Password Cracking on the left sidebar to enter the Anti-Password Cracking page. All brute force cracking events will be displayed in the brute force cracking list.

Field Descriptions:
Server IP/Name: The server currently under brute force cracking.
Source IP: Source IP address of the attack.
Origin: The region where the source IP of the attack is located.
Protocol: The protocol used by the attacker, including SSH/RDP.
Login username: The username used by the attacker to log in.
Port: The port used by the attacker to log in.
First attack time: The time when the host security first monitored the password cracking behavior.
Most recent attack time: The time when the event last occurred.
Attack time: The time when the attacker initiated the brute force cracking.
Number of attempts: The number of brute force cracking attempts by the attack IP.
Cracking Status: Indicates whether the current server has been successfully brute force cracked or not.
Blocking Status: Whether the auto blocking of the attack is successful.
Operations:
Upgrading Version: The current server can be upgraded to CWPP Pro. You can click Upgrade Version to upgrade to the professional version of Host Security.
Adding to the allowlist: In case of an erroneous block, you can click Add to Allowlist to immediately unblock.
Delete Record: You can delete the event. Once deleted, the record will no longer be displayed.

Enabling Alarm Notification

Log in to the CWPP Console, choose Settings Center > Alarm Settings on the left sidebar. In Alarm Settings, enable the alarm notification switch. When a password cracking event occurs, notifications will be sent via Message Center, SMS, mail, WeChat, and WeCom.


Alarm Handling

1. When users receive a password cracking alert, log in to the CWPP Console, and select Intrusion Detection > Anti-Password Cracking from the left sidebar.
2. View the corresponding attack source IP in the alert event list.
If confirmed as a Trusted Source IP, the user needs to click Process > Add to Allowlist in the operation column on the right side of the event, set the allowlist condition and effective scope (please add to the allowlist with caution). Once configured, it will take effect within 5 minutes, and subsequent password cracking attempts from this source IP will no longer trigger alarms or blocks.

If confirmed as an untrusted source IP and the server has been successfully password cracked by the attacker.
2.1.1 First, confirm whether the current server's host security has been upgraded to the Professional Version or Flagship Edition. If not, it is recommended that users click Upgrade Version in the action column on the right side of the event to upgrade to the Professional Version or Flagship Edition of host security.

2.1.2 At the top of the Anti-Password Cracking page, turn on the automatic blocking switch , and it is recommended to choose the standard blocking mode. Subsequent attacks from the source IP will be automatically blocked. The default blocking duration is 15 minutes, and users can customize the duration as needed.
2.1.3 For servers that have been intruded by password cracking, it is recommended that users immediately reset a complex password (12-16 characters consisting of uppercase, lowercase, special characters, and numbers), and check the account list for unfamiliar accounts. If unfamiliar accounts are found, they should be deleted or disabled, and system exceptions should be investigated.