Implementing account lockouts is one of the most effective ways to stop brute-force tools like Hydra. Since Hydra relies on making thousands of guesses per minute, a lockout policy that triggers after 3 or 5 tries makes the attack practically impossible.
Here are the common ways to implement it depending on the environment:
1. Web Application Level (e.g., Python/Flask or Node.js)
If you are building a website, you track failed attempts in your database for each user account.
- Database Fields: Add `failed_attempts` (integer) and `lockout_until` (timestamp).
- Logic:
  - Every time a login fails, increment `failed_attempts`.
  - If `failed_attempts >= 5`, set `lockout_until` to 15 minutes in the future.
  - On every login attempt, first check if `currentTime < lockout_until`. If it is, reject the login immediately without even checking the password.
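As an added example (not code from the original page), here is the lockout logic from section 1 written in Python, with an in-memory dict standing in for the database rows. `verify_password` is a hypothetical stub, and the current time is passed in as `now` so the 15-minute window can be exercised without waiting.

```python
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 5                    # lock the account after 5 bad guesses
LOCKOUT_DURATION = timedelta(minutes=15)   # ... for 15 minutes

# Constructed stand-in for the users table: the two fields from the text
# (failed_attempts, lockout_until) plus the stored credential.
USERS = {
    "alice": {"password": "correct horse", "failed_attempts": 0, "lockout_until": None},
}

def verify_password(stored: str, supplied: str) -> bool:
    """Hypothetical stand-in for a real password-hash comparison."""
    return stored == supplied

def attempt_login(username: str, password: str, now: datetime) -> str:
    """Return 'ok', 'bad_credentials' or 'locked' and update the user's counters."""
    user = USERS.get(username)
    if user is None:
        return "bad_credentials"   # same answer as a wrong password, so usernames are not confirmed
    # Step 1: check the lockout window before touching the password at all.
    until = user["lockout_until"]
    if until is not None and now < until:
        return "locked"
    # Step 2: verify the password; success clears the counters.
    if verify_password(user["password"], password):
        user["failed_attempts"] = 0
        user["lockout_until"] = None
        return "ok"
    # Step 3: failure; increment and lock once the threshold is reached.
    # The counter is not reset on lock, so one more failure after the window
    # expires locks the account again immediately.
    user["failed_attempts"] += 1
    if user["failed_attempts"] >= MAX_FAILED_ATTEMPTS:
        user["lockout_until"] = now + LOCKOUT_DURATION
    return "bad_credentials"

def demo() -> list:
    """Five wrong guesses one second apart, then the correct password during
    and after the 15-minute window. Returns the outcomes in order."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    results = [attempt_login("alice", "wrong", t0 + timedelta(seconds=i)) for i in range(5)]
    results.append(attempt_login("alice", "correct horse", t0 + timedelta(minutes=1)))   # still locked
    results.append(attempt_login("alice", "correct horse", t0 + timedelta(minutes=16)))  # window expired
    return results
```

Because the lock is keyed on the account, anyone who knows a username can trigger it; the per-IP blocking in section 2 and the soft throttling in section 4 are the usual complements.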
2. Linux System Level (SSH/Terminal)
If you want to protect your Linux server from Hydra attacking via SSH, you use a tool called Fail2Ban.
- How it works: Fail2Ban monitors system logs (like `/var/log/auth.log`).
- Action: If it sees a specific number of "Login failed" messages from the same IP address within a short time, it automatically updates the system firewall (iptables) to block that IP address entirely for a set duration.
3. Using CAPTCHAs
While not a "lockout," many sites implement a CAPTCHA (like Google's reCAPTCHA) after 2 or 3 failed attempts.
- Why it works: Tools like Hydra are automated scripts. They cannot easily solve the "click all the buses" puzzles, effectively stopping the automated attack without completely locking out a real human user who just forgot their password.
4. Rate Limiting (The "Soft" Lockout)
Instead of a hard lock, you can implement throttling.
- Example: After 3 failures, make the server wait 5 seconds before responding. After 10 failures, wait 30 seconds. This "slows down" the attacker so much that cracking a password would take decades instead of minutes.
In this lab, since the target "Invalid" message never changed and the server never stopped responding, Hydra was able to run at full speed!