Security – standard method of proving password security to non-mathematicians

brute-force-attacks, hacking, password, Security

My client has a server that is being subjected to brute-force login attempts from a botnet. Due to the vagaries of the server and the client's client, we can't easily block the attempts through a firewall, port change, or login account name change.

The decision has been made to leave it open to attack, but find a method of keeping the password secure. Management and some of the other consultants have determined that the best thing to do is to install password rotation software to rotate the password every ten minutes and provide the new password to users that need to log in.

The brute force attempts are occurring twice every second.

I need to demonstrate that implementing a strong password with 12-15 characters is an easier and free solution. I know how to prove this with math, but I'd just be writing something like "there are x many possible permutations of our password, and the attacker can only try n attempts per day, thus we'd expect them to go x/2n days on average before they guess our password." Is there a more standard "proof" of this?

Best Answer

Using fail2ban with iptables is a great way.

Here is the math for you:

Mixed upper and lower case alphabet and common symbols, 8 characters long, gives you 2.9 quadrillion combinations and with 10,000 attempts a second will take 9,488 years. That's the maximum of course - expect your password to be cracked in 4000 years. 1000 years if you're not feeling lucky.

As you can see you shouldn't have any issues if you do a 15 character password like:

dJ&3${bs2ujc"qX
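The question asks for a standard way to present the keyspace-versus-attempt-rate argument, and the answer gives worked numbers for an 8-character password. The script below is an added example (not code from the question or the answer) that carries that calculation through for any character set size, password length and attempt rate, and also computes the probability that the observed attack rate exhausts a meaningful fraction of the keyspace inside a given window, which is the figure to put beside the proposed ten-minute rotation. It assumes a 95-character printable-ASCII alphabet (26 lower, 26 upper, 10 digits, 33 symbols), uniformly random passwords, and 365-day years; all of those are assumptions made here, not figures from the page.

```python
from fractions import Fraction

# Assumed alphabet: printable ASCII without space (constructed, not from the page)
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
FULL_ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 95 characters

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from the alphabet."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int, attempts_per_second: int) -> Fraction:
    """Time to enumerate the whole keyspace at the given rate (exact, no rounding)."""
    return Fraction(keyspace(charset_size, length), attempts_per_second)


def expected_seconds(charset_size: int, length: int, attempts_per_second: int) -> Fraction:
    """Expected time to hit a uniformly random password: on average half the keyspace
    is searched before the right guess, i.e. the x / 2n figure from the question."""
    return worst_case_seconds(charset_size, length, attempts_per_second) / 2


def expected_days(charset_size: int, length: int, attempts_per_second: int) -> Fraction:
    return expected_seconds(charset_size, length, attempts_per_second) / SECONDS_PER_DAY


def expected_years(charset_size: int, length: int, attempts_per_second: int) -> Fraction:
    return expected_seconds(charset_size, length, attempts_per_second) / SECONDS_PER_YEAR


def probability_within(charset_size: int, length: int,
                       attempts_per_second: int, window_seconds: int) -> Fraction:
    """Probability that a uniformly random password is guessed within `window_seconds`.

    Each distinct guess covers 1 / keyspace of the probability mass, so after g guesses the
    chance of success is g / keyspace, capped at 1 once the keyspace is exhausted.
    """
    guesses = attempts_per_second * window_seconds
    space = keyspace(charset_size, length)
    return Fraction(min(guesses, space), space)


def report(attempts_per_second: int, lengths=(8, 12, 15), window_seconds: int = 600) -> None:
    """Print a table comparing password lengths at one attack rate."""
    print(f"attack rate: {attempts_per_second} guesses/s, alphabet size: {FULL_ALPHABET}")
    print(f"{'len':>4} {'keyspace':>24} {'expected years':>18} {'P(guess in window)':>22}")
    for n in lengths:
        years = float(expected_years(FULL_ALPHABET, n, attempts_per_second))
        p = float(probability_within(FULL_ALPHABET, n, attempts_per_second, window_seconds))
        print(f"{n:>4} {keyspace(FULL_ALPHABET, n):>24,} {years:>18.3e} {p:>22.3e}")


if __name__ == "__main__":
    # The rate observed in the question, and the higher rate assumed in the answer
    report(attempts_per_second=2)
    report(attempts_per_second=10_000)
```

Run it and read the last column: at the observed two guesses per second, the chance that the botnet lands on a random 8-character password inside any given ten-minute window is 1200 divided by 95^8, so rotating the password every ten minutes does nothing measurable that the password length does not already do, while the 12- and 15-character rows show the expected-time argument with the exact fractions rather than rounded figures. Unlike the answer's worked numbers, the functions here are not tied to one length or one rate, so the same table can be re-run for whatever alphabet and rate the consultants want to argue about.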