Password Guessing Attack Protection

Protect against password guessing attacks by temporarily blocking IP addresses after multiple authentication failures.

Overview

The password guessing attack protection feature is a countermeasure against attackers who attempt to discover users' login/authentication credentials for VisualSVN Server by systematically trying out a large number of different username and password combinations. Such attacks make lots of repeated login attempts to the server over the network and are usually automated. Depending on the exact technique, such attacks are also known as brute-force or dictionary attacks.

When password guessing attack protection is enabled in the settings of VisualSVN Server, the server detects if any particular IP addresses send too many authentication requests with invalid login credentials within a short period of time, and temporarily blocks further requests from these offending IP addresses.

A must-have security feature for publicly accessible servers

If your server is made publicly accessible on the Internet, then protection against password guessing attacks is a must-have security feature. Without this protection, brute-force or dictionary attacks can compromise the account passwords that are used for authenticating to the server.

Support for multiple authentication modes

The password guessing attack protection functionality is available in both the Subversion authentication mode and the Windows authentication mode. In the Windows authentication mode this protection is relevant only if Basic authentication is enabled.

IPv6 support

The password guessing attack protection feature works for both IPv4 and IPv6 connections. If the offending source IP address is an IPv6 address, then VisualSVN Server temporarily blocks requests from the entire /64 subnet that the offending IPv6 address belongs to.
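The blocking behaviour described above can be sketched as follows. This is an added example, not VisualSVN Server's code: the thresholds, the `GuessingGuard` class, the `block_key` helper and the handling of IPv4-mapped addresses are assumptions made for illustration, since the page does not state them.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed policy values; the page does not state the server's real thresholds.
MAX_FAILURES = 5       # failures tolerated inside the window
WINDOW_SECONDS = 60    # the "short period of time"
BLOCK_SECONDS = 300    # length of the temporary block


def block_key(client_ip: str) -> str:
    """Unit that gets blocked: one IPv4 address, or the whole /64 for IPv6."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 4:
        return str(addr)
    if addr.ipv4_mapped is not None:
        # Assumption of this example: treat ::ffff:a.b.c.d as the IPv4 client it
        # is, otherwise one /64 block would cover every IPv4-mapped address.
        return str(addr.ipv4_mapped)
    return str(ipaddress.IPv6Network((int(addr), 64), strict=False))


class GuessingGuard:
    def __init__(self):
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._blocked_until = {}             # key -> time at which the block expires

    def is_blocked(self, client_ip: str, now: float) -> bool:
        key = block_key(client_ip)
        until = self._blocked_until.get(key)
        if until is not None and now >= until:
            del self._blocked_until[key]     # temporary block has expired
            return False
        return until is not None

    def record_failure(self, client_ip: str, now: float) -> bool:
        """Record one failed login; return True if it triggers a block."""
        key = block_key(client_ip)
        recent = self._failures[key]
        recent.append(now)
        while now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                 # forget failures outside the window
        if len(recent) > MAX_FAILURES:
            self._blocked_until[key] = now + BLOCK_SECONDS
            recent.clear()
            return True
        return False
```

Keying IPv6 clients by /64 means failures from different addresses in the same subnet count together, so rotating through addresses inside one delegated prefix does not reset the counter.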

Logging

The protection feature is integrated with the logging system of VisualSVN Server, which allows the administrator to monitor and audit the blocking of IP addresses.

Licensing and evaluation

Password guessing attack protection is available with all paid VisualSVN Server licenses, starting from the Essential license.

Licensing is described in detail in the article KB220: VisualSVN Server 5.2 Licensing Overview. You can also find information about all available VisualSVN Server licensing options on the Pricing page.

Getting started with password guessing attack protection

To get started with password guessing attack protection, enable it on the Authentication tab in the server properties dialog in VisualSVN Server Manager.

For more detailed instructions, see the article KB217: Understanding password guessing attack protection in VisualSVN Server.