protect brute force attack mod security
The login service of my application is being attacked by brute-force login and password enumeration. I want to use Apache mod_security to stop these attempts, but the rule I put in place is not successful:
# Initialize IP collection with user's IP address
SecAction "initcol:ip=%{REMOTE_ADDR},pass,nolog"
# Detect failed login attempts
SecRule RESPONSE_BODY "password is invalid|username is invalid" "phase:4,pass,setvar:ip.failed_logins=+1,expirevar:ip.failed_logins=60"
# Block subsequent login attempts
SecRule IP:FAILED_LOGINS "@gt 3" deny
When testing with POST requests I still get the response "password & username is invalid".
How can the rules above be changed to stop repeated login attempts?
Comments
Why? It makes very little sense to address abuse at the service level. If a network is attacking you via HTTP, there's no reason to expect it won't also come after you via SMTP or SSH or anything else. Just drop them into the firewall. If you want to automate it based on some rules, use something like fail2ban.
You can also use csf/lfd.
@vpsrus:
No, I just want to limit the login link to avoid password scanning. CSF/LFD is only effective against DDoS attacks.
@impossiblystupid:
I'm trying to make it so that a wrong password or username more than 3 times locks it for 15 minutes. Even by IP.
Why don't you give mod_qos a go? What version of Apache are you using?
You want to protect your users' logins to your website when they fail too many attempts? If yes, then you have to configure it at your software level, not in Mod_Security.
Mod_Security functions more as a "Web Application Firewall", to protect your website from malicious attacks. You need certain knowledge to manage the rules; leaving the default rules may make it over-sensitive (some genuine users not able to access your website) or not sensitive enough. However, there are also some commercial rule sets available for you to subscribe to.
For system-layer brute force, it is normally handled via a firewall or Linux iptables, such as CSF, APF etc.
For a web application, you need some programming in your application to trigger blocking in the firewall or iptables. If there is no trigger from your software, nobody knows a login has failed.
I want a login that fails 3 times to block the IP for 15 min. I just want to prevent external logins only; I already have a firewall.
So why not Fail2Ban?
As others have said, fail2ban is what you want. It monitors the application but blocks at the firewall. It's very configurable and just works. Plus since it blocks at the firewall, you're saving resources as the blocked attacker never hits your web server application, PHP interpreter, etc.
Why not just code it in your application? I.e. with PHP you can allow N login attempts for a specific IP.
I cannot interfere in the PHP, so I want to use this mod_security to do it.
EDIT: googled and found this
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134"
# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
Just customize bf_counter in the last 2 lines to your desired values.
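The counter, deprecatevar and expirevar logic of the rules quoted above, modelled in Python as an added example (not from the thread or from ModSecurity itself) so the timing behaviour can be checked before tuning the threshold or decay; the IP addresses and timestamps are constructed.

```python
"""Constructed model of the counter/deprecatevar/expirevar rules quoted above
(a simplification of ModSecurity 2.x persistent-collection semantics):
- failed login (HTTP 200): ip.bf_counter += 1; success (302): counter reset to 0
- deprecatevar:ip.bf_counter=1/180: counter drops by 1 per full 180 s since last update
- counter > 10: user.bf_block=1 for 300 s; while set, requests are denied with 401
"""
from dataclasses import dataclass

BLOCK_THRESHOLD = 10                 # "@gt 10"
DECAY_AMOUNT, DECAY_PERIOD = 1, 180  # deprecatevar:ip.bf_counter=1/180
BLOCK_SECONDS = 300                  # expirevar:user.bf_block=300


@dataclass
class ClientState:
    counter: int = 0
    counter_updated: float = 0.0     # when bf_counter was last written
    block_expires: float = 0.0       # absolute time the bf_block flag expires


class BruteForceGuard:
    def __init__(self):
        self.clients = {}            # per-IP state, like the "ip" collection

    def counter_for(self, ip, now):
        """Counter value after applying the deprecatevar decay."""
        st = self.clients.setdefault(ip, ClientState())
        elapsed = now - st.counter_updated
        return max(0, st.counter - int(elapsed // DECAY_PERIOD) * DECAY_AMOUNT)

    def request(self, ip, now, app_status):
        """Status the client sees: 401 while blocked, else the app's own status."""
        st = self.clients.setdefault(ip, ClientState())
        if st.block_expires > now:                 # request-phase check of user.bf_block
            return 401
        if app_status == 302:                      # phase 5: successful login
            st.counter, st.counter_updated = 0, now
        elif app_status == 200:                    # phase 5: failed login
            st.counter = self.counter_for(ip, now) + 1
            st.counter_updated = now
            if st.counter > BLOCK_THRESHOLD:       # chained rule: set block flag
                st.block_expires = now + BLOCK_SECONDS
                st.counter = 0
        return app_status                          # this response itself is not blocked
```

Because the block flag is set in phase 5, the request that crosses the threshold still receives the application's response; only the following requests are denied.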
I understand this. I will research to find other, more efficient solutions. Very grateful to everyone who replied to me.