Hi all! I'd like your input on this...
I was asked to protect one of our websites against brute-force attempts; we need to know if an IP address is making repetitive login requests to our site. I'm using Apache 1.3.33 and mod_security 1.7 on Solaris 9 - and no, we do not have time to upgrade to a more recent Apache or mod_security version :-( Apache is used as a proxy in front of our multiple app servers. Because of this, and for different reasons which I won't discuss here, I need to rely solely on Apache to implement my solution.
Here's what I'm thinking of doing:
1 - use mod_security to inspect POST contents of requests
2 - create a rule to launch a script every time the POST contains a specific login field (e.g. UserID or password). This will allow me to obtain all the IP addresses of people who attempt to log in.
3 - The script launched would be a modified version of Ivan's "httpd-guardian" perl script (modified to parse environment variables instead of a log file entry.)
4 - Upon detecting that a user has exceeded X number of login attempts in an amount of time, httpd-guardian would call a script to block the offending IP address.
5 - The blocking script would likely be a modified version of Ivan's "blacklist" perl script (modified to manage a list of disallowed IP addresses in an .htaccess file for Apache to use.)
6 - A crontab entry would call the "blacklist" script every X minutes to remove stale IP addresses from the .htaccess file.
What do you think? Probably not the ideal solution, but it should work - considering we're short on time and need a solution fast, without relying on firewall or IDS systems.
Got a better idea? Any input is welcome! Thanks.
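As an added example (not part of the original post, and not Ivan's httpd-guardian or blacklist scripts), here is the core of steps 4 to 6 written out in Python so the logic can be checked before it is ported to the Perl scripts: a sliding-window counter of login attempts per client IP, and a manager for an Apache 1.3 `.htaccess` fragment that denies the listed IPs and drops them again after they expire. Assumptions: the attempt tracker receives the client IP from `REMOTE_ADDR` in the environment of the script that mod_security launches; the thresholds (`MAX_ATTEMPTS`, `WINDOW_SECONDS`, `BLOCK_SECONDS`) and the marker-comment format are this example's own choices; attempt state is kept in memory here, so in a process started per request it would have to be persisted (a small file or DBM) the way httpd-guardian keeps its own state.

```python
import os
import re
import time
from collections import defaultdict, deque

# Assumed thresholds for this example ("X attempts in an amount of time").
MAX_ATTEMPTS = 5          # attempts allowed ...
WINDOW_SECONDS = 60       # ... within this many seconds
BLOCK_SECONDS = 15 * 60   # how long an IP stays in the .htaccess block list

# A full-line comment written above each Deny line records when the block was
# added; Apache ignores full-line comments, and the expiry pass parses them.
_MARK_RE = re.compile(r"^# blocked (\S+) (\d+)$")


class AttemptTracker:
    """Sliding-window counter of login attempts per client IP (step 4)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.attempts = defaultdict(deque)   # ip -> timestamps of recent attempts

    def record(self, ip, now=None):
        """Record one attempt from ip; return True once it has exceeded the limit."""
        now = time.time() if now is None else now
        q = self.attempts[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # forget attempts outside the window
            q.popleft()
        return len(q) > self.max_attempts


def parse_htaccess(text):
    """Return {ip: block_timestamp} from the marker comments in .htaccess text."""
    blocked = {}
    for line in text.splitlines():
        m = _MARK_RE.match(line.strip())
        if m:
            blocked[m.group(1)] = int(m.group(2))
    return blocked


def render_htaccess(blocked):
    """Render an Apache 1.3 access-control fragment: allow everyone except the listed IPs.

    With "Order allow,deny" a host matched by a Deny line is refused even though
    "Allow from all" matches it too, which is exactly the blocklist semantics wanted.
    """
    lines = ["Order allow,deny", "Allow from all"]
    for ip in sorted(blocked):
        lines.append("# blocked %s %d" % (ip, blocked[ip]))
        lines.append("Deny from %s" % ip)
    return "\n".join(lines) + "\n"


def expire(blocked, now, max_age=BLOCK_SECONDS):
    """Drop entries older than max_age seconds (what the cron job does, step 6)."""
    return {ip: ts for ip, ts in blocked.items() if now - ts <= max_age}


def write_atomic(path, text):
    """Write via temp file + rename so Apache never reads a half-written .htaccess."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(text)
    os.rename(tmp, path)


def _load(path):
    return parse_htaccess(open(path).read()) if os.path.exists(path) else {}


def block_ip(path, ip, now=None):
    """Add ip to the .htaccess block list (the blocking script, step 5)."""
    now = int(time.time() if now is None else now)
    blocked = _load(path)
    blocked[ip] = now
    write_atomic(path, render_htaccess(blocked))
    return blocked


def purge_stale(path, now=None, max_age=BLOCK_SECONDS):
    """Rewrite the block list without expired entries (the crontab entry, step 6)."""
    now = int(time.time() if now is None else now)
    kept = expire(_load(path), now, max_age)
    write_atomic(path, render_htaccess(kept))
    return kept


if __name__ == "__main__":
    # Constructed demo: one client hammering the login form, one normal user.
    tracker = AttemptTracker(max_attempts=3, window=60)
    t0 = 1000000
    for i in range(5):
        if tracker.record("203.0.113.7", t0 + i):
            print("block 203.0.113.7 after attempt", i + 1)
            break
    print("normal user blocked?", tracker.record("198.51.100.2", t0))
```

Two points worth carrying over into the Perl versions: the rename-based write matters because Apache re-reads `.htaccess` on every request, so a partially written file can silently deny or allow everyone for a moment; and because the counter keys on the client IP, many users behind one NAT gateway share a budget, so X should be chosen with that in mind.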