[mod-security-users] Basic authentication fail track on rproxy
From: Jean-Christophe A. <jea...@c-...> - 2009-02-09 14:34:08
Hi folks,

I'm writing rules for a reverse proxy in order to protect basic authentication on an svn server from brute force authentication attacks.

The main scenario on svn authentication implies the following actors:

  svn client (c)
  reverse proxy (rp)
  svn apache DAV server (s)

Here are the exchanges (timeline):

  First anonymous request:                   c -> rp -> s
  Then reply to anonymous: Status 401        s -> rp -> c
  Then client authenticates with basic auth: c -> rp -> s

Then two cases:

  Case 1: authentication successful, reports a Status 200 message
          s -> rp -> c
          Then auth is ok.
  Case 2: authentication denied, reports either a 401 or a 403 status reply
          s -> rp -> c
          until auth is ok.

I want to track down in a single "request id -rid#-" both authentication and reply.

I've already written the following rules:

SecRule REQUEST_HEADERS:Authorization "^Basic ([a-zA-Z0-9]+=*)$" \
  "phase:1,logdata:'basic auth de %{TX.1}@%{REMOTE_ADDR} ',capture,chain,phase:1,setvar:tx.auth_score=0"
SecRule TX:1 ^(.*)$ \
  "t:base64Decode,capture,chain"
SecRule TX:1 ^(.*)$ \
  "auditlog"

to track auth requests from client to server through the reverse proxy. Then:

SecRule RESPONSE_STATUS "^(401|403)$" \
  "phase:3,capture,setvar:TX.auth_score+=5,logdata:'%{TX.1} with score %{TX.auth_score}'"
SecRule TX:AUTH_SCORE "@gt 0" \
  "phase:3,msg:'login failure from %{REMOTE_ADDR}',setvar:ip.auth_attempt=+1,deprecatevar:ip.auth_attempt=20/120"
SecRule IP:AUTH_ATTEMPT "@gt 25" \
  "log,drop,phase:1,msg:'Possible Brute force attack on svn %{REMOTE_ADDR}'"
# SecRule RESPONSE_STATUS "^(401|403)$" "auditlog"

My tx.auth_score is stuck at 0 every time. I could not manage to get it higher :(

What's wrong in my rules/actions?

I wondered if there was a way to group "request_id" rid# values into variables, or if there was a way to evaluate a whole transaction in a single (even chained) rule. In this case, which is the better way to do this? Do you know a "best practice with mod_security2" document?

Thanks in advance.

-- 
Jean-Christophe Arnu
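A reworked version of the scoring rule set, added here as an illustration and not part of the original post or of any reply on the list. It assumes ModSecurity 2.x on an Apache reverse proxy, a per-client IP collection created with initcol, and arbitrary rule ids; it counts a 401/403 only when the request actually carried credentials, uses the =+N increment syntax, and logs the username but never the decoded password.

```apache
# Added example, not from the original post. Assumes ModSecurity 2.x;
# rule ids are arbitrary placeholders.

# Phase 1: persistent per-client collection keyed on the client address.
# Must come before any rule that reads IP:AUTH_ATTEMPT.
SecAction "id:900100,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Phase 1: block a client whose failure counter is already high. The counter
# decays by 20 every 120 s (deprecatevar below), so it is not a lifetime ban.
SecRule IP:AUTH_ATTEMPT "@gt 25" \
    "id:900101,phase:1,deny,status:403,log,msg:'Possible brute force attack on svn from %{REMOTE_ADDR}'"

# Phase 1: remember that Basic credentials were sent and keep only the
# username part of the decoded "user:password" string for logging.
# Base64 alphabet also contains '+' and '/', which the original regex missed.
SecRule REQUEST_HEADERS:Authorization "^Basic ([A-Za-z0-9+/]+=*)$" \
    "id:900102,phase:1,pass,nolog,capture,chain"
    SecRule TX:1 "^([^:]+):" \
        "t:base64Decode,capture,setvar:tx.auth_present=1,setvar:tx.auth_score=0,setvar:tx.auth_user=%{TX.1}"

# Phase 3: the origin answered 401/403 to a request that carried credentials,
# so this is a real login failure. The first anonymous 401 (no Authorization
# header) does not match the chain and is not counted.
# Note the increment syntax: setvar:var=+5, not var+=5.
SecRule RESPONSE_STATUS "^(401|403)$" \
    "id:900103,phase:3,pass,log,msg:'login failure for %{TX.auth_user} from %{REMOTE_ADDR}',chain"
    SecRule TX:AUTH_PRESENT "@eq 1" \
        "setvar:tx.auth_score=+5,setvar:ip.auth_attempt=+1,deprecatevar:ip.auth_attempt=20/120"
```

If another proxy sits in front of this one, REMOTE_ADDR is that proxy and the per-IP counter must be keyed on the forwarded client address instead.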