[mod-security-users] Basic auth protection
From: Scheblein, A. <ada...@ma...> - 2018-10-26 18:19:00
I'm trying to implement basic auth protection based on the example given in the ModSecurity Handbook; however, the rules never seem to engage. Any help would be appreciated. Here is what I have for my rules and from my audit log:

Rules:

<Location />

# Enforce an existing IP address block
SecRule IP:bf_block "@eq 1" \
    "phase:2,id:40000000,deny,\
    msg:'IP address blocked because of suspected brute-force attack'"

# Retrieve the per-username record
SecAction "phase:2,id:40000005,nolog,pass,initcol:USER=%{ARGS.username}"

# Enforce an existing username block
SecRule USER:bf_block "@eq 1" \
    "phase:2,id:40000001,deny,\
    msg:'Username blocked because of suspected brute-force attack'"

# Check for authentication failure and increment counters
SecRule RESPONSE_HEADERS:Location "^/" \
    "phase:5,id:40000002,t:none,nolog,pass,\
    setvar:IP.bf_counter=+1,\
    setvar:USER.bf_counter=+1"

# Check for too many failures from a single IP address
# (the expirevar name must match the variable set just above it)
SecRule IP:bf_counter "@gt 2" \
    "phase:5,id:40000003,pass,t:none,\
    setvar:IP.bf_block,\
    setvar:!IP.bf_counter,\
    expirevar:IP.bf_block=1800"

# Check for too many failures for a single username
SecRule USER:bf_counter "@gt 2" \
    "phase:5,id:40000004,t:none,pass,\
    setvar:USER.bf_block,\
    setvar:!USER.bf_counter,\
    expirevar:USER.bf_block=1800"

</Location>

Audit log entry:

--6ba2c30c-B--
GET / HTTP/1.1
Host: something.example.com
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Basic MjhjM3NjaGVibGVpOmFzZGY=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
DNT: 1
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8

--6ba2c30c-F--
HTTP/1.1 401 Unauthorized
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
WWW-Authenticate: Basic realm="Protected"
Content-Length: 503
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--6ba2c30c-E--

--6ba2c30c-H--
Apache-Error: [file "mod_auth_basic.c"] [line 406] [level 3] AH01617: user username: authentication failure for "/": Password Mismatch
Apache-Error: [file "mod_auth_basic.c"] [line 406] [level 3] AH01617: user username: authentication failure for "/tools/unauthorized.shtml": Password Mismatch
Stopwatch: 1540568079334381 38724 (- - -)
Stopwatch2: 1540568079334381 38724; combined=494, p1=280, p2=0, p3=61, p4=92, p5=61, sr=12, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
Server: Apache
Engine-Mode: "ENABLED"

--6ba2c30c-Z--
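The following is an added example written for this page; it is not part of the post above and not ModSecurity or OWASP CRS code. It replays the posted rules' logic (per-IP and per-username counters, "@gt 2" threshold, 1800-second expirevar block) over constructed audit-log entries in the native format shown above, in two variants: "form", which looks where the posted rules look (ARGS.username for the user, a Location response header starting with "/" for a failure), and "basic", which takes the user from the base64 user:password token in the Authorization header and treats a 401 response as the failure. The post's own audit log shows why the distinction matters for Basic auth: the request is a bare "GET /" with no query-string arguments, so ARGS.username is empty, and the 401 response carries WWW-Authenticate but no Location header, so rule 40000002 never matches. (The Stopwatch2 line also records p2=0, i.e. phase 2 did not run on that transaction; the model below ignores phase timing and only shows what each check would see.) All entries, IP addresses, usernames, passwords and helper names below are fabricated for the example.

```python
"""Added example (not from the original post): the posted per-IP / per-username
brute-force counters, modelled in Python and replayed over constructed ModSecurity
audit-log entries for HTTP Basic auth.  mode="form" checks what the posted rules
check (ARGS.username; failure = Location header starting with "/"); mode="basic"
reads the Authorization header and treats a 401 response as the failure."""
import base64
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

THRESHOLD, BLOCK_SECONDS = 2, 1800   # "@gt 2" and expirevar ...=1800, as posted

class Record:
    """One persistent-collection row (IP or USER): bf_counter and bf_block."""
    def __init__(self):
        self.counter, self.block_until = 0, None   # block_until models expirevar

    def blocked(self, now):
        return self.block_until is not None and now < self.block_until

def make_entry(tx_id, stamp, client_ip, creds, status_line):
    """One constructed native-format audit-log entry (parts A, B, F, Z); fake data."""
    token = base64.b64encode(creds.encode()).decode()
    return "\n".join([f"--{tx_id}-A--", f"[{stamp}] {tx_id} {client_ip} 51000 192.0.2.10 443",
                      f"--{tx_id}-B--", "GET / HTTP/1.1", "Host: something.example.com",
                      f"Authorization: Basic {token}", f"--{tx_id}-F--", status_line,
                      f"--{tx_id}-Z--"])

# Constructed sample: three failures for alice from one IP, two requests the guard
# should refuse (logged as 403), then a failure after the 30-minute block expired.
SAMPLE_AUDIT_LOG = "\n".join(make_entry(*e) for e in [
    ("aaaa0001", "26/Oct/2018:14:14:39 --0400", "203.0.113.7", "alice:wrong1", "HTTP/1.1 401 Unauthorized"),
    ("aaaa0002", "26/Oct/2018:14:14:41 --0400", "203.0.113.7", "alice:wrong2", "HTTP/1.1 401 Unauthorized"),
    ("aaaa0003", "26/Oct/2018:14:14:43 --0400", "203.0.113.7", "alice:wrong3", "HTTP/1.1 401 Unauthorized"),
    ("aaaa0004", "26/Oct/2018:14:14:45 --0400", "203.0.113.7", "alice:right", "HTTP/1.1 403 Forbidden"),
    ("aaaa0005", "26/Oct/2018:14:14:50 --0400", "198.51.100.9", "alice:wrong4", "HTTP/1.1 403 Forbidden"),
    ("aaaa0006", "26/Oct/2018:14:45:00 --0400", "203.0.113.7", "alice:wrong5", "HTTP/1.1 401 Unauthorized"),
])

def parse_audit_log(text):
    """Split native-format audit-log text into entries of {part letter: [lines]}."""
    entries, part = [], None
    for line in text.splitlines():
        m = re.fullmatch(r"--[0-9a-f]+-([A-Z])--", line)
        if m:
            part = m.group(1)
            if part == "A":
                entries.append({})
            entries[-1][part] = []
        elif entries:
            entries[-1][part].append(line)
    return entries

def headers(lines):
    # Header lines after the request/status line, keyed by lower-cased name.
    pairs = (line.split(":", 1) for line in lines[1:] if ":" in line)
    return {name.strip().lower(): value.strip() for name, value in pairs}

def describe(entry):
    """Extract the fields the rules inspect from one parsed entry."""
    stamp, rest = entry["A"][0].lstrip("[").split("]", 1)
    now = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S -%z").timestamp()
    args = parse_qs(urlsplit(entry["B"][0].split()[1]).query)   # ARGS from the query string
    auth = headers(entry["B"]).get("authorization", "")
    basic_user = None
    if auth.lower().startswith("basic "):
        decoded = base64.b64decode(auth.split(None, 1)[1]).decode("utf-8", "replace")
        basic_user = decoded.split(":", 1)[0]   # keep the user part only, never the password
    return {"now": now, "ip": rest.split()[1],   # part A: unique_id, client ip, port, ...
            "args_user": args.get("username", [None])[0], "basic_user": basic_user,
            "status": int(entry["F"][0].split()[1]), "location": headers(entry["F"]).get("location")}

class BruteForceGuard:
    def __init__(self, mode):
        assert mode in ("form", "basic")
        self.mode = mode
        self.ip, self.user = defaultdict(Record), defaultdict(Record)   # IP / USER collections

    def process(self, r):
        """Decision for one transaction: 'deny:ip', 'deny:user' or 'pass'."""
        now, ip = r["now"], self.ip[r["ip"]]
        if ip.blocked(now):                             # rule 40000000
            return "deny:ip"
        name = r["basic_user"] if self.mode == "basic" else r["args_user"]
        user = self.user[name] if name else None        # initcol:USER=...; empty key -> no record
        if user is not None and user.blocked(now):      # rule 40000001
            return "deny:user"
        failed = (r["status"] == 401 if self.mode == "basic"
                  else bool(r["location"]) and r["location"].startswith("/"))
        for rec in ((ip, user) if failed else ()):      # rule 40000002
            if rec is not None:
                rec.counter += 1
                if rec.counter > THRESHOLD:             # rules 40000003 / 40000004
                    rec.block_until, rec.counter = now + BLOCK_SECONDS, 0
        return "pass"

def replay(text, mode):
    """Run every entry in `text` through a fresh guard; return the decisions in order."""
    guard = BruteForceGuard(mode)
    return [guard.process(describe(e)) for e in parse_audit_log(text)]
```

Running `replay(SAMPLE_AUDIT_LOG, "form")` passes all six transactions, because none of them carries a username in the query string or a Location header, which is the situation in the audit log above. `replay(SAMPLE_AUDIT_LOG, "basic")` passes the first three failures, denies the fourth request on the IP block and the fifth (same username from a second address) on the username block, and passes the sixth because it arrives after the 1800-second expiry, which is the behaviour the posted rules are meant to produce.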