Re: [mod-security-users] Basic auth protection
From: Christian F. <chr...@ne...> - 2018-10-26 18:38:02
Hello Adam,

I have not tried this example in a while. I wonder if it works for basic auth, because basic auth is likely to shortcut some of the ModSec processing phases in case of a 401.

I suggest you raise the ModSec debug log level and then follow the execution of the request to see which rules are actually executed.

Also: You should not send Basic Auth Headers to mailing lists. You just shared a password with the world.

Good luck,

Christian Folini

On Fri, Oct 26, 2018 at 04:01:06PM +0000, Scheblein, Adam wrote:
> I’m trying to implement basic auth protection based on the example given in the modsecurity handbook, however, the rules never seem to engage. Any help would be appreciated.
>
> Here is what I have for my rules and from my audit log:
>
> Rules:
>
> <Location />
>     # Enforce an existing IP address block
>     SecRule IP:bf_block "@eq 1" \
>         "phase:2,id:40000000,deny,\
>         msg:'IP address blocked because of suspected brute-force attack'"
>
>     # Retrieve the per-username record
>     SecAction phase:2,id:40000005,nolog,pass,initcol:USER=%{ARGS.username}
>
>     # Enforce an existing username block
>     SecRule USER:bf_block "@eq 1" \
>         "phase:2,id:40000001,deny,\
>         msg:'Username blocked because of suspected brute-force attack'"
>
>     # Check for authentication failure and increment counters
>     SecRule RESPONSE_HEADERS:Location ^/ \
>         "phase:5,id:40000002,t:none,nolog,pass,\
>         setvar:IP.bf_counter=+1,\
>         setvar:USER.bf_counter=+1"
>
>     # Check for too many failures from a single IP address
>     SecRule IP:bf_counter "@gt 2" \
>         "phase:5,id:40000003,pass,t:none,\
>         setvar:IP.bf_block,\
>         setvar:!IP.bf_counter,\
>         expirevar:IP.block=1800"
>
>     # Check for too many failures for a single username
>     SecRule USER:bf_counter "@gt 2" \
>         "phase:5,id:40000004,t:none,pass,\
>         setvar:USER.bf_block,\
>         setvar:!USER.bf_counter,\
>         expirevar:USER.block=1800"
> </Location>
>
> Audit log entry:
>
> --6ba2c30c-B--
> GET / HTTP/1.1
> Host: something.example.com
> Connection: keep-alive
> Cache-Control: max-age=0
> Authorization: Basic MjhjM3NjaGVibGVpOmFzZGY=
> Upgrade-Insecure-Requests: 1
> User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> DNT: 1
> Accept-Encoding: gzip, deflate, sdch, br
> Accept-Language: en-US,en;q=0.8
>
> --6ba2c30c-F--
> HTTP/1.1 401 Unauthorized
> Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
> X-Frame-Options: DENY
> X-Content-Type-Options: nosniff
> WWW-Authenticate: Basic realm="Protected"
> Content-Length: 503
> Keep-Alive: timeout=5, max=98
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1
>
> --6ba2c30c-E--
>
> --6ba2c30c-H--
> Apache-Error: [file "mod_auth_basic.c"] [line 406] [level 3] AH01617: user username: authentication failure for "/": Password Mismatch
> Apache-Error: [file "mod_auth_basic.c"] [line 406] [level 3] AH01617: user username: authentication failure for "/tools/unauthorized.shtml": Password Mismatch
> Stopwatch: 1540568079334381 38724 (- - -)
> Stopwatch2: 1540568079334381 38724; combined=494, p1=280, p2=0, p3=61, p4=92, p5=61, sr=12, sw=0, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
> Server: Apache
> Engine-Mode: "ENABLED"
>
> --6ba2c30c-Z--
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
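The quoted audit log already confirms what Christian suspects: the Stopwatch2 line reports p2=0 alongside non-zero p1, p3, p4 and p5, so phase 2 was never run on the 401, and every rule the poster placed in phase 2 (including the SecAction that opens the USER collection) was skipped. Two further details of the quoted rules do not fit Basic Auth: ARGS.username is empty because the credentials travel in the Authorization header, and a 401 carries no Location header, so the counter rule keyed on RESPONSE_HEADERS:Location never fires. The quoted rules also set bf_block but call expirevar on a variable named block, so the flag that was set is never given an expiry. The rule set below is an added adaptation for ModSecurity 2.x, not code from the thread or from the ModSecurity handbook. It assumes the rules are loaded at server or virtual-host level rather than inside <Location />, so that the phase 1 rules do not depend on per-directory config merging (Apache runs the post_read_request hook that ModSecurity uses for phase 1 before it walks Location blocks); the rule ids, the bf_ variable names and the threshold of 2 are taken from the thread, the tx.bf_* names are the example's own.

```apache
# Brute-force protection for HTTP Basic Auth (added example, adapted from the
# rules quoted in the thread; not the handbook's code). Load at server or
# virtual-host level, not inside <Location />.

# Open the per-address record. If another rule set (CRS, for instance) already
# initializes the IP collection in phase 1, drop this SecAction.
SecAction "phase:1,id:40000008,t:none,nolog,pass,initcol:IP=%{REMOTE_ADDR}"

# Enforce an existing IP address block. Phase 1 is the only request phase that
# still runs before mod_auth_basic answers with 401 (p2=0 in the quoted
# Stopwatch2 line), so the deny has to live here, not in phase 2.
SecRule IP:bf_block "@eq 1" \
    "phase:1,id:40000000,t:none,log,deny,status:403,\
    msg:'IP address blocked because of suspected brute-force attack'"

# Basic Auth sends no ARGS.username; the credentials are base64("user:pass")
# in the Authorization header. Capture the base64 blob ...
SecRule REQUEST_HEADERS:Authorization "^Basic\s+([A-Za-z0-9+/=]+)$" \
    "phase:1,id:40000005,t:none,nolog,pass,capture,\
    setvar:tx.bf_auth=%{TX.1}"

# ... decode it and keep only the part before the first colon (the username);
# the password is never copied into a variable or a collection.
SecRule TX:bf_auth "^([^:]+):" \
    "phase:1,id:40000006,t:base64Decode,nolog,pass,capture,\
    setvar:tx.bf_user=%{TX.1},\
    setvar:!tx.bf_auth"

# Open the per-username record under the decoded name (only when one exists).
SecRule TX:bf_user "^.+$" \
    "phase:1,id:40000007,t:none,nolog,pass,\
    initcol:USER=%{TX.bf_user}"

# Enforce an existing username block; must follow the initcol above because
# phase 1 rules run in configuration order.
SecRule USER:bf_block "@eq 1" \
    "phase:1,id:40000001,t:none,log,deny,status:403,\
    msg:'Username blocked because of suspected brute-force attack'"

# Count a failed attempt: a 401 answered to a request that actually carried
# credentials. The initial 401 challenge (no Authorization header yet) is not
# a failure, so the second rule of the chain excludes it. Phase 5 still runs
# on a 401 (p5=61 in the quoted Stopwatch2 line). setvar sits in the last
# rule of the chain so it only executes when the whole chain matches.
SecRule RESPONSE_STATUS "@eq 401" \
    "phase:5,id:40000002,t:none,nolog,pass,chain"
    SecRule &REQUEST_HEADERS:Authorization "@eq 1" \
        "t:none,\
        setvar:IP.bf_counter=+1,\
        setvar:USER.bf_counter=+1"

# Too many failures from one address: set the block flag, reset the counter,
# and expire the same variable that was set (bf_block, not block).
SecRule IP:bf_counter "@gt 2" \
    "phase:5,id:40000003,t:none,nolog,pass,\
    setvar:IP.bf_block=1,\
    setvar:!IP.bf_counter,\
    expirevar:IP.bf_block=1800"

# Too many failures for one username, same treatment.
SecRule USER:bf_counter "@gt 2" \
    "phase:5,id:40000004,t:none,nolog,pass,\
    setvar:USER.bf_block=1,\
    setvar:!USER.bf_counter,\
    expirevar:USER.bf_block=1800"
```

To verify the phase behaviour the way Christian suggests, raise SecDebugLogLevel temporarily (9 is the most verbose) and look for the "Starting phase" lines of one 401 transaction in the debug log: REQUEST_HEADERS, RESPONSE_HEADERS, RESPONSE_BODY and LOGGING should appear, REQUEST_BODY should not. Keep the threshold of 2 from the thread only for testing; a production value should allow for typos by legitimate users, and the username block in particular lets anyone who knows a username lock it for the expiry window, which is a trade-off to weigh before keying a block on USER.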