Re: [mod-security-users] Basic auth protection
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Basic auth protection
|
From: Scheblein, A. <ada...@ma...> - 2018-10-26 21:20:59
|
Good thing it was a throw away password __. Is there any way to have mod_security grab the authorization string? I see that there is a base64 transform, so I was hoping to grab the string, decode it, parse/block based on that info.
On 10/26/18, 1:38 PM, "Christian Folini" <chr...@ne...> wrote:
Hello Adam,
I have not tried this example in a while. I wonder if it works for basic auth,
because basic auth is likely to shortcut some of the ModSec processing phases
in case of a 401.
I suggest you raise the ModSec debug log level and then follow the execution
of the request to see which rules are actually executed.
Also: You should not send Basic Auth Headers to mailing lists. You just
shared a password with the world.
Good luck,
Christian Folini
On Fri, Oct 26, 2018 at 04:01:06PM +0000, Scheblein, Adam wrote:
> I’m trying to implement basic auth protection based on the example given in the modsecurity handbook, however, the rules never seem to engage. Any help would be appreciated.
>
> Here is what I have for my rules and from my audit log:
>
> Rules:
>
> <Location />
> # Enforce an existing IP address block
> SecRule IP:bf_block "@eq 1" \
> "phase:2,id:40000000,deny,\
> msg:'IP address blocked because of suspected brute-force attack'"
> # Retrieve the per-username record
> SecAction phase:2,id:40000005,nolog,pass,initcol:USER=%{ARGS.username}
> # Enforce an existing username block
> SecRule USER:bf_block "@eq 1" \
> "phase:2,id:40000001,deny,\
> msg:'Username blocked because of suspected brute-force attack'"
> # Check for authentication failure and increment counters
> SecRule RESPONSE_HEADERS:Location ^/ \
> "phase:5,id:40000002,t:none,nolog,pass,\
> setvar:IP.bf_counter=+1,\
> setvar:USER.bf_counter=+1"
> # Check for too many failures from a single IP address
> SecRule IP:bf_counter "@gt 2" \
> "phase:5,id:40000003,pass,t:none,\
> setvar:IP.bf_block,\
> setvar:!IP.bf_counter,\
> expirevar:IP.block=1800"
> # Check for too many failures for a single username
> SecRule USER:bf_counter "@gt 2" \
> "phase:5,id:40000004,t:none,pass,\
> setvar:USER.bf_block,\
> setvar:!USER.bf_counter,\
> expirevar:USER.block=1800"
> </Location>
>
> Audit log entry:
>
> --6ba2c30c-B--
> GET / HTTP/1.1
> Host: something.example.com
> Connection: keep-alive
> Cache-Control: max-age=0
> Authorization: Basic MjhjM3NjaGVibGVpOmFzZGY=
> Upgrade-Insecure-Requests: 1
> User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> DNT: 1
> Accept-Encoding: gzip, deflate, sdch, br
> Accept-Language: en-US,en;q=0.8
>
> --6ba2c30c-F--
> HTTP/1.1 401 Unauthorized
> Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
> X-Frame-Options: DENY
> X-Content-Type-Options: nosniff
> WWW-Authenticate: Basic realm="Protected"
> Content-Length: 503
> Keep-Alive: timeout=5, max=98
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1
>
> --6ba2c30c-E--
>
> --6ba2c30c-H--
> Apache-Error: [file "mod_auth_basic.c"] [line 406] [level 3] AH01617: user username: authentication failure for "/": Password Mismatch
> Apache-Error: [file "mod_auth_basic.c"] [line 406] [level 3] AH01617: user username: authentication failure for "/tools/unauthorized.shtml": Password Mismatch
> Stopwatch: 1540568079334381 38724 (- - -)
> Stopwatch2: 1540568079334381 38724; combined=494, p1=280, p2=0, p3=61, p4=92, p5=61, sr=12, sw=0, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.9.2 (https://urldefense.proofpoint.com/v2/url?u=http-3A__www.modsecurity.org_&d=DwIGaQ&c=S1d2Gs1Y1NQV8Lx35_Qi5FnTH2uYWyh_OhOS94IqYCo&r=E28NzkfUnnOxyipWbMmVvps8QnGe_19SJDNMcPTyffU&m=GrUG5eW733hjZXRRayDFZ-lKai5L1jGVaa1B8_csXeY&s=qhl30HpH8LJWoF9f_fT90bk7SdkYVhzO3u8IO6snE-c&e=); OWASP_CRS/3.1.0.
> Server: Apache
> Engine-Mode: "ENABLED"
>
> --6ba2c30c-Z--
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.sourceforge.net_lists_listinfo_mod-2Dsecurity-2Dusers&d=DwIGaQ&c=S1d2Gs1Y1NQV8Lx35_Qi5FnTH2uYWyh_OhOS94IqYCo&r=E28NzkfUnnOxyipWbMmVvps8QnGe_19SJDNMcPTyffU&m=GrUG5eW733hjZXRRayDFZ-lKai5L1jGVaa1B8_csXeY&s=u0jxmP0rhtu23yq0M7-p60br38HreMChRHJCZzer0K4&e=
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.modsecurity.org_projects_commercial_rules_&d=DwIGaQ&c=S1d2Gs1Y1NQV8Lx35_Qi5FnTH2uYWyh_OhOS94IqYCo&r=E28NzkfUnnOxyipWbMmVvps8QnGe_19SJDNMcPTyffU&m=GrUG5eW733hjZXRRayDFZ-lKai5L1jGVaa1B8_csXeY&s=cgYc-s-PpwppJr8fIXLtgK1mSJQAmqnzkZsq75TRROc&e=
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.modsecurity.org_projects_commercial_support_&d=DwIGaQ&c=S1d2Gs1Y1NQV8Lx35_Qi5FnTH2uYWyh_OhOS94IqYCo&r=E28NzkfUnnOxyipWbMmVvps8QnGe_19SJDNMcPTyffU&m=GrUG5eW733hjZXRRayDFZ-lKai5L1jGVaa1B8_csXeY&s=Ny1EXwvYROVsswWxOxuWAOakyrwvh8fVr_cvjsPcHXA&e=
_______________________________________________
mod-security-users mailing list
mod...@li...
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.sourceforge.net_lists_listinfo_mod-2Dsecurity-2Dusers&d=DwIGaQ&c=S1d2Gs1Y1NQV8Lx35_Qi5FnTH2uYWyh_OhOS94IqYCo&r=E28NzkfUnnOxyipWbMmVvps8QnGe_19SJDNMcPTyffU&m=GrUG5eW733hjZXRRayDFZ-lKai5L1jGVaa1B8_csXeY&s=u0jxmP0rhtu23yq0M7-p60br38HreMChRHJCZzer0K4&e=
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.modsecurity.org_projects_commercial_rules_&d=DwIGaQ&c=S1d2Gs1Y1NQV8Lx35_Qi5FnTH2uYWyh_OhOS94IqYCo&r=E28NzkfUnnOxyipWbMmVvps8QnGe_19SJDNMcPTyffU&m=GrUG5eW733hjZXRRayDFZ-lKai5L1jGVaa1B8_csXeY&s=cgYc-s-PpwppJr8fIXLtgK1mSJQAmqnzkZsq75TRROc&e=
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.modsecurity.org_projects_commercial_support_&d=DwIGaQ&c=S1d2Gs1Y1NQV8Lx35_Qi5FnTH2uYWyh_OhOS94IqYCo&r=E28NzkfUnnOxyipWbMmVvps8QnGe_19SJDNMcPTyffU&m=GrUG5eW733hjZXRRayDFZ-lKai5L1jGVaa1B8_csXeY&s=Ny1EXwvYROVsswWxOxuWAOakyrwvh8fVr_cvjsPcHXA&e=
|
