Re: [mod-security-users] Basic auth protection

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hey Adam,

Yes, that is possible. It's a nice exercise actually. You need to strip the
"Basic " prefix, fill the rest into a variable and then t:base64 that variable
and then extract the 2nd part after the colon. I've built sort of a
dumb authentication cache based on this. It's been in production for close
to ten years now, running like a charm.

Cheers,

Christian

On Fri, Oct 26, 2018 at 09:20:41PM +0000, Scheblein, Adam wrote:
> Good thing it was a throw away password __. Is there any way to have mod_security grab the authorization string?  I see that there is a base64 transform, so I was hoping to grab the string, decode it, parse/block based on that info.
> 
> On 10/26/18, 1:38 PM, "Christian Folini" <chr...@ne...> wrote:
> 
>     Hello Adam,
>     
>     I have not tried this example in a while. I wonder if it works for basic auth,
>     because basic auth is likely to shortcut some of the ModSec processing phases
>     in case of a 401.
>     
>     I suggest you raise the ModSec debug log level and then follow the execution
>     of the request to see which rules are actually executed.
>     
>     Also: You should not send Basic Auth Headers to mailing lists. You just
>     shared a password with the world.
>     
>     Good luck,
>     
>     Christian Folini
>     
>     On Fri, Oct 26, 2018 at 04:01:06PM +0000, Scheblein, Adam wrote:
>     > I’m trying to implement basic auth protection based on the example given in the modsecurity handbook, however, the rules never seem to engage.  Any help would be appreciated.
>     > 
>     > Here is what I have for my rules and from my audit log:
>     > 
>     > Rules:
>     > 
>     >  <Location />
>     >       # Enforce an existing IP address block
>     >       SecRule IP:bf_block "@eq 1" \
>     >           "phase:2,id:40000000,deny,\
>     >           msg:'IP address blocked because of suspected brute-force attack'"
>     >       # Retrieve the per-username record
>     >       SecAction phase:2,id:40000005,nolog,pass,initcol:USER=%{ARGS.username}
>     >       # Enforce an existing username block
>     >       SecRule USER:bf_block "@eq 1" \
>     >           "phase:2,id:40000001,deny,\
>     >           msg:'Username blocked because of suspected brute-force attack'"
>     >       # Check for authentication failure and increment counters
>     >       SecRule RESPONSE_HEADERS:Location ^/ \
>     >           "phase:5,id:40000002,t:none,nolog,pass,\
>     >           setvar:IP.bf_counter=+1,\
>     >           setvar:USER.bf_counter=+1"
>     >       # Check for too many failures from a single IP address
>     >       SecRule IP:bf_counter "@gt 2" \
>     >           "phase:5,id:40000003,pass,t:none,\
>     >            setvar:IP.bf_block,\
>     >           setvar:!IP.bf_counter,\
>     >           expirevar:IP.block=1800"
>     >       # Check for too many failures for a single username
>     >       SecRule USER:bf_counter "@gt 2" \
>     >           "phase:5,id:40000004,t:none,pass,\
>     >           setvar:USER.bf_block,\
>     >           setvar:!USER.bf_counter,\
>     >           expirevar:USER.block=1800"
>     > </Location>
>     > 
>     > Audit log entry:
>     > 
>     > --6ba2c30c-B--
>     > GET / HTTP/1.1
>     > Host: something.example.com
>     > Connection: keep-alive
>     > Cache-Control: max-age=0
>     > Authorization: Basic MjhjM3NjaGVibGVpOmFzZGY=
>     > Upgrade-Insecure-Requests: 1
>     > User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
>     > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
>     > DNT: 1
>     > Accept-Encoding: gzip, deflate, sdch, br
>     > Accept-Language: en-US,en;q=0.8
>     > 
>     > --6ba2c30c-F--
>     > HTTP/1.1 401 Unauthorized
>     > Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
>     > X-Frame-Options: DENY
>     > X-Content-Type-Options: nosniff
>     > WWW-Authenticate: Basic realm="Protected"
>     > Content-Length: 503
>     > Keep-Alive: timeout=5, max=98
>     > Connection: Keep-Alive
>     > Content-Type: text/html; charset=iso-8859-1
>     > 
>     > --6ba2c30c-E--
>     > 
>     > --6ba2c30c-H--
>     > Apache-Error: [file "mod_auth_basic.c"] [line 406] [level 3] AH01617: user username: authentication failure for "/": Password Mismatch
>     > Apache-Error: [file "mod_auth_basic.c"] [line 406] [level 3] AH01617: user username: authentication failure for "/tools/unauthorized.shtml": Password Mismatch
>     > Stopwatch: 1540568079334381 38724 (- - -)
>     > Stopwatch2: 1540568079334381 38724; combined=494, p1=280, p2=0, p3=61, p4=92, p5=61, sr=12, sw=0, l=0, gc=0
>     > Response-Body-Transformed: Dechunked
>     > Producer: ModSecurity for Apache/2.9.2 (https://urldefense.proofpoint.com/v2/url?u=http-3A__www.modsecurity.org_&d=DwIGaQ&c=S1d2Gs1Y1NQV8Lx35_Qi5FnTH2uYWyh_OhOS94IqYCo&r=E28NzkfUnnOxyipWbMmVvps8QnGe_19SJDNMcPTyffU&m=GrUG5eW733hjZXRRayDFZ-lKai5L1jGVaa1B8_csXeY&s=qhl30HpH8LJWoF9f_fT90bk7SdkYVhzO3u8IO6snE-c&e=); OWASP_CRS/3.1.0.
>     > Server: Apache
>     > Engine-Mode: "ENABLED"
>     > 
>     > --6ba2c30c-Z--
>     
>     
>     > _______________________________________________
>     > mod-security-users mailing list
>     > mod...@li...
>     > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.sourceforge.net_lists_listinfo_mod-2Dsecurity-2Dusers&d=DwIGaQ&c=S1d2Gs1Y1NQV8Lx35_Qi5FnTH2uYWyh_OhOS94IqYCo&r=E28NzkfUnnOxyipWbMmVvps8QnGe_19SJDNMcPTyffU&m=GrUG5eW733hjZXRRayDFZ-lKai5L1jGVaa1B8_csXeY&s=u0jxmP0rhtu23yq0M7-p60br38HreMChRHJCZzer0K4&e=
>     > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>     > https://urldefense.proofpoint.com/v2/url?u=http-3A__www.modsecurity.org_projects_commercial_rules_&d=DwIGaQ&c=S1d2Gs1Y1NQV8Lx35_Qi5FnTH2uYWyh_OhOS94IqYCo&r=E28NzkfUnnOxyipWbMmVvps8QnGe_19SJDNMcPTyffU&m=GrUG5eW733hjZXRRayDFZ-lKai5L1jGVaa1B8_csXeY&s=cgYc-s-PpwppJr8fIXLtgK1mSJQAmqnzkZsq75TRROc&e=
>     > https://urldefense.proofpoint.com/v2/url?u=http-3A__www.modsecurity.org_projects_commercial_support_&d=DwIGaQ&c=S1d2Gs1Y1NQV8Lx35_Qi5FnTH2uYWyh_OhOS94IqYCo&r=E28NzkfUnnOxyipWbMmVvps8QnGe_19SJDNMcPTyffU&m=GrUG5eW733hjZXRRayDFZ-lKai5L1jGVaa1B8_csXeY&s=Ny1EXwvYROVsswWxOxuWAOakyrwvh8fVr_cvjsPcHXA&e=
>     
>     
>     
>     _______________________________________________
>     mod-security-users mailing list
>     mod...@li...
>     https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.sourceforge.net_lists_listinfo_mod-2Dsecurity-2Dusers&d=DwIGaQ&c=S1d2Gs1Y1NQV8Lx35_Qi5FnTH2uYWyh_OhOS94IqYCo&r=E28NzkfUnnOxyipWbMmVvps8QnGe_19SJDNMcPTyffU&m=GrUG5eW733hjZXRRayDFZ-lKai5L1jGVaa1B8_csXeY&s=u0jxmP0rhtu23yq0M7-p60br38HreMChRHJCZzer0K4&e=
>     Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>     https://urldefense.proofpoint.com/v2/url?u=http-3A__www.modsecurity.org_projects_commercial_rules_&d=DwIGaQ&c=S1d2Gs1Y1NQV8Lx35_Qi5FnTH2uYWyh_OhOS94IqYCo&r=E28NzkfUnnOxyipWbMmVvps8QnGe_19SJDNMcPTyffU&m=GrUG5eW733hjZXRRayDFZ-lKai5L1jGVaa1B8_csXeY&s=cgYc-s-PpwppJr8fIXLtgK1mSJQAmqnzkZsq75TRROc&e=
>     https://urldefense.proofpoint.com/v2/url?u=http-3A__www.modsecurity.org_projects_commercial_support_&d=DwIGaQ&c=S1d2Gs1Y1NQV8Lx35_Qi5FnTH2uYWyh_OhOS94IqYCo&r=E28NzkfUnnOxyipWbMmVvps8QnGe_19SJDNMcPTyffU&m=GrUG5eW733hjZXRRayDFZ-lKai5L1jGVaa1B8_csXeY&s=Ny1EXwvYROVsswWxOxuWAOakyrwvh8fVr_cvjsPcHXA&e=
>     
> 
> 
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/