Re: [mod-security-users] Basic auth protection
From: Scheblein, A. <ada...@ma...> - 2018-10-26 22:30:07
Figured it out. Had to use a period instead of a colon.
Below is the code that I've come up with to block brute force attacks from IP and for Username. Suggestions and comments are welcome:
# Retrieve the IP address
SecAction id:'2000000',phase:1,nolog,pass,initcol:IP=%{REMOTE_ADDR}
# Enforce an existing IP address block
SecRule IP:bf_block "@eq 1" \
"id:'2000001',phase:1,deny,\
msg:'IP address blocked because of suspected brute-force attack'"
# Retrieve the username
SecRule REQUEST_HEADERS:Authorization "Basic (.*)" "chain,capture,phase:1,pass,id:'2000002'"
SecRule TX:1 "^([-a-zA-Z0-9_]+):" "t:base64Decode,chain,capture"
SecAction initcol:USER=%{TX.1}
# Enforce an existing username block
SecRule USER:bf_block "@eq 1" \
"id:'2000003',phase:1,deny,\
msg:'Username \"%{REMOTE_USER}\" blocked because of suspected brute-force attack'"
# Check the request method (this rule matches GET; change it to POST if your login request is a POST)
SecRule REQUEST_METHOD "@streq GET" "id:'2000004',phase:5,chain,t:none,nolog,pass"
# AND Check for authentication failure and increment counters
# NOTE this is for a Rails application, you probably need to customize this
SecRule RESPONSE_STATUS "!200" \
"setvar:IP.bf_counter=+1,setvar:USER.bf_counter=+1"
# Check for too many failures for a single username
SecRule USER:bf_counter "@ge 3" \
"id:'2000005',phase:5,t:none,pass,\
setvar:USER.bf_block,\
setvar:!USER.bf_counter,\
expirevar:USER.bf_block=600"
# Check for too many failures from a single IP address. Block for 10 minutes.
SecRule IP:bf_counter "@ge 3" \
"id:'2000006',phase:5,pass,t:none,\
setvar:IP.bf_block,\
setvar:!IP.bf_counter,\
expirevar:IP.bf_block=600"
On 10/26/18, 5:07 PM, "Scheblein, Adam" <ada...@ma...> wrote:
I was able to narrow down using decode and TX, however, the issue I'm having now is that:
Rule 559a7f24c920: SecAction "initcol:USER=%{TX:1}"
Failed to resolve macro %{tx:1}: Unknown variable: tx:1
How do I take what I captured previously and put it in as a key in a collection?
thanks
On 10/26/18, 4:34 PM, "Christian Folini" <chr...@ne...> wrote:
Hey Adam,
Yes, that is possible. It's a nice exercise actually. You need to strip the
"Basic " prefix, fill the rest into a variable and then t:base64 that variable
and then extract the 2nd part after the colon. I've built sort of a
dumb authentication cache based on this. It's been in production for close
to ten years now, running like a charm.
Cheers,
Christian
On Fri, Oct 26, 2018 at 09:20:41PM +0000, Scheblein, Adam wrote:
> Good thing it was a throwaway password. Is there any way to have mod_security grab the authorization string? I see that there is a base64 transform, so I was hoping to grab the string, decode it, parse/block based on that info.
>
> On 10/26/18, 1:38 PM, "Christian Folini" <chr...@ne...> wrote:
>
> Hello Adam,
>
> I have not tried this example in a while. I wonder if it works for basic auth,
> because basic auth is likely to shortcut some of the ModSec processing phases
> in case of a 401.
>
> I suggest you raise the ModSec debug log level and then follow the execution
> of the request to see which rules are actually executed.
>
> Also: You should not send Basic Auth Headers to mailing lists. You just
> shared a password with the world.
>
> Good luck,
>
> Christian Folini
>
> On Fri, Oct 26, 2018 at 04:01:06PM +0000, Scheblein, Adam wrote:
> > I’m trying to implement basic auth protection based on the example given in the modsecurity handbook, however, the rules never seem to engage. Any help would be appreciated.
> >
> > Here is what I have for my rules and from my audit log:
> >
> > Rules:
> >
> > <Location />
> > # Enforce an existing IP address block
> > SecRule IP:bf_block "@eq 1" \
> > "phase:2,id:40000000,deny,\
> > msg:'IP address blocked because of suspected brute-force attack'"
> > # Retrieve the per-username record
> > SecAction phase:2,id:40000005,nolog,pass,initcol:USER=%{ARGS.username}
> > # Enforce an existing username block
> > SecRule USER:bf_block "@eq 1" \
> > "phase:2,id:40000001,deny,\
> > msg:'Username blocked because of suspected brute-force attack'"
> > # Check for authentication failure and increment counters
> > SecRule RESPONSE_HEADERS:Location ^/ \
> > "phase:5,id:40000002,t:none,nolog,pass,\
> > setvar:IP.bf_counter=+1,\
> > setvar:USER.bf_counter=+1"
> > # Check for too many failures from a single IP address
> > SecRule IP:bf_counter "@gt 2" \
> > "phase:5,id:40000003,pass,t:none,\
> > setvar:IP.bf_block,\
> > setvar:!IP.bf_counter,\
> > expirevar:IP.bf_block=1800"
> > # Check for too many failures for a single username
> > SecRule USER:bf_counter "@gt 2" \
> > "phase:5,id:40000004,t:none,pass,\
> > setvar:USER.bf_block,\
> > setvar:!USER.bf_counter,\
> > expirevar:USER.bf_block=1800"
> > </Location>
> >
> > Audit log entry:
> >
> > --6ba2c30c-B--
> > GET / HTTP/1.1
> > Host: something.example.com
> > Connection: keep-alive
> > Cache-Control: max-age=0
> > Authorization: Basic MjhjM3NjaGVibGVpOmFzZGY=
> > Upgrade-Insecure-Requests: 1
> > User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> > DNT: 1
> > Accept-Encoding: gzip, deflate, sdch, br
> > Accept-Language: en-US,en;q=0.8
> >
> > --6ba2c30c-F--
> > HTTP/1.1 401 Unauthorized
> > Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
> > X-Frame-Options: DENY
> > X-Content-Type-Options: nosniff
> > WWW-Authenticate: Basic realm="Protected"
> > Content-Length: 503
> > Keep-Alive: timeout=5, max=98
> > Connection: Keep-Alive
> > Content-Type: text/html; charset=iso-8859-1
> >
> > --6ba2c30c-E--
> >
> > --6ba2c30c-H--
> > Apache-Error: [file "mod_auth_basic.c"] [line 406] [level 3] AH01617: user username: authentication failure for "/": Password Mismatch
> > Apache-Error: [file "mod_auth_basic.c"] [line 406] [level 3] AH01617: user username: authentication failure for "/tools/unauthorized.shtml": Password Mismatch
> > Stopwatch: 1540568079334381 38724 (- - -)
> > Stopwatch2: 1540568079334381 38724; combined=494, p1=280, p2=0, p3=61, p4=92, p5=61, sr=12, sw=0, l=0, gc=0
> > Response-Body-Transformed: Dechunked
> > Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
> > Server: Apache
> > Engine-Mode: "ENABLED"
> >
> > --6ba2c30c-Z--
>
>
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial_rules/
> > http://www.modsecurity.org/projects/commercial_support/
>
>
>
>
>
>
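The logic of the final rule set at the top of this message (pull the username out of the Basic Authorization header, count non-200 responses per IP address and per username, block both for 600 seconds once three failures accumulate) as an added Python model. This is not code from the thread and not ModSecurity code; parse_basic_username, BruteForceTracker, simulate, basic_header and the sample requests are my own constructions, and the 403 stands in for ModSecurity's deny.

```python
import base64
import binascii
import re
from dataclasses import dataclass

FAIL_THRESHOLD = 3   # "@ge 3" in rules 2000005 / 2000006
BLOCK_SECONDS = 600  # "expirevar:...bf_block=600"

# Same character class as the chained rule: SecRule TX:1 "^([-a-zA-Z0-9_]+):"
_USER_RE = re.compile(r"^([-a-zA-Z0-9_]+):")


def basic_header(user, password):
    """Build a Basic Authorization header value (constructed test input only)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_username(auth_header):
    """Mirror of the 2000002 chain: strip 'Basic ', base64-decode, keep what
    precedes the first colon. Returns None wherever the chain would not match
    (no header, other scheme, undecodable payload, no colon)."""
    if not auth_header:
        return None
    m = re.match(r"^Basic\s+(\S+)$", auth_header)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    um = _USER_RE.match(decoded)
    return um.group(1) if um else None


@dataclass
class _Record:
    """One entry of the IP or USER persistent collection (hypothetical model)."""
    counter: int = 0          # bf_counter
    blocked_until: float = 0  # bf_block together with its expirevar time


class BruteForceTracker:
    def __init__(self, threshold=FAIL_THRESHOLD, block_seconds=BLOCK_SECONDS):
        self.threshold = threshold
        self.block_seconds = block_seconds
        self.ip = {}    # IP collection, keyed by REMOTE_ADDR
        self.user = {}  # USER collection, keyed by the parsed username

    def _tables(self, ip, username):
        yield self.ip, ip
        if username is not None:  # no USER collection when the header did not parse
            yield self.user, username

    def is_blocked(self, ip, username, now):
        """Phase 1: deny if the IP or the username carries an unexpired bf_block."""
        return any(
            key in table and table[key].blocked_until > now
            for table, key in self._tables(ip, username)
        )

    def record_response(self, ip, username, status, now):
        """Phase 5: every non-200 response bumps both counters; reaching the
        threshold sets bf_block, clears bf_counter and starts the expiry clock."""
        if status == 200:
            return
        for table, key in self._tables(ip, username):
            rec = table.setdefault(key, _Record())
            rec.counter += 1
            if rec.counter >= self.threshold:
                rec.blocked_until = now + self.block_seconds
                rec.counter = 0


def simulate(requests, tracker=None):
    """Run (time, client_ip, authorization_header, upstream_status) tuples through
    the phase-1 check and the phase-5 bookkeeping. Returns the status each client
    sees: 403 when the WAF denies, otherwise the upstream status."""
    tracker = tracker if tracker is not None else BruteForceTracker()
    seen = []
    for now, ip, auth, upstream in requests:
        user = parse_basic_username(auth)
        status = 403 if tracker.is_blocked(ip, user, now) else upstream
        tracker.record_response(ip, user, status, now)  # a 403 also counts, as in the rules
        seen.append(status)
    return seen


# Constructed traffic: three bad passwords, then the right one, then a second IP.
SAMPLE_REQUESTS = [
    (0.0, "10.0.0.1", basic_header("alice", "wrong1"), 401),
    (1.0, "10.0.0.1", basic_header("alice", "wrong2"), 401),
    (2.0, "10.0.0.1", basic_header("alice", "wrong3"), 401),     # third failure: IP and user blocked until t=602
    (3.0, "10.0.0.1", basic_header("alice", "correct"), 200),    # right password, still denied in phase 1
    (4.0, "10.0.0.2", basic_header("alice", "wrong4"), 401),     # other IP, same username: denied
    (5.0, "10.0.0.2", basic_header("bob", "bobs-pw"), 200),      # other IP and username: passes
    (700.0, "10.0.0.1", basic_header("alice", "correct"), 200),  # block expired: passes
]

if __name__ == "__main__":
    print(simulate(SAMPLE_REQUESTS))  # [401, 401, 401, 403, 403, 200, 200]
```

Two properties of the posted rules that the model reproduces are worth checking against your own requirements: a denied request is itself a non-200 response, so it increments the counters again and a client that keeps retrying keeps re-arming its block; and bf_counter carries no expirevar, so three failures spread over any span of time add up. If either is unwanted, match only the 401 status in the phase-5 chain and add an expirevar for bf_counter next to the one for bf_block.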