|
From: baptx <bap...@gm...> - 2020-04-28 17:06:04
|
Hello, I would like to block a user IP address after several failed login attempts on an Apache web server using HTTP authentication (Basic or Digest). The configuration I am using should block an IP address after 3 errors (HTTP 401 Unauthorized response) but I can still try as many passwords as I want. If I try the correct password, I can see the HTTP 403 Forbidden error page. And if I press Ctrl+Shift+Del in Firefox to clear "Active Logins", I can continue the bruteforce again. It looks like ModSecurity is only blocking the page behind the login but not an actual bruteforce. Is it a ModSecurity bug or a problem with my configuration? I have added the following configuration in /etc/modsecurity/modsecurity_custom_rules.conf, based on the "IP-Based Blocking" example of https://snippets.aktagon.com/snippets/563-brute-force-authentication-protection-with-modsecurity (replace /testpage with a path using HTTP authentication): <LocationMatch /testpage> # Uncomment to troubleshoot #SecDebugLogLevel 9 #SecDebugLog /tmp/troubleshooting.log # Enforce an existing IP address block SecRule IP:bf_block "@eq 1" \ "id:1,phase:2,deny,\ msg:'IP address blocked because of suspected brute-force attack'" # Check that this is a GET SecRule REQUEST_METHOD "@streq GET" "id:2,phase:5,chain,t:none,nolog,pass" # AND Check for authentication failure and increment counters SecRule RESPONSE_STATUS "^401" \ "setvar:IP.bf_counter=+1" # Check for too many failures from a single IP address. Block for 10 minutes. SecRule IP:bf_counter "@ge 3" \ "id:3,phase:5,pass,t:none, \ setvar:IP.bf_block,\ setvar:!IP.bf_counter,\ expirevar:IP.bf_block=600" </LocationMatch> Thanks. |
