[mod-security-users] Protecting a site from brute-force attacks
From: Francois B. <fra...@gm...> - 2006-01-30 20:34:45
Hi all!

I'd like your input on this... I was asked to protect one of our websites against brute-force attempts; we need to know if an IP address is making repetitive login requests to our site.

I'm using Apache 1.3.33 and mod_security 1.7. on Solaris 9 - And no, we do not have time to upgrade to a more recent Apache or mod_security version :-(

Apache is used as a proxy in front of our multiple app servers. Because of this, and for different reasons which I won't discuss here, I need to rely solely on Apache to implement my solution.

Here's what I'm thinking of doing:

1 - Use mod_security to inspect POST contents of requests.

2 - Create a rule to launch a script every time the POST contains a specific login field (Ex: UserID or password). This will allow me to obtain all the IP addresses of people who attempt to log in.

3 - The script launched would be a modified version of Ivan's "httpd-guardian" Perl script (modified to parse environment variables instead of a log file entry.)

4 - Upon detecting that a user has exceeded X number of login attempts in an amount of time, httpd-guardian would call a script to block the offending IP address.

5 - The blocking script would likely be a modified version of Ivan's "blacklist" Perl script (modified to manage a list of disallowed IP addresses in an .htaccess file for Apache to use.)

6 - A crontab entry would call the "blacklist" script every X minutes to remove stale IP addresses from the .htaccess file.

What do you think? Probably not the ideal solution, but it should work - considering we're short on time and need a solution fast, without relying on firewall or IDS systems.

Got a better idea? Any input is welcome!

Thanks.

Francois
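
The counting, blocking and expiry logic of steps 2 to 6, as an added example that is not part of the original post and is not the httpd-guardian or blacklist code. The thresholds, the class and function names and the sample events are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict, deque

MAX_ATTEMPTS = 5   # assumed threshold (the post's "X number of login attempts")
WINDOW_SECS = 60   # assumed counting window
BLOCK_SECS = 600   # assumed block lifetime before the cron sweep lifts it

class LoginGuard:
    def __init__(self):
        self.attempts = defaultdict(deque)  # ip -> timestamps inside the window
        self.blocked = {}                   # ip -> time the block expires

    def record(self, ip, now):
        """Steps 2-4: count one login POST; True means the IP is blocked."""
        # ValueError on anything but an IP, so nothing else reaches .htaccess
        ip = str(ipaddress.ip_address(ip))
        if ip in self.blocked:
            return True
        q = self.attempts[ip]
        q.append(now)
        while q[0] <= now - WINDOW_SECS:    # forget attempts older than the window
            q.popleft()
        if len(q) > MAX_ATTEMPTS:
            self.blocked[ip] = now + BLOCK_SECS
            del self.attempts[ip]
            return True
        return False

    def expire(self, now):
        """Step 6: cron sweep; lift stale blocks and return the IPs removed."""
        stale = sorted(ip for ip, until in self.blocked.items() if until <= now)
        for ip in stale:
            del self.blocked[ip]
        return stale

    def htaccess(self):
        """Step 5: the deny list in Apache 1.3 mod_access syntax."""
        rules = ["Order Allow,Deny", "Allow from all"]
        rules += ["Deny from " + ip for ip in sorted(self.blocked)]
        return "\n".join(rules) + "\n"

# Constructed sample: six POSTs in 10 s from one IP, two slow ones from another.
SAMPLE = [("192.0.2.10", t) for t in range(0, 12, 2)] + [("198.51.100.7", 0), ("198.51.100.7", 90)]

def replay(events):
    guard = LoginGuard()
    for ip, ts in events:
        guard.record(ip, ts)
    return guard
```

When the rendered text is saved as the real .htaccess file, write it to a temporary file in the same directory and rename it over the old one, so Apache never reads a half-written deny list.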