mod-security-users

[mod-security-users] Protecting a site from brute-force attacks

[Francois B. <fra...@gm...>]

Hi all! I'd like your input on this...

I was asked to protect one of our websites against brute-force attempts; We
need to know if an IP adress is making repetitive login requests to our
site. I'm using Apache 1.3.33 and mod_security 1.7. on Solaris 9 - And no,
we do not have time to upgrade to a more recent Apache or mod_security
version :-(  Apache is used as a proxy in front of our multiple app servers=
.
Because of this, and for different reasons which I won't discuss here, I
need to rely solely on Apache to implement my solution.

Here's what i'm thinking of doing :

1 - use mod_security to inspect POST contents of requests
2 - create a rule to launch a script every time the POST contains a specifi=
c
login field (Ex : UserID or password). This will allow me to obtain all the
IP adresses of people who attempt to log-in.
3 - The script launched would be a modified version of Ivan's
"httpd-guardian" perl script (modified to parse environment variables
instead of a log file entry.)
4 - Upon detecting that a user has exceeded X number of login attempts in a=
n
amount of time, httpd-guardian would call a script to block the offending I=
P
address.
5 - The blocking script would likely be a modified version of Ivan's
"blacklist" perl script (modified to manage a list of disallowed IP adresse=
s
in an .htaccess file for Apache to use.)
6 - A crontab entry would call the "blacklist" script every X minutes to
remove stale IP adresses from the .htaccess file.

What do you think? Probably not the ideal solution, but it should work -
considering we're short on time and need a solution fast, without relying o=
n
firewall or IDS systems.

Got a better idea? Any input is welcome! Thanks.

Francois

Re: [mod-security-users] Protecting a site from brute-force attacks

[Ivan R. <iv...@we...>]

Francois Boulanger wrote:
> Hi all! I'd like your input on this...
> 
> I was asked to protect one of our websites against brute-force attempts;
> We need to know if an IP adress is making repetitive login requests to
> our site. I'm using Apache 1.3.33 and mod_security 1.7. on Solaris 9 -
> And no, we do not have time to upgrade to a more recent Apache or
> mod_security version :-(

  FYI unless you have an existing mod_security configuration to upgrade
  (and even with that) upgrading mod_security is a 30-second operation.


> Here's what i'm thinking of doing :
> 
> 1 - use mod_security to inspect POST contents of requests
> 2 - create a rule to launch a script every time the POST contains a
> specific login field (Ex : UserID or password). This will allow me to
> obtain all the IP adresses of people who attempt to log-in.

  Avoid launching a script if possible. If you don't those attacking
  you will be able to create dozens of processes per second simply
  by sending many requests in parallel.

  A better idea is to pipe the error log to a single inspecting
  process (like httpd-guardian).


> What do you think? Probably not the ideal solution, but it should work -
> considering we're short on time and need a solution fast, without
> relying on firewall or IDS systems.

  You should even be able to create a nice page to show to the
  blacklisted users.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934

Re: [mod-security-users] Protecting a site from brute-force attacks

[Francois B. <fra...@gm...>]

>
>   FYI unless you have an existing mod_security configuration to upgrade
>   (and even with that) upgrading mod_security is a 30-second operation.


Not really - We have mod_security compiled straight into Apache, so it's no=
t
just a question of compiling a new module and dropping in on the server, we
have to recompile our entire Apache setup which (I'm being told) is a fairl=
y
complicated process, and right now the SysAdmin is too busy to help me...

  Avoid launching a script if possible. If you don't those attacking
>   you will be able to create dozens of processes per second simply
>   by sending many requests in parallel.
>
>   A better idea is to pipe the error log to a single inspecting
>   process (like httpd-guardian).


Hmmm, that probably would be better; I'd have to parse the log to find only
the entries I'm interested in, (since I don't want to block valid users
behind proxies) but I'd be less susceptible to getting flooded with forking
processes.

  You should even be able to create a nice page to show to the
>   blacklisted users.


Already planned! As well as sending an alert to the syslog so that we know
what's happening.... which i believe your script already does.

Thanks Ivan!

--
> Ivan Ristic, Technical Director
> Thinking Stone, http://www.thinkingstone.com
> Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
>