
I want to provide basic defense against brute-force attacks against a simple HTTPS web service. The web service provides a login method (let's say at http://example.org/login) which gets passed a username and password as HTTP GET parameters or as fields of a JSON object given by HTTP POST. The service returns HTTP status code 403 on failed login attempts. I can think of two kinds of attacks to secure against:

  • Too many failed login attempts from the same IP in a given span of time
  • Too many failed login attempts for the same username in a given span of time

As far as I understand, mod-security is suitable to detect these attacks and block requests, but the tutorials I found are far too complex and the syntax of mod-security puzzles me. Could you provide a sample set of rules to secure against the attacks specified above? In pseudo code I'd say something like the following, with appropriate numbers for n, m, and x:

<LocationMatch /login>
  IF response_status == 403 THEN
    user = fetch_user_from_request
    IF  ++fail_count_per_IP[IP] > n  
    OR  ++fail_count_per_USER[USER] > m THEN
       block IP FOR x minutes
</LocationMatch>
Jakob

1 Answer

There is a rate-limiting rule set in the ModSecurity CRS, which does not directly correlate with whether the authentication attempt was successful or not. The following is one of the rules:

SecRule IP:BRUTE_FORCE_COUNTER "@gt %{tx.brute_force_counter_threshold}" \
  "phase:5,id:'981042',t:none,nolog,pass,\
  setvar:ip.brute_force_burst_counter=+1,\
  expirevar:ip.brute_force_burst_counter=%{tx.brute_force_burst_time_slice},\
  setvar:!ip.brute_force_counter"

In the above rule we are maintaining a BRUTE_FORCE_COUNTER per IP; you can also maintain it against the session. Then we maintain a threshold, that is, the number of legal attempts, in brute_force_counter_threshold. For every transaction we increase the counter, that is ip.brute_force_burst_counter=+1. tx.brute_force_burst_time_slice is the time interval after which we refresh the counter.

Ali Ahmad

  • Thanks for the translation to ModSecurity syntax. Without correlation to failed logins, however, rate-limiting is possible more easily with mod_evasive. How can one connect the rule to the response status? – Jakob Feb 27 '13 at 07:51
  • Use the response status variable, like SecRule RESPONSE_STATUS "^[45]", and set the rule phase to 4 to run the rule in the response phase; use the chain keyword to combine multiple rules. I recommend reading the ModSecurity handbook. – Ali Ahmad Feb 27 '13 at 08:39
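Putting the asker's pseudo code and the comment's advice (RESPONSE_STATUS, phase 4, chained rules) together, the following is an added example of a complete ModSecurity 2.x rule set; it is not from the question, the answer or the CRS. It assumes persistent collections are enabled through SecDataDir, that the login handler really answers 403 on a failed login, and that the username arrives as a parameter called username (query string, or a JSON body field, which needs the JSON body processor available from ModSecurity 2.8). The thresholds n=5 per IP, m=3 per username, a 10-minute counting window and a 15-minute block, and the rule ids in the 1000100 range, are illustrative values chosen for the example.

```apache
# Added example: count failed logins (HTTP 403 from /login) per client IP and per
# username, and block further attempts for x minutes once n or m failures are seen.
# Rule ids, thresholds and the SecDataDir path are assumptions for this example.

SecRuleEngine On
SecRequestBodyAccess On
SecDataDir /var/cache/modsecurity   # assumed path; must be writable by the web server

# Parse JSON request bodies so ARGS:username is populated for the POST variant
# (needs the JSON body processor, ModSecurity 2.8 or later).
SecRule REQUEST_HEADERS:Content-Type "application/json" \
  "phase:1,id:1000100,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=JSON"

# Attach the persistent IP collection to every request.
SecAction "phase:1,id:1000101,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Deny early while this IP is blocked. 429 is used for our own blocks so that the
# phase-4 counter below (which only matches 403) does not count them as login failures.
SecRule IP:BLOCKED "@eq 1" \
  "phase:1,id:1000102,deny,status:429,log,msg:'Login brute force: IP blocked'"

<LocationMatch "^/login">
  # Once the request body is parsed (phase 2), key the USER collection by the username.
  SecRule ARGS:username "!@rx ^$" \
    "phase:2,id:1000103,t:none,nolog,pass,setuid:%{ARGS.username}"

  # Deny while this username is in its cool-off period.
  SecRule USER:BLOCKED "@eq 1" \
    "phase:2,id:1000104,deny,status:429,log,msg:'Login brute force: user blocked'"

  # Phase 4 runs after the application has answered: a 403 means a failed login.
  # Count it per IP and per user; each counter expires 10 minutes after its last update.
  SecRule RESPONSE_STATUS "@streq 403" \
    "phase:4,id:1000105,t:none,nolog,pass,\
    setvar:ip.failed_logins=+1,expirevar:ip.failed_logins=600,\
    setvar:user.failed_logins=+1,expirevar:user.failed_logins=600"

  # n = 5 failures from one IP: block that IP for x = 15 minutes and reset its counter.
  SecRule IP:FAILED_LOGINS "@gt 5" \
    "phase:4,id:1000106,t:none,log,pass,msg:'Login brute force by IP',\
    setvar:ip.blocked=1,expirevar:ip.blocked=900,setvar:!ip.failed_logins"

  # m = 3 failures for one username: block logins for that user for 15 minutes.
  SecRule USER:FAILED_LOGINS "@gt 3" \
    "phase:4,id:1000107,t:none,log,pass,msg:'Login brute force by username',\
    setvar:user.blocked=1,expirevar:user.blocked=900,setvar:!user.failed_logins"
</LocationMatch>
```

The blocking rules only set a flag in phase 4; the request that crossed the threshold still completes, and the flag is enforced on the next request in phase 1 or 2, which is why the block returns a different status code than the application's 403. Note the trade-off in the per-username counter: anyone who knows a valid username can lock that user out by sending m bad passwords, so in practice m is usually set higher than n, or the username rule is left at log-only and used for alerting rather than blocking.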