I want to provide basic defense against brute-force attacks against a simple HTTPS web service. The web service provides a login
method (let's say at http://example.org/login) which gets passed a username and password as HTTP GET parameters or as fields of a JSON object given by HTTP POST. The service returns HTTP status code 403 on failed login attempts. I can think of two kinds of attacks to secure against:
- Too many failed login attempts from the same IP in a given span of time
- Too many failed login attempts for the same username in a given span of time
As far as I understand, mod-security is suitable to detect these attacks and block requests, but the tutorials I found are far too complex and the syntax of mod-security puzzles me. Could you provide a sample set of rules to secure against the attacks specified above? In pseudo code I'd say something like the following, with appropriate numbers of n, m, and x:
```
<LocationMatch /login>
    IF response_status == 403 THEN
        user = fetch_user_from_request
        IF ++fail_count_per_IP[IP] > n
           OR ++fail_count_per_USER[USER] > m THEN
            block IP FOR x minutes
</LocationMatch>
```
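One way to express that pseudocode as ModSecurity 2.x rules, added here as an example and not part of the original question; the thresholds (n=5, m=10, x=10 minutes), rule ids, the `SecDataDir` path, and the `username` parameter name are assumptions, and the rules count failures by the 403 the service already returns.

```apache
# Assumed: ModSecurity 2.x on Apache with SecRuleEngine On.
# Persistent collections (ip, user) need SecDataDir; path is an assumption.
SecDataDir /var/cache/modsecurity

# Parse JSON bodies so the username field is visible in ARGS (phase 1).
SecRule REQUEST_HEADERS:Content-Type "application/json" \
    "id:1000,phase:1,pass,nolog,ctl:requestBodyProcessor=JSON"

<LocationMatch "^/login">
    # Open the per-IP collection and, when a username is present, the per-user one.
    SecAction "id:1001,phase:2,pass,nolog,initcol:ip=%{REMOTE_ADDR}"
    SecRule ARGS:username "!^$" \
        "id:1002,phase:2,pass,nolog,initcol:user=%{ARGS.username}"

    # While the block flag is set for this IP, refuse the request before the handler runs.
    # 429 keeps blocked requests distinguishable from the service's own 403.
    SecRule IP:blocked "@eq 1" \
        "id:1003,phase:2,deny,status:429,log,msg:'IP temporarily blocked: repeated failed logins'"

    # Logging phase (response known): a 403 from the service is one failed attempt.
    # Both counters expire 600 s after the last failure, which is the time window.
    SecRule RESPONSE_STATUS "@streq 403" \
        "id:1004,phase:5,pass,nolog,setvar:ip.failed=+1,expirevar:ip.failed=600,setvar:user.failed=+1,expirevar:user.failed=600"

    # More than n=5 failures from this IP, or more than m=10 for this username,
    # sets the block flag on the IP for x=10 minutes (600 s).
    SecRule IP:failed "@gt 5" \
        "id:1005,phase:5,pass,nolog,setvar:ip.blocked=1,expirevar:ip.blocked=600"
    SecRule USER:failed "@gt 10" \
        "id:1006,phase:5,pass,nolog,setvar:ip.blocked=1,expirevar:ip.blocked=600"
</LocationMatch>
```

Because ModSecurity cannot block in phase 5, the counting rules only set a flag and the phase 2 rule enforces it on the next request from that address.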