
Update: As Craig suggested, I'm trying fail2ban now, though I have issues with that as well.

failregex is not finding any results, though. I had enabled all apache* in jail.local, and here is how my Apache logs errors:

    [Fri Jul 25 11:31:20.758218 2014] [auth_basic:error] [pid 4959] [client 8.8.8.8:12767] AH01617: user GOLD: authentication failure for "/Folder": Password Mismatch

    [Fri Jul 25 11:31:22.941978 2014] [auth_basic:error] [pid 4959] [client 8.8.8.8:12767] AH01618: user asd not found: /Folder

And here is how failregex in apache-auth.conf is configured:

    failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$

I also tried adding this as well, but it still does not work:

    failregex = [[]client <HOST>[]] (Digest: )?user .* (authentication failure|not found|password mismatch)

http://example.com/FOLDER/ is password protected through .htaccess and htpasswd, but I think it can be brute-forced as there is no failed-attempt limit. Any tips to secure that? mod_security isn't helping in my situation as there is no login page or redirection page (I don't know how to use mod_security in this case by pulling the error message from logs). Any other suggestions to block an IP after n failed attempts?

Thanks!

Matt
  • Instead of adding fail2ban which is yet another thing that can break or be exploited, consider simply using a strong password. – gparent Jul 25 '14 at 15:28
  • @gparent - brute-force password attempts can actually be a form of DoS, so a strong password doesn’t mitigate this, and fail2ban is still applicable and extremely valuable. There's little/no attack vector as it's not accessible externally. – Craig Watson Jul 25 '14 at 15:33
  • And fail2ban enables another form of DoS where anyone on the same network as you can prevent you from accessing the administrative interfaces of your server by sending 3 bogus queries. What if the right password is guessed within the first 3 attempts because you *didn't* use a strong password? The strong password will also help prevent attacks once you do have a user on the box, such as bruteforcing su/sudo (where fail2ban will be completely irrelevant). fail2ban is really a crutch that people ought to get rid of. – gparent Jul 26 '14 at 14:29
  • @CraigWatson Receiving the IP packet / parsing the Ethernet/TCP/HTTP header is much harder than taking a hash of the password and checking it against the saved hash. Hence why the severity of DoS attacks is measured in GB/s, and not the # of requests or what the requests are doing (more so because proper server setups will refuse to respond to IPs that are actively DoSing. All the computation is on parsing the packet, seeing the bad IP, and dropping it). Of course, as gparent notes, adding fail2ban causes requests to have consequences worse than your average HTTP request that gets tossed out. – Nicholas Pipitone Dec 20 '18 at 18:41

1 Answer


If you have control over the OS of the server, you can use fail2ban to block brute-force attempts after a certain number of tries via iptables. You can also optionally enable notifications when an IP is blocked.

Check this ServerFault question for more information; the Fail2ban site appears to be down at the moment.

Craig Watson
  • Thanks, will try that. Can that automatically remove the IP from iptables after a certain number of days? If so, that would be awesome. – Matt Jul 25 '14 at 10:56
  • From memory (am unable to check as the documentation is unavailable), yes - fail2ban does expire blocks after a configurable amount of time. – Craig Watson Jul 25 '14 at 10:57
  • Can you check the updated post and tip me with some info? – Matt Jul 25 '14 at 13:02
  • Apologies, the blog post was actually for a very slightly different question. The default configuration should be enough for basic htpasswd authentication. Fail2ban works on the number of tries within a set timeframe; you can set the `maxretry` and `bantime` for each jail, e.g. to ban for one hour after two failed attempts, set `bantime` to 120 (2*60 seconds) and `maxretry` to 2. – Craig Watson Jul 25 '14 at 15:30