1

Ubuntu 9.10 Apache 2.2.12

Hi Guys,

I'm using a very basic htaccess setup to "protect" a portion of my site (non-critical portion but something I'd like to require basic auth to).

Is there a way to blacklist IPs that fail to provide the appropriate credentials too many times? I'd like to prevent users from having opportunities to guess username/password combinations over and over again...

Mike B

3 Answers

2

I don't think Apache has any built-in feature that will allow you to do this. Here is something that should work, but is kind of hacky:

  1. Write a cron job that parses the Apache error log, looking for entries that contain "authentication failure"
  2. When a certain IP address has X number of authentication failures, then deny it.
  3. Denying the IP can be accomplished via an Apache access control, or you might be able to use the /etc/hosts.deny file.

You should be able to automate all that via a single cron job.

molecularbear
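
The log-parsing step from the answer above, as an added example that is not part of the original answer. It assumes the Apache 2.2 error-log wording for failed basic-auth logins; the function names, the threshold of 3, the allowlist and the sample log lines are hypothetical and constructed for illustration.

```python
import re
from collections import Counter

# Apache 2.2 error-log line for a failed basic-auth login. Anchored at the
# start so a "[client ...]" string typed into the username cannot be mistaken
# for the real client field.
FAILURE = re.compile(
    r'^\[[^\]]+\] \[error\] \[client (?P<ip>[0-9A-Fa-f.:]+)\] '
    r'user .*?(?:authentication failure|not found)'
)

def failed_logins(log_lines):
    """Count failed basic-auth attempts per client IP."""
    counts = Counter()
    for line in log_lines:
        m = FAILURE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def deny_rules(log_lines, threshold=3, allowlist=()):
    """Return 'Deny from <ip>' lines for IPs at or above the threshold."""
    counts = failed_logins(log_lines)
    return [f"Deny from {ip}" for ip in sorted(counts)
            if counts[ip] >= threshold and ip not in allowlist]

# Constructed sample log (documentation-range addresses, not real traffic).
TS = "[Tue Nov 24 10:15:01 2009] [error] "
SAMPLE_LOG = [
    TS + '[client 203.0.113.5] user admin: authentication failure for "/private/": Password Mismatch',
    TS + '[client 203.0.113.5] user root not found: /private/',
    TS + '[client 203.0.113.5] user admin: authentication failure for "/private/": Password Mismatch',
    TS + '[client 198.51.100.20] user mike: authentication failure for "/private/": Password Mismatch',
    TS + '[client 198.51.100.20] File does not exist: /var/www/favicon.ico',
    # Username crafted to look like another client's failure.
    TS + '[client 203.0.113.9] user [client 192.0.2.10] user x not found: /private/',
] + [TS + '[client 192.0.2.10] user mike not found: /private/'] * 3  # admin's own typos

if __name__ == "__main__":
    # A cron job would read the real error log and write these lines to a file
    # that the Apache configuration includes.
    print("\n".join(deny_rules(SAMPLE_LOG, allowlist={"192.0.2.10"})))
```

The allowlist keeps an administrator's own address from being locked out by a few mistyped passwords.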
2

Do you have root access to the server? There are a few programs that monitor log files for changes, checking for failed auth attempts. After X many failed attempts (user configurable) they then block the originating IP address (temporarily, if desired).

The two that I can remember are:

  • Fail2ban: install with sudo apt-get install fail2ban in Ubuntu, then change the /etc/fail2ban/jail.local file (if it doesn't exist, just sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local ). The options in 'jail.local' are pretty self-explanatory, but if you want more info you can check out the documentation at http://www.fail2ban.org/wiki/index.php/Main_Page

  • BlockHosts: (it's a little older, I'm not sure if it's still up to date) To install, follow the instructions at http://aczoom.com/cms/blockhosts

  • there are probably a whole heap more...

phoenix8
  • Awesome. Thanks! This is exactly what I was looking for. – Mike B Nov 24 '09 at 16:23
  • With fail2ban, it is recommended to overwrite only the settings we need instead of copying the entire jail.conf to jail.local: "In order for these two files to operate together successfully, it is best to only include the settings you wish to override in the jail.local file" https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04 – baptx Dec 04 '17 at 19:00
2

You may think about a function that adds entries to your .htaccess. In PHP you can do this:


if (is_writable('.htaccess'))
{
    // Append a deny rule for the requesting client's address
    $h = fopen('.htaccess', 'a+');
    fwrite($h, "\nDeny from " . $_SERVER['REMOTE_ADDR']);
    fclose($h);
}

Ali Mezgani