ModSecurity (Apache mod_security2) rules that throttle brute-force attacks against HTTP Basic authentication: failed logins are counted per username and per client IP, and further requests are denied once either counter is exhausted.
############################################
httpd.conf
###########################################
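# Two modules are involved: mod_unique_id (ModSecurity 2.x requires it for the
# per-transaction UNIQUE_ID it stamps into audit logs) and mod_security2 itself.
# Only the first is loaded here -- make sure mod_security2 is loaded as well
# (LoadModule security2_module modules/mod_security2.so), otherwise the
# <IfModule> guard below silently skips the whole configuration.
LoadModule unique_id_module modules/mod_unique_id.so

<IfModule mod_security2.c>
SecRuleEngine On
#SecRequestBodyAccess On
# Response body access is only needed by rules that deny in phase 4 (the
# bf_block checks in modsecurity-minimal.conf act there). It can be turned
# off if every deny happens in an earlier phase.
SecResponseBodyAccess On

# Directory where ModSecurity persists the IP and USER collections between
# requests. Create it beforehand and make it writable by the httpd worker user.
# The argument is a bare path: the original repeated the directive name inside
# the quotes, so the path became literally "SecDataDir /usr/local/apache/logs/data".
# NOTE: bf_block flags live in the persisted collection files here until they
# expire; restarting httpd does not clear them. To lift a block early, remove
# the collection files under this directory (typically ip.* and user.*).
SecDataDir /usr/local/apache/logs/data

# Settings above apply to the rules included here.
Include conf/extra/modsecurity-minimal.conf
</IfModule>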
##################################
ModSecurity rule set that throttles brute-force attacks against HTTP Basic authentication in Apache (included from httpd.conf as shown above)
conf/extra/modsecurity-minimal.conf
##################################
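# Brute-force throttling for HTTP Basic authentication.
#
# State lives in two persistent collections under SecDataDir:
#   USER  keyed by the username taken from the Authorization header
#   IP    keyed by REMOTE_ADDR
# Every 401 response to a request that carried an Authorization header
# increments IP.ip_false_counter (and USER.user_false_counter when the
# username could be parsed). Both counters expire 300 s (5 min) after the
# LAST failure, so the window slides; it is not a fixed 5-minute bucket.
#   3 failures for one username   -> USER.bf_block for 30 s
#   10 failures from one address  -> IP.bf_block for 300 s
# Setting a block deletes the counter, so counting restarts at 0 once the
# block expires. Blocks are just expiring variables in the SecDataDir files;
# deleting those files lifts every block immediately.
#
# Why the rules are phased and ordered this way:
#   * Detection and enforcement run in phase 1 (request headers), in file
#     order: initialise collections -> evaluate counters -> deny. The
#     Authorization header is already available in phase 1, and denying there
#     stops the request before mod_auth_basic (and whatever user database it
#     consults) ever checks the password. The previous version acted in
#     phases 3/4, i.e. only after Apache had already validated the credentials.
#   * Only the counting runs in phase 5, where the final RESPONSE_STATUS is
#     known. Phase 5 also runs for denied requests, but a denial answers 403,
#     not 401, so blocked attempts are not counted again.
#   * mod_auth_basic (2.4) compares the scheme name case-insensitively and
#     decodes the leading base64 run, ignoring anything after it. The header
#     regex therefore matches "basic"/"BASIC" too and is not end-anchored, so
#     a credential Apache would accept cannot slip past the counters.
#   * The base64 alphabet contains '+' and '/'. The old pattern omitted them,
#     leaving every credential whose encoding contains one of them uncounted.
#   * IP initialisation no longer depends on the username parse, so an
#     unparseable Authorization header still counts against the address.
#
# Caveats a deployer should know:
#   * REMOTE_ADDR is the TCP peer. Behind a reverse proxy or load balancer all
#     clients share one counter and one block unless the real address is
#     restored (e.g. mod_remoteip); clients behind a shared NAT share as well.
#   * Anyone can lock a username for 30 s with three wrong passwords. That is
#     the accepted trade-off of the per-user rule.

# 1. Any request carrying an Authorization header opens the IP collection.
#    tx.bf_auth tells the phase-5 rule that this request was a credential attempt.
SecRule &REQUEST_HEADERS:Authorization "@gt 0" \
    "id:'2000011',phase:1,t:none,nolog,pass,\
    initcol:IP=%{REMOTE_ADDR},setvar:tx.bf_auth=1"

# 2. Extract the username from "Basic <base64(user:pass)>" and open the USER
#    collection for it. The username capture is capped at 255 bytes so an
#    oversized key is not pushed into the persistent store (which has a small
#    per-record size limit); such a request still counts against the IP.
SecRule REQUEST_HEADERS:Authorization "(?i)^Basic\s+([A-Za-z0-9+/]+=*)" \
    "id:'2000012',phase:1,t:none,nolog,pass,capture,chain"
    SecRule TX:1 "^([^:]{1,255}):" \
        "t:none,t:base64Decode,capture,chain"
        SecAction "initcol:USER=%{TX.1},setvar:USER.name=%{TX.1},setvar:tx.bf_user=1"

# 3. Turn an exhausted counter into a block and reset the counter.
#    Username: block for 30 s after 3 failures.
SecRule USER:user_false_counter "@ge 3" \
    "id:'2000020',phase:1,t:none,pass,\
    setvar:USER.bf_block,\
    setvar:!USER.user_false_counter,\
    expirevar:USER.bf_block=30"

#    Address: block for 5 minutes after 10 failures.
SecRule IP:ip_false_counter "@ge 10" \
    "id:'2000021',phase:1,t:none,pass,\
    setvar:IP.bf_block,\
    setvar:!IP.ip_false_counter,\
    expirevar:IP.bf_block=300"

# 4. Enforce active blocks, before Apache authenticates the request.
SecRule IP:bf_block "@eq 1" \
    "id:'2000004',phase:1,t:none,deny,\
    logdata:'Access denied [by IP] IP: @%{REMOTE_ADDR}, user: %{USER.name}'"

SecRule USER:bf_block "@eq 1" \
    "id:'2000005',phase:1,t:none,deny,\
    logdata:'Access denied [by USER] IP: @%{REMOTE_ADDR}, user: %{USER.name}'"

# 5. Count failures once the response status is known. Counters are logged
#    before the increment. expirevar refreshes the 300 s TTL on every failure.
SecRule RESPONSE_STATUS "^401$" \
    "id:'2000015',phase:5,t:none,pass,chain,\
    logdata:'basic auth failure IP: %{REMOTE_ADDR}, user: %{USER.name}, ufc: %{USER.user_false_counter}, ifc: %{IP.ip_false_counter}, block: %{USER.bf_block}, IPblock: %{IP.bf_block}'"
    SecRule TX:bf_auth "@eq 1" \
        "t:none,setvar:IP.ip_false_counter=+1,expirevar:IP.ip_false_counter=300"

SecRule RESPONSE_STATUS "^401$" \
    "id:'2000016',phase:5,t:none,nolog,pass,chain"
    SecRule TX:bf_user "@eq 1" \
        "t:none,setvar:USER.user_false_counter=+1,expirevar:USER.user_false_counter=300"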
@SergioDevOps
Funcionou aqui, porém o bloqueio nunca desaparece. lol

Alguém sabe se existe uma maneira de desbloquear um IP manualmente? Já desfiz todos os passos para "desabilitar" a lógica e as verificações, mas não funcionou.

https://malware.expert/tutorial/how-to-whitelist-ip-address-with-modsecurity/
