fail2ban: Defending Apache against brute force attacks to digest authentication protected pages

21 Aug

I’ve just realized that the default filters installed with fail2ban on Ubuntu GNU/Linux do not help you when you use Digest Authentication with Apache. To have even the most basic measure against brute force attacks on a digest-authentication-protected web service you need to modify /etc/fail2ban/filter.d/apache-auth.conf. I have tried the suggestion given on the fail2ban wiki (http://www.fail2ban.org/wiki/index.php/Talk:Apache) and it seems to work:

Once you add the line above to the apache-auth.conf file, try entering wrong username / password combinations when you are presented with the authentication window, then check whether fail2ban detects them (I’m assuming your log files are in their usual locations):


$ fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf

If it returns success and you can see that the relevant IP addresses are matched, you can restart your fail2ban server and have one more level of protection.
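As an added illustration that is not part of the original post, the following Python script mirrors what fail2ban does with such a filter: it applies a digest-auth failregex to constructed Apache error.log lines and then applies fail2ban's maxretry/findtime counting per client IP. The mod_auth_digest message texts and the regex are assumptions (check them against your own error.log), and the script does not reproduce the wiki's own line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Apache error.log lines (not taken from the post).
# The mod_auth_digest message formats are assumed; verify against a real log.
SAMPLE_LOG = """\
[Sat Aug 21 10:00:01 2010] [error] [client 192.0.2.10] Digest: user `alice' in realm `Private' not found: /admin/
[Sat Aug 21 10:00:03 2010] [error] [client 192.0.2.10] Digest: user alice: password mismatch: /admin/
[Sat Aug 21 10:00:04 2010] [error] [client 192.0.2.10] Digest: user alice: password mismatch: /admin/
[Sat Aug 21 10:00:05 2010] [error] [client 198.51.100.7] Digest: user bob: password mismatch: /admin/
[Sat Aug 21 10:00:09 2010] [notice] caught SIGTERM, shutting down
[Sat Aug 21 10:20:00 2010] [error] [client 192.0.2.10] Digest: user alice: password mismatch: /admin/
"""

# fail2ban-style failregex with <HOST> expanded to an IPv4 capture group (assumed pattern).
# Matches both "user ... not found" and "user ...: password mismatch" failures.
DIGEST_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<host>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"Digest: user .*?(?:: password mismatch|not found): "
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def find_failures(log_text):
    """Yield (timestamp, host) for every line the failregex matches."""
    for line in log_text.splitlines():
        m = DIGEST_FAIL.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), TS_FORMAT), m.group("host")


def hosts_to_ban(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return hosts with at least maxretry failures inside a sliding findtime
    window, which is how fail2ban's maxretry/findtime settings decide on a ban."""
    recent = defaultdict(list)
    banned = set()
    for ts, host in sorted(find_failures(log_text)):
        # keep only the failures that fall within findtime of the newest one
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    for ts, host in find_failures(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} failure from {host}")
    print("would ban:", sorted(hosts_to_ban(SAMPLE_LOG)))
```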


Posted by on August 21, 2010 in security, sysadmin


2 responses to “fail2ban: Defending Apache against brute force attacks to digest authentication protected pages”

  1. Can

    August 22, 2010 at 14:59

    There is also mod_evasive, which will temporarily ban an IP address if certain connectivity thresholds are met. Not the same thing, but it will stop certain app level brute force attacks as well.

  2. Emre Sevinc

    August 22, 2010 at 15:11

    Thank you very much for the suggestion. I’ll examine mod_evasive, too. Another Apache module I should learn is mod_qos I suppose.
