Recipe 6.15 Preventing Brute-Force Password Attacks

Problem

You want to disable a username when there are repeated failed attempts to authenticate using it, as if it is being attacked by a password-cracker.

Solution

There is no way to do this with standard Apache authentication modules. The usual approach is to watch your logfile carefully. Or you can use something like Apache::BruteWatch to tell you when a user is being attacked:

 PerlLogHandler Apache::BruteWatch  PerlSetVar BruteDatabase     DBI:mysql:brutelog  PerlSetVar BruteDataUser     username  PerlSetVar BruteDataPassword password  PerlSetVar BruteMaxTries     5  PerlSetVar BruteMaxTime      120  PerlSetVar BruteNotify       rbowen@example.com

Discussion

Due to the stateless nature of HTTP and the fact that users are not, technically, "logged in" at all (see HTTP, Browsers, and Credentials), there is no connection between one authentication attempt and another. This makes it possible to repeatedly attempt to log in with a particular username.

Apache::BruteWatch is one way to watch the logfile and send notification when a particular account is being targeted for a brute-force password attack. With the configuration shown previously, if a given account fails authentication 5 times in 2 minutes, the server administrator will be notified of the situation, so that she can take appropriate measures, such as blocking the offending address from the site.

See Also

  • HTTP, Browsers, and Credentials



Apache Cookbook
Apache Cookbook: Solutions and Examples for Apache Administrators
ISBN: 0596529945
EAN: 2147483647
Year: 2006
Pages: 215

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net