我的应用程序的登录服务正受到暴力破解登录和密码枚举攻击。我想使用 Apache mod_security
来阻止这些尝试，但我实施的规则并不奏效：
<LocationMatch ^/api/login>
# Initialize IP collection with user's IP address
# NOTE(review): persistent collections only work when SecDataDir (not shown here) is set
# and writable; without it initcol/setvar on ip.* have no lasting effect.
# NOTE(review): ModSecurity 2.7+ refuses to start on rules without an id; each SecAction/
# SecRule below needs an id:<unique number> action.
SecAction "initcol:ip=%{REMOTE_ADDR},pass,nolog"
# Detect failed login attempts
# NOTE(review): RESPONSE_BODY is only available when SecResponseBodyAccess is On AND the
# response Content-Type is listed in SecResponseBodyMimeType (default: text/plain,
# text/html, text/xml). An API answering with e.g. application/json is never buffered,
# so this rule can never match and the counter never increases -- the most likely cause
# of the failure described in the question. Add the API's content type to
# SecResponseBodyMimeType, or count on a request-side signal instead.
SecRule RESPONSE_BODY "password is invalid|username is invalid" "phase:4,pass,setvar:ip.failed_logins=+1,expirevar:ip.failed_logins=60"
# Block subsequent login attempts
# No phase given, so this runs in the default phase 2 (request), i.e. before the
# backend is reached; the counter itself is reset by the 60 s expirevar above.
SecRule IP:FAILED_LOGINS "@gt 3" deny
</LocationMatch>
在使用 POST 请求进行测试时，我仍然会收到响应“密码&用户名无效”。
如何更改上述规则以停止重复尝试登录?
答案 0 :(得分:0)
以下是 mod_security（Apache modsecurity）的配置，用于在启用基本认证（basic auth）时防止暴力破解攻击。
############################################
httpd.conf
###########################################
# Load the two modules ModSecurity needs (mod_unique_id supplies the per-request id)
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
    SecRuleEngine On
    #SecRequestBodyAccess On
    SecResponseBodyAccess On
    # Persistent collections (the IP/USER counters) are stored here; create or pick a
    # directory that exists and is writable by the httpd user
    SecDataDir "/usr/local/apache/logs/data"
    # The brute-force rule set itself
    Include conf/extra/modsecurity-minimal.conf
</IfModule>
##################################
Content of the modsecurity configuration that prevents brute-force attacks when basic auth is enabled in Apache
conf/extra/modsecurity-minimal.conf
##################################
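#################################################################################
# Brute-force protection for HTTP Basic auth.
#
# Thresholds:
#   - a username is blocked for 30 s after 3 failed tries
#   - a client IP is blocked for 5 min (300 s) after 10 failed tries
# Both failure counters expire after 300 s, so at most 3 bad tries per username and
# 10 bad tries per IP are tolerated in any 5-minute window.
#
# Blocks are enforced in phase 1 (request headers), i.e. before the auth module or the
# application sees the request. Denying only in phase 4 (response) would merely replace
# the response after the request had already been processed server-side.
#
# Rule ids 2000004-2000021 are the original ones; 2000003 is new and was chosen to fit
# that range -- adjust it to your own numbering if it collides.
#################################################################################

# Always load the per-IP collection, so IP-based blocking also applies to requests that
# carry no (or an unparsable) Authorization header. Requires SecDataDir to be set.
SecAction "id:'2000003',phase:1,nolog,pass,initcol:IP=%{REMOTE_ADDR}"

# Load the per-username collection from the Basic credentials header.
# The base64 alphabet is A-Z a-z 0-9 + / plus '=' padding; a class without '+' and '/'
# would leave credentials that encode to those characters untracked per user.
SecRule REQUEST_HEADERS:authorization "Basic ([A-Za-z0-9+/]+=*)$" \
    "id:'2000012',phase:1,nolog,pass,chain,capture"
    # NOTE(review): only usernames made of [-A-Za-z0-9_] are tracked per user; e-mail
    # style usernames ('@', '.') fall through and are covered by the IP counter only.
    SecRule TX:1 "^([-a-zA-Z0-9_]+):" "t:base64Decode,chain,capture"
        SecAction "initcol:USER=%{TX.1},setvar:USER.name=%{TX.1}"

# Turn a counter that reached its threshold into a block flag and reset the counter.
# Username: block for 30 s after 3 failures.
SecRule USER:user_false_counter "@ge 3" \
    "id:'2000020',phase:1,t:none,pass,\
    setvar:USER.bf_block,\
    setvar:!USER.user_false_counter,\
    expirevar:USER.bf_block=30"
# IP address: block for 5 minutes after 10 failures.
SecRule IP:ip_false_counter "@ge 10" \
    "id:'2000021',phase:1,t:none,pass,\
    setvar:IP.bf_block,\
    setvar:!IP.ip_false_counter,\
    expirevar:IP.bf_block=300"

# Enforce an existing block. These must stay after the rules above in file order:
# rules of the same phase run in the order they appear, and the collections and
# block flags have to be loaded/set first.
SecRule IP:bf_block "@eq 1" \
    "id:'2000004',phase:1,deny,\
    logdata:'Access denied [by IP] IP: @%{REMOTE_ADDR}, user: %{USER.name}'"
SecRule USER:bf_block "@eq 1" \
    "id:'2000005',phase:1,deny,\
    logdata:'Access denied [by USER] IP: @%{REMOTE_ADDR}, user: %{USER.name}'"

# Count a failed attempt (401 from the auth module) against both username and IP.
# Only requests that actually presented Basic credentials are counted, so a browser's
# initial unauthenticated request (which also gets a 401) does not consume the budget.
# A request denied above gets a 403, so blocked attempts are not counted again.
SecRule RESPONSE_STATUS "401" \
    "phase:5,pass,id:2000015,chain,logdata:'basic auth de @%{IP}, var: %{IP.begin}, user: %{USER.name}, ufc: %{USER.user_false_counter}, block: %{USER.bf_block}, IPblock: %{IP.bf_block}, ifc: %{IP.ip_false_counter}'"
    SecRule REQUEST_HEADERS:authorization "@beginsWith Basic " "chain"
        SecAction "setvar:USER.user_false_counter=+1,setvar:IP.ip_false_counter=+1,expirevar:USER.user_false_counter=300,expirevar:IP.ip_false_counter=300"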