Create brute-force rules for ModSecurity

Create brute-force rules for ModSecurity

To create brute-force rules for ModSecurity WAF, follow the steps:

  1. Create the configuration file in the /etc/modsecurity/ directory with .conf extension to detect the brute-force attack.

    Note

    ModSecurity enables all the /etc/modsecurity/* .conf files with rules after restarting Apache.

    The rules to block access from the specified IP for ten minutes after more than ten failed login attempts per controller:

    Note

    The limit for failed attempts is set per controller. Therefore, the overall limit is multiplied by the number of controllers. In this example, for three controllers the limit is 30.

    SecAction "phase:1,id:``10001``,pass,nolog,initcol:IP=%{REQUEST_HEADERS.x-forwarded-for}"
    
    # Check for horizon login ``/horizon/auth/login/``
    
    SecRule REQUEST_METHOD "@streq POST" "phase:5, chain,nolog,t:none,pass,id:``12341``"
    SecRule REQUEST_URI "(?i)(        )" "chain"
            SecRule RESPONSE_STATUS "^200" \
                    "setvar:IP.counter=+1"
    
    # Block for 10 minutes after 10 failed attempts per controller``
    
    SecRule IP:counter "@gt 10" \
          "phase:5,pass,t:none,id:'00012' \
          setvar:IP.block,\
          setvar:IP.counter=0,\
          expirevar:IP.block=600"
    
    #Reset counter after successful login (response is '302 FOUND')
    
    SecRule RESPONSE_STATUS "^302" \
    "phase:5,chain,t:none,nolog,pass,id:'00004',setvar:!IP.counter"
    SecRule REQUEST_URI "/horizon/auth/login/"
    
    
    # Block and log IP
    
          SecRule IP:block "@eq 1" \``
                "phase:2,deny,status:403,id:'00010',\``
                msg:'Brute-force attack detected - IP:
                %{REQUEST_HEADERS.x-forwarded-for}blocked for 10 min'"
    

    For debugging purposes, you may need to remove the block or reset the counter. To remove the block, uncomment the rules below and send the following request with the specified parameters from the blocked IP: GET /some_random_url/?=this_is_a_random_string:

    # Allow to disable the block / reset counter (uncomment following two rules to take effect)
    # In order to disable block send following request with parameters from blocked IP
    # GET /some_random_url/?=this_is_a_random_string
    
    # SecRule ARGS "@streq this_is_a_random_string" "id:``331331``,chain,log,msg:``Unblocking:
    %{REQUEST_HEADERS.x-forwarded-for}``, phase:1, setvar:!IP.block, setvar:!IP.counter"
    # SecRule REQUEST_URI "/some_random_url/"
    
  2. Restart Apache to load the new rules:

    service apache2 restart