[opensuse] authnz_external limit login attempts
Is it possible to limit the number of login attempts allowed with authnz_external in apache2, i.e. after the 3rd failed attempt to deny? Currently it just pops up forever, which of course leaves it easily accessible by brute force attacks.

Current .htaccess file:

    <IfModule !authnz_external_module>
        Require all denied
    </IfModule>

    <IfModule authnz_external_module>
        <IfModule !authz_unixgroup_module>
            Require all denied
        </IfModule>
    </IfModule>

    <IfModule authnz_external_module>
        <IfModule authz_unixgroup_module>
            AuthType Basic
            AuthName "Login"
            AuthBasicProvider external
            AuthExternal pwauth
            GroupExternal unixgroup
            <RequireAll>
                Require valid-user
                Require unix-group users
            </RequireAll>
        </IfModule>
    </IfModule>

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
Paul Groves wrote:
Is it possible to limit the number of login attempts allowed with authnz_external in apache2
i.e. after 3rd failed attempt to deny
currently it just pops up forever, which of course leaves it easily accessible by brute force attacks.
To my knowledge, there is no way to do that in Apache. Maybe with fail2ban?

--
Per Jessen, Zürich (22.8°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 2017-08-30 10:20, Per Jessen wrote:
Paul Groves wrote:
Is it possible to limit the number of login attempts allowed with authnz_external in apache2
i.e. after 3rd failed attempt to deny
currently it just pops up forever, which of course leaves it easily accessible by brute force attacks.
Time delay?
To my knowledge, there is no way to do that in Apache. Maybe with fail2ban?
With SuSEfirewall, I believe.

    ## Type: string
    ## Default:
    #
    # Services to allow. This is a more generic form of FW_SERVICES_XXX_{IP,UDP,TCP}
    # and more specific than FW_TRUSTED_NETS
    #
    # Format: space separated list of net,protocol[,dport[,sport[,flags]]]
    # Example: "0/0,tcp,22"
    #
    # Supported flags are
    #   hitcount=NUMBER     : ipt_recent --hitcount parameter
    #   blockseconds=NUMBER : ipt_recent --seconds parameter
    #   recentname=NAME     : ipt_recent --name parameter
    # Example:
    # Allow max three ssh connects per minute from the same IP address:
    # "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

Most people use this to limit ssh connections as per the example, but I understand you can use it for any port.

The problem, for people like me, is that the SuSEfirewall does not face outside; that's the job of the ISP router. I'm not even sure that the machine inside logs the external IP (there is NAT).

--
Cheers / Saludos,
Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
Carlos E. R. wrote:
To my knowledge, there is no way to do that in Apache. Maybe with fail2ban?
With SuSEfirewall, I believe.
    ## Type: string
    ## Default:
    #
    # Services to allow. This is a more generic form of FW_SERVICES_XXX_{IP,UDP,TCP}
    # and more specific than FW_TRUSTED_NETS
    #
    # Format: space separated list of net,protocol[,dport[,sport[,flags]]]
    # Example: "0/0,tcp,22"
    #
    # Supported flags are
    #   hitcount=NUMBER     : ipt_recent --hitcount parameter
    #   blockseconds=NUMBER : ipt_recent --seconds parameter
    #   recentname=NAME     : ipt_recent --name parameter
    # Example:
    # Allow max three ssh connects per minute from the same IP address:
    # "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
Most people use this to limit ssh connection as per the example, but I understand you can use it for any port.
Yes, but that will stop everything at that rate, not only the authentication attempts.

--
Per Jessen, Zürich (28.7°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
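The two points raised above (fail2ban as the place to do lockout, and the objection that a port-level iptables rate limit drops every connection rather than only failed logins) come down to the same thing: the counter has to key on authentication failures, not on TCP connects. The script below is an added example, not code from the thread, from fail2ban or from mod_authnz_external. It implements the counting step a fail2ban jail automates, reading an Apache access_log in the common/combined format and reporting client IPs with at least N HTTP 401 responses; the log lines are constructed for the demonstration, the function names are made up, and the time window (fail2ban's findtime) and the actual block action are left out.

```shell
#!/bin/sh
# Added example: per-client counting of failed HTTP Basic-auth attempts from
# an Apache access_log. Not part of the original thread, fail2ban or
# mod_authnz_external; function names are invented for this example.

# write_sample_log FILE
# Writes constructed access_log lines (common/combined format) to FILE.
# 198.51.100.7 hammers a protected path and never authenticates;
# 203.0.113.12 gets the usual first 401 challenge, then logs in as "paul";
# 192.0.2.9 never touches the protected area.
write_sample_log() {
    cat >"$1" <<'EOF'
198.51.100.7 - - [30/Aug/2017:10:20:01 +0200] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.37.0"
198.51.100.7 - - [30/Aug/2017:10:20:02 +0200] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.37.0"
198.51.100.7 - - [30/Aug/2017:10:20:03 +0200] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.37.0"
198.51.100.7 - - [30/Aug/2017:10:20:04 +0200] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.37.0"
203.0.113.12 - - [30/Aug/2017:10:21:00 +0200] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.12 - paul [30/Aug/2017:10:21:05 +0200] "GET /private/ HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
192.0.2.9 - - [30/Aug/2017:10:22:00 +0200] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
EOF
}

# auth_fail_ips LOGFILE THRESHOLD
# Prints, one per line and sorted, every client IP that received at least
# THRESHOLD 401 responses. Only status 401 is counted, so ordinary traffic
# from the same client (200s, 404s, keep-alive requests) never contributes;
# this is what distinguishes it from an ipt_recent rule on port 80/443.
# Note that a browser's very first request to a Basic-auth area is always
# answered with a 401 challenge, so THRESHOLD must be greater than 1.
auth_fail_ips() {
    awk -v thr="$2" '
        # Common/combined format: $1 client IP, $3 authenticated user (or -),
        # $9 HTTP status code.
        $9 == 401 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= thr) print ip }
    ' "$1" | sort
}

# Stand-alone demonstration on the constructed log.
demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "Clients with at least 3 failed Basic-auth attempts:"
auth_fail_ips "$demo_log" 3
rm -f "$demo_log"
```

On a real host the IPs printed would be handed to an iptables/nftables action (or fail2ban does both steps with its apache-auth filter and a findtime/maxretry pair). Behind a NAT router, as mentioned earlier in the thread, $1 will be the router's inside address for every client unless the router forwards the original address and Apache is configured to log it, so the counting has to be done where the real client address is visible.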
On 2017-08-30 15:15, Per Jessen wrote:
Carlos E. R. wrote:
# Example: # Allow max three ssh connects per minute from the same IP address: # "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
Most people use this to limit ssh connection as per the example, but I understand you can use it for any port.
Yes, but that will stop everything at that rate, not only the authentication attempts.
Ah. Didn't think of that. ssh keeps the same connection open. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
participants (3): Carlos E. R., Paul Groves, Per Jessen