
So I'm running a few popular web applications on my server. I want these to be reachable from any computer without creating too many vulnerabilities.

I am using Apache 2.4.29 as my HTTP server. My current idea for hiding potential security vulnerabilities in my applications from attackers is to enable HTTP basic authentication (AuthType Basic) for the relevant virtual hosts as an additional security layer. Of course, I'm only allowing SSL connections.

Now this is all quite easy to accomplish. But my question is this: how can I best avoid brute force style attacks with HTTP basic authentication? I.e., how can I enable rate limiting?

My current plan is something like this:

Since I'm using ufw (Uncomplicated Firewall) to limit SSH connections, I thought I could do the same on a specific port I use for HTTPS. However, I see two problems with this:

  1. Can't an attacker just use Connection: Keep-Alive and keep trying different passwords without even reconnecting? So limiting incoming connections wouldn't be of any use here.
  2. If I disabled Connection: Keep-Alive somehow, I guess I would run into trouble with the underlying web applications, since they would require a lot of individual connections so the browser can retrieve additional files.

It would be perfect if I could instruct Apache to only keep the connection going for authenticated users and drop it for failed attempts. Is there a way to do this? I am actually not sure what the default behavior is and don't understand enough about HTTP to easily test this.

The KeepAlive and MaxKeepAliveRequests settings in Apache can apparently be configured on a per virtual host basis, but I'm not sure how I could change these settings based on a successful authentication.

CodeFlo

Typically a firewall can't distinguish between regular site visitors and people brute forcing a login page. You need either a web application firewall that is protocol aware (such as Apache's mod_security) or the decoupled approach of, for instance, fail2ban, which scans your log files for malicious events and creates firewall rules to block the offenders – Bob Nov 28 '20 at 21:47

1 Answer

HTTP basic authentication is done by sending an additional header in each and every request the client makes, i.e. for each and every resource:

Authorization: Basic <credentials>

If you do not provide this header in a request, you will be prompted to provide credentials.

There is thus no single login page which you can protect by any kind of rate limiting or firewall rules. Rate limiting all pages is not an option either. Should you rate limit each IP address to only one request per second, valid users can only fetch one resource per second. Loading a web page, two style sheets, and four images would thus take at least seven seconds.

Tommiie
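Because the header travels with every request, the practical way to limit only the failed attempts (rather than all traffic, which the answer shows would hurt legitimate visitors) is the decoupled, log-driven approach from the comment above: count authentication failures per client address and block the address once it exceeds a threshold inside a time window. The following is an added example in Python, not code from the question, the answer, or fail2ban itself; it reimplements that core logic so the mechanics are visible. The log lines are constructed for the example (addresses are from documentation ranges), and the parser assumes the default Apache 2.4 error log format and the AH01617 / AH01618 messages mod_auth_basic writes on a password mismatch or unknown user; if your ErrorLogFormat is customised, adjust the regular expression.

```python
"""Fail2ban-style detector for repeated HTTP Basic auth failures in an Apache error log.

Added example; it keys on the client IP address, not on the TCP connection, so
several attempts sent over one keep-alive connection still count individually.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, Optional, Tuple

# Constructed sample lines (not taken from the page). They follow the default
# Apache 2.4 ErrorLogFormat; 203.0.113.5 reuses one source port, i.e. one
# keep-alive connection, while 203.0.113.9 fails slowly over 40 minutes.
SAMPLE_ERROR_LOG = """\
[Sat Nov 28 21:30:00.000000 2020] [auth_basic:error] [pid 1234:tid 5678] [client 203.0.113.9:40001] AH01617: user carol: authentication failure for "/app/": Password Mismatch
[Sat Nov 28 21:40:00.000000 2020] [auth_basic:error] [pid 1234:tid 5678] [client 203.0.113.9:40002] AH01617: user carol: authentication failure for "/app/": Password Mismatch
[Sat Nov 28 21:47:00.000000 2020] [auth_basic:error] [pid 1234:tid 5678] [client 203.0.113.5:50001] AH01617: user admin: authentication failure for "/app/": Password Mismatch
[Sat Nov 28 21:47:03.000000 2020] [core:notice] [pid 1234:tid 5678] AH00094: Command line: '/usr/sbin/apache2'
[Sat Nov 28 21:47:05.000000 2020] [auth_basic:error] [pid 1234:tid 5678] [client 203.0.113.5:50001] AH01617: user admin: authentication failure for "/app/": Password Mismatch
[Sat Nov 28 21:47:10.000000 2020] [auth_basic:error] [pid 1234:tid 5678] [client 203.0.113.5:50001] AH01618: user root not found: /app/
[Sat Nov 28 21:47:15.000000 2020] [auth_basic:error] [pid 1234:tid 5678] [client 203.0.113.5:50001] AH01617: user admin: authentication failure for "/app/": Password Mismatch
[Sat Nov 28 21:47:20.000000 2020] [auth_basic:error] [pid 1234:tid 5678] [client 203.0.113.5:50001] AH01617: user admin: authentication failure for "/app/": Password Mismatch
[Sat Nov 28 21:47:25.000000 2020] [auth_basic:error] [pid 1234:tid 5678] [client 203.0.113.5:50001] AH01617: user admin: authentication failure for "/app/": Password Mismatch
[Sat Nov 28 21:48:00.000000 2020] [auth_basic:error] [pid 1234:tid 5678] [client 198.51.100.7:60001] AH01617: user alice: authentication failure for "/app/": Password Mismatch
[Sat Nov 28 21:48:30.000000 2020] [auth_basic:error] [pid 1234:tid 5678] [client 198.51.100.7:60001] AH01618: user alcie not found: /app/
[Sat Nov 28 21:50:00.000000 2020] [auth_basic:error] [pid 1234:tid 5678] [client 203.0.113.9:40003] AH01617: user carol: authentication failure for "/app/": Password Mismatch
[Sat Nov 28 22:00:00.000000 2020] [auth_basic:error] [pid 1234:tid 5678] [client 203.0.113.9:40004] AH01617: user carol: authentication failure for "/app/": Password Mismatch
[Sat Nov 28 22:10:00.000000 2020] [auth_basic:error] [pid 1234:tid 5678] [client 203.0.113.9:40005] AH01617: user carol: authentication failure for "/app/": Password Mismatch
"""

# Matches only mod_auth_basic failure lines; other modules' lines are ignored.
# IPv4 only, to keep the example short (assumption, not a limit of Apache).
AUTH_FAILURE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid [^\]]+\] "
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\] "
    r"(?P<code>AH\d{5}): user (?P<user>[^\s:]+)"
)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"  # e.g. "Sat Nov 28 21:47:00.000000 2020"


def parse_auth_failure(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, client_ip, username) for a Basic auth failure, else None."""
    m = AUTH_FAILURE_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], TS_FORMAT), m["ip"], m["user"]


def find_offenders(lines: Iterable[str], maxretry: int = 5,
                   findtime: int = 600) -> Dict[str, datetime]:
    """Sliding-window failure counter, in the spirit of fail2ban's maxretry/findtime.

    Returns {client_ip: time of the failure that triggered the ban}. A client is
    flagged once it has `maxretry` failures within any `findtime`-second window;
    successful requests are never counted, so legitimate traffic is unaffected.
    """
    window = timedelta(seconds=findtime)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned: Dict[str, datetime] = {}
    for line in lines:
        parsed = parse_auth_failure(line)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        q = recent[ip]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_ERROR_LOG.splitlines()).items():
        # In a real deployment this is where a firewall rule (ufw/iptables) would be added.
        print(f"block {ip} (threshold reached at {when.isoformat()})")
```

On the sample, only 203.0.113.5 is flagged, at its fifth failure, even though every attempt arrived on the same keep-alive connection; the two typos from 198.51.100.7 and the slow failures from 203.0.113.9 stay under the threshold. Keying on failures rather than on connections or total requests is what makes this compatible with the answer's observation that a browser fetches many resources per page: those successful, authenticated requests never enter the counter. In production, prefer the real fail2ban with its shipped apache-auth filter over a hand-rolled script, and point it at the same error log.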