4

Is there a way to configure Apache to slow down login after failed attempts?

It looks like it is not the default setting as already discussed here.

On the other hand, it seems to be possible without adding it to one's own application logic, on plain Apache (see here), but I found nothing in the documentation or discussion.

Achim

2 Answers

3

I think you could do it with a rule in the mod_security module:

```
SecFilterSelective VAR VALUE log,pass,pause:5000
```

But in the end you are better off using fail2ban or something like that to block the offending users.

Jure1873
  • I fear that installing any firewall module noticeably slows down the performance too much. Also, the configuration of mod_security doesn't look like it's simple - anyhow, I will try it, thanks! – Achim Mar 17 '12 at 15:05
  • It's a pity that there is nothing built into Apache for this simple login failure... – Achim Mar 17 '12 at 15:07
  • What firewall module? If you mean iptables, it doesn't have any noticeable overhead, and fail2ban will also protect you against other kinds of attacks (ssh). – Jure1873 Mar 18 '12 at 18:12
  • I can't seem to be able to get this working. I have `mod_security2`, and it seems the syntax (and probably also the semantics) has changed. Surprisingly difficult to Google it up, too: only long screeds with lots of noise everywhere. Does a simple one-liner still exist for Apache (2.4 here) for this basic problem? Thx. – Sz. Jun 10 '19 at 21:40
1

Fail2Ban can look for authentication errors in the error logs and block brute-force attempts with iptables.

B14D3
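The detection step that a log-watching tool such as Fail2Ban performs, sketched as an added example (not part of the answers above and not Fail2Ban's own code). It assumes Apache 2.4 error-log lines from mod_auth_basic; the sample lines, addresses and thresholds are constructed, and `maxretry`/`findtime` only borrow the names of Fail2Ban's settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the Apache 2.4 error-log format (not from the page).
SAMPLE_LOG = """\
[Sat Mar 17 15:00:00.000000 2012] [auth_basic:error] [pid 1234] [client 198.51.100.9:40001] AH01617: user bob: authentication failure for "/private/": Password Mismatch
[Sat Mar 17 15:05:01.000000 2012] [auth_basic:error] [pid 1234] [client 203.0.113.7:51234] AH01617: user admin: authentication failure for "/private/": Password Mismatch
[Sat Mar 17 15:05:03.000000 2012] [auth_basic:error] [pid 1234] [client 203.0.113.7:51235] AH01618: user root not found: /private/
[Sat Mar 17 15:05:03.500000 2012] [authz_core:error] [pid 1234] [client 203.0.113.7:51236] AH01630: client denied by server configuration: /var/www/secret
[Sat Mar 17 15:05:04.000000 2012] [auth_basic:error] [pid 1234] [client 203.0.113.7:51237] AH01617: user admin: authentication failure for "/private/": Password Mismatch
[Sat Mar 17 15:20:00.000000 2012] [auth_basic:error] [pid 1234] [client 198.51.100.9:40002] AH01617: user bob: authentication failure for "/private/": Password Mismatch
[Sat Mar 17 15:40:00.000000 2012] [auth_basic:error] [pid 1234] [client 198.51.100.9:40003] AH01617: user bob: authentication failure for "/private/": Password Mismatch
"""

# AH01617 = password mismatch, AH01618 = unknown user (both from mod_auth_basic).
FAILURE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid \d+(?::tid \d+)?\] '
    r'\[client (?P<ip>[0-9a-fA-F.:]+):\d+\] (?:AH01617|AH01618): ')

def parse_failure(line):
    """Return (timestamp, client_ip) for a Basic-auth failure line, else None."""
    m = FAILURE.match(line)
    if not m:
        return None
    return datetime.strptime(m['ts'], '%a %b %d %H:%M:%S.%f %Y'), m['ip']

def offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Map each client IP to the time its maxretry-th failure fell inside findtime."""
    recent, banned = defaultdict(deque), {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None or hit[1] in banned:
            continue
        ts, ip = hit
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # forget failures older than the window
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts  # this is the point where a firewall rule would be added
    return banned

if __name__ == "__main__":
    for ip, ts in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} crossed the threshold at {ts}")
```

The client with three failures spread over 40 minutes is not flagged, which is the trade-off of a sliding window: slow guessing stays under the threshold unless `findtime` is widened.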