Detect and block repetitive POSTsby Read Write Tools
|This plugin detects repetitive attempts to POST to a given website resource. This is a sign of trouble for your website, as it may be an attempt to gain unauthorized access via weak user credentials. Further attempts are temporarily blocked until a specified blackout period has expired.|
Attempts to circumvent your website's authorization process are a fact of life. Detecting and dealing with them are necessary. One common hacking method is simple brute force trial and error. When a series of unsuccessful requests to login occurs in a short period of time, this plugin will add the user-agent's remote address to a blacklist: subsequent requests to login will be blocked with status code
Sometimes a legitimate user may trigger this detector and accidentally lock themselves out. For this reason, the blackout is automatically removed after a given period of time.
Often these cracking attempts will be routed through a botnet, where each request comes from a large collection of different IP addresses. For those types of attacks, you can set the
max-visits variable to a low value, to detect and block attempts aggressively.
In order to monitor the usefulness of this plugin you can enable the
log-failures configuration switch. When
true the IP address of each blocked request will be printed to the website's log.
This plugin is open source and can be modified or enhanced to perform tasks such as these:
- Permanently block IP addresses that request a honeypot resource.
- Redirect a blacklisted user via
303 See Otherto a customer service help page.
- Detect botnet thunderstorms and automatically increase threshold sensitivity.
The plugin module is available from NPM. Before proceeding, you should already have
RWSERVE configured and tested.
This module should be installed on your web server in a well-defined place, so that it can be discovered by
RWSERVE. The standard place for public domain plugins is
npm install rwserve-brute-force
Configuration is Everything
Make the software available by declaring it in the
plugins section of your configuration file. For detailed instructions on how to do this, refer to the plugins documentation on the
Read Write Tools HTTP/2 Server website.
`/rbac/credentials/*` *methods=POST *plugin=rwserve-brute-force
config settings can be adjusted using this guidance.
max-visits is a positive integer. This is the number of requests to the target resource allowed during the grace period before being blocked. A typical setting might be 3 to 6, while an aggressive setting would be 1.
grace-period is an integer number of seconds specifying a window of time during which requests are counted. The counter for each IP address is reset to zero when this much time has elapsed since the first request. If the counter exceeds the max-visits threshold, a blackout is begun.
blackout-period is an integer number of seconds specifying the window of time during which all requests to the target resource, by the blacklisted IP, are blocked. When this time period has elapsed, the IP address is removed from the blacklist and subsequent requests are honored, starting with a new grace period.
log-failures is a switch that may be either true or false. If true, each request by an IP address during a blackout period is recorded in the web log. If false, blackouts are silently enforced without recording to the web log.
router section lists one or more target resources that will participate in the brute force scheme. In the above example, all HTTP
POST requests for resource paths beginning with
/rbac/credentials will participate.
A full configuration file with typical settings for a server running on localhost port 7443, is included in this NPM module at
etc/brute-force-config. To use this configuration file, adjust these variables if they don't match your server setup:
Start the server using the configuration file just prepared. Use Bash to start the server in the background, like this:
[user@host ~]# rwserve /srv/rwserve-plugins/node_modules/rwserve-brute-force/etc/brute-force-config &
Forcing a blackout
Use CURL to submit a sequence of POST requests to your sever. The first five requests will return with
403 Forbidden with a response header
rw-rbac-forbidden indicating that invalid credentials were provided. The sixth and subsequent requests will return
403 Forbidden without any supplemental header. Close examination of the server's logged messages will reveal something like
error RwserveBruteForce RA=127.0.0.1; CT=6 indicating the remote address (RA) and count (CT) for the blocked request.
curl -X POST -d "action=login&user=root&password=toor" https://localhost:7443/rbac/credentials/login -H content-type:application/x-www-form-urlencoded -H content-length:36 -v
curl -X POST -d "action=login&user=admin&password=adm" https://localhost:7443/rbac/credentials/login -H content-type:application/x-www-form-urlencoded -H content-length:36 -v
curl -X POST -d "action=login&user=debug&password=dbg" https://localhost:7443/rbac/credentials/login -H content-type:application/x-www-form-urlencoded -H content-length:36 -v
curl -X POST -d "action=login&user=setup&password=123" https://localhost:7443/rbac/credentials/login -H content-type:application/x-www-form-urlencoded -H content-length:36 -v
curl -X POST -d "action=login&user=devops&password=me" https://localhost:7443/rbac/credentials/login -H content-type:application/x-www-form-urlencoded -H content-length:36 -v
Once you've tested the plugin and are ready to go live, adjust your production web server's configuration in
/etc/rwserve/rwserve.conf and restart it using
systemd. . .
[user@host ~]# systemctl restart rwserve
. . . then monitor its request/response activity with
[user@host ~]# journalctl -u rwserve -ef
This is a plugin for the Read Write Tools HTTP/2 Server, which works on Linux platforms.
|Software||Minimum Version||Most Recent Version|
|Ubuntu||16 Xenial Xerus||16 Xenial Xerus|
|Debian||9 Stretch||10 Buster|
|openSUSE||openSUSE 15.1||openSUSE 15.1|
|Fedora||Fedora 27||Fedora 32|
|CentOS||CentOS 7.4||CentOS 8.1|
|RHEL||RHEL 7.8||RHEL 8.2|
|RWSERVE||RWSERVE 1.0.1||RWSERVE 1.0.47|
|Node.js||Node.js 10.3||Node.js 12.17|
|This plugin demonstrates these concepts: |
The rwserve-brute-force plugin is licensed under the MIT License.
Copyright © 2020 Read Write Tools.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|Documentation||Read Write Hub|