Recipe 7-3: Detecting Failed Authentication Attempts
This recipe shows you how to identify when a client generates multiple failed authentication attempts in a short period of time.
Ingredients
- ModSecurity
- SecRule directive
- @within operator
- initcol action
- setvar action
- expirevar action
Authentication Failure Monitoring
When a client submits incorrect credentials during authentication, what happens? Is the client redirected to another web page? Does HTML text within the body of the response page identify the authentication failure? Conversely, what does the response look like when a client successfully authenticates to the application? We must learn what these two scenarios look like so that we can create applicable ModSecurity rules that generate alerts when successive failures occur.
When a client submits an incorrect password on the WordPress login page, this is the raw response:
HTTP/1.1 200 OK
Date: Fri, 11 May 2012 03:24:53 GMT
Server: Microsoft-IIS/7.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 11 May 2012 03:24:54 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1697
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>WordPress › Login</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" ...
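As an added example (not the book's own rule set), this is one way to build the monitoring described above in ModSecurity 2.x rule language: it looks for the login failure marker in the WordPress response body and counts failures per client IP with initcol, setvar and expirevar. The `login_error` marker string, the rule ids, the threshold of 5 and the 60 second window are my assumptions, not values taken from the recipe.

```apache
# ModSecurity 2.x: alert on repeated failed WordPress logins from one client.
# Response body inspection must be enabled to see the failure marker.
SecResponseBodyAccess On
SecResponseBodyMimeType text/html

# Phase 1: open the persistent IP collection for this client (REMOTE_ADDR is the key).
SecAction "id:'700001',phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Phase 4 (response body available): only POSTs to the login page are credential
# submissions. Assumption: a failed login renders <div id="login_error"> in the body,
# so the string login_error is the marker we look for (the recipe does not state it).
# Each match adds one to the per-IP counter and (re)starts a 60 second expiry.
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
  "chain,id:'700002',phase:4,t:none,pass,nolog"
  SecRule REQUEST_METHOD "@within POST" "chain,t:none"
  SecRule RESPONSE_BODY "@contains login_error" \
    "t:none,setvar:ip.failed_auth_attempts=+1,expirevar:ip.failed_auth_attempts=60"

# Phase 4: raise an alert once the same client has more than 5 failures still
# inside the window. 'pass' keeps this as monitoring only; blocking is a separate decision.
SecRule IP:FAILED_AUTH_ATTEMPTS "@gt 5" \
  "id:'700003',phase:4,t:none,pass,log,\
  msg:'Repeated failed authentication: %{ip.failed_auth_attempts} failures from %{REMOTE_ADDR} within 60s',\
  tag:'AUTHENTICATION_FAILURE_MONITORING'"
```

Because expirevar is refreshed on every failure, the counter only resets after the client has been quiet for the full window; the alert rule fires on each further request while the count stays above the threshold.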