James B. Byrne
2010-Jan-11 15:59 UTC
[CentOS] Securing http authentication from brute force attacks
We have several web applications deployed under Apache that require
a user id / password authentication. Some of these use htdigest and
others use the application itself.

Recently we have experienced several brute force attacks against
some of these services which have been dealt with for the nonce by
changes to iptables. However, I am not convinced that these changes
are the answer.

Therefore I have been looking at http protection and have run across
a few independently provided modules for Apache http security,
mod_security being one of them.

I would like the opinion of other CentOS sysadmins who already have
faced this same problem, with respect to the solutions available and
those that they choose for themselves.

Sincerely,

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
John Doe
2010-Jan-11 16:12 UTC
[CentOS] Securing http authentication from brute force attacks
From: James B. Byrne <byrnejb at harte-lyne.ca>

> We have several web applications deployed under Apache that require
> a user id / password authentication. Some of these use htdigest and
> others use the application itself.
>
> Recently we have experienced several brute force attacks against
> some of these services which have been dealt with for the nonce by
> changes to iptables. However, I am not convinced that these changes
> are the answer.
>
> Therefore I have been looking at http protection and have run across
> a few independently provided modules for Apache http security,
> mod_security being one of them.
>
> I would like the opinion of other CentOS sysadmins who already have
> faced this same problem, with respect to the solutions available and
> those that they choose for themselves.

I did not test it but maybe check:

http://www.zdziarski.com/projects/mod_evasive/

JD
Jim Perrin
2010-Jan-11 16:13 UTC
[CentOS] Securing http authentication from brute force attacks
On Mon, Jan 11, 2010 at 10:59 AM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:

> We have several web applications deployed under Apache that require
> a user id / password authentication. Some of these use htdigest and
> others use the application itself.
>
> Recently we have experienced several brute force attacks against
> some of these services which have been dealt with for the nonce by
> changes to iptables. However, I am not convinced that these changes
> are the answer.
>
> Therefore I have been looking at http protection and have run across
> a few independently provided modules for Apache http security,
> mod_security being one of them.
>
> I would like the opinion of other CentOS sysadmins who already have
> faced this same problem, with respect to the solutions available and
> those that they choose for themselves.

You can configure fail2ban to help deal with this, along with ssh
protection. I'm also heavily in favor of mod_security when it comes to
apache protection.

--
During times of universal deceit, telling the truth becomes a
revolutionary act.
George Orwell
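The following is an added illustration, not code from the thread, from fail2ban or from any of the modules named above. It shows what a fail2ban jail for htdigest/htpasswd failures is actually deciding: it parses the "user X: authentication failure" / "user X not found" / "user X: password mismatch" messages that mod_auth_basic and mod_auth_digest write to the Apache 2.2 error_log, keeps a per-client sliding window of maxretry failures within findtime seconds (the same two knobs fail2ban's jail.conf exposes), and renders the iptables DROP rule a ban action would apply. The log lines are constructed samples, and the regex is my own rather than fail2ban's apache-auth filter; in production you would deploy fail2ban's stock filter and jail rather than this script.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache 2.2 error_log sample (not from the thread): five rapid
# failures from one client spraying usernames, two slow failures from a
# second client, plus an unrelated notice line that must be ignored.
SAMPLE_LOG = """\
[Mon Jan 11 16:00:01 2010] [error] [client 192.0.2.10] user jbyrne: authentication failure for "/admin/": Password Mismatch
[Mon Jan 11 16:00:02 2010] [error] [client 192.0.2.10] user admin not found: /admin/
[Mon Jan 11 16:00:03 2010] [error] [client 192.0.2.10] user root not found: /admin/
[Mon Jan 11 16:00:04 2010] [error] [client 192.0.2.10] user test: authentication failure for "/admin/": Password Mismatch
[Mon Jan 11 16:00:05 2010] [error] [client 192.0.2.10] user guest not found: /admin/
[Mon Jan 11 16:00:30 2010] [error] [client 198.51.100.7] user jbyrne: authentication failure for "/admin/": Password Mismatch
[Mon Jan 11 16:00:40 2010] [notice] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico
[Mon Jan 11 16:05:00 2010] [error] [client 198.51.100.7] user jbyrne: password mismatch: /admin/
"""

# Own regex (assumption: modelled on the messages mod_auth_basic and
# mod_auth_digest emit on Apache 2.2; fail2ban ships its own filter for these).
FAIL_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] '
    r'user (?P<user>\S+?)(?: not found:|: (?:authentication failure|password mismatch))'
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def find_brute_forcers(lines, maxretry=5, findtime=600):
    """Sliding-window detector with fail2ban jail semantics: a client that
    produces `maxretry` auth failures inside any `findtime`-second window is
    flagged.  Returns {ip: (iso timestamp of the ban, sorted usernames tried)}."""
    window = defaultdict(deque)   # ip -> timestamps of failures still in window
    tried = defaultdict(set)      # ip -> usernames attempted (useful for triage)
    flagged = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue              # not an auth failure line; ignore it
        ip = m.group("ip")
        if ip in flagged:
            continue              # already banned; nothing more to decide
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        tried[ip].add(m.group("user"))
        q = window[ip]
        q.append(ts)
        # Expire failures older than findtime relative to this one.
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            flagged[ip] = (ts.isoformat(), sorted(tried[ip]))
    return flagged


def iptables_rules(flagged, port=80):
    """Render the block rules a fail2ban-style ban action would insert.  They
    are returned as strings, not executed, so the operator reviews them first."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG.splitlines())
    for ip, (when, users) in hits.items():
        print(f"{ip}: {len(users)} usernames tried, flagged at {when}: {users}")
    for rule in iptables_rules(hits):
        print(rule)
```

With the defaults only 192.0.2.10 is flagged, on its fifth failure at 16:00:05; 198.51.100.7 fails twice but 270 seconds apart, so whether it trips depends on findtime, which is the knob to tune if slow, spread-out guessing is the pattern you are seeing rather than a fast spray.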