A brute force attack is a threat every web developer faces: the attacker tries to guess a password by submitting combinations of letters, numbers and symbols, and keeps guessing until the right combination is found. Any website that requires authentication is a target. The attacker uses the brute force attack to learn the password, and the time the attack needs depends on the length of the password. A common countermeasure is to lock the account after a number of wrong password attempts, after which an administrator has to unlock it manually.

End users often choose the Joomla web application to build a website quickly. Brute force attacks against Joomla target the back-end (administrator) login page. At the application level, the administrator can install third-party extensions on the login page to handle the attack, but with such an extension every attack request is still handled by the Joomla application, which loads the extension each time.

This guide instead uses ModSecurity rules to block the brute force attack. ModSecurity is a web application firewall module that plugs into the Apache web server and provides a versatile rule engine. With the rule engine, developers and system administrators can write rules that block an IP address, or generic rules that address problems of the hosted application.

Steps for blocking the Brute Force Attack on the Joomla Application with ModSecurity:

  • Log in to the server as root over SSH.

  • Edit the custom.conf file in the /usr/local/apache/conf/modsec2/ folder. This is the location used on a WHM server; it may differ on other setups. Open the file with vi:
Code:
vi /usr/local/apache/conf/modsec2/custom.conf
  • Add the following rules to the custom.conf file:
Code:
<Location /administrator>
SecDefaultAction phase:2,deny,status:403,log,auditlog
# The IP collection has to be initialised before IP.bf_counter can be read or written
# (persistent collections also need SecDataDir set in the main ModSecurity configuration);
# the id only has to be unused elsewhere in the rule set
SecAction "id:1000002,phase:2,nolog,pass,initcol:ip=%{REMOTE_ADDR}"
# Block the address once the counter has reached 5; the variable expires 3600 seconds after the last match
SecRule IP:bf_counter "@eq 5" "id:1000004,phase:2,log,block,expirevar:IP.bf_counter=3600,msg:'IP address getting blocked because of the brute force attack on Joomla website'"
# Every login submission carries option=com_login; count it and let the request through
SecRule ARGS:option "@streq com_login" "id:1000003,phase:2,t:none,log,pass,msg:'Multiple Joomla authentication failures from this IP address',setvar:IP.bf_counter=+1"
</Location>
  • Save the file and restart Apache with the service httpd restart command.

  • Now try to log in to the Joomla application 5 times with a wrong password: the user is then sent to a 403 Forbidden page.

  • The attacker can no longer reach the server's login page from that address.
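To confirm from the logs that the rules really fired, the entries ModSecurity writes to the Apache error log can be triaged by rule id. The following is an added example, not code from the page's author or from ModSecurity: it parses error_log lines for rule id 1000004 (the block) and 1000003 (the login counter) and reports per-client counts. All log lines are constructed samples in the ModSecurity 2.x error-log layout, the client addresses come from documentation ranges, and only IPv4 clients are parsed.

```python
"""Triage of ModSecurity error-log entries written by the Joomla brute-force rules.

Added example; not code from the page's author or from ModSecurity.  The log
lines below are constructed samples in the ModSecurity 2.x error-log layout.
"""
import re
from collections import Counter

BLOCK_RULE_ID = "1000004"    # custom.conf: deny once IP.bf_counter == 5
COUNTER_RULE_ID = "1000003"  # custom.conf: option=com_login increments the counter

# Apache 2.4 logs the client as "[client 203.0.113.10:51822]", older versions without the port
CLIENT_RE = re.compile(r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]")
# ModSecurity appends the rule metadata as bracketed key "value" pairs
FIELD_RE = re.compile(r'\[(?P<key>id|msg|uri) "(?P<value>[^"]*)"\]')


def parse_entry(line: str):
    """Return {'ip', 'denied', 'id', 'msg', 'uri'} for a ModSecurity line, else None."""
    if "ModSecurity:" not in line:
        return None
    client = CLIENT_RE.search(line)
    if client is None:
        return None
    entry = {"ip": client.group("ip"), "denied": "Access denied" in line}
    entry.update((m.group("key"), m.group("value")) for m in FIELD_RE.finditer(line))
    return entry


def summarise(lines):
    """Count counter hits and enforced blocks per client IP."""
    failures, blocks = Counter(), Counter()
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        if entry.get("id") == COUNTER_RULE_ID:
            failures[entry["ip"]] += 1
        elif entry.get("id") == BLOCK_RULE_ID and entry["denied"]:
            blocks[entry["ip"]] += 1
    return {"failures": dict(failures), "blocks": dict(blocks)}


def blocked_ips(lines):
    """Sorted list of addresses that rule 1000004 actually denied."""
    return sorted(summarise(lines)["blocks"])


# --- constructed sample data (not real traffic) --------------------------------
COUNTER_MSG = "Multiple Joomla authentication failures from this IP address"
BLOCK_MSG = "IP address getting blocked because of the brute force attack on Joomla website"


def constructed_line(ts: str, client: str, rule_id: str, msg: str, denied: bool) -> str:
    """Build one error_log line in the shape ModSecurity 2.x uses (sample data only)."""
    verdict = ("Access denied with code 403 (phase 2). Operator EQ matched 5 at IP:bf_counter."
               if denied else 'Warning. String match "com_login" at ARGS:option.')
    return (f"[{ts}] [:error] [pid 4321] [client {client}] ModSecurity: {verdict} "
            f'[file "/usr/local/apache/conf/modsec2/custom.conf"] [id "{rule_id}"] [msg "{msg}"] '
            f'[hostname "www.example.com"] [uri "/administrator/index.php"]')


SAMPLE_LOG = (
    ["[Tue Mar 05 10:13:58.000000 2024] [mpm_prefork:notice] [pid 4300] AH00163: Apache/2.4 configured"]
    + [constructed_line(f"Tue Mar 05 10:14:0{i}.000000 2024", f"203.0.113.10:5182{i}",
                        COUNTER_RULE_ID, COUNTER_MSG, False) for i in range(5)]
    + [constructed_line("Tue Mar 05 10:14:09.000000 2024", "203.0.113.10:51830", BLOCK_RULE_ID, BLOCK_MSG, True),
       constructed_line("Tue Mar 05 10:14:11.000000 2024", "198.51.100.7", COUNTER_RULE_ID, COUNTER_MSG, False),
       constructed_line("Tue Mar 05 10:15:40.000000 2024", "203.0.113.10:51831", BLOCK_RULE_ID, BLOCK_MSG, True)]
)

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
    print("blocked:", blocked_ips(SAMPLE_LOG))
```

On a live server the same functions can be fed the lines of the Apache error log; an address that shows counter hits but no block entries has not yet reached the threshold, while repeated block entries from one address show the expiry timer being restarted by each further attempt.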
Code:
SecDefaultAction phase:2,deny,status:403,log,auditlog
This line defines the action taken when a rule blocks an IP address: ModSecurity denies access to the page with HTTP error 403. The block action used in the rules below refers to this default.

Code:
SecRule IP:bf_counter "@eq 5" "id:1000004,phase:2,log,block,expirevar:IP.bf_counter=3600,msg:'IP address getting blocked because of the brute force attack on Joomla website'"
This rule checks whether the bf_counter variable of the client's IP collection equals 5. If it does, rule 1000004 fires, the event is logged and the IP address is blocked. expirevar removes the bf_counter variable 3600 seconds after the rule last matched, and the message 'IP address getting blocked because of the brute force attack on Joomla website' is written to the log.

Code:
SecRule ARGS:option "@streq com_login" "id:1000003,phase:2,t:none,log,pass,msg:'Multiple Joomla authentication failures from this IP address',setvar:IP.bf_counter=+1"
When a user is not logged in to the Joomla site, the login form posts option=com_login to the login page; once the user is logged in, this value is no longer posted. Every unsuccessful login therefore has to increment the login counter. In the rule above, ARGS covers both POST and GET parameters, and ARGS:option is compared with the string com_login using @streq. When it matches, rule 1000003 fires and bf_counter is incremented by 1; the pass action lets the request itself through. Once bf_counter reaches 5, the blocking rule above denies the request. Note that the rule cannot tell a failed login from a successful one: it counts every request that carries option=com_login, so legitimate users who log in repeatedly from the same address also advance the counter until it expires. The threshold can be changed, for example with SecRule IP:bf_counter "@eq 10", so that requests are blocked once bf_counter reaches 10.
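The interaction between the two rules (check first, then increment, with expirevar restarting the timer on every match) is easiest to see by stepping through a request sequence. The model below is an added illustration, not code from the page's author or from ModSecurity; it reproduces only the IP collection, rule 1000004, rule 1000003 and expirevar, assumes that rules run in configuration order, and feeds them constructed sample traffic from documentation addresses. It also shows what happens when the threshold is raised to 10, as described above.

```python
"""Model of how the two ModSecurity rules in custom.conf interact.

Added illustration; not code from the page's author or from ModSecurity.
Only the per-IP collection created by initcol:ip, rule 1000004 (block once
IP.bf_counter reaches the threshold, expirevar rearms a 3600 s timer on every
match) and rule 1000003 (option=com_login increments IP.bf_counter) are
modelled.  Request sequences are constructed sample traffic.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class IpCollection:
    """Stand-in for one entry of the ModSecurity IP collection."""
    bf_counter: int = 0
    expires_at: Optional[float] = None  # armed by expirevar:IP.bf_counter=3600

    def counter(self, now: float) -> int:
        # expirevar deletes the variable once its timer has run out
        if self.expires_at is not None and now >= self.expires_at:
            self.bf_counter = 0
            self.expires_at = None
        return self.bf_counter


@dataclass
class Engine:
    threshold: int = 5          # the operand of "@eq 5" in rule 1000004
    expire_seconds: int = 3600  # expirevar:IP.bf_counter=3600
    ips: Dict[str, IpCollection] = field(default_factory=dict)

    def handle(self, client_ip: str, uri: str, args: Dict[str, str],
               now: float) -> Tuple[int, Optional[int]]:
        """Process one request; return (HTTP status, id of the rule that decided it)."""
        # The rules sit in <Location /administrator>; other URIs never see them
        if not uri.startswith("/administrator"):
            return 200, None
        col = self.ips.setdefault(client_ip, IpCollection())   # initcol:ip=%{REMOTE_ADDR}
        # Rule 1000004: counter at threshold -> block; SecDefaultAction turns that into 403
        if col.counter(now) == self.threshold:
            col.expires_at = now + self.expire_seconds          # expirevar restarts the timer
            return 403, 1000004
        # Rule 1000003: a login submission carries option=com_login -> setvar:IP.bf_counter=+1
        if args.get("option") == "com_login":
            col.bf_counter += 1
            return 200, 1000003
        return 200, None


def run_scenario(threshold: int = 5):
    """Constructed traffic: threshold+1 login posts from one address one second
    apart, then a plain GET from that address, a login from another address,
    and finally a login from the first address an hour later.  Returns statuses."""
    engine = Engine(threshold=threshold)
    login = {"option": "com_login", "task": "login"}
    statuses = []
    t = 0.0
    for _ in range(threshold + 1):
        statuses.append(engine.handle("203.0.113.10", "/administrator/index.php", login, t)[0])
        t += 1
    # even a plain page request from the blocked address is denied while the counter lives
    statuses.append(engine.handle("203.0.113.10", "/administrator/", {}, t)[0])
    # an unrelated visitor has its own collection entry and is unaffected
    statuses.append(engine.handle("198.51.100.7", "/administrator/index.php", login, t)[0])
    # once the 3600 s timer has run out the variable is gone and the address can try again
    statuses.append(engine.handle("203.0.113.10", "/administrator/index.php", login, t + 3601)[0])
    return statuses


if __name__ == "__main__":
    for n in (5, 10):
        print(f"threshold {n}:", run_scenario(n))
```

With the default threshold the first five login posts pass (the counter climbs to 5), the sixth is denied by rule 1000004, and so is any further request to /administrator from that address until 3600 seconds have passed since its last attempt; the same sequence with "@eq 10" lets ten posts through before the eleventh is denied.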
Author
bhawanisingh