izenn · October 27, 2018 00:02
diff --git a/brute_prevention.conf b/brute_prevention.conf
        # Retrieve the IP address
        SecAction id:'2000000',phase:1,nolog,pass,initcol:IP=%{REMOTE_ADDR}

         # Enforce an existing IP address block
        SecRule IP:bf_block "@eq 1" \
                "id:'2000001',phase:1,deny,\
                msg:'IP address blocked because of suspected brute-force attack'"

        # Retrieve the username
        SecRule REQUEST_HEADERS:Authorization "Basic (.*)" "chain,capture,phase:1,pass,id:'2000002'"
                SecRule TX:1 "^([-a-zA-Z0-9_]+):" "t:base64Decode,chain,capture"
                SecAction initcol:USER=%{TX.1}

        # Enforce an existing username block
        SecRule USER:bf_block "@eq 1" \
                "id:'2000003',phase:1,deny,\
                msg:'Username \"%{REMOTE_USER}\" blocked because of suspected brute-force attack'"

        # Check that this is a POST
        SecRule REQUEST_METHOD "@streq GET" "id:'2000004',phase:5,chain,t:none,nolog,pass"
                # AND Check for authentication failure and increment counters
                # NOTE this is for a Rails application, you probably need to customize this
                SecRule RESPONSE_STATUS "!200" \
                        "setvar:IP.bf_counter=+1,setvar:USER.bf_counter=+1"


        # Check for too many failures for a single username
        SecRule USER:bf_counter "@ge 3" \
                "id:'2000005',phase:5,t:none,pass,\
                setvar:USER.bf_block,\
                setvar:!USER.bf_counter,\
                expirevar:USER.bf_block=600"

        # Check for too many failures from a single IP address. Block for 10 minutes.
        SecRule IP:bf_counter "@ge 3" \
                "id:'2000006',phase:5,pass,t:none, \
                setvar:IP.bf_block,\
                setvar:!IP.bf_counter,\
                expirevar:IP.bf_block=600"
	# Retrieve the IP address
	SecAction id:'2000000',phase:1,nolog,pass,initcol:IP=%{REMOTE_ADDR}

	# Enforce an existing IP address block
	SecRule IP:bf_block "@eq 1" \
	"id:'2000001',phase:1,deny,\
	msg:'IP address blocked because of suspected brute-force attack'"

	# Retrieve the username
	SecRule REQUEST_HEADERS:Authorization "Basic (.*)" "chain,capture,phase:1,pass,id:'2000002'"
	SecRule TX:1 "^([-a-zA-Z0-9_]+):" "t:base64Decode,chain,capture"
	SecAction initcol:USER=%{TX.1}

	# Enforce an existing username block
	SecRule USER:bf_block "@eq 1" \
	"id:'2000003',phase:1,deny,\
	msg:'Username \"%{REMOTE_USER}\" blocked because of suspected brute-force attack'"

	# Check that this is a POST
	SecRule REQUEST_METHOD "@streq GET" "id:'2000004',phase:5,chain,t:none,nolog,pass"
	# AND Check for authentication failure and increment counters
	# NOTE this is for a Rails application, you probably need to customize this
	SecRule RESPONSE_STATUS "!200" \
	"setvar:IP.bf_counter=+1,setvar:USER.bf_counter=+1"


	# Check for too many failures for a single username
	SecRule USER:bf_counter "@ge 3" \
	"id:'2000005',phase:5,t:none,pass,\
	setvar:USER.bf_block,\
	setvar:!USER.bf_counter,\
	expirevar:USER.bf_block=600"

	# Check for too many failures from a single IP address. Block for 10 minutes.
	SecRule IP:bf_counter "@ge 3" \
	"id:'2000006',phase:5,pass,t:none, \
	setvar:IP.bf_block,\
	setvar:!IP.bf_counter,\
	expirevar:IP.bf_block=600"