1

So I recently configured an application that uses WebSockets and I am using Apache proxy pass to pass on the application via domain.com/application

The problem is the application is very bare metal. It does come with a login screen, but I have gone a step further and implemented an htpasswd login via Apache that is located in the proxypass config.

(I feel like I am answering my question as i type, but I will re-word/re-ask)

<Location /application>
    AllowOverride AuthConfig
    AuthUserFile /home/[USERNAME]/.htpasswd
    AuthName "Authorization Required"
    AuthType Basic
    require user [USERNAME]
    ProxyPass wss://192.168.1.50:443/application
    ProxyPassReverse wss://192.168.1.50:443/application
</Location>

Can I configure Fail2Ban to monitor the actual application login screen from the ProxyPass server [The Application can not install Fail2Ban]

--Workaround?? By implementing the htpasswd authorization page @ the proxyserver will fail2ban block based upon failed attempts to log in via the initial Apache Authentication prompt?

FreeSoftwareServers
  • 2,482
  • 10
  • 37
  • 57
  • It seems fail2ban did not block the htpasswd logins, how can I configure this? Perhaps a separate question though.. I will research myself first – FreeSoftwareServers Jan 17 '16 at 09:04

1 Answers1

2

You are absolutely sure in the a pure config as proxypass fail2ban won't work here because of several reasons.

fail2ban actually works looking at logs, and blocking failed authenticated tries ; you have none as the one doing the authentication as the authentications logs are on the backend.

fail2ban as a serie of definitions for known protocols; it maybe not the case in some particular cases, and you would have to develop your plug-in when that happens.

fail2ban needs to be running on the same machine as where the authentications are done.

First and foremost, when you do select tools, I do recommend you to investigate a little whether they apply to your particular situation. More important than using the tools is understanding whether they apply to your situation.

It is indeed possible to put fail2ban to work to blocked abused web basic auths as this link shows. I just think your proxypass take precedence and the auth is never done. You may need a landing page for the authentication and do the proxypass not at the root at that vhost.

https://ileriseviye.wordpress.com/2010/08/21/fail2ban-defending-apache-against-brute-force-attacks-to-digest-authentication-protected-pages/

I usually use mod_evasive at least as an additional layer of security in Apache for controlling DoS/abusive requests. Have a look at my reply on the thread (it is not the one marked as correct) Editing my /etc/hosts.deny Take not that in Apache you can rate limit the requests, and that does help a lot with people abusing your service, and not only when asking for passwords.

Please do consider using Captchas as a layer 7 measure to rate limit answers. Botnet coordinated networks will render your fail2ban rules ineffective using several different IPs to bypass your measures.

Have a look at this:

"Google reCAPTCHA - Protect your website from spam and abuse while letting real people pass through with ease"

https://www.google.com/recaptcha/intro/index.html

Rui F Ribeiro
  • 55,929
  • 26
  • 146
  • 227
  • I understand that, and thought that might be the case, but since it acts as a middle man, i thought perhaps it could work. But in any case, the htpasswd authentication is done on the proxypass server with fail2ban, i started a seperate thread [here](http://unix.stackexchange.com/questions/255847/fail2ban-monitor-htpasswd) on that issue though.. – FreeSoftwareServers Jan 17 '16 at 09:24
  • My answer actually applies better on this thread as the other is fail2ban specific. – Rui F Ribeiro Jan 17 '16 at 09:32
  • I agree with this answer and can confirm you can block auth requests on apache with fail2ban because I've done it myself – the_velour_fog Jan 17 '16 at 09:47
  • so to confirm though, I am SOL when it comes to monitoring ProxyPassed authentication, there are no logs stored locally. But Apache Auth solves this problem in a way using fail2ban – FreeSoftwareServers Jan 17 '16 at 10:01
  • The answer is more complex than that Free...obviously ProxyPassed actions are done remotely; fail2ban is not the only tool as we have seen. Frontends are well, frontends, you can always resort to layer 7 (application solutions). I also do not concentrate logs locally and have a central (sys)logging service, however I am dealing with hundreds of servers. What is essential is having security measures as you can be sure your servers will be abused. reCaptcha is a must. – Rui F Ribeiro Jan 17 '16 at 10:04
  • I am expanding Captchas. – Rui F Ribeiro Jan 17 '16 at 10:05
  • I am a sysadmin *and* always ask the developers to place captchas in web authentication forms facing the Internet. They will be surely brute-forced. – Rui F Ribeiro Jan 17 '16 at 10:11
  • I just noticed my best answer is your best question fog... howdy partner? – Rui F Ribeiro Jan 17 '16 at 10:14