Apache::LoggedAuthDBI
# Configuration in httpd.conf or startup.pl: PerlModule Apache::LoggedAuthDBI # Authentication and Authorization in .htaccess: AuthName DBI AuthType Basic PerlAuthenHandler Apache::AuthDBI::authen PerlAuthzHandler Apache::AuthDBI::authz PerlSetVar Auth_DBI_data_source dbi:driver:dsn PerlSetVar Auth_DBI_username db_username PerlSetVar Auth_DBI_password db_password #DBI->connect($data_source, $username, $password) PerlSetVar Log_ADBI_table login_log PerlSetVar Log_ADBI_ip_field IPaddress PerlSetVar Log_ADBI_un_field username PerlSetVar Log_ADBI_status_field status PerlSetVar Log_ADBI_time_field timestamped # data required to access the log table PerlSetVar Auth_DBI_pwd_table users PerlSetVar Auth_DBI_uid_field username PerlSetVar Auth_DBI_pwd_field password # authentication: SELECT pwd_field FROM pwd_table WHERE uid_field=$user require valid-user
This is an extension of Apache::AuthDBI by Edmund Mergl. Its purpose is to add a degree of protection against brute force attacks and password sharing. To accomplish this LoggedAuthDBI makes use of a log table that records IP, username, status and time of any given login attempt handled by this module. Whenever it is called it will perform four checks:
Did IPaddress 123 make X failed attempts in Y seconds?
(autoreject IP addresses that have too many failed attempts on record)
Did IPaddress 123 make X attempts in Y seconds?
(if X gets very large while Y is small, the possibility of a brute force attack taking place is very real indeed)
Has username foo been rejected X times in Y seconds?
(this check as a means to help against proxy rotation in combination with brute force attempts)
Does username foo have logins from X different IPaddresses in Y seconds?
(this would surely indicate password sharing)
Should none of the four checks yield a violation AuthDBI is called and its return value used without modification. Otherwise it will redirect to a different filename while returning OK. This will cause a bruteforce tool to think it was successful in its attempt to guess a valid login/pass combination and either stop or collect this combination into its list of valid options. Consider this module beta ware as it has only seen action in the original context it was created for and at.
While it is possible that a log table is already in place it might need some adjustment. See this MySQL CREATE TABLE command to see the required structure/ how to create. Table name and field names are, of course, arbitrary as they are determined in the .htaccess file. <mysql> CREATE TABLE `member_log` ( `id` int(10) unsigned NOT NULL auto_increment, `username` varchar(64) default NULL, `IPaddress` varchar(15) default NULL, `status` varchar(15) default NULL, `timestamped` timestamp(14) NOT NULL, PRIMARY KEY (`id`) ) TYPE=MyISAM </mysql>
Only the tokens specific to this module are discussed here. For reference on the remaining tokens consult the documentation on Apache::AuthDBI.
Log_ADBI_table
Name of the table where login records will be kept. Has to at least contain fields holding IPaddress, username, status and timestamp.
Log_ADBI_ip_field
Field name of the Log_ADBI_table containing the IPaddress of the login attempt.
Log_ADBI_un_field
Field name of the Log_ADBI_table containing the username of the login attempt.
Log_ADBI_status_field
Field name of the Log_ADBI_table containing the status of the login attempt that was made.
Log_ADBI_time_field
Field name of the Log_ADBI_table containing the timestamp of the login attempt.
The module should be loaded upon startup of the Apache daemon. Add the following line to your httpd.conf: PerlModule Apache::LoggedAuthDBI Also, copy the following HTML files to the document root of Apache. These are needed as this module will redirect to these resources in case of detected perpetration. Using your own is perfectly okay as long as you either keep the naming or edit the filenames in the module.
blocked.html
brute_force.html
pass_sharing.html
Apache::AuthDBI is required. This implies that minimum requirements for that module must be met.
Apache::LoggedAuthDBI by Sung-Hun Kim
Apache::AuthDBI by Edmund Mergl; now maintained and supported by the modperl mailinglist, subscribe by sending mail to modperl-subscribe@perl.apache.org.
AuthDBI
Copyright (c) 2005 Sung-Hun Kim. All rights reserved. This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
To install Apache::LoggedAuthDBI, copy and paste the appropriate command in to your terminal.
cpanm
cpanm Apache::LoggedAuthDBI
CPAN shell
perl -MCPAN -e shell install Apache::LoggedAuthDBI
For more information on module installation, please visit the detailed CPAN module installation guide.