Version: 3.14.x.x LTS

Brute force attacks

Brute force attacks are repeated attempts either to find a flaw in a web application or to guess a user's password. It is recommended to limit the number of invalid requests per client IP address to prevent such attacks.

Limit HTTP request failures

You may specify rules defining invalid requests in a separate file and load these rules using the "include" attribute of the Server node in the navajo.xml. This helps to detect and block script kiddies crawling your page for potential vulnerabilities.

LoadModule qos_module /opt/nevisproxy/lib/libmodqos_ap_${HTTPD_LIB_VERSION}.so.1
# limit the number of events with unusual return codes
# to 20 per 10 minutes:
QS_ClientEventLimitCount 20 600
QS_ErrorPage /errorpages/forbidden.html
QS_SetEnvIfStatus 400 QS_Limit
QS_SetEnvIfStatus 401 QS_Limit
QS_SetEnvIfStatus 403 QS_Limit
QS_SetEnvIfStatus 404 QS_Limit
QS_SetEnvIfStatus 405 QS_Limit
QS_SetEnvIfStatus 406 QS_Limit
QS_SetEnvIfStatus 408 QS_Limit
QS_SetEnvIfStatus 411 QS_Limit
QS_SetEnvIfStatus 413 QS_Limit
QS_SetEnvIfStatus 414 QS_Limit
QS_SetEnvIfStatus 417 QS_Limit
QS_SetEnvIfStatus 500 QS_Limit
QS_SetEnvIfStatus 503 QS_Limit
QS_SetEnvIfStatus 505 QS_Limit

Limit login attempts

Unsuccessful login attempts may be limited using the following configuration settings:

  1. Enable the PropagateInterceptionState parameter for the IdentityCreationFilter in use:

     <init-param>
       <param-name>PropagateInterceptionState</param-name>
       <param-value>true</param-value>
     </init-param>

  2. Limit the number of login states "authenticate", "init" and "restart". You may define these rules in a separate file and load them using the "include" attribute of the Server node in the navajo.xml:

     LoadModule qos_module /opt/nevisproxy/lib/libmodqos_ap_${HTTPD_LIB_VERSION}.so.1
     QS_ErrorPage /errorpages/forbidden.html
     QS_ClientEventLimitCount 20 600
     QS_SetEnvResHeaderMatch isiwebauthstate authenticate
     QS_SetEnvResHeaderMatch isiwebauthstate init
     QS_SetEnvResHeaderMatch isiwebauthstate restart
     QS_SetEnvIf isiwebauthstate !QSNOT QS_Limit=yes
     QS_UnsetResHeader isiwebauthstate

  3. Alternatively, a filter counting AU04 proxy events can be used to limit the number of failed login attempts. This does not require the PropagateInterceptionState parameter.

     LoadModule qos_module /opt/nevisproxy/lib/libmodqos_ap_${HTTPD_LIB_VERSION}.so.1
     QS_ErrorPage /errorpages/forbidden.html
     QS_ClientEventLimitCount 20 60 AU04_Limit
     QS_SetEnvRes Event AU04 AU04_Limit
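To make the counting behaviour of both configurations above tangible, here is an added Python model of a per-client event limiter; it is example code written for this page, not code from nevisProxy or mod_qos. It assumes (the real module's exact semantics are not documented here) a fixed window that starts at a client's first counted event, that `limit` counted events pass, and that every further request from that client within `seconds` is denied. The first scenario counts the unusual status codes of the "Limit HTTP request failures" rules; the second counts the isiwebauthstate login states of step 2. The traffic, IP addresses and timestamps are constructed.

```python
"""Model of the per-client event limiting configured on this page (added example).

Assumptions (not taken from nevisProxy or mod_qos source): a fixed window that
starts at a client's first counted event, up to `limit` counted events pass,
and every further request from that client within `seconds` is denied.
"""
from collections import namedtuple

# Status codes the QS_SetEnvIfStatus rules above mark with QS_Limit.
LIMITED_STATUSES = {400, 401, 403, 404, 405, 406, 408, 411, 413, 414, 417, 500, 503, 505}
# Login states the QS_SetEnvResHeaderMatch rules above count.
LIMITED_AUTH_STATES = {"authenticate", "init", "restart"}

# One proxy response as the limiter sees it: time in seconds, client IP,
# HTTP status and the isiwebauthstate response header (None when absent).
Response = namedtuple("Response", "ts ip status authstate")


def http_failure(r):
    """Counterpart of the QS_SetEnvIfStatus rules: counts unusual status codes."""
    return r.status in LIMITED_STATUSES


def login_state(r):
    """Counterpart of the isiwebauthstate header rules: counts login attempts."""
    return r.authstate in LIMITED_AUTH_STATES


class ClientEventLimiter:
    """Per-client-IP counter modelled on QS_ClientEventLimitCount <limit> <seconds>."""

    def __init__(self, limit, seconds, counts):
        self.limit, self.seconds, self.counts = limit, seconds, counts
        self.windows = {}  # ip -> (window_start or None, counted events)

    def admit(self, r):
        """Return True if the response may be delivered, False if the client is blocked."""
        start, n = self.windows.get(r.ip, (None, 0))
        if start is not None and r.ts - start >= self.seconds:
            start, n = None, 0          # window expired: counter is reset
        if n >= self.limit:
            return False                # limit reached: denied until the window expires
        if self.counts(r):
            start = r.ts if start is None else start
            n += 1
        self.windows[r.ip] = (start, n)
        return True


def replay(responses, limiter):
    """Feed responses through the limiter; return {ip: number of denied requests}."""
    denied = {}
    for r in responses:
        if not limiter.admit(r):
            denied[r.ip] = denied.get(r.ip, 0) + 1
    return denied


# Constructed sample traffic: a scanner probing for files that do not exist and a
# normal client that mistypes a URL three times before finding the right page.
SCANNER = [Response(t, "198.51.100.7", 404, None) for t in range(25)]          # 25 404s in 25 s
NORMAL = [Response(t * 30, "203.0.113.4", 404 if t < 3 else 200, None) for t in range(6)]


def http_failure_demo():
    """20 failures per 600 s as in the first configuration: the scanner's 21st to 25th requests are denied."""
    limiter = ClientEventLimiter(20, 600, http_failure)
    return replay(sorted(SCANNER + NORMAL, key=lambda r: r.ts), limiter)


# Constructed password guessing: 30 login attempts in 60 s, then one more after the window expired.
GUESSER = [Response(t * 2, "192.0.2.10", 200, "authenticate") for t in range(30)]
LATER = [Response(700, "192.0.2.10", 200, "init")]


def login_demo():
    """20 login states per 600 s as in step 2: attempts 21 to 30 are denied, the late one passes."""
    limiter = ClientEventLimiter(20, 600, login_state)
    return replay(GUESSER + LATER, limiter)


if __name__ == "__main__":
    print("HTTP failures denied per client:", http_failure_demo())
    print("Login attempts denied per client:", login_demo())
```

The two predicates are the only difference between the scenarios, which mirrors the configurations above: the counter directive is the same, and the QS_SetEnvIfStatus and QS_SetEnvResHeaderMatch rules only decide which responses feed it. Note that while a client is over the limit every request from that client is denied, not just the counted ones, so a legitimate user behind the same NAT address as an attacker is blocked too; that is the trade-off of per-IP limiting.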