Skip to main content
Version: 3.14.x.x LTS

Brute force attacks

Brute force attacks are repetitive attempts to either find a flaw within a web application or to find out a user's password by guess. It's recommended to limit the number of invalid requests on a per IP basis to prohibit such kind of attacks.

Limit HTTP request failures

You may specify rules defining invalid requests within a separate file and load these rules using the "include" attribute within the Server node of the navajo.xml ). This helps to detect and block script kiddies crawling your page for potential vulnerabilities.

LoadModule qos_module /opt/nevisproxy/lib/libmodqos_ap_${HTTPD_LIB_VERSION}.so.1
# limit the number of events with unusual return codes
# to 20 per 10 minutes:
QS_ClientEventLimitCount 20 600
QS_ErrorPage     /errorpages/forbidden.html
QS_SetEnvIfStatus 400   QS_Limit

QS_SetEnvIfStatus 401   QS_Limit
QS_SetEnvIfStatus 403   QS_Limit
QS_SetEnvIfStatus 404   QS_Limit
QS_SetEnvIfStatus 405   QS_Limit
QS_SetEnvIfStatus 406   QS_Limit
QS_SetEnvIfStatus 408   QS_Limit
QS_SetEnvIfStatus 411   QS_Limit
QS_SetEnvIfStatus 413   QS_Limit
QS_SetEnvIfStatus 414   QS_Limit
QS_SetEnvIfStatus 417   QS_Limit
QS_SetEnvIfStatus 500   QS_Limit
QS_SetEnvIfStatus 503   QS_Limit
QS_SetEnvIfStatus 505   QS_Limit

Limit login attempts

Unsuccessful login attempts may be limited using the following configuration settings:

  1. Enable the PropagateInterceptionState parameter for the used IdentityCreationFilter:
<init-param>
<param-name>PropagateInterceptionState</param-name>
<param-value>true</param-value>
</init-param>
  1. Limit the number of login states „authenticate", „init" and „restart". You may define these rules within a separate file and load them using the „include" attribute within the Server node of the navajo.xml ):
LoadModule qos_module  /opt/nevisproxy/lib/libmodqos_ap_${HTTPD_LIB_VERSION}.so.1
QS_ErrorPage    /errorpages/forbidden.html
QS_ClientEventLimitCount 20 600
QS_SetEnvResHeaderMatch isiwebauthstate authenticate
QS_SetEnvResHeaderMatch isiwebauthstate init
QS_SetEnvResHeaderMatch isiwebauthstate restart
QS_SetEnvIf    isiwebauthstate !QSNOT QS_Limit=yes"
QS_UnsetResHeader   isiwebauthstate
  1. Alternatively, a filter counting AU04 proxy events ) could be used to limit the number of failed login attempts. This does not require the PropagateInterceptionState parameter.
LoadModule qos_module   /opt/nevisproxy/lib/libmodqos_ap_${HTTPD_LIB_VERSION}.so.1
QS_ErrorPage      /errorpages/forbidden.html
QS_ClientEventLimitCount 20 60 AU04_Limit
QS_SetEnvRes     Event AU04 AU04_Limit