CSF not blocking brute force attempts to password protected directories through HTTPS

Post by selva »

Hi,
I have configured the settings below in csf.conf:
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "1"
HTACCESS_LOG = "/usr/local/apache/logs/error_log"
PORTS_htpasswd = "80,443"


These settings block the IPs which make brute force attempts to password protected directories through HTTP requests. Apache logs:

[Mon Apr 10 17:32:21.938901 2023] [auth_basic:error] [pid 26083:tid 22643992397568] [client xxx.198.39.69:27166] AH01618: user not found: /manage/
[Mon Apr 10 17:32:24.310022 2023] [auth_basic:error] [pid 26083:tid 22643992397568] [client xxx.198.39.69:27166] AH01618: user not found: /manage/
[Mon Apr 10 17:32:26.124567 2023] [auth_basic:error] [pid 26083:tid 22643992397568] [client xxx.198.39.69:27166] AH01618: user not found: /manage/
[Mon Apr 10 17:32:27.777793 2023] [auth_basic:error] [pid 26083:tid 22643992397568] [client xxx.198.39.69:27166] AH01618: user not found: /manage/
[Mon Apr 10 17:32:29.276085 2023] [auth_basic:error] [pid 26083:tid 22643992397568] [client xxx.198.39.69:27166] AH01618: user not found: manage/
[Mon Apr 10 17:32:30.930078 2023] [auth_basic:error] [pid 26083:tid 22643992397568] [client xxx.198.39.69:27166] AH01618: user not found: /manage/

csf.deny :
xxx.198.39.69 # lfd: (htpasswd) Failed web page login from xxx.198.39.69 (xx/xxxx/-): 5 in the last 3600 secs - Mon Apr 10 17:32:31 2023


But the issue is with HTTPS requests: the brute force attempts to password protected directories through HTTPS requests are not being blocked. Apache logs:
[Mon Apr 10 17:37:40.950214 2023] [auth_basic:error] [pid 26083:tid 22644130797312] [remote xxx.198.39.69:27181] AH01618: user not found: /manage/
[Mon Apr 10 17:37:43.789437 2023] [auth_basic:error] [pid 26083:tid 22644124493568] [remote xxx.198.39.69:27181] AH01618: user not found: /manage/
[Mon Apr 10 17:37:45.390492 2023] [auth_basic:error] [pid 26083:tid 22644141303552] [remote xxx.198.39.69:27181] AH01618: user not found: /manage/
[Mon Apr 10 17:37:46.990222 2023] [auth_basic:error] [pid 26083:tid 22644118189824] [remote xxx.198.39.69:27181] AH01618: user not found: /manage/
[Mon Apr 10 17:37:48.610814 2023] [auth_basic:error] [pid 26083:tid 22644147607296] [remote xxx.198.39.69:27181] AH01618: user not found: /manage/
[Mon Apr 10 17:37:50.368805 2023] [auth_basic:error] [pid 26083:tid 22644151809792] [remote xxx.198.39.69:27181] AH01618: user not found: /manage/
[Mon Apr 10 17:37:51.928976 2023] [auth_basic:error] [pid 26083:tid 22644107683584] [remote xxx.198.39.69:27181] AH01618: user not found: /manage/
[Mon Apr 10 17:37:53.388423 2023] [auth_basic:error] [pid 26083:tid 22644143404800] [remote xxx.198.39.69:27181] AH01618: user not found: /manage/
[Mon Apr 10 17:37:55.548645 2023] [auth_basic:error] [pid 26083:tid 22644149708544] [remote xxx.198.39.69:27181] AH01618: user not found: /manage/

The above log shows that many login failures happened on the password protected directory, but the IP is still not being blocked.

The difference found in the log between HTTP and HTTPS requests is [client xxx.198.39.69:27166] vs [remote xxx.198.39.69:27181].

Please update on this bug.
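The post identifies `[client ip:port]` versus `[remote ip:port]` as the only difference between the two log excerpts. The following is an added example, not part of the original post and not CSF/lfd code: a small counter showing that a matcher keyed only on the `client` tag counts the first excerpt but not the second, while one accepting either tag counts both. The threshold (5) and window (3600 secs) are taken from the post; the function names, documentation IPs and sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                      # LF_HTACCESS from the post
WINDOW = timedelta(seconds=3600)   # "in the last 3600 secs" from the csf.deny entry

# Apache 2.4 error_log line; the peer tag is captured so both forms can be compared.
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid [^\]]+\] "
    r"\[(?P<tag>client|remote) (?P<ip>[0-9a-fA-F.:]+):\d+\] "
    r"(?P<code>AH01617|AH01618): "   # password mismatch / user not found
)

def failures(lines, tags=("client", "remote")):
    """Yield (timestamp, ip) for auth_basic failures whose peer tag is in `tags`."""
    for line in lines:
        m = LINE.match(line)
        if m and m["tag"] in tags:
            yield datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y"), m["ip"]

def offenders(lines, tags=("client", "remote")):
    """Return IPs reaching THRESHOLD failures inside a sliding WINDOW."""
    recent, hit = defaultdict(deque), set()
    for ts, ip in failures(lines, tags):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            hit.add(ip)
    return hit

def sample(tag, ip, start_sec, n=6):
    """Constructed sample lines in the format shown in the post (documentation IPs)."""
    return [
        f"[Mon Apr 10 17:32:{start_sec + 2 * i:02d}.000000 2023] [auth_basic:error] "
        f"[pid 26083:tid 1] [{tag} {ip}:27166] AH01618: user not found: /manage/"
        for i in range(n)
    ]

LOG = sample("client", "203.0.113.7", 20) + sample("remote", "198.51.100.9", 40)

if __name__ == "__main__":
    print("client-only matcher:", offenders(LOG, tags=("client",)))
    print("client or remote   :", offenders(LOG))
```

Running the same two calls against a copy of the real error_log shows whether HTTPS failures on a given server carry the `remote` tag and would be missed by a `client`-only pattern.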