Limiting the number of attempts to enter a password in the authorization web form using Nginx or HAProxy using the example of WordPress
Consider, using the example of WordPress, a way to enhance security by limiting the number of HTTP requests to the password entry form. This will protect the published blog from brute-force (searching and hacking the password by searching all theoretically possible options from a certain set of characters or selecting the dictionary of common passwords). This method, in principle, can be used to protect other web applications.
The task can be implemented in Nginx using the ngx_http_limit_req_module [ 1 ] module, acting as a front end to Apache or the FastCGI web server, or using HAProxy [ 2 , 3 ], acting as a load balancer in front of web servers.
In both cases, the algorithm works as follows. During authentication, the browser accesses the address containing the substring "/wp-login.php". It is necessary to track it and limit the number of requests from one IP without affecting calls to all other addresses. The blocking parameters must be selected in such a way as not to cause inconvenience to ordinary users. You should be especially careful in setting up locks when a large number of users from the same IP address use the authorization form.
Method number 1: Nginx
')
The configuration file is corrected by advice from the comments. Thanks VBart and J_o_k_e_R !
Lock options:
limit_req_zone $ binary_remote_addr zone = login: 10m rate = 15r / m; Sets the parameters of a shared memory zone that stores state for different IP addresses. In our case, the states are stored in the “login” zone of 10 megabytes, and the average request processing speed for this zone cannot exceed 15 requests per minute. Processing speed can be set in requests per second (r / s) or requests per minute (r / m).
limit_req zone = login burst = 4; sets the login zone and the maximum size of the burst of requests (burst). If the rate of receipt of requests exceeds the one described in the zone, then their processing is delayed so that requests are processed at a given speed. Excessive requests are delayed until their number exceeds the maximum burst size. When exceeded, the request ends with error 503.
Method â„–2: HAProxy
In the backend section serving our blog, add the following lines [ 2 ]:
When a POST request to the /wp-login.php page is detected, a hash of three elements is stored: HTTP Host header, URL path, and source IP. A hash-based user can make five requests in 20 seconds; The sixth request will be blocked.
Literature
The task can be implemented in Nginx using the ngx_http_limit_req_module [ 1 ] module, acting as a front end to Apache or the FastCGI web server, or using HAProxy [ 2 , 3 ], acting as a load balancer in front of web servers.
In both cases, the algorithm works as follows. During authentication, the browser accesses the address containing the substring "/wp-login.php". It is necessary to track it and limit the number of requests from one IP without affecting calls to all other addresses. The blocking parameters must be selected in such a way as not to cause inconvenience to ordinary users. You should be especially careful in setting up locks when a large number of users from the same IP address use the authorization form.
Method number 1: Nginx
')
The configuration file is corrected by advice from the comments. Thanks VBart and J_o_k_e_R !
http { <...> limit_req_zone $binary_remote_addr zone=login:10m rate=15r/m; server { listen 80; server_name frontend.example.org; location ~* /wp-login.php { limit_req zone=login burst=4; proxy_pass http://backend:8080; <...> } location / { proxy_pass http://backend:8080; <...> } } Lock options:
limit_req_zone $ binary_remote_addr zone = login: 10m rate = 15r / m; Sets the parameters of a shared memory zone that stores state for different IP addresses. In our case, the states are stored in the “login” zone of 10 megabytes, and the average request processing speed for this zone cannot exceed 15 requests per minute. Processing speed can be set in requests per second (r / s) or requests per minute (r / m).
limit_req zone = login burst = 4; sets the login zone and the maximum size of the burst of requests (burst). If the rate of receipt of requests exceeds the one described in the zone, then their processing is delayed so that requests are processed at a given speed. Excessive requests are delayed until their number exceeds the maximum burst size. When exceeded, the request ends with error 503.
Method â„–2: HAProxy
In the backend section serving our blog, add the following lines [ 2 ]:
tcp-request inspect-delay 10s tcp-request content accept if HTTP # brute force protection acl wp_login path_beg -i /wp-login.php stick-table type binary len 20 size 500 store http_req_rate(20s) peers local tcp-request content track-sc2 base32+src if METH_POST wp_login stick store-request base32+src if METH_POST wp_login acl bruteforce_detection sc2_http_req_rate gt 5 acl flag_bruteforce sc1_inc_gpc0 gt 0 http-request deny if bruteforce_detection flag_bruteforce When a POST request to the /wp-login.php page is detected, a hash of three elements is stored: HTTP Host header, URL path, and source IP. A hash-based user can make five requests in 20 seconds; The sixth request will be blocked.
Literature
- Module ngx_http_limit_req_module - nginx.org
- wordpress CMS brute force protection with HAProxy - blog.haproxy.com
- Better Rate Limiting For All with HAProxy - blog.serverfault.com
Source: https://habr.com/ru/post/250023/
All Articles