Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Web Brute force rules
Posted: Wed Jan 18, 2012 6:51 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3657
Location: Chantilly, VA
A less well-known feature of ASL is that it can detect attempts to brute force web application authentication. In concert with the HIDS, it will track these failures and, much like the brute force rules, after so many attempts it will shun the IP.

We write rules for web app brute force protection based on feedback, and we'd like feedback about what applications you'd like us to protect. So far we have rules for these web apps:

PhpBB
vBulletin
WordPress
Joomla
Wikimedia
SugarCRM

We know this isn't a complete list, so please let us know what apps you'd like us to protect.

So let us know!

To develop the rules we will need a working copy of the web application and the ability to download it and run it on our test servers, so please make sure you can provide that before you ask! :-)

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: Web Brute force rules
Posted: Wed Jan 18, 2012 8:10 pm
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
Just some ideas: Drupal, Typo3, MODx, Movable Type, Magento, osCommerce, ZenCart, Dokuwiki, PmWiki, Moodle, Gallery.

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: Web Brute force rules
Posted: Thu Feb 16, 2012 2:52 pm
Forum Regular

Joined: Mon Apr 10, 2006 12:55 pm
Posts: 672
Thought I'd add a new one I was exposed to recently, XenForo (PHP/MySQL as far as I can tell)

_________________
"Its not a mac. I run linux... I'm actually cool." - scott


 Post subject: Re: Web Brute force rules
Posted: Sat Feb 18, 2012 5:34 am
Forum Regular

Joined: Tue Nov 23, 2010 7:30 am
Posts: 283
Location: Glasgow, UK
Can I add Prestashop to the hat too please? www.prestashop.com


 Post subject: Re: Web Brute force rules
Posted: Sat Feb 18, 2012 3:56 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3657
Location: Chantilly, VA
Will do!

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: Web Brute force rules
Posted: Sat Feb 18, 2012 11:53 pm
Forum User

Joined: Fri May 21, 2010 7:18 pm
Posts: 14
+1 for ZenCart, Drupal and Joomla


 Post subject: Re: Web Brute force rules
Posted: Sun Feb 19, 2012 12:44 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3657
Location: Chantilly, VA
Joomla is already in the rules, and we'll add in the others as well.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: Web Brute force rules
Posted: Thu Mar 01, 2012 12:48 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3657
Location: Chantilly, VA
New ones added:

Plesk GUI
Drupal
Typo3
MODx
Moodle
osCommerce
Magento
ZenCart
Dokuwiki
Prestashop

PmWiki: doesn't actually return anything if authentication fails; it returns the same page it uses when you first access a protected page. So I'm not sure brute force can be detected easily with PmWiki. If you have a setup you want us to look at, please provide a URL with an authentication page.

Should have these added tomorrow:
Gallery
Movable Type

Let us know if you have any other requests!

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: Web Brute force rules
Posted: Tue Oct 09, 2012 6:39 am
Forum User

Joined: Wed Jan 05, 2011 3:09 pm
Posts: 43
Is there any way to make these rules less trigger happy? i.e. allow them a couple of wrong ones before blocking - we are getting numerous complaints from people in regards to this blocking people when they accidentally type the wrong password or username, mainly on Joomla.

Also have had reports of the "forgotten password" on WordPress triggering the lockout (unconfirmed as yet though).


 Post subject: Re: Web Brute force rules
Posted: Tue Oct 09, 2012 11:15 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3657
Location: Chantilly, VA
Quote:
Is there any way to make these rules less trigger happy?


Do you mean the shuns, or the initial alerts? (The initial alerts do not block, by the way.)

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: Web Brute force rules
Posted: Wed Oct 10, 2012 4:40 am
Forum User

Joined: Wed Jan 05, 2011 3:09 pm
Posts: 43
The shunning.


 Post subject: Re: Web Brute force rules
Posted: Wed Oct 10, 2012 1:44 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3657
Location: Chantilly, VA
The current thresholds are:

8 failures in 10 seconds. ((fast) login failures)
10 failures in 60 seconds. (brute force (slow) login failures)
60 failures in 900 seconds. (Very Slow)

You can disable one or more of these by opening the rule manager and searching for the web application's name. For example, if you search for Joomla, you will see three rules that deal with login failures: 60156, 60157, 60908, which correspond to those thresholds above in that order.

You cannot change the thresholds at this point in ASL. That will be supported in a future version of ASL.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
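
The three thresholds and Joomla rule IDs from the post above, evaluated over constructed failure timestamps for a single source IP. This is an added example, not ASL's code; the inclusive sliding-window counting and the function name `rules_fired` are assumptions, since the post does not say how ASL counts failures.

```python
from collections import deque

# (rule_id, failures, window_seconds) as listed in the post, in the same order.
JOOMLA_RULES = [(60156, 8, 10), (60157, 10, 60), (60908, 60, 900)]

def rules_fired(failure_times, rules=JOOMLA_RULES, disabled=()):
    """Return the rule IDs whose threshold one source IP reaches.

    failure_times: login-failure timestamps (seconds) for a single IP.
    Assumption: a rule fires once `count` failures fall inside any span of
    `window` seconds (inclusive). Rules listed in `disabled` are skipped,
    mirroring a rule switched off in the rule manager.
    """
    fired = []
    for rule_id, count, window in rules:
        if rule_id in disabled:
            continue
        recent = deque()
        for t in sorted(failure_times):
            recent.append(t)
            while t - recent[0] > window:  # drop failures older than the window
                recent.popleft()
            if len(recent) >= count:
                fired.append(rule_id)
                break
    return fired

# Constructed samples, not real log data.
TYPO_USER = [0, 4, 9]                        # three mistyped passwords
FAST_TOOL = list(range(8))                   # one failure per second, 8 total
SLOW_TOOL = [6 * i for i in range(12)]       # one failure every 6 seconds
VERY_SLOW_TOOL = [15 * i for i in range(60)] # one failure every 15 seconds

if __name__ == "__main__":
    samples = [("typo user", TYPO_USER), ("fast", FAST_TOOL),
               ("slow", SLOW_TOOL), ("very slow", VERY_SLOW_TOOL)]
    for name, times in samples:
        print(f"{name:10s} -> {rules_fired(times)}")
    # With the fast rule disabled, the fast pattern no longer triggers anything.
    print("fast, 60156 disabled ->", rules_fired(FAST_TOOL, disabled={60156}))
```

Each pacing trips only the rule sized for it, so disabling one rule removes coverage for that rate alone while the other two windows stay in force.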


 Post subject: Re: Web Brute force rules
Posted: Sat Oct 20, 2012 3:28 pm
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 865
Location: Germany
Like always, your list contains any entries I would suggest as well :)
http://owncloud.org
would be an app I would like to see being protected.
Thanks a lot


 Post subject: Re: Web Brute force rules
Posted: Tue Oct 23, 2012 4:36 am
Forum Regular

Joined: Sat Jan 21, 2012 6:37 pm
Posts: 109
Location: Canada
I have a custom CMS system I wrote myself. Although the login system is actually an open source login auth module for the framework I use. Wondering if you would support that also or not? :)

It's actually a pretty secured login system and has its own basic brute-force protection, but doesn't hurt to have more layers on the onion. :)


 Post subject: Re: Web Brute force rules
Posted: Wed Oct 24, 2012 12:03 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3657
Location: Chantilly, VA
Quote:
Like always, your list contains any entries I would suggest as well :)
http://owncloud.org


Added to the list.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

