Attack blocking for HTTP authorization

Wed, 17 Nov 2010 (tags:linux, lighttpd, security)

I have scripts that read messages from syslog and block IP addresses when somebody is trying to attack my services. I wanted to extend this to HTTP authorization, so I changed the lighttpd default behaviour to store error messages in syslog. But it only gave me error messages with IP addresses in them when the username was correct and just the password was wrong. For all other cases, such as username guessing, I had to add the IPs to the error logging myself. I use lighttpd 1.4.19 (default Debian stable) and all I needed to do was to alter the http_auth.c file. At first the changes were big, because I altered the number of arguments of several functions and the calls to them to support it on all error logs, but then it was hard to recognize that they were generated from 1 request. In the part where I was parsing syslog it gave me duplicate positives, and 1 wrong request could be recognized as 2 different ones. So I simplified it to just 3 different kinds of error messages, and now it's just a small patch. The diff file is here:

854d853
<
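Review bot: 854d853 removes only a blank line; it has nothing to do with the logging change and just makes the patch noisier to review and apply, so drop it.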
859,860c858,859
<
<               log_error_write(srv, __FILE__, __LINE__, "ss", "get_password failed, IP:", inet_ntop_cache_get_ip(srv, &(con->dst_addr)));
---
>
>               log_error_write(srv, __FILE__, __LINE__, "s", "get_password failed");
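Review bot: the hunk is reversed: the `<` side carries the new `"ss", "get_password failed, IP:", inet_ntop_cache_get_ip(srv, &(con->dst_addr))` call while the `>` side is the stock `"s", "get_password failed"`, so the diff was produced as `diff modified original` and anyone feeding it to `patch` will strip the change instead of adding it. Regenerate it as `diff -u http_auth.c.orig http_auth.c` so the direction and surrounding context are unambiguous.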
876c875
<       if (http_auth_match_rules(srv, p, url->ptr, username->ptr, NULL, NULL,con)) {
---
>       if (http_auth_match_rules(srv, p, url->ptr, username->ptr, NULL, NULL)) {
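Review bot: this call now passes `con` as a seventh argument to `http_auth_match_rules`, but the diff contains no change to that function's definition or declaration, so as posted the file will not compile. Include the signature change and the new body; that body presumably holds the third message kind the post mentions, since only `get_password failed` and `rules didn't match` are visible in these hunks.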
880c879
<               log_error_write(srv, __FILE__, __LINE__, "ss", "rules didn't match, IP:", inet_ntop_cache_get_ip(srv, &(con->dst_addr)));
---
>               log_error_write(srv, __FILE__, __LINE__, "s", "rules didn't match");
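Review bot: `con->dst_addr` is the remote end of the TCP connection, so when lighttpd sits behind a reverse proxy or load balancer every failed login is attributed to the proxy's address and the syslog blocker would cut off the proxy itself; state that limitation or only enable blocking on hosts that terminate client connections directly. The `, IP:` suffix otherwise matches the first hunk, which keeps the syslog parsing regex simple.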
1142c1141
<       if (http_auth_match_rules(srv, p, url->ptr, username, NULL, NULL,con)) {
---
>       if (http_auth_match_rules(srv, p, url->ptr, username, NULL, NULL)) {
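To close the loop the post describes (scripts reading syslog and blocking the addresses carried in the new messages), here is an added example that is not part of the original post: a small Python parser that pulls the client address out of http_auth.c lines ending in the `, IP:` suffix added by the patch and returns the addresses that cross a failure threshold. The syslog lines, host name, pid and addresses are constructed for this example; the prefix your syslog daemon writes may differ, so the regex anchors only on the `lighttpd[pid]: (http_auth.c.NNN)` part.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of lighttpd error-log lines forwarded to syslog, in the
# shape the patched http_auth.c would produce (host, pid, addresses made up).
SAMPLE_SYSLOG = """\
Nov 17 10:01:02 www lighttpd[2231]: (http_auth.c.859) get_password failed, IP: 203.0.113.5
Nov 17 10:01:03 www lighttpd[2231]: (http_auth.c.859) get_password failed, IP: 203.0.113.5
Nov 17 10:01:05 www lighttpd[2231]: (http_auth.c.880) rules didn't match, IP: 203.0.113.5
Nov 17 10:01:09 www lighttpd[2231]: (http_auth.c.859) get_password failed, IP: 2001:db8::1
Nov 17 10:01:10 www lighttpd[2231]: (http_auth.c.859) get_password failed, IP: not-an-ip
Nov 17 10:02:01 www lighttpd[2231]: (connections.c.1234) connection closed - read failed
"""

# Only http_auth.c messages that end in the ", IP: <addr>" suffix are of interest.
AUTH_LINE = re.compile(
    r"lighttpd\[\d+\]: \(http_auth\.c\.\d+\) (?P<msg>.+?), IP: (?P<ip>\S+)\s*$"
)


def parse_auth_failures(text):
    """Yield (message, ip) for each http_auth.c line carrying a client address.
    Lines from other modules, auth lines without the IP suffix, and lines whose
    address does not parse are skipped: never hand unvalidated text to a firewall."""
    for line in text.splitlines():
        m = AUTH_LINE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))  # accepts IPv4 and IPv6
        except ValueError:
            continue
        yield m.group("msg"), str(ip)


def count_failures(text):
    """Number of authentication failures per client address."""
    return Counter(ip for _, ip in parse_auth_failures(text))


def ips_to_block(text, threshold=3, allow=()):
    """Sorted addresses with at least `threshold` failures, minus an allow list
    (e.g. your own monitoring host) so a mistyped password cannot lock you out."""
    allowed = {str(ipaddress.ip_address(a)) for a in allow}
    return sorted(ip for ip, n in count_failures(text).items()
                  if n >= threshold and ip not in allowed)
```

The returned addresses are what a blocker would feed to its firewall rules; remember that behind a reverse proxy the logged address is the proxy's, so this should only drive blocking on hosts that talk to clients directly.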