    rwserve-brute-force

    1.0.14 • Public • Published

    Open Source RWSERVE plugin

    Brute Force

    Detect and block repetitive POSTs

    by Read Write Tools Oct 22, 2018
    Abstract
    This plugin detects repetitive attempts to POST to a given website resource. This is a sign of trouble for your website, as it may be an attempt to gain unauthorized access via weak user credentials. Further attempts are temporarily blocked until a specified blackout period has expired.

    Motivation

    Attempts to circumvent your website's authorization process are a fact of life. Detecting and dealing with them are necessary. One common hacking method is simple brute force trial and error. When a series of unsuccessful requests to login occurs in a short period of time, this plugin will add the user-agent's remote address to a blacklist: subsequent requests to login will be blocked with status code 403 Forbidden.

    Sometimes a legitimate user may trigger this detector and accidentally lock themselves out. For this reason, the blackout is automatically removed after a given period of time.

    Often these cracking attempts will be routed through a botnet, where each request comes from a large collection of different IP addresses. For those types of attacks, you can set the max-visits variable to a low value, to detect and block attempts aggressively.

    In order to monitor the usefulness of this plugin you can enable the log-failures configuration switch. When true the IP address of each blocked request will be printed to the website's log.

    Customization

    This plugin is open source and can be modified or enhanced to perform tasks such as these:

    • Permanently block IP addresses that request a honeypot resource.
    • Redirect a blacklisted user via 303 See Other to a customer service help page.
    • Detect botnet thunderstorms and automatically increase threshold sensitivity.

    Download

    The plugin module is available from NPM. Before proceeding, you should already have Node.js and RWSERVE configured and tested.

    This module should be installed on your web server in a well-defined place, so that it can be discovered by RWSERVE. The standard place for public domain plugins is /srv/rwserve-plugins.

    cd /srv/rwserve-plugins
    npm install rwserve-brute-force
    

    Configuration is Everything

    Make the software available by declaring it in the plugins section of your configuration file. For detailed instructions on how to do this, refer to the plugins documentation on the Read Write Tools HTTP/2 Server website.

    TL;DR

    plugins {
        rwserve-brute-force {
            location `/srv/rwserve-plugins/node_modules/rwserve-brute-force/dist/index.js`
            config {
                max-visits      5
                grace-period    300
                blackout-period 900
                log-failures    true
            }
        }
        router {
            `/rbac/credentials/*`   *methods=POST      *plugin=rwserve-brute-force
        }    
    }
    

    The config settings can be adjusted using the following guidance.

    max-visits is a positive integer. This is the number of requests to the target resource allowed during the grace period before being blocked. A typical setting might be 3 to 6, while an aggressive setting would be 1.

    grace-period is an integer number of seconds specifying a window of time during which requests are counted. The counter for each IP address is reset to zero when this much time has elapsed since the first request. If the counter exceeds the max-visits threshold, a blackout is begun.

    blackout-period is an integer number of seconds specifying the window of time during which all requests to the target resource, by the blacklisted IP, are blocked. When this time period has elapsed, the IP address is removed from the blacklist and subsequent requests are honored, starting with a new grace period.

    log-failures is a switch that may be either true or false. If true, each request by an IP address during a blackout period is recorded in the web log. If false, blackouts are silently enforced without recording to the web log.

    The router section lists one or more target resources that will participate in the brute force scheme. In the above example, all HTTP POST requests for resource paths beginning with /rbac/credentials will participate.
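    The following is an added example, not the plugin's own source: a minimal per-IP tracker implementing the max-visits / grace-period / blackout-period semantics described above, plus the cleanup pass and the log line format shown later in this page. Time is passed in explicitly (milliseconds) so the behaviour can be exercised without waiting; keeping the counter running during a blackout is an assumption, made so the log shows the attempt number.

```javascript
// Added example (not rwserve-brute-force source). Times are ms since epoch.
class BruteForceTracker {
  constructor({ maxVisits = 5, gracePeriod = 300, blackoutPeriod = 900 } = {}) {
    this.maxVisits = maxVisits;
    this.graceMs = gracePeriod * 1000;
    this.blackoutMs = blackoutPeriod * 1000;
    // remote address -> { firstSeen, count, blackoutUntil }
    this.entries = new Map();
  }

  // Record one request from `ip`; returns { blocked, count }.
  check(ip, now = Date.now()) {
    let e = this.entries.get(ip);
    if (e && e.blackoutUntil !== null) {
      if (now < e.blackoutUntil) {
        e.count++; // assumption: keep counting so the log shows the attempt number
        return { blocked: true, count: e.count };
      }
      e = undefined; // blackout expired: honor requests again with a new grace period
    }
    if (!e || now - e.firstSeen >= this.graceMs) {
      // First request, or grace period elapsed since the first request: reset
      e = { firstSeen: now, count: 0, blackoutUntil: null };
      this.entries.set(ip, e);
    }
    e.count++;
    if (e.count > this.maxVisits) {
      // Counter exceeded max-visits: begin the blackout
      e.blackoutUntil = now + this.blackoutMs;
      return { blocked: true, count: e.count };
    }
    return { blocked: false, count: e.count };
  }

  // Periodic cleanup: drop entries whose grace period or blackout has expired.
  // Returns the number of entries still tracked.
  cleanup(now = Date.now()) {
    for (const [ip, e] of this.entries) {
      const expired = e.blackoutUntil !== null
        ? now >= e.blackoutUntil
        : now - e.firstSeen >= this.graceMs;
      if (expired) this.entries.delete(ip);
    }
    return this.entries.size;
  }
}

// The message written to the web log when log-failures is true.
function logLine(ip, count) {
  return `error RwserveBruteForce RA=${ip}; CT=${count}`;
}
```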

    Cookbook

    A full configuration file with typical settings for a server running on localhost port 7443, is included in this NPM module at etc/brute-force-config. To use this configuration file, adjust these variables if they don't match your server setup:

    $PLUGIN-PATH='/srv/rwserve-plugins/node_modules/rwserve-brute-force/dist/index.js'
    $PRIVATE-KEY='/etc/pki/tls/private/localhost.key'
    $CERTIFICATE='/etc/pki/tls/certs/localhost.crt'
    $DOCUMENTS-PATH='/srv/rwserve/configuration-docs'
    

    Usage

    Server

    Start the server using the configuration file just prepared. Use Bash to start the server in the background, like this:

    [user@host ~]# rwserve /srv/rwserve-plugins/node_modules/rwserve-brute-force/etc/brute-force-config &
    

    Forcing a blackout

    Use CURL to submit a sequence of POST requests to your server. The first five requests will return 403 Forbidden with a response header rw-rbac-forbidden indicating that invalid credentials were provided. The sixth and subsequent requests will return 403 Forbidden without any supplemental header. Close examination of the server's logged messages will reveal something like error RwserveBruteForce RA=127.0.0.1; CT=6 indicating the remote address (RA) and count (CT) for the blocked request.

    curl -X POST -d "action=login&user=root&password=toor" https://localhost:7443/rbac/credentials/login -H content-type:application/x-www-form-urlencoded -H content-length:36 -v
    curl -X POST -d "action=login&user=admin&password=adm" https://localhost:7443/rbac/credentials/login -H content-type:application/x-www-form-urlencoded -H content-length:36 -v
    curl -X POST -d "action=login&user=debug&password=dbg" https://localhost:7443/rbac/credentials/login -H content-type:application/x-www-form-urlencoded -H content-length:36 -v
    curl -X POST -d "action=login&user=setup&password=123" https://localhost:7443/rbac/credentials/login -H content-type:application/x-www-form-urlencoded -H content-length:36 -v
    curl -X POST -d "action=login&user=devops&password=me" https://localhost:7443/rbac/credentials/login -H content-type:application/x-www-form-urlencoded -H content-length:36 -v
    

    Deployment

    Once you've tested the plugin and are ready to go live, adjust your production web server's configuration in /etc/rwserve/rwserve.conf and restart it using systemd . . .

    [user@host ~]# systemctl restart rwserve
    

    . . . then monitor its request/response activity with journald.

    [user@host ~]# journalctl -u rwserve -ef
    

    Prerequisites

    This is a plugin for the Read Write Tools HTTP/2 Server, which works on Linux platforms.

    Software   Minimum Version      Most Recent Version
    Ubuntu     16 Xenial Xerus      16 Xenial Xerus
    Debian     9 Stretch            10 Buster
    openSUSE   openSUSE 15.1        openSUSE 15.1
    Fedora     Fedora 27            Fedora 32
    CentOS     CentOS 7.4           CentOS 8.1
    RHEL       RHEL 7.8             RHEL 8.2
    RWSERVE    RWSERVE 1.0.1        RWSERVE 1.0.47
    Node.js    Node.js 10.3         Node.js 12.17

    Review

    Lessons
    This plugin demonstrates these concepts:
    • Passing configuration variables into the plugin.
    • Using the startup() method for initialization.
    • Accessing each request's IP address.
    • Periodically triggering a cleanup operation.
    Find other plugins for the Read Write Tools HTTP/2 Server using npm with these keywords: rwserve, http2, plugins.

    License

    The rwserve-brute-force plugin is licensed under the MIT License.

    MIT License

    Copyright © 2020 Read Write Tools.

    Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

    The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

    Availability

    Source code: github
    Package installation: NPM
    Documentation: Read Write Hub
