How to protect server against brute-forcing of http authentication?

security apache-2.2

This is exactly the kind of thing that fail2ban is good at.

Take a look at your error_log and notice the messages that are generated when a login failure occurs.

Now take a look at the filters provided by fail2ban (fail2ban/filter.d). One of them may already be configured to react to the kind of error messages you saw earlier if so then all you need to do is enable it in fail2ban/jail.conf.

If none of the pre supplied filters will do what you want it's generally fairly straightforward to construct your own.


You could also try mod_security. This is a open source rule based webapplication firewall. There are some free default rules provided by SpiderLabs - if they are not enough, you might be able to construct your own.

Related

"kernel: Cannot read proc file system: 1 - Operation not permitted" -- millions of such messages each minute in kern.log on OpenVZ VPS? [closed]
Is there a legitimate reason to use an encoded word in any header other than the subject?
Issues With Printer GPO
DNS on Windows Server 2012 R2
checking for missing values in WQL or (WQL/WMI filter to return `true` for desktops/servers, but `false` on laptops)
Openssl hangs after client hello
How to write rules for persistent net names?
Limit on X509v3 Subject Alternative Name DNSname length
Why does dig +trace sometimes fail against Windows Server DNS?
How to keep script from swallowing all of stdin?
Hive: Add partitions for existing folder structure
Java regex to match start/end tags causes stack overflow