Basic Access Authentication: Protection Against Automation
I wrote an article recently about using Basic Access Authentication to help harden your administrator panel.
I have been monitoring my logs to see how it protects, and this is what I found:
Access Logs
Disclaimer: this is obviously a very small snippet of the total logs I get daily, but it is representative of what I am discussing in this post.
Received From: (my server) -> /var/log/httpd/access_log
Rule: 31122 fired (level 5) -> "Web server 500 error code (Internal Error)."
Portion of the log(s):
46.118.122.205 - - [06/Sep/2012:01:46:28 +0000] "POST /wp-login.php HTTP/1.0" 500 3310 "http://tonyonsecurity.com/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Received From: (my server) -> /var/log/httpd/access_log
Rule: 31122 fired (level 5) -> "Web server 500 error code (Internal Error)."
Portion of the log(s):
46.118.122.205 - - [05/Sep/2012:20:58:37 +0000] "POST /wp-login.php HTTP/1.0" 500 3310 "http://tonyonsecurity.com/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Received From: (my server) -> /var/log/httpd/access_log
Rule: 31122 fired (level 5) -> "Web server 500 error code (Internal Error)."
Portion of the log(s):
46.118.122.205 - - [05/Sep/2012:20:58:37 +0000] "POST /wp-login.php HTTP/1.0" 500 3310 "http://tonyonsecurity.com/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Received From: (my server) -> /var/log/httpd/access_log
Rule: 31162 fired (level 10) -> "Multiple web server 500 error code (Internal Error)."
Portion of the log(s):
39.41.227.189 - - [05/Sep/2012:11:02:20 +0000] "POST /wp-login.php HTTP/1.0" 500 3309 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
39.41.227.189 - - [05/Sep/2012:11:02:14 +0000] "POST /wp-login.php HTTP/1.0" 500 3309 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
39.41.227.189 - - [05/Sep/2012:11:01:57 +0000] "POST /wp-login.php HTTP/1.0" 500 3309 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
39.41.227.189 - - [05/Sep/2012:11:01:50 +0000] "POST /wp-login.php HTTP/1.0" 500 3309 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
39.41.227.189 - - [05/Sep/2012:11:01:45 +0000] "POST /wp-login.php HTTP/1.0" 500 3309 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
39.41.227.189 - - [05/Sep/2012:11:01:38 +0000] "POST /wp-login.php HTTP/1.0" 500 3309 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
39.41.227.189 - - [05/Sep/2012:11:01:21 +0000] "POST /wp-login.php HTTP/1.0" 500 3311 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
Notice anything of interest? You should…
The first thing I see is continuous attempts to hit my wp-login:
POST /wp-login.php
But were they successful? No, they weren't. In fact, they never actually hit it to confirm the file exists; you can see that here:
"Multiple web server 500 error code (Internal Error)."
If you're wondering why, it's because when you try to hit my wp-login.php file you are prompted for a different username and password first. In essence, every time the scanner tries to hit it, it never reaches the file to even confirm it is there.
The 500 errors are being generated because the initial authentication is not happening.
Easy as pie: just like that I have reduced the threats that come from brute-force and dictionary attacks against my application's administrator page. The other good takeaway is that this is something that can be easily applied to any application — Joomla, Drupal, etc.
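As an added example (my own code here, not the author's setup and not OSSEC's rule set), the following Python script runs the same kind of detection the alerts above show: it parses Apache combined-format access-log lines, counts login-page requests that never got past the front-door authentication, and escalates a source IP once it repeats within a short window, mirroring the single-hit rule 31122 versus multiple-hit rule 31162 pattern in the alerts. The sample lines are constructed from the entries quoted above plus two made-up requests from 192.0.2.10 (a documentation address); the Joomla and Drupal login paths in LOGIN_PATHS are assumptions about where those applications' admin logins live, not something the post states.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, as in the alerts quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Login pages worth watching. wp-login.php is from the post; the Joomla and
# Drupal paths are assumptions for illustration.
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php", "/user/login")

# Constructed sample: the first six lines are taken from the alerts quoted in
# the post; the two 192.0.2.10 lines are made up to show a client that does
# satisfy the Basic Auth challenge on its second try.
SAMPLE_LOG = """\
46.118.122.205 - - [06/Sep/2012:01:46:28 +0000] "POST /wp-login.php HTTP/1.0" 500 3310 "http://tonyonsecurity.com/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
39.41.227.189 - - [05/Sep/2012:11:01:21 +0000] "POST /wp-login.php HTTP/1.0" 500 3311 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
39.41.227.189 - - [05/Sep/2012:11:01:38 +0000] "POST /wp-login.php HTTP/1.0" 500 3309 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
39.41.227.189 - - [05/Sep/2012:11:01:45 +0000] "POST /wp-login.php HTTP/1.0" 500 3309 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
39.41.227.189 - - [05/Sep/2012:11:01:50 +0000] "POST /wp-login.php HTTP/1.0" 500 3309 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
39.41.227.189 - - [05/Sep/2012:11:01:57 +0000] "POST /wp-login.php HTTP/1.0" 500 3309 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
192.0.2.10 - - [05/Sep/2012:11:05:00 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "curl/7.26.0"
192.0.2.10 - - [05/Sep/2012:11:05:09 +0000] "GET /wp-login.php HTTP/1.1" 200 1543 "-" "curl/7.26.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_blocked_login_attempt(rec):
    """True when a login-page request never got past the server-level auth gate.

    401 is the normal answer to an unsatisfied Basic Auth challenge; 500 is what
    the post's alerts show, i.e. the server failed at the auth stage itself.
    In both cases the application's login script never ran.
    """
    return rec["path"] in LOGIN_PATHS and rec["status"] in (401, 500)


def summarise_blocked_attempts(lines):
    """Count blocked login attempts per source IP (the rule-31122 style view)."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and is_blocked_login_attempt(rec):
            counts[rec["ip"]] += 1
    return dict(counts)


def find_repeated_attempts(lines, threshold=5, window_seconds=120):
    """Flag IPs with >= threshold blocked attempts inside a sliding time window.

    This is the escalation step (rule-31162 style: "multiple" errors), which is
    the signal worth alerting or blocking on rather than a single stray 500.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_blocked_login_attempt(rec):
            by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
                break
    return flagged


def ips_that_reached_login(lines):
    """IPs whose login-page request got a 2xx/3xx, i.e. actually reached the file.

    Answers the post's question directly: the scanners never appear here.
    """
    reached = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in LOGIN_PATHS and 200 <= rec["status"] < 400:
            reached.add(rec["ip"])
    return reached


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("blocked attempts per IP:", summarise_blocked_attempts(lines))
    print("repeated attempts (escalate):", find_repeated_attempts(lines))
    print("clients that reached the login page:", ips_that_reached_login(lines))
```

Two practical notes on the check. A correctly configured Basic Auth gate answers an unauthenticated request with 401, not 500; a 500 at that point means the server failed inside the authentication stage itself, which still keeps the request away from wp-login.php but is worth fixing, so the detection counts both codes. And when reviewing logs, the question to answer is the one the post asks: did any of these sources ever get a 2xx on the login page? For the scanners above the answer is no.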
Cheers!