Chaining basicauth to trick brute-forcing

The problem I’m having:

So I recently wanted to set up basicauth, but I wasn’t able to combine it with any rate-limiting plugin currently available, since none of them actually did what they were supposed to do.
I then had a thought: If I cannot rate-limit the login, who says that I cannot just chain multiple basicauths, and if they do make it through by brute-forcing one login, they won’t use the same password again and would unknowingly continue brute-forcing on the next basicauth. I wanted to set that up, but I cannot really get it to work:
If I just chain two basicauths then entering the password on one also disables the other. Another problem would be that it doesn’t return 401 unauthorized when getting past the first basicauth.

Any idea how you could make this work?

handle_path secret/ {
  basicauth {
    something something
  }
  respond 401 # does not seem to work (properly?)
  basicauth {
    something something
  }
  file_server
}

That idea makes no sense. You’d just be making your server do double the amount of work. And it just can’t work that way, basicauth uses the Authorization header, it can’t prompt twice on the same request.

Brute forcing is not a real problem. Your password is bcrypt hashed, so it’s very slow to calculate. Each request would take about half a second, and the amount of guesses they’d have to make would be well over billions (I’m oversimplifying here). It would literally take years of attempts to try to brute force that way.

You definitely can use a tool like fail2ban or whatever to ban repeated failed auth attempts. You can configure Caddy to emit common log format using GitHub - caddyserver/transform-encoder: Log encoder module for custom log formats.
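As an added example that is not part of this thread, the following Python script shows the detection side of the fail2ban suggestion: it parses common-log-format lines of the kind Caddy can emit through the transform-encoder module and flags client IPs that reach a fail2ban-style maxretry/findtime threshold of 401 responses. The log lines, IPs and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format line as Caddy's transform-encoder emits it with "{common_log}":
#   ip ident user [dd/Mon/yyyy:HH:MM:SS zone] "method uri proto" status bytes
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)')

def parse_clf(line):
    """Return (ip, timestamp, status) for one CLF line, or None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))

def offenders(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """IPs that produced at least `maxretry` 401 responses inside any `findtime`
    window, which is what fail2ban's maxretry/findtime pair decides a ban on."""
    failures = defaultdict(list)
    for line in lines:
        parsed = parse_clf(line)
        if parsed and parsed[2] == 401:
            failures[parsed[0]].append(parsed[1])
    banned = []
    for ip, times in failures.items():
        times.sort()
        start = 0  # sliding window: drop timestamps older than findtime
        for end, t in enumerate(times):
            while t - times[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.append(ip)
                break
    return sorted(banned)

# Constructed sample log: one client fails five times within a minute, one client
# authenticates successfully, one client fails once. Not real traffic.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{s:02d} +0000] "GET /secret/ HTTP/1.1" 401 0'
    for s in (0, 9, 31, 47, 58)
] + [
    '198.51.100.4 - alice [10/Oct/2023:13:56:00 +0000] "GET /secret/ HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Oct/2023:12:00:00 +0000] "GET /secret/ HTTP/1.1" 401 0',
    'not a log line',
]
```

Running `offenders(SAMPLE_LOG)` returns only the client that failed five times; the single failure and the successful login are ignored, as fail2ban would ignore them with the same settings.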

