Home / How-to Guides
Edit
Report

Protect against brute force attacks with basic authentication

Uses: Kong Gateway deck
Deployment Platform
Related Documentation
Gateway Documentation decK Documentation
Tags
#authentication
Related Resources
Authentication
Minimum Version
Kong Gateway - 3.13
TL;DR

Enable the Basic Authentication plugin globally with brute_force_protection, and attempt to authenticate with the wrong base64-encoded Consumer credentials four times. This will return an 429 Too Many Requests error after the fourth failed login attempt.

Prerequisites

Kong Konnect

This is a Konnect tutorial and requires a Konnect personal access token.

  1. Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.

  2. Export your token to an environment variable:

     export KONNECT_TOKEN='YOUR_KONNECT_PAT'

  3. Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:

     curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-output

    This sets up a Konnect Control Plane named quickstart, provisions a local Data Plane, and prints out the following environment variable exports:

     export DECK_KONNECT_TOKEN=$KONNECT_TOKEN
 export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart
 export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
 export KONNECT_PROXY_URL='http://localhost:8000'

    Copy and paste these into your terminal to configure your session.

Kong Gateway running

This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.

  1. Export your license to an environment variable:

     export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'

  2. Run the quickstart script:

    curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA

    Once Kong Gateway is ready, you will see the following message:

     Kong Gateway Ready

decK   v1.43+

decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial, install decK version 1.43 or later.

This guide uses deck gateway apply, which directly applies entity configuration to your Gateway instance. We recommend upgrading your decK installation to take advantage of this tool.

You can check your current decK version with deck version.

Required entities

For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:

  1. Run the following command:

    echo '
_format_version: "3.0"
services:
  - name: example-service
    url: http://httpbin.konghq.com/anything
routes:
  - name: example-route
    paths:
    - "/anything"
    service:
      name: example-service
' | deck gateway apply -

To learn more about entities, you can read our entities documentation.

Create a Consumer

Consumers let you identify the client that’s interacting with Kong Gateway. We’re going to use basic authentication in this tutorial, so the Consumer needs a username and password to access any Kong Gateway Services.

Create a Consumer:

echo '
_format_version: "3.0"
consumers:
  - username: jsmith
    basicauth_credentials:
    - username: jsmith
      password: my-password
' | deck gateway apply -

Enable authentication

Use the Basic Authentication plugin to identify Consumers with username-and-password credentials, including optional brute-force protection.

Enable the plugin globally, across all Kong Gateway Services and Routes:

echo '
_format_version: "3.0"
plugins:
  - name: basic-auth
    config:
      brute_force_protection:
        strategy: memory
' | deck gateway apply -

Validate

When a Consumer authenticates with basic auth, the authorization header must be base64-encoded. For example, since we are using jsmith as the username and my-password as the password, then the field’s value is the base64 encoding of jsmith:my-password, or anNtaXRoOm15LXBhc3N3b3Jk.

Run the following four times to verify that unauthorized requests return a 429 error after the third attempt:

curl -i $KONNECT_PROXY_URL/anything \
     -H "authorization: Basic dGVzdDp3cm9uZ3Bhc3N3b3Jk"

curl -i http://localhost:8000/anything \
     -H "authorization: Basic dGVzdDp3cm9uZ3Bhc3N3b3Jk"

This request returns a 401 error with the message Unauthorized.

Cleanup

Clean up Konnect environment

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.

Destroy the Kong Gateway container

 
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d
Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support