Protecting Login Pages against Brute Force Attack v1

Problem this snippet solves:

This is the first version of an iRule that can help protect a login site from brute force attacks.

When a request is made to the application, the iRule looks for an error text in the server response; each match increments a counter. When that counter reaches a threshold value, the client IP address is inserted into a blacklist table and completely blocked.

This is a simple solution that can be easily expanded to suit your needs.

Note: "&gt;" should be changed to ">" in the iRule.

How to use this snippet:

Update: iRule using data groups

I just made an updated version of the iRule where the failure text is pulled from a data group instead. This way the iRule becomes more dynamic and easier to maintain.

Data group "failtext"

ltm data-group internal /Common/failtext {
    records {
        "not allowed" { }
        "unable to login with provided credentials" { }
        "you do not have permission to perform this action" { }
        non_field_errors { }
    }
    type string
}
Comments on this Snippet
Comment made 12-Apr-2016 by Sonne 3
Greetings, could you advise how the blocked IP can be removed later from the blacklist? Thank you.
Comment made 07-Jun-2016 by Songseajoon 157
I tried this method and it was fine. However, it is too slow, regardless of whether the login fails or succeeds. Login is also slow; even a failed login is slow. I saw that it reduces the Content-Length, but it works quickly and well when the login is successful while still experiencing the slow phenomenon. How can I do it?
Comment made 3 months ago by Interhost 18

There is no time threshold window per IP, rather a simple counter which counts tries without expiration. Please add time between tries or a total time window for tries, for example 5 tries in 60 secs.

Comment made 3 weeks ago by kamols

@Interhost

There's a default time window which is set on line 42

    set count [table incr $key]

As per the documentation, if you don't specify the timeout in the 'table' command it will take the default of 180s https://devcentral.f5.com/wiki/irules.table.ashx

If you want to specify your own time window you can set the timeout to 'indefinite' and set a 'lifetime' instead in such a way

    # table add <key> <value> [<timeout> [<lifetime>]]: only creates the entry
    # if it does not exist yet, so the lifetime is anchored at the first try
    table add $key 0 indefinite <lifetime>
    # -notouch leaves the timeout untouched when incrementing
    set count [table incr -notouch $key]

When the lifetime is reached the counter gets deleted so it starts over...

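The following iRule is an added example, not the snippet from this page or any code by its author; it puts together the mechanism described above (failure text from the "failtext" data group, a per-IP counter, a blacklist subtable) with the fixed time window discussed in the comment by kamols. The threshold, window length, block duration, login URI, subtable names and the 1 MB collect cap are assumptions chosen for illustration.

```tcl
# Added example iRule (not the original snippet): blacklists a client IP
# after too many login failures within a fixed window, using the
# "failtext" data group shown on this page. All numbers below are assumptions.
when RULE_INIT {
    set static::bf_max_failures 5        ;# failures allowed per window (assumed)
    set static::bf_window 60             ;# counter lifetime in seconds (assumed)
    set static::bf_block_time 600        ;# seconds a blacklisted IP stays blocked (assumed)
    set static::bf_login_uri "/login"    ;# login path to watch (assumed)
    set static::bf_max_collect 1048576   ;# cap on collected body bytes (assumed)
}

when HTTP_REQUEST {
    # Reject blacklisted clients before the request reaches the application
    if { [table lookup -subtable "bf_blacklist" [IP::client_addr]] ne "" } {
        HTTP::respond 403 content "Too many failed login attempts." "Connection" "close"
        return
    }
    # Only inspect the server response for login POSTs
    if { [HTTP::method] eq "POST" && [HTTP::path] eq $static::bf_login_uri } {
        set bf_check 1
    } else {
        set bf_check 0
    }
}

when HTTP_RESPONSE {
    if { ![info exists bf_check] || !$bf_check } { return }
    # Collect the body so it can be searched for failure text; capping the
    # collect size bounds the memory and latency cost per response
    set collect_len $static::bf_max_collect
    if { [HTTP::header exists "Content-Length"] } {
        set cl [HTTP::header "Content-Length"]
        if { $cl > 0 && $cl < $collect_len } { set collect_len $cl }
    }
    HTTP::collect $collect_len
}

when HTTP_RESPONSE_DATA {
    set key [IP::client_addr]
    # "class match ... contains" is true if any record of the data group
    # appears inside the body; records on this page are lowercase
    if { [class match [string tolower [HTTP::payload]] contains failtext] } {
        # "table add" creates the entry only if it is absent, so the lifetime
        # (the window) starts at the first failure; "-notouch" keeps the
        # increment from refreshing the entry's timeout
        table add -subtable "bf_failures" $key 0 indefinite $static::bf_window
        set count [table incr -notouch -subtable "bf_failures" $key]
        if { $count >= $static::bf_max_failures } {
            # Blacklist entry expires on its own after bf_block_time seconds
            table set -subtable "bf_blacklist" $key 1 indefinite $static::bf_block_time
            table delete -subtable "bf_failures" $key
            log local0. "Brute force protection: blacklisted $key after $count failures"
        }
    }
    HTTP::release
}
```

Because the blacklist entry carries its own lifetime, a blocked address is released automatically once bf_block_time elapses; an operator who needs to release one earlier can remove the entry with `table delete -subtable "bf_blacklist" <address>`. Restricting collection to login POSTs and capping the collected size keeps the response-buffering cost, which the comment above reports as slowness, away from the rest of the application's traffic.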