Forum Discussion

writemike
Aug 05, 2014

APM 11.5 Built-in Captcha Setup

Hello, I'm trying to find some documentation for the built-in "Captcha Configuration" option under Access Profiles without much luck (APM 11.5.1 HF3). What I would like to do is have the captcha appear after 2 failed login attempts when a user tries to log in, in order to mitigate against a scripted brute force authentication attack. I have tried changing the "Display CAPTCHA After Number of Logon Attempts Equals" option in the "Captcha Configuration" option, but it doesn't seem to affect anything. I can get the Captcha to appear for every login attempt or never, but I have been unsuccessful with anything in between. I even tried to loop a macro with a UserDB to see if that helped, with no luck. Has anyone had any success with this? Any suggestions?

Also, is there any way to send the traffic to Google via HTTPS instead of the default HTTP? I was thinking of running it through a VS, but I would imagine that www.google.com would have a pretty big pool of IP addresses.

4 Replies

  • Hi Mike,

    I have not seen that behavior and would recommend upgrading to 11.5.3 with HF1 and seeing if the issue still happens - if you need a trial VE license to test this let me know.

    As for the sideband API calls what is your concern about these being unencrypted between the F5 and Google?

    Thanks,

    Cody

  • No, never found any. It was a PoC for a customer and since we couldn't get the feature working as they wanted, they decided to skip the CAPTCHA and just use the brute force lockout protection. Haven't looked back since. We also looked at the Google CAPTCHA iRule (https://devcentral.f5.com/s/articles/google-recaptcha-verification-with-sideband-connections) which we had better luck with, as I recall.
  • ben_wyatt_12961
    Historic F5 Account

    So in the APM Captcha settings the "Display CAPTCHA After Number of Logon Attempts Equals" actually means that the login attempt must be rejected by the auth server. I think "logon attempt" in this instance means "until failure" - so the entire attempt to logon - not just the first username and password entry.

    So if the "Display CAPTCHA After Number of Logon Attempts Equals" setting is set to 1 then the user will need to see the "Your session could not be established" page once - i.e. their Logon Attempt fails/is rejected, and then when the user clicks on "To open a new session, please click here" in order to start a second Logon Attempt they will then see the captcha displayed.

    If the APM Captcha "Display CAPTCHA After Number of Logon Attempts Equals" setting is set to 2, then the user will need to see the "Your session could not be established" page twice before the captcha appears, i.e., be rejected twice by the auth server.
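The counting rule described in this reply, modelled as an added example (not F5 code and not how APM is implemented): a rejected session, not a single credential submission, is what advances the counter, and the CAPTCHA is presented on the next new session once the counter reaches the configured value. The user database, the client key (a source address) and the `CaptchaGate` names are assumptions made for the illustration.

```python
# Added example: models the "Display CAPTCHA After Number of Logon Attempts
# Equals" semantics explained in the reply above. An "attempt" is a whole logon
# session that the auth server rejected ("Your session could not be established").
from dataclasses import dataclass, field

# Constructed stand-in for the auth server: username -> password.
USER_DB = {"alice": "correct-horse"}


@dataclass
class CaptchaGate:
    threshold: int                                  # the APM setting under discussion
    failures: dict = field(default_factory=dict)    # client key -> rejected sessions

    def captcha_required(self, client: str) -> bool:
        # The CAPTCHA appears on a new session once `threshold` sessions were rejected.
        return self.failures.get(client, 0) >= self.threshold

    def logon(self, client: str, username: str, password: str,
              captcha_solved: bool = False) -> str:
        """Run one logon session and return its outcome."""
        if self.captcha_required(client) and not captcha_solved:
            return "captcha"            # logon page now carries the CAPTCHA challenge
        if USER_DB.get(username) == password:
            self.failures.pop(client, None)     # a successful session clears the count
            return "allowed"
        # Auth server rejected the session: this is the one event that counts.
        self.failures[client] = self.failures.get(client, 0) + 1
        return "rejected"


def simulate(threshold: int, passwords: list) -> list:
    """Start one new session per guess (client key assumed to be the source IP)."""
    gate = CaptchaGate(threshold)
    return [gate.logon("203.0.113.7", "alice", pw) for pw in passwords]


if __name__ == "__main__":
    print(simulate(1, ["guess1", "guess2", "guess3"]))
    print(simulate(2, ["guess1", "guess2", "guess3"]))
```

With the setting at 1 the second session already shows the CAPTCHA; with the setting at 2 it takes two rejected sessions, matching the two cases walked through above.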