JimT
Mar 11, 2015

Issues with irule to prevent password guessing (active sync)

Hi all,

I have an iRule (see below) that collects the username when a client connects using ActiveSync, and after repeated failed retries locks the user out for a specified amount of time. The problem is that at first it seems to work great, but then I started to get loads of entries in the LTM log:

Rule /Common/user_lockout : blacklist for 1 timeout remaining: 62

When I start to see this message, all requests are dropped, and all users get "username failed too many times".

As you can see in the iRule, I set user to 1 if the username is empty or the URI is not /Microsoft-Server-ActiveSync.

Hope you have some ideas 🙂 Thanks.

when RULE_INIT {
    set static::debug 9
    set static::maxquery 3          ;# failed attempts before a lockout
    set static::holdtime 60         ;# seconds a failure counter lives
    set static::blacklist_time 90   ;# seconds a locked-out user stays blocked
}

when CLIENT_ACCEPTED {
    set srcip [IP::remote_addr]
}

when HTTP_REQUEST {
    ;# Track by username only for ActiveSync requests that carry one;
    ;# every other request (OWA, anonymous, etc.) shares the key 1.
    if { ([HTTP::username] != "") and ([string tolower [HTTP::uri]] starts_with "/Microsoft-Server-ActiveSync") } {
        set user [HTTP::username]
    } else {
        set user 1
    }
    if { $static::debug > 1 } {
        log local0.alert "[virtual] [IP::remote_addr]:[TCP::remote_port] -> [IP::local_addr]:[TCP::local_port] [HTTP::host]/[HTTP::uri]"
        log local0.alert "Authorization header [HTTP::header Authorization] ([HTTP::username])"
        log local0.alert "blacklist for $user timeout remaining: [table timeout -subtable "blacklist" -remaining $user]"
    }
    ;# Reject the request outright while the key is on the blacklist.
    if { [table lookup -notouch -subtable "blacklist" $user] != "" } {
        log local0.alert "blacklist for $user timeout remaining: [table timeout -subtable "blacklist" -remaining $user]"
        HTTP::respond 200 content "username failed too many times"
        TCP::close
        return
    }
}

when HTTP_RESPONSE {
    log local0.alert "Status: [HTTP::status]"
    ;# Every 401 from the server counts against whatever key this request mapped to.
    if { [HTTP::status] == 401 } {
        log local0.alert "Auth failed, User: $user"
        set count [table incr $user]
        table lifetime $user $static::holdtime
        if { $static::debug > 1 } {
            log local0.alert "count is: $count"
            log local0.alert "table timeout [table timeout -remaining $user]"
            log local0.alert "table lifetime [table lifetime -remaining $user]"
        }
        if { $count >= $static::maxquery } {
            log local0.alert "Adding $user to blacklist and dropping connection"
            table add -subtable "blacklist" $user "blocked" $static::blacklist_time $static::blacklist_time
            table delete $user
            drop
            return
        }
    }
}

3 Replies

  • Shouldn't the URI (/Microsoft-Server-ActiveSync) be in lower case, because you use string tolower?

    if { ([HTTP::username] != "") and ([string tolower [HTTP::uri]] starts_with "/Microsoft-Server-ActiveSync" ) } {
    
  • JimT

    Hi nitass. I changed that to lowercase, but the same result is still there.

    The strange thing is when I activate this rule on the iApp (for Exchange 2013) made VIP, users are not able to go to the OWA directory either... The script just blocks everything.

    If I comment out "if { [table lookup -notouch -subtable "blacklist" $user] != "" }" the OWA page shows up again.

    I don't see the logic in that since it shouldn't activate on other URIs except for microsoft-server-activesync.
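The posted rule explains both symptoms on its own. Every request that is not an ActiveSync request with a username is given the key 1, and HTTP_RESPONSE counts every 401 regardless of which URI produced it, so three 401s from any other path put the key 1 on the blacklist; from then on every request that maps to 1 (OWA included) gets the "failed too many times" response, which is exactly the "blacklist for 1" line in the log. With the literal "/Microsoft-Server-ActiveSync" compared against a lowercased URI, real ActiveSync requests never matched either, so they fell into the shared key as well. The iRule below is an added example, not code from the thread, that tracks only ActiveSync requests carrying a username and ignores everything else in both events; the subtable names "failcount" and "blacklist", the 403 status and the log prefix are choices made for this example.

```tcl
;# Added example (not from the thread): per-user ActiveSync lockout that
;# leaves all other requests untouched. Subtable names and the 403 are assumptions.
when RULE_INIT {
    set static::debug 1
    set static::maxquery 3          ;# failed attempts before a lockout
    set static::holdtime 60         ;# seconds a failure counter lives
    set static::blacklist_time 90   ;# seconds a locked-out user stays blocked
}

when HTTP_REQUEST {
    ;# Decide per request whether this is a tracked ActiveSync request.
    ;# The URI is lowercased, so the literal must be lowercase too.
    set user ""
    if { ([HTTP::username] ne "") and ([string tolower [HTTP::uri]] starts_with "/microsoft-server-activesync") } {
        set user [string tolower [HTTP::username]]
    }

    ;# Nothing to track: OWA, autodiscover and anonymous requests pass through.
    if { $user eq "" } { return }

    ;# A locked-out user gets a short error and no round trip to the server.
    if { [table lookup -notouch -subtable "blacklist" $user] ne "" } {
        log local0. "lockout: $user blocked for [table timeout -subtable "blacklist" -remaining $user]s more, client [IP::client_addr]"
        HTTP::respond 403 content "username failed too many times" "Connection" "close"
        return
    }
}

when HTTP_RESPONSE {
    ;# Only count 401s for requests that HTTP_REQUEST decided to track.
    if { ![info exists user] or $user eq "" } { return }
    if { [HTTP::status] != 401 } { return }

    ;# Per-user failure counter in its own subtable, expiring after holdtime.
    set count [table incr -subtable "failcount" $user]
    table lifetime -subtable "failcount" $user $static::holdtime
    if { $static::debug > 0 } {
        log local0. "lockout: $user failed $count time(s), client [IP::client_addr]"
    }

    if { $count >= $static::maxquery } {
        log local0. "lockout: blocking $user for $static::blacklist_time s"
        table set -subtable "blacklist" $user "blocked" $static::blacklist_time $static::blacklist_time
        table delete -subtable "failcount" $user
    }
}
```

The two early returns are the point: a request with no tracked username never touches the table in either event, so a 401 from OWA or from a client's first unauthenticated ActiveSync probe cannot poison a shared key. Keying on the username alone, as the original does, means repeated failures from any source lock that user; if that is a concern, the same structure works with a key such as "$user:[IP::client_addr]" in both events.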