Basic Auth iRule - Including Max Guessing Attempts and A Lockout Timer
Hello,
I have created a Basic Auth iRule which has a 5-attempts-max mechanism appended to it. I'm missing a Lockout Timer feature.
Goal/purpose: For this client, I need a temporary authentication mechanism which will be used for X number of months. The Basic Auth solution is a pre-live access restriction on a publicly available environment. The client would prefer not to go for the APM module.
Question(s): How do I implement a Lockout Timer (per HTTP username or client IP) of 5 minutes once 5 failed guesses have been made? My current ideas are either to go for a subtable solution or a global-variable solution. Which one would be better for this scenario (from the perspective of performance and efficient appliance memory usage)? Any other ideas are welcome.
The current iRule can be found below:
when CLIENT_ACCEPTED {
    set authAttempt 1
    set byPass 0
    if { [class match [IP::client_addr] equals "private_net"] } {
        set byPass 1
    }
}
when HTTP_REQUEST {
    if { $byPass == 0 } {
        binary scan [md5 [HTTP::password]] H* password
        if { $authAttempt > 5 } {
            log user.notice "User <[HTTP::username]>. Access Denied"
            HTTP::respond 403 content "Access RestrictedAuthentication failed. You have tried too many times, try again later." Connection Close
        } elseif { [class lookup [HTTP::username] data_approved_remote_users] ne $password } {
            log user.notice "User <[HTTP::username]>. Authentication attempts <$authAttempt/5>"
            HTTP::respond 401 WWW-Authenticate "Basic realm=\"Restricted area. Attempt $authAttempt/5. Note: IE browser will only allow 3 attempts\""
            incr authAttempt
            return
        } else {
            log user.notice "User <[HTTP::username]>. Access Granted"
            set byPass 1
        }
    }
}
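The subtable variant of the lockout the question asks about, written as an added example rather than the poster's own iRule. It keeps the poster's data-group names (private_net, data_approved_remote_users) and MD5-hex comparison, and assumes a failure counter keyed on the client IP in a subtable named basic_auth_lockout (a name chosen here) with the 5-failure / 5-minute values from the question. Unlike the per-connection counter in the original, the subtable entry survives across TCP connections and expires on its own, so no cleanup code is needed.

```tcl
# Added example (not the original poster's iRule): Basic Auth with a
# per-client-IP failure counter in a session table, locked out after
# 5 failures for 300 seconds. Names below are assumptions unless they
# appear in the original post.
when RULE_INIT {
    set static::ba_max_fails   5      ;# failures allowed before lockout
    set static::ba_lock_secs   300    ;# lockout / counter lifetime (5 minutes)
    set static::ba_subtable    "basic_auth_lockout"   ;# assumed subtable name
}

when HTTP_REQUEST {
    # Internal clients bypass Basic Auth entirely (data group from the post)
    if { [class match [IP::client_addr] equals "private_net"] } {
        return
    }

    set key [IP::client_addr]

    # Current failure count for this client; absent key means 0
    set fails [table lookup -subtable $static::ba_subtable -notouch $key]
    if { $fails eq "" } {
        set fails 0
    }

    # Locked out: refuse without issuing a new challenge so the browser
    # does not keep prompting, and do not touch the entry so the timer
    # runs from the last failure rather than from the last attempt
    if { $fails >= $static::ba_max_fails } {
        log local0.notice "Client <$key> locked out, [table timeout -subtable $static::ba_subtable -remaining $key]s remaining"
        HTTP::respond 403 content "Access restricted. Too many failed attempts, try again later." Connection Close
        return
    }

    # Compare MD5 hex of the supplied password to the data-group value,
    # as in the original iRule
    binary scan [md5 [HTTP::password]] H* password
    set expected [class lookup [HTTP::username] data_approved_remote_users]

    if { ($expected eq "") || ($expected ne $password) } {
        incr fails
        # (Re)write the counter with a fresh timeout: every failure
        # restarts the 5-minute window, and the entry expires by itself
        table set -subtable $static::ba_subtable $key $fails $static::ba_lock_secs $static::ba_lock_secs
        log local0.notice "Client <$key> user <[HTTP::username]> failed auth, attempt $fails/$static::ba_max_fails"
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"Restricted area. Attempt $fails/$static::ba_max_fails\""
        return
    }

    # Success: clear the counter for this client and let the request through
    table delete -subtable $static::ba_subtable $key
    log local0.notice "Client <$key> user <[HTTP::username]> access granted"
}
```

Keying on the client IP rather than the username means an attacker who knows a valid username cannot deliberately lock that user out by sending bad passwords, which is the usual argument against username-keyed lockouts; the trade-off is that clients behind a shared NAT address share one counter. The table entry's lifetime equals its timeout here, so the record disappears 5 minutes after the last failure with no explicit cleanup, which is what makes the subtable approach cheaper in memory than a global variable that would have to be pruned by hand.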