Forum Discussion

smiley_dba
Nov 11, 2019

F5 ASM Start Page + Brute Force Protection - SoftLockout

Ver. 14.1

ASM Policy framework: ASM OWA Policy

Trying to provide a soft lockout for user logins to OWA: when they fail to auth 2 times, they have to wait 15 minutes. When we create the Brute Force Protection for the start page, we are seeing that UserID only has Alarm, Alarm and Client Side Integrity, and Alarm and CAPTCHA.

Preferably, we would want the option to Alarm and Block when users keep hitting the VIP. Now, we can provide some soft lockout features if we also change the IP address action to Alarm and Block, but the UserID is the option we were hoping to provide the block at.

With UserID set to Alarm and IP address to Alarm and Block, we don't feel like we are getting the full soft lockout function, as we want to monitor user login activity. Thoughts?

2 Replies

  • From OLH - A brute force attack can be automated, but a hacker can outsource CAPTCHA challenges to turks (a.k.a. CAPTCHA farm) to pass the CAPTCHA challenges. CAPTCHA Bypass is detected only after a source-based brute-force attack has been detected and mitigation has been applied. The system counts occurrences of a combination of two simultaneous events: successful CAPTCHA challenge solution by a client and a failed login attempt. There are separate counters for Device ID and Source IP. When a counter is higher than the threshold, enforcement action is applied. CAPTCHA Bypass detection is not applicable to username. CAPTCHA is the strictest mitigation available for username, which guarantees login availability for legitimate users even if their account is under a brute force attack.

    Alarm+Block will affect a legitimate user logging in.
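
    The two-stage behaviour the OLH excerpt describes (source-based brute force detection first, then CAPTCHA-bypass counting per Device ID and Source IP, with username never going past CAPTCHA) is easier to reason about as code. The Python model below is an added illustration for this thread, not F5 ASM's implementation or policy configuration; the thresholds, event fields and action names are assumptions, and both event streams are constructed. It shows why a single source farming CAPTCHAs ends up blocked while a distributed attack on one username only ever earns a CAPTCHA challenge, which is the property the reply points out.

```python
"""Toy model of the two-stage brute-force handling described in the reply above.

Added illustration, not F5 ASM code. The thresholds, the event fields and
the action names are assumptions chosen for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed thresholds; real values are configured in the ASM policy.
SOURCE_FAILED_THRESHOLD = 5    # failed logins from one source IP -> CAPTCHA mitigation
USERNAME_FAILED_THRESHOLD = 5  # failed logins on one username -> CAPTCHA mitigation
CAPTCHA_BYPASS_THRESHOLD = 3   # solved-CAPTCHA + failed-login pairs -> block


@dataclass
class LoginEvent:
    source_ip: str
    device_id: str
    username: str
    login_failed: bool
    captcha_solved: bool = False  # client passed a CAPTCHA before this attempt


@dataclass
class Detector:
    failed_by_source: dict = field(default_factory=lambda: defaultdict(int))
    failed_by_user: dict = field(default_factory=lambda: defaultdict(int))
    captcha_sources: set = field(default_factory=set)  # sources under CAPTCHA mitigation
    captcha_users: set = field(default_factory=set)    # usernames under CAPTCHA mitigation
    bypass_by_source: dict = field(default_factory=lambda: defaultdict(int))
    bypass_by_device: dict = field(default_factory=lambda: defaultdict(int))
    blocked_sources: set = field(default_factory=set)
    blocked_devices: set = field(default_factory=set)

    def handle(self, ev: LoginEvent) -> str:
        """Return one of 'allow', 'alarm', 'captcha', 'block' for this event."""
        if ev.source_ip in self.blocked_sources or ev.device_id in self.blocked_devices:
            return "block"
        if not ev.login_failed:
            return "allow"

        # Stage 1: count failures per source and per username. A counter
        # reaching its threshold puts that key under CAPTCHA mitigation.
        self.failed_by_source[ev.source_ip] += 1
        self.failed_by_user[ev.username] += 1
        if self.failed_by_source[ev.source_ip] >= SOURCE_FAILED_THRESHOLD:
            self.captcha_sources.add(ev.source_ip)
        if self.failed_by_user[ev.username] >= USERNAME_FAILED_THRESHOLD:
            self.captcha_users.add(ev.username)

        # Stage 2: CAPTCHA bypass. Runs only once source-based mitigation is
        # active, and counts the pair "CAPTCHA solved AND login failed".
        # Counters exist for source IP and device ID only, never for username.
        if ev.source_ip in self.captcha_sources and ev.captcha_solved:
            self.bypass_by_source[ev.source_ip] += 1
            self.bypass_by_device[ev.device_id] += 1
            if self.bypass_by_source[ev.source_ip] >= CAPTCHA_BYPASS_THRESHOLD:
                self.blocked_sources.add(ev.source_ip)
                return "block"
            if self.bypass_by_device[ev.device_id] >= CAPTCHA_BYPASS_THRESHOLD:
                self.blocked_devices.add(ev.device_id)
                return "block"

        # A username under attack is challenged, never blocked, so the real
        # account owner can still log in by solving the CAPTCHA.
        if ev.source_ip in self.captcha_sources or ev.username in self.captcha_users:
            return "captcha"
        return "alarm"


def single_source_scenario() -> list:
    """Constructed stream: one source hammers 'alice', then farms CAPTCHAs."""
    det = Detector()
    atk = dict(source_ip="203.0.113.7", device_id="dev-atk", username="alice")
    events = [LoginEvent(login_failed=True, **atk) for _ in range(5)]
    events += [LoginEvent(login_failed=True, captcha_solved=True, **atk) for _ in range(3)]
    events.append(LoginEvent(login_failed=False, captcha_solved=True, **atk))
    events.append(LoginEvent("198.51.100.5", "dev-bob", "bob", login_failed=False))
    return [det.handle(e) for e in events]


def distributed_scenario() -> list:
    """Constructed stream: eight sources, one failed attempt each on 'carol';
    the last three arrive with a solved CAPTCHA."""
    det = Detector()
    events = [
        LoginEvent(f"203.0.113.{i}", f"dev-{i}", "carol",
                   login_failed=True, captcha_solved=(i > 5))
        for i in range(1, 9)
    ]
    return [det.handle(e) for e in events]


if __name__ == "__main__":
    print("single source:", single_source_scenario())
    print("distributed:  ", distributed_scenario())
```

    In the single-source run the first four failures only alarm, the fifth trips both the source and username counters and switches to CAPTCHA, and the third solved-CAPTCHA-plus-failure pair blocks the source; the legitimate user from another address is unaffected. In the distributed run the username counter trips but no source ever reaches its own threshold, so stage 2 never engages and the outcome stays at CAPTCHA, matching the OLH statement that bypass detection does not apply to username.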

  • yuova

    Hello,

    I tried to set up brute force protection for our OWA but it didn't work. Can you please give some advice?

    I put the login URL as: "[HTTPS] POST /owa/auth.owa"