Brute force attack protection

Overview

Brute force attacks are attempts to break into secured areas of a web application by systematically trying username/password combinations until a valid set of credentials is found. To prevent brute force attacks, the WAF tracks the number of failed login attempts against each login page that has brute force protection enforced. The WAF policy treats the activity as an attack when the failed-login rate rises significantly or when failed logins reach a configured maximum threshold; the settings described on this page control the thresholds, the mitigation taken, and how long mitigation is enforced.

Prerequisites

  • Verify any attached application services to ensure proper security after changes are deployed.

  • You need to have a user role of Security Manager or Administrator to manage a WAF policy.

How to protect login pages from brute force attacks

Add brute force protection to login pages

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click Policies under WAF.

  3. Select the name of the policy.

    A panel for the General Settings opens.

  4. From the panel menu, click Brute Force Protection.

    The login pages configured for brute force protection are listed.

  5. Click Create.

  6. Click Create under the Login Page field.

    1. Click the dropdown for the Login URL field:

      1. Select a URL from your WAF policy.

        Note: The list provides URLs configured to the policy that do not have brute force protection.

      2. Create a new allowed URL:

        1. Click Create under the Login URL field to open a panel for Allowed URL Properties.

        2. Add the allowed URL properties.

        3. Click Save.

          The URL is added to the allowed URLs in the policy and is added as the Login URL. You can now complete the Login Page Properties using the new URL.

    2. From the Authentication Type list, select the method the web server uses to authenticate the credentials a user submits to the login URL.

    3. Enter the expected login conditions for the URL. These describe the response the server returns for a successful login, and are what the policy uses to tell successful attempts from failed ones.

      1. For Condition select the validation criterion to apply to the login page response.

      2. For Value define the criteria for the selected condition.

      3. To add multiple login conditions, click + Add Condition.

        Note: If you define more than one login condition, the response must meet all of the criteria for the policy to treat the attempt as a successful login; a response that fails any condition is counted as a failed login attempt.

      4. Click Save.

  7. Configure the source-based brute force protection for the login page:

    1. Enable IP Address to set a threshold, and the action to take when that threshold is reached, for failed logins from a single source address.

      If disabled, the policy does not monitor IP addresses for brute force attacks.

      1. Enter the Maximum Failed Login Attempts for a single IP address. The default is 20.

      2. For Mitigation select one of the following protection settings:

        1. Alarm - Sends an alert to the event log that a threshold was passed for an IP address.

        2. Alarm & Block - Sends an alert to the event log and blocks traffic from an IP address that passed the threshold.

    2. Enable Username to set a threshold, and the action to take when that threshold is reached, for failed logins against a single username (regardless of source address).

      If disabled, the policy does not monitor usernames for brute force attacks.

      1. Enter the Maximum Failed Login Attempts for a single username. The default is 5.

      2. For Mitigation, only Alarm is available for usernames. This sends an alert to the event log that a threshold was passed for a username; traffic is not blocked, because blocking on username alone would let an attacker lock legitimate users out.

  8. Configure the amount of time the policy mitigates brute force attacks to the login page:

    1. For Detection Period enter the period of time, in minutes, over which the policy counts failed login attempts toward the thresholds. The default is 60 minutes.

    2. For Maximum Attack Prevention Time enter the period of time, in minutes, for which the policy enforces mitigation against a detected brute force attack. The default is 60 minutes.

  9. Click Save.

The login page is immediately added to brute force protection, but policy changes are not yet deployed. You can click Deploy to deploy changes to the BIG-IP Next instances.
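The following Python model, added here as an illustration and not F5 code (it does not reflect the internal implementation of BIG-IP Next WAF), ties together the login conditions from step 6 and the thresholds, mitigations and timers from steps 7 and 8 so you can see how the settings interact on a stream of attempts. Every response is checked against all login conditions; anything that fails a condition is a failed attempt, counted per source IP and per username over the Detection Period, and an IP whose count reaches the Maximum Failed Login Attempts with Alarm & Block is dropped for the Maximum Attack Prevention Time, correct password or not. The class and function names, the condition kinds, and all traffic are assumptions constructed for the example.

```python
"""Added example: illustrative model of login-page brute force protection.
Not F5 code; models the behaviour the settings describe. Sample traffic is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class LoginPage:
    url: str
    # Login conditions: every one must hold for a response to be a successful login.
    # Kinds modelled here (assumed): ("status", int) and ("body_contains", str).
    conditions: list
    ip_enabled: bool = True
    ip_threshold: int = 20              # Maximum Failed Login Attempts per IP (page default)
    ip_mitigation: str = "alarm_block"  # "alarm" or "alarm_block"
    user_enabled: bool = True
    user_threshold: int = 5             # Maximum Failed Login Attempts per username (page default)
    detection_period: int = 60          # minutes failures are tracked (page default)
    max_prevention_time: int = 60       # minutes a block is enforced (page default)


def login_succeeded(page: LoginPage, status: int, body: str) -> bool:
    """A login is a success only if ALL conditions match; anything else is a failed attempt."""
    for kind, value in page.conditions:
        if kind == "status" and status != value:
            return False
        if kind == "body_contains" and value not in body:
            return False
    return True


class BruteForceProtector:
    def __init__(self, page: LoginPage):
        self.page = page
        self.ip_failures = defaultdict(deque)    # ip -> failure timestamps (minutes)
        self.user_failures = defaultdict(deque)  # username -> failure timestamps
        self.blocked_until = {}                  # ip -> minute at which the block expires
        self.events = []                         # (kind, subject, minute) alarms raised

    def _record(self, store, key, now):
        """Append a failure and drop failures that fell outside the detection period."""
        q = store[key]
        q.append(now)
        while q and q[0] <= now - self.page.detection_period:
            q.popleft()
        return len(q)

    def observe(self, now, ip, username, status, body):
        """Process one login attempt; returns 'allowed', 'failed' or 'blocked'."""
        if ip in self.blocked_until:
            if now < self.blocked_until[ip]:
                return "blocked"            # prevention time still running, not even counted
            del self.blocked_until[ip]      # Maximum Attack Prevention Time has elapsed
        if login_succeeded(self.page, status, body):
            return "allowed"
        if self.page.ip_enabled:
            n = self._record(self.ip_failures, ip, now)
            if n == self.page.ip_threshold:  # fire once per crossing of the threshold
                self.events.append(("ip", ip, now))
                if self.page.ip_mitigation == "alarm_block":
                    self.blocked_until[ip] = now + self.page.max_prevention_time
                    return "blocked"
        if self.page.user_enabled:
            n = self._record(self.user_failures, username, now)
            if n == self.page.user_threshold:  # username mitigation is Alarm only
                self.events.append(("username", username, now))
        return "failed"


def run_sample():
    """Constructed traffic against /login using the page's default thresholds."""
    page = LoginPage(url="/login", conditions=[("status", 302), ("body_contains", "Welcome")])
    p = BruteForceProtector(page)
    out = []
    # five wrong passwords for 'alice' from one IP at minutes 0-4: username alarm on the 5th
    for m in range(5):
        out.append(p.observe(m, "203.0.113.9", "alice", 200, "Invalid password"))
    # the same IP then sprays 15 more usernames (minutes 5-19): 20th failure -> Alarm & Block
    for i, m in enumerate(range(5, 20)):
        out.append(p.observe(m, "203.0.113.9", "user%d" % i, 200, "Invalid password"))
    # a legitimate user from another address is unaffected
    out.append(p.observe(20, "198.51.100.7", "bob", 302, "Welcome bob"))
    # a correct password from the blocked IP is still dropped inside the prevention time
    out.append(p.observe(30, "203.0.113.9", "alice", 302, "Welcome alice"))
    # by minute 79 the block has expired and the old failures have aged out of the window
    out.append(p.observe(79, "203.0.113.9", "carol", 200, "Invalid password"))
    return p, out


if __name__ == "__main__":
    protector, outcomes = run_sample()
    print(outcomes)
    print(protector.events)
```

Two things the run makes visible that the settings alone do not: the per-IP block is applied before the login conditions are evaluated, so a correct password from a blocked address never reaches the application until the prevention time expires; and because the username mitigation is Alarm only, a distributed attack that stays under the per-IP threshold shows up in the event log but is not blocked by this feature, so those alarms deserve a detection rule of their own.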

Modify brute force protection for login pages

You can change the login page properties and the brute force protection settings for a login page that is currently protected from brute force attacks.

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click Policies under WAF.

  3. Select the name of the policy.

    A panel for the General Settings opens.

  4. From the panel menu, click Brute Force Protection.

    The login pages configured for brute force protection are listed.

  5. Click the login page name.

    The Brute Force Protection Properties panel opens.

  6. To change the login page settings:

    1. Click Edit.

      The Login Page Properties panel opens.

    2. Edit the Authentication Type and Login Conditions.

    3. Click Save.

  7. Edit the brute force protection properties (source-based thresholds, mitigations, Detection Period and Maximum Attack Prevention Time) for the login page.

  8. Click Save.

The login page brute force protection is updated, but policy changes are not yet deployed. You can click Deploy to deploy changes to the BIG-IP Next instances.

Manage brute force protection violations

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click Policies under WAF.

  3. Select the name of the policy.

    A panel for the General Settings opens.

  4. From the panel menu, click Brute Force Protection.

  5. Click Violations.

    The Brute Force Protection Violations panel opens.

  6. Select the action the policy takes when a username or IP address has failed to log on to a URL more times than the security policy allows:

    1. Select one of the following protection settings:

      1. Alarm - Sends an alert to the event log that a threshold was passed for a login page.

      2. Alarm & Block - Sends an alert to the event log and blocks traffic when a threshold was passed for a login page.

      3. Disabled - The policy does not detect or enforce brute force attacks.

  7. Click Save.

The brute force protection is updated, but policy changes are not yet deployed. You can click Deploy to deploy changes to the BIG-IP Next instances.

Resources

Brute force protection management using the policy editor

Edit the WAF policy JSON declaration directly through the WAF policy editor.