Forum Discussion
APM 11.5 Built-in Captcha Setup
Hello, I'm trying to find some documentation for the built-in "Captcha Configuration" option under Access Profiles without much luck (APM 11.5.1 HF3). What I would like to do is have the captcha appear after 2 failed login attempts when a user tries to log in, in order to mitigate against a scripted brute force authentication attack. I have tried changing the "Display CAPTCHA After Number of Logon Attempts Equals" option in the "Captcha Configuration" option, but it doesn't seem to affect anything. I can get the Captcha to appear for every login attempt or never, but I have been unsuccessful with anything in between. I even tried to loop a macro with a UserDB to see if that helped, with no luck. Has anyone had any success with this? Any suggestions?
Also, any way to send the traffic to Google via HTTPS instead of the default HTTP? I was thinking of running it through a VS, but I would imagine that www.google.com would have a pretty big pool of IP addresses.
4 Replies
- Michael_Ebbels
Nimbostratus
Hi Mike, did you end up finding any doco? I'm having a similar issue
- Cody_Green
Employee
Hi Mike,
I have not seen that behavior and would recommend upgrading to 11.5.3 with HF1 and seeing if the issue still happens - if you need a trial VE license to test this let me know.
As for the sideband API calls, what is your concern about these being unencrypted between the F5 and Google?
Thanks,
Cody
- writemike
Nimbostratus
No, never found any. It was a PoC for a customer and since we couldn't get the feature working as they wanted, they decided to skip the CAPTCHA and just use the brute force lockout protection. Haven't looked back since. We also looked at the Google CAPTCHA iRule (https://devcentral.f5.com/s/articles/google-recaptcha-verification-with-sideband-connections) which we had better luck with, as I recall.
- ben_wyatt_12961
Historic F5 Account
So in the APM Captcha settings the "Display CAPTCHA After Number of Logon Attempts Equals" actually means that the login attempt must be rejected by the auth server. I think "logon attempt" in this instance means "until failure" - so the entire attempt to logon - not just the first username and password entry.
So if the "Display CAPTCHA After Number of Logon Attempts Equals" setting is set to 1 then the user will need to see the "Your session could not be established" page once - i.e. their Logon Attempt fails/is rejected, and then when the user clicks on "To open a new session, please click here" in order to start a second Logon Attempt they will then see the captcha displayed.
If the APM Captcha "Display CAPTCHA After Number of Logon Attempts Equals" setting is set to 2, then the user will need to see the "Your session could not be established" page twice before the captcha appears - i.e. be rejected twice by the auth server.
