Forum Discussion
Hannes_Rapp
Nimbostratus
Feb 11, 2016
Basic Auth iRule - Including Max Guessing Attempts and A Lockout Timer
Hello,
I have created a Basic Auth iRule which has a 5-attempts-max mechanism appended to it. I'm missing a Lockout Timer feature.
Goal/purpose: For this client, I need a temporary authentication...
Kai_Wilke
MVP
Feb 11, 2016
Hi Hannes,
I've added some code snippets to your iRule, which I've used in the past to create sliding window based account lockouts...
when RULE_INIT {
    set static::failed_auth_limit_count 5         ;# Max tries
    set static::failed_auth_limit_duration 300    ;# Sliding window in seconds
    set static::failed_auth_lockout_duration 600  ;# Fixed lockout duration in seconds
}
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals "private_net"] } {
        set byPass 1
    } else {
        set byPass 0
    }
}
when HTTP_REQUEST {
    if { $byPass == 0 } {
        if { [catch {
            set username [HTTP::username]
            set password [HTTP::password]
        }] } then {
            HTTP::respond 500 content "Invalid Credentials"
            return
        }
        if { ( $username ne "" ) and ( $password ne "" ) } then {
            # The lockout flag is checked before the password, so a locked account is refused even with the right password
            if { [table lookup -notouch "lck_$username"] ne "" } then {
                HTTP::respond 403 content "Access Restricted: Authentication failed. You have tried too many times, try again later." Connection Close
                return
            } else {
                # Compare the MD5 hex digest of the supplied password with the one stored in the data group
                binary scan [md5 $password] H* password
                if { [set class_result [class lookup "$username" data_approved_remote_users]] eq $password } then {
                    log user.notice "User <$username>: Access Granted"
                    # Warning: You shouldn't use "set byPass 1" for authenticated users.
                    # Certain forward proxies MAY share TCP sessions across different users,
                    # so you should Basic authenticate every single request.
                    return
                } elseif { $class_result ne "" } then {
                    log user.notice "User <$username>: Access Denied"
                    # Count the failures still alive in the sliding window, plus this one
                    if { [set authAttempt [expr { [table keys -subtable "lcks_$username" -count] + 1 }]] >= $static::failed_auth_limit_count } then {
                        log user.notice "User <$username>: Locked out!"
                        # Fixed-lifetime lockout flag; clear the per-attempt entries
                        table set -notouch "lck_$username" X indef $static::failed_auth_lockout_duration
                        table delete -subtable "lcks_$username" -all
                    } else {
                        log user.notice "User <$username>: $authAttempt failed attempts!"
                        # One subtable entry per failure, each expiring after the window duration
                        table set -subtable "lcks_$username" [clock clicks] "" indef $static::failed_auth_limit_duration
                    }
                    HTTP::respond 401 WWW-Authenticate "Basic realm=\"Restricted area. Attempt $authAttempt/$static::failed_auth_limit_count. Note: IE browser will only allow 3 attempts\""
                    return
                }
            }
        }
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"Restricted area\""
    }
}
Note: I didn't save the iRule. Feel free to find the missing brackets... 😉
Cheers, Kai
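To check the sliding-window-plus-fixed-lockout behaviour of the iRule above off-box, here is an added Python model (not Kai's or F5's code) that mirrors its session-table logic with an injectable clock; the data-group name, the user "alice" and the passwords are constructed test values.

```python
import hashlib
import time

# Same values as the iRule's static:: settings
FAILED_AUTH_LIMIT_COUNT = 5          # max tries
FAILED_AUTH_LIMIT_DURATION = 300     # sliding window, seconds
FAILED_AUTH_LOCKOUT_DURATION = 600   # fixed lockout, seconds

# Constructed stand-in for the data_approved_remote_users data group:
# username -> MD5 hex digest of the password, as the iRule compares them.
APPROVED_USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}


class LockoutState:
    """Models the session table: one 'lck_<user>' flag with a fixed lifetime
    and one 'lcks_<user>' subtable of failures that expire after the window."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.locked_until = {}   # lck_<user>  -> expiry time
        self.failures = {}       # lcks_<user> -> list of entry expiry times

    def is_locked(self, user):
        return self.locked_until.get(user, 0) > self.clock()

    def _live_failures(self, user):
        now = self.clock()
        live = [t for t in self.failures.get(user, []) if t > now]
        self.failures[user] = live
        return live

    def check(self, user, password):
        """Return (status, realm/note) as the HTTP_REQUEST event would."""
        now = self.clock()
        if not user or not password:
            return 401, "Restricted area"
        # Lockout is tested before the password, so a correct guess is refused too.
        if self.is_locked(user):
            return 403, "Access Restricted: Authentication failed"
        stored = APPROVED_USERS.get(user, "")
        if stored == hashlib.md5(password.encode()).hexdigest():
            return 200, "Access Granted"
        if stored == "":
            return 401, "Restricted area"   # unknown users are not counted (the elseif)
        attempt = len(self._live_failures(user)) + 1
        if attempt >= FAILED_AUTH_LIMIT_COUNT:
            self.locked_until[user] = now + FAILED_AUTH_LOCKOUT_DURATION
            self.failures[user] = []       # table delete -subtable ... -all
        else:
            self.failures[user].append(now + FAILED_AUTH_LIMIT_DURATION)
        return 401, f"Restricted area. Attempt {attempt}/{FAILED_AUTH_LIMIT_COUNT}"
```

Because the counter is keyed on the username alone, five wrong guesses against a known account also lock out its legitimate owner for the full lockout duration, which is worth weighing against a per-source-address counter or a delay-based scheme before deploying.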