

SAP
Jul 13, 2018

Block Brute Force Attack

Hi All,

Need some suggestions.

Is there any way we can allow only x connections from the same IP address at a time for a VIP?

VIP config:

    ltm virtual XXXXX-22 {
        destination X.X.X.X:22
        mask 255.255.255.255
        pool XXXXX
        profiles {
            fastL4 { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 13487
    }

Note: APM and ASM not licensed.

Any suggestions highly appreciated.

Thanks, Soumen

 

1 Reply

  • You would need to use an iRule and session tables to store client IP addresses, then every time a new connection takes place look up the IP in the table; if it exists, close the new connection down. When a connection closes you would need to make sure you removed it from the table.

    This would only slow a brute force attack down if someone is always using the same source address, not if someone has a way of connecting using multiple IP addresses. This could also block valid traffic, as multiple users connecting from behind the same NATed private network would share a common IP address seen by the F5 as the source address.

    Assuming this is for an SSH connection, it would be better to get the backend system to lock accounts after a set number of failed login attempts, and even look at whether a user can be limited to a single authenticated session.
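As an added illustration of the approach described in the reply above (this is example code written for this page, not code from the thread or from F5), here is an iRule that counts concurrent connections per source IP in a session table and rejects new connections once a limit is reached. It generalises the reply slightly: instead of storing a single entry per IP, it keeps a count, so the "x connections" from the question is configurable; with the limit set to 1 it behaves exactly as the reply describes. The limit of 3, the subtable name ssh_conns and the 600-second safety timeout are assumed values. CLIENT_ACCEPTED and CLIENT_CLOSED are the events used because the VIP in the question runs the fastL4 profile, which supports them.

```tcl
# Added example: limit concurrent connections per source IP on a fastL4 virtual server.
# Assumed values: max 3 connections per IP, subtable "ssh_conns", 600 s safety timeout.

when RULE_INIT {
    # Maximum simultaneous connections allowed from one source IP (assumed value)
    set static::max_conns_per_ip 3
    # Safety-net timeout (seconds) so a counter cannot linger forever if a close
    # event is ever missed; it is refreshed on every accepted connection
    set static::conn_entry_timeout 600
}

when CLIENT_ACCEPTED {
    set client_ip [IP::client_addr]

    # Atomically increment this client's counter; the entry is created if absent.
    # The table is shared across TMMs, so the count is cluster-wide for this VIP.
    set count [table incr -subtable "ssh_conns" $client_ip]

    if { $count > $static::max_conns_per_ip } {
        # Over the limit: undo our increment, then refuse the connection
        table incr -subtable "ssh_conns" $client_ip -1
        log local0. "Rejecting $client_ip: $count concurrent connections exceeds limit of $static::max_conns_per_ip"
        reject
        return
    }

    # Refresh the safety-net timeout and mark this connection as counted,
    # so CLIENT_CLOSED only decrements for connections that were admitted
    table timeout -subtable "ssh_conns" $client_ip $static::conn_entry_timeout
    set tracked 1
}

when CLIENT_CLOSED {
    # Release this connection's slot; remove the key once no connections remain
    if { [info exists tracked] && $tracked } {
        set remaining [table incr -subtable "ssh_conns" $client_ip -1]
        if { $remaining <= 0 } {
            table delete -subtable "ssh_conns" $client_ip
        }
    }
}
```

The iRule is attached to the XXXXX-22 virtual server. The caveats from the reply still apply: an attacker rotating source addresses is not slowed much, and every user behind one NAT address shares the same counter, so the limit should be set with the expected number of legitimate clients per public address in mind; the rejection log line gives a quick way to spot when the limit is hitting real users.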