BruteForce Mitigation using only One field in login page

Question

Hello,&nbsp;If we have login page with only field for example "SSN Number" and we need to protect this login page from brute force , Is it possible?we need to verify if the user typed SSN number for example 3 times , after that F5 should block the user but I said using only one Field in the login page such as SSN number , No password will be inserted in this login page.&nbsp;We tried to use "None" for Authentication method but didn't achieve the goal.

nathe · Answer

MR.Freddy,&nbsp;I'm not sure you can with the Login Page configuration by default, and I haven't got up to date versions available to check if things have changed. However, I have seen this work in older versions using Data Guard. I wish I had the details to share more fully but here's an overview, which may be enough, or something which other DCers can help with and chip in on.&nbsp;Firstly, create a Data Guard configuration with a custom pattern of whatever is returned after a failed login i.e. when a user enters in an incorrect SSN Number. Enforce this on a URL, i.e. the logon page, again in the DG config. Enable the block for Data Guard in the violations list (or Alarm to test). This should block on each failed attempt.&nbsp;To allow for 3 attempts we would need to do session tracking, set the Associated Violation to Data Guard, set a blocking period and then add an IP Address Threshold for 3. Also enable block (or alarm) for the violation around disallowed IP address. &nbsp;See if this helps with your requirement, and please feedback. I must admit this was v10 or v11 about 5 years ago so forgive me for faded memory and out of date configuration advice on this one.&nbsp;HTH,&nbsp;N&nbsp;&nbsp;

mr_freddy · Answer

Hello Nathe,&nbsp;Thank you for your feedback.I am agree with you for that and we was thinking for the same but actually we want to protect the login page from brute force attack as more attackers always trying to login with fake SSN number which will lead to service outage on the application.

ivan_chernenkii · Answer

I think the best way will be to use some hidden parameter for password, and then use standard HTML Form login page for Brute Force protection

You can add such parameter via iRule (when HTTP_REQUEST) or add it into application as hidden.

Thanks, Ivan

Forum Discussion

BruteForce Mitigation using only One field in login page

Recent Discussions

SNI Sites not taking correct certificate.

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

Can i apply ddos profile on virtual server using port range

ASM Export JSON - size Limit ?

LTM Rule, iRule, or Brute Force Configuration to Limit URL Access

Related Content

Mitigating OWASP API Security Top 10 risks using F5 NGINX App Protect

Mitigating OWASP Web Application Risk: Security Misconfiguration using F5 XC Platform

Mitigating OWASP API Security Risk: Injection flaws using F5 XC Platform

Mitigating OWASP API Security Risk: Security Misconfiguration using F5 XC Platform

Mitigating OWASP Web Application Risk: Injection exploits using F5 Distributed Cloud Platform

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS