François_Bégin_
Jan 10, 2007

How to keep track of users' login attempts

I have been asked to implement logging on an F5 pair. We need to log user login attempts and failures to a web application. For various reasons, the application itself will not be logging attempts/failures - the F5 needs to do that.

When the user tries to log in, a POST is made to a file called j_security_check. One variable posted is j_username and the other one is j_password

Logging this is simple enough with an iRule. I would just check for the string 'j_username' and keep information like the username used, the IP of origin and the time.

The problem is when the application replies. Here is a successful login response:

HTTP/1.1 302 Moved Temporarily
302 Moved Temporarily
This document you requested has moved temporarily.
It's now at .

In other words, if the username/password checks out, the reply is a re-direct to /dashboard/initialAgent.do

If the username/password pair is incorrect, we get

HTTP/1.1 403 Forbidden

Note that neither the 302 nor the 403 reply includes j_username. What the architect wants to see is login attempt & result in pairs. They want to see this:

Tuesday January 9 2007 14:38:11 User 'joe_user' attempted to log in from IP 1.2.3.4
Tuesday January 9 2007 14:38:13 User 'joe_user' successfully logged in

How do I keep track though? Suppose someone uses Brutus to mount an attack against the web portal. Brutus may send multiple login requests before the replies start coming back. We would see this in the log:

Tuesday January 9 2007 14:38:11 User 'admin' attempted to log in from IP 1.2.3.4
Tuesday January 9 2007 14:38:11 User 'administrator' attempted to log in from IP 1.2.3.4
Tuesday January 9 2007 14:38:11 User 'root' attempted to log in from IP 1.2.3.4
Tuesday January 9 2007 14:38:11 User 'guest' attempted to log in from IP 1.2.3.4

Now assume that Brutus guessed the password for 'root' but we might get three 403 followed by one 302 (assume there is a slight lag to process the re-direct). I would see this coming back through the F5:

Tuesday January 9 2007 14:38:13 Denied
Tuesday January 9 2007 14:38:13 Denied
Tuesday January 9 2007 14:38:13 Denied
Tuesday January 9 2007 14:38:14 Accepted

How can I match the first 3 'DENIED' with admin, administrator, guest and match the 'ACCEPTED' to root?

Cheers,

Francois Begin
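
One way to pair each 302/403 reply with the j_username that triggered it, shown as an added example that is not part of the original post: an iRule that keeps the username in a connection-scoped variable between the request and its response. It assumes the BIG-IP handles one outstanding request at a time per client connection; the 4 KB body cap, the local0 log facility and the message wording are also assumptions.

```tcl
# Added example, not from the original post. iRule variables are scoped to
# the client connection, so each response is matched to the request that
# preceded it on that same connection, even when many connections are open.
when HTTP_REQUEST {
    set login_user ""
    if { [HTTP::method] eq "POST" && [HTTP::path] ends_with "/j_security_check" } {
        set login_ip [IP::client_addr]
        set len 0
        if { [HTTP::header exists "Content-Length"] } {
            set len [HTTP::header "Content-Length"]
        }
        # Buffer at most 4 KB of the form body (assumed cap) to read j_username.
        if { $len > 4096 } { set len 4096 }
        if { $len > 0 } { HTTP::collect $len }
    }
}

when HTTP_REQUEST_DATA {
    set login_user "unknown"
    foreach pair [split [HTTP::payload] "&"] {
        if { $pair starts_with "j_username=" } {
            set login_user [URI::decode [string map {+ " "} [string range $pair 11 end]]]
        }
    }
    # Replace non-printable characters so a crafted username cannot forge log lines.
    regsub -all {[^[:print:]]} $login_user "?" login_user
    # j_password is deliberately never logged.
    log local0.info "User '$login_user' attempted to log in from IP $login_ip"
    HTTP::release
}

when HTTP_RESPONSE {
    # Only responses to a login POST carry a non-empty login_user.
    if { $login_user ne "" } {
        switch [HTTP::status] {
            302 { log local0.info "User '$login_user' successfully logged in from IP $login_ip" }
            403 { log local0.info "User '$login_user' was denied login from IP $login_ip" }
            default { log local0.info "User '$login_user' login from IP $login_ip returned status [HTTP::status]" }
        }
        set login_user ""
    }
}
```

Because the result line repeats the username and source IP, the attempt/result pairs can be matched in the log even when lines from many connections interleave.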