irule Brute Force attack control on SFTP Virtual servers

Question

How do you guys normally deal with Brute Force attack on non HTTP traffic?
I can perhaps set up an irule to limit the number of connection by the same IP address, but is there a way to detect how many connections are coming from the same IP address in x seconds, and if it exceeds that amount of connection, block the IP for 10 minutes?&nbsp;

boneyard · Answer

i would expect an irule to do that already exists but i can't find anything.&nbsp;
you will probably need to combine some existing irules. &nbsp;
the one you suggest + something like this: https://devcentral.f5.com/articles/preventing-brute-force-password-guessing-attacks-with-apm%E2%80%93part-4 and ignore the APM parts.&nbsp;
you would create a table with all client IPs and a connection counter, do a counter+1 when an IP makes a connection. then when it reaches some limit block it for an hour and clear the counter.&nbsp;

Forum Discussion

irule Brute Force attack control on SFTP Virtual servers

1 Reply

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Illegal Metacharacter in Parameter Name in Json Data

Cisco TACACS+ Config on ISE LTM Pair

AS3 declaration to set cookie to preferred

SSL Bridging and FQDN rewrite Policy

Checking for X-Forwarded-For against an Address Data-Group

Related Content

iControl REST Cookbook - Virtual Server (ltm virtual)

virtual server config

Syslog virtual server

JWT authorization with NGINX Ingress Controller

Check a Virtual Server's SSL Status

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS