Forum Discussion
Issues with irule to prevent password guessing (active sync)
Hi all,
I have an iRule (see below) that collects the username when a client connects using ActiveSync, and after repeated retries locks the user out for a specified amount of time. The problem is that at first it seems to work great, but then I started to get loads of entries in the ltm log:
Rule /Common/user_lockout : blacklist for 1 timeout remaining: 62
When I start to see this message, all requests are dropped, and all users get "username failed too many times".
As you can see in the iRule, I set user to 1 if the username is not empty and the uri is /Microsoft-Server-ActiveSync.
Hope you have some ideas 🙂 Thanks.
```tcl
when RULE_INIT {
    set static::debug 9
    set static::maxquery 3
    set static::holdtime 60
    set static::blacklist_time 90
}

when CLIENT_ACCEPTED {
    set srcip [IP::remote_addr]
}

when HTTP_REQUEST {
    # Key the lockout tables on the Basic-auth username for ActiveSync requests;
    # any other request (no Authorization header, or a different URI) is keyed
    # under the literal value 1.
    if { ([HTTP::username] != "") and ([string tolower [HTTP::uri]] starts_with "/Microsoft-Server-ActiveSync" ) } {
        set user [HTTP::username]
    } else {
        set user 1
    }
    if { $static::debug > 1 } {
        log local0.alert "[virtual] [IP::remote_addr]:[TCP::remote_port] -> [IP::local_addr]:[TCP::local_port] [HTTP::host]/[HTTP::uri]"
        log local0.alert "Authorization header [HTTP::header Authorization] ([HTTP::username])"
        log local0.alert "blacklist for $user timeout remaining: [table timeout -subtable "blacklist" -remaining $user]"
    }
    # Reject the request outright while the key is on the blacklist.
    if { [table lookup -notouch -subtable "blacklist" $user] != "" } {
        log local0.alert "blacklist for $user timeout remaining: [table timeout -subtable "blacklist" -remaining $user]"
        HTTP::respond 200 content "username failed too many times"
        TCP::close
        return
    }
}

when HTTP_RESPONSE {
    log local0.alert "Status: [HTTP::status]"
    if { [HTTP::status] == 401 } {
        log local0.alert "Auth failed, User: $user"
        # Count 401s per key; the counter entry lives for $static::holdtime seconds.
        set count [table incr $user]
        table lifetime $user $static::holdtime
        if { $static::debug > 1 } {
            log local0.alert "count is: $count"
            log local0.alert "table timeout [table timeout -remaining $user]"
            log local0.alert "table lifetime [table lifetime -remaining $user]"
        }
        # At the threshold, move the key to the blacklist subtable and drop the connection.
        if { $count >= $static::maxquery } {
            log local0.alert "Adding $user to blacklist and dropping connection"
            table add -subtable "blacklist" $user "blocked" $static::blacklist_time $static::blacklist_time
            table delete $user
            drop
            return
        }
    }
}
```
3 Replies
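To make the table logic concrete, here is an added Python model of the posted iRule's two tables (the failure counter in the default table and the "blacklist" subtable). It is not code from the thread or from F5; the class and function names (`LockoutTable`, `replay`, `lockout_key_original`, `lockout_key_fixed`) and the traffic sample are assumptions of the example. The sample replays three unauthenticated OWA hits that Exchange answers with 401, then an ActiveSync user with good credentials, then a user who fails three times on ActiveSync. Under the posted key selection, every request that is not an ActiveSync request carrying a Basic-auth username is keyed under the literal 1, so unrelated 401s pool under that single key and, once it reaches maxquery, every such request is rejected; `lockout_key_fixed` is a hypothetical alternative that simply does not track those requests. Timing is simplified: the counter is modelled as expiring holdtime seconds after the most recent failure.

```python
"""Model of a per-username lockout built on two F5-style tables (added example)."""

MAXQUERY = 3         # static::maxquery
HOLDTIME = 60        # static::holdtime, lifetime of the failure counter
BLACKLIST_TIME = 90  # static::blacklist_time
AS_URI = "/microsoft-server-activesync"


def lockout_key_original(username, uri):
    """Key selection as posted: ActiveSync + Basic-auth username, else the literal 1."""
    if username and uri.lower().startswith(AS_URI):
        return username
    return "1"


def lockout_key_fixed(username, uri):
    """Hypothetical alternative: requests without an ActiveSync username are not tracked."""
    if username and uri.lower().startswith(AS_URI):
        return username
    return None


class LockoutTable:
    """Failure counter (default table) plus the 'blacklist' subtable, with simulated time."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.counts = {}     # key -> (count, expires_at); assumption: expiry from last failure
        self.blacklist = {}  # key -> expires_at

    def _expire(self, now):
        self.counts = {k: v for k, v in self.counts.items() if v[1] > now}
        self.blacklist = {k: t for k, t in self.blacklist.items() if t > now}

    def request(self, username, uri, now):
        """HTTP_REQUEST side: True if the request is rejected as blacklisted."""
        self._expire(now)
        key = self.key_fn(username, uri)
        return key is not None and key in self.blacklist

    def response(self, username, uri, status, now):
        """HTTP_RESPONSE side: count 401s per key; True when the key gets blacklisted."""
        self._expire(now)
        if status != 401:
            return False
        key = self.key_fn(username, uri)
        if key is None:
            return False
        count = self.counts.get(key, (0, 0))[0] + 1
        self.counts[key] = (count, now + HOLDTIME)
        if count >= MAXQUERY:
            self.blacklist[key] = now + BLACKLIST_TIME
            del self.counts[key]
            return True
        return False


# Constructed traffic sample: (basic-auth username or None, uri, backend status, time).
TRAFFIC = [
    (None, "/owa/", 401, 0),                                      # 0: unauthenticated OWA
    (None, "/owa/", 401, 1),                                      # 1
    (None, "/owa/", 401, 2),                                      # 2: third 401 under key "1"
    (None, "/owa/", 200, 3),                                      # 3: would be served
    ("alice", "/Microsoft-Server-ActiveSync?Cmd=Sync", 200, 4),   # 4: valid credentials
    ("bob", "/Microsoft-Server-ActiveSync?Cmd=Sync", 401, 5),     # 5: bob guesses wrong
    ("bob", "/Microsoft-Server-ActiveSync?Cmd=Sync", 401, 6),     # 6
    ("bob", "/Microsoft-Server-ActiveSync?Cmd=Sync", 401, 7),     # 7: bob hits maxquery
    ("bob", "/Microsoft-Server-ActiveSync?Cmd=Sync", 200, 8),     # 8: bob, right password
    ("bob", "/Microsoft-Server-ActiveSync?Cmd=Sync", 200, 98),    # 9: after blacklist_time
]


def replay(key_fn, traffic=TRAFFIC):
    """Replay the sample and return the indexes of requests the rule rejected."""
    table = LockoutTable(key_fn)
    rejected = []
    for i, (user, uri, status, now) in enumerate(traffic):
        if table.request(user, uri, now):
            rejected.append(i)
            continue  # rejected before reaching the backend, so no response is seen
        table.response(user, uri, status, now)
    return rejected


if __name__ == "__main__":
    print("posted key selection rejects:", replay(lockout_key_original))  # [3, 8]
    print("untracked sentinel rejects:  ", replay(lockout_key_fixed))     # [8]
```

Two points worth weighing before deploying a rule of this shape: `[HTTP::username]` is only populated from a Basic Authorization header, and Basic-auth clients normally send their first request without one and retry with credentials only after the 401 challenge, so that challenge counts as a failure under any 401-based counter; and a lockout keyed purely on username lets anyone who knows or guesses account names lock those accounts out for blacklist_time seconds at a time, so the srcip captured in CLIENT_ACCEPTED but never used is worth folding into the key or into a second counter.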
- nitass
Employee
shouldn't the uri (/Microsoft-Server-ActiveSync) be in lower case, because you use string tolower?
if { ([HTTP::username] != "") and ([string tolower [HTTP::uri]] starts_with "/Microsoft-Server-ActiveSync" ) } {
- JimT
Nimbostratus
Hi nitass. I changed that to lowercase, but the same result is still there.
The strange thing is when I activate this rule on the VIP made by the iApp (for Exchange 2013), users are not able to go to the owa directory either... The script just blocks everything.
If I comment out "if { [table lookup -notouch -subtable "blacklist" $user] != "" }" the owa page shows up again.
I don't see the logic in that since it shouldn't activate on other uri's except for microsoft-server-activesync.
- nitass
Employee
I changed that to lowercase, but the same result is still there.
so, you may need to do some debugging.
iRules 101 - 09 - Debugging by Joe Pruitt
https://devcentral.f5.com/articles/irules-101-09-debugging