Forum Discussion
Lockout Policy APM
Hi,
I am new to F5; I think I started with APM just around 1 month ago, so may I ask for your help. So the setup using the access policy right now is:
- group 1 - resources - allow
- success - AD QUERY - fallback - deny
START > LOGIN > AD AUTH - fallback - deny
So what we want is to add a lockout policy, wherein if the user tries to log in but fails to log in 3 times, they will be locked out for 5 minutes.
I've tried the things I found on the internet but I can't seem to work it out, I think due to being inexperienced with iRules and with F5 as well.
Please give suggestions or, if you can, give me a solution. Thank you.
6 Replies
- amolari
Cirrostratus
This might help you configure what you want: Manual Chapter: Local User Database, section "Overview: Using a local user database to control authentication"
- Henrik_Gyllkran
Nimbostratus
The quick and easy way would be to use the table command, adding an entry for the source IP once the client fails to log in. The drawback of this method is that if multiple clients come from the same IP, this will mess with the lot of them. So, to begin with, add two iRule Events to your policy. You will find them under the General section in the Policy Editor.
The first should be between "Start" and "Login"; in the ID field type something appropriate like "check_logon" (you'll get the context of this soon).
The second one should be between "AD Auth" and "Deny" on the Fallback branch. In my example I used "failed_logon" as the ID for this.
Then you create the following iRule and associate that with the Virtual Server:
```tcl
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "failed_logon" } {
        # Failed logon: record the client IP for 300 seconds
        table set [IP::client_addr] 100 300
    } elseif { [ACCESS::policy agent_id] eq "check_logon" } {
        # New logon attempt: drop the traffic if the IP is still in the table
        if { !([table lookup -notouch [IP::client_addr]] eq "") } {
            discard
        }
    }
}
```
The "agent_id" in the above iRule corresponds to the IDs in the policy. This means that if the client fails to log in, the iRule creates an entry for that IP address in the session table with a timeout of 300 seconds. The value (100) in the table set command is just so that the value isn't empty.
Then when the client tries again, the iRule checks if there is an entry and, if that is the case, the iRule drops the traffic until the entry times out from the table after 300 seconds. There is of course the possibility to provide the users with a more helpful response if a discard is too harsh, but then again, if you suspect that someone is brute-forcing your application there is no such thing as being too harsh, is there?
- Henrik_Gyllkran
Nimbostratus
On second consideration I realised that my example wasn't working as expected, so I changed the iRule to this instead:
```tcl
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "failed_logon" } {
        # Failed logon: record the client IP for 300 seconds
        table set [IP::client_addr] 100 300
    }
}
when HTTP_REQUEST {
    # Reject every request from an IP that is still in the table
    if { !([table lookup -notouch [IP::client_addr]] eq "") } {
        reject
    }
}
```
Now it works as I expected, and this also means you can remove the first iRule Event from the policy. Or not create it at all, as it were.
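The reply above locks the client out on the first failed logon, while the question asks for a lockout after three failures. The following iRule is an added example, not code from this thread or from F5, that counts failures per client IP with `table incr` and only blocks once the count reaches the threshold; it assumes the same "failed_logon" iRule Event ID on the AD Auth fallback branch, a 300 second window, and a key prefix ("lockout:") chosen here to avoid clashing with other table entries. It also returns an HTTP response instead of rejecting the connection, so a locked-out user sees why they cannot log in.

```tcl
# Added example: three-strike lockout per client IP (not from the original thread).
# Assumes an iRule Event with ID "failed_logon" on the AD Auth fallback branch.
when RULE_INIT {
    # Number of failed logons before lockout and lockout length in seconds
    set static::lockout_threshold 3
    set static::lockout_seconds 300
}

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "failed_logon" } {
        set key "lockout:[IP::client_addr]"
        # Create the counter on the first failure, increment it afterwards
        set fails [table incr $key]
        # Each failure restarts the 5 minute window
        table timeout $key $static::lockout_seconds
        if { $fails >= $static::lockout_threshold } {
            log local0. "APM lockout: $fails failed logons from [IP::client_addr]"
        }
    }
}

when HTTP_REQUEST {
    set fails [table lookup -notouch "lockout:[IP::client_addr]"]
    # Only block once the threshold is reached; earlier failures pass through
    if { $fails ne "" && $fails >= $static::lockout_threshold } {
        HTTP::respond 429 content "Too many failed logons. Try again in 5 minutes." noserver
        return
    }
}
```

Keying on the client IP keeps the shared-NAT drawback Henrik mentioned; the log line gives you something to alert on, and the 429 response makes the lockout visible to the user and to monitoring without tearing down the connection.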
- Allanwynn_16283
Nimbostratus
Hi, is the agent_id the name of the iRule, or is it the name of the iRule Event box in the VPE?
- Allanwynn_16283
Nimbostratus
How can I test if this is working, sir?
agent_id is the name of the iRule Event box in the VPE.
But it is checked, so you don't have to change it. As mentioned, you add two iRule Events with those names to your policy.
As for testing, that is quite easy: try to log in, fail three times and see if you can log in again after that.