rate limit - too many bad logins

Question

Is there a way to setup an iRule to limit ip address if they try to login to a particular URL too many times but getting denied becuase of wrong password or username, and then deny them access for a certain period of time?&nbsp;
&nbsp;I am very new to F5, and still trying to understand it.&nbsp;
&nbsp;Thanks in advance&nbsp;

chris_miller · Answer

The ability definitely exists...someone more versed than I would have to write the rule. You'd basically have to increment a counter based on a certain response string from the server.

hoolio · Answer

As Chris suggests, you could use an iRule implement the checks you've described.  This wouldn't be a simple iRule, but it could be done.  It would be a lot simpler and efficient if you're running (or able to upgrade to) 10.1 or higher as you'll be able to use the table command to track the client IP addresses.  Keep in mind that if you have a lot of clients connecting from behind the same proxy address, you could potentially block legitimate users who share the same proxy. 
&nbsp;  
&nbsp; You'd first check for requests to login pages and then the response headers or content to determine if the login attempt failed.  If you can determine this from the response headers it would be a lot more efficient than checking the response payload.  You could keep track keep a blacklist of client IP addresses which you use to ban users who fail the login process too many times.   
&nbsp;  
&nbsp; To check the requested URI, you can use HTTP::path or HTTP::uri in the HTTP_REQUEST event.  To check response headers you can use HTTP::header in the HTTP_RESPONSE event.  To collect the response payload, you can use HTTP::collect in the HTTP_RESPONSE event.  Once the data has been collected, you can retrieve it using HTTP::payload in the HTTP_RESPONSE_DATA event.   
&nbsp;  
&nbsp; See the HTTP wiki page for details on these commands and events: 
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/http 
&nbsp;  
&nbsp; You can check the table command wiki page for details on this command: 
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/table 
&nbsp;  
&nbsp; Table article series 
&nbsp; http://devcentral.f5.com/Default.aspx?tabid=63&amp;articleType=ArticleView&amp;articleId=2375 
&nbsp;  
&nbsp; Also, the Application Security Manager (ASM) provides protection against brute force attacks via simple GUI configuration.  It might be worth looking into this as an option. 
&nbsp; http://www.f5.com/products/big-ip/product-modules/application-security-manager.html 
&nbsp;  
&nbsp; Aaron

Forum Discussion

rate limit - too many bad logins

Recent Discussions

BIG-IP Oauth Client and AS

F5 BOT DEFENSE AWAF blocked some legitimate browsers

Advice to partial rename uri path

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Submenus missing in ASM Security Tab

Related Content

Introduction to F5 Distributed Cloud Console Rate Limiting Feature

Rate Limiting SSL VPN User Traffic

Rate Limit HTTP Requests

Rate limiting GraphQL API query using iRule and Advanced WAF Violation

Where you Rate-Limit APIs Matters

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS