
BruteForce Mitigation using only One field in login page




If we have a login page with only one field, for example "SSN Number", and we need to protect this login page from brute force, is it possible?

We need to verify if the user typed the SSN number, for example, 3 times; after that F5 should block the user. But, as I said, this is using only one field in the login page, such as SSN number; no password will be entered in this login page.


We tried to use "None" for Authentication method but didn't achieve the goal.





I'm not sure you can with the Login Page configuration by default, and I haven't got up to date versions available to check if things have changed. However, I have seen this work in older versions using Data Guard. I wish I had the details to share more fully but here's an overview, which may be enough, or something which other DCers can help with and chip in on.


Firstly, create a Data Guard configuration with a custom pattern of whatever is returned after a failed login i.e. when a user enters in an incorrect SSN Number. Enforce this on a URL, i.e. the logon page, again in the DG config. Enable the block for Data Guard in the violations list (or Alarm to test). This should block on each failed attempt.


To allow for 3 attempts we would need to do session tracking, set the Associated Violation to Data Guard, set a blocking period and then add an IP Address Threshold for 3. Also enable block (or alarm) for the violation around disallowed IP address.


See if this helps with your requirement, and please feedback. I must admit this was v10 or v11 about 5 years ago so forgive me for faded memory and out of date configuration advice on this one.
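
A minimal model of the counting logic described in the reply above (a failed-login response pattern, a per-IP threshold of 3 and a blocking period), as an added example that is not part of the original post and is not F5 configuration. The failure text, the block period, the IP addresses and all names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed values (not from the thread): failure text and block period.
FAILED_LOGIN = re.compile(r"Invalid SSN", re.I)  # text returned after a failed login
THRESHOLD = 3        # failed attempts tolerated per source IP
BLOCK_SECONDS = 600  # blocking period once the threshold is reached

class LoginGuard:
    def __init__(self, threshold=THRESHOLD, block_seconds=BLOCK_SECONDS):
        self.threshold = threshold
        self.block_seconds = block_seconds
        self.failures = defaultdict(int)  # ip -> failed responses seen
        self.blocked_until = {}           # ip -> time the block expires

    def allow_request(self, ip, now):
        """Request side: refuse while the source IP is inside its block period."""
        until = self.blocked_until.get(ip)
        if until is None:
            return True
        if now < until:
            return False
        del self.blocked_until[ip]        # block expired, start counting again
        self.failures[ip] = 0
        return True

    def observe_response(self, ip, body, now):
        """Response side: the failure pattern in the body is the violation signal."""
        if FAILED_LOGIN.search(body):
            self.failures[ip] += 1
            if self.failures[ip] >= self.threshold:
                self.blocked_until[ip] = now + self.block_seconds
        else:
            self.failures.pop(ip, None)   # choice of this sketch: success resets

def replay(events, guard=None):
    """Run (time, ip, response_body) tuples through the guard, in order."""
    guard = guard or LoginGuard()
    decisions = []
    for now, ip, body in events:
        if not guard.allow_request(ip, now):
            decisions.append("blocked")
            continue
        guard.observe_response(ip, body, now)
        decisions.append("passed")
    return decisions

# Constructed sample traffic (documentation IP ranges), not real logs.
SAMPLE = [(0, "198.51.100.7", "Invalid SSN number"), (5, "198.51.100.7", "Invalid SSN number"),
          (9, "203.0.113.20", "Welcome"), (12, "198.51.100.7", "Invalid SSN number"),
          (15, "198.51.100.7", "Invalid SSN number"), (700, "198.51.100.7", "Welcome")]
```

Counting per source IP means users behind one NAT address share a counter, and the reset on a successful login is a choice of this sketch rather than something stated in the thread.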







Hello Nathe,


Thank you for your feedback.

I agree with you on that, and we were thinking the same, but actually we want to protect the login page from brute force attacks, as more attackers are always trying to log in with fake SSN numbers, which will lead to a service outage on the application.

F5 Employee

I think the best way will be to use some hidden parameter for the password, and then use a standard HTML Form login page for Brute Force protection.

You can add such a parameter via iRule (when HTTP_REQUEST) or add it into the application as hidden.


Thanks, Ivan