11-Nov-2019 06:44
Ver. 14.1
ASM Policy framework: ASM OWA Policy
We are trying to provide a soft lockout for user logins to OWA: when they fail to auth 2 times, they have to wait 15 minutes. When we create the Brute Force Protection for the start page, we are seeing that UserID only has Alarm, Alarm and Client Side Integrity, and Alarm and CAPTCHA.
Preferably, we would want the option to Alarm and Block when users keep hitting the VIP. Now, we can provide some soft lockout features if we also change the IP address action to Alarm and Block, but the UserID is the option we were hoping to provide the block at.
With UserID set to Alarm and IP address to Alarm and Block, we don't feel like we are getting the full soft lockout function, as we want to monitor user login activity. Thoughts?
31-Dec-2019 06:00
From OLH - A brute force attack can be automated, but a hacker can outsource CAPTCHA challenges to turks (a.k.a. CAPTCHA farm) to pass the CAPTCHA challenges. CAPTCHA Bypass is detected only after a source-based brute-force attack has been detected and mitigation has been applied. The system counts occurrences of a combination of two simultaneous events: successful CAPTCHA challenge solution by a client and a failed login attempt. There are separate counters for Device ID and Source IP. When a counter is higher than the threshold, enforcement action is applied. CAPTCHA Bypass detection is not applicable to username. CAPTCHA is the strictest mitigation available for username, which guarantees login availability for legitimate users even if their account is under a brute force attack.
Alarm+Block will affect a legitimate user logging in.
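
The counting rule quoted from the online help above, modeled in Python as an added example; it is not part of the original posts and is not F5's implementation. The event field names, the default threshold of 3 and the sample events are assumptions constructed for illustration, and time windows are not modeled.

```python
from collections import Counter

def ev(device_id, source_ip, username, captcha_solved, login_ok, mitigated=True):
    """Build one constructed login event (all field names are hypothetical)."""
    return {"device_id": device_id, "source_ip": source_ip, "username": username,
            "captcha_solved": captcha_solved, "login_ok": login_ok,
            "mitigated": mitigated}

def detect_captcha_bypass(events, threshold=3):
    """Return the device IDs and source IPs whose counter exceeded `threshold`.

    The threshold default is an assumption; time windows are not modeled.
    """
    counters = {"device_id": Counter(), "source_ip": Counter()}
    flagged = {"device_id": set(), "source_ip": set()}
    for e in events:
        # Counting starts only after source-based mitigation has been applied.
        if not e["mitigated"]:
            continue
        # The counted event is the combination: CAPTCHA solved AND login failed.
        if not e["captcha_solved"] or e["login_ok"]:
            continue
        # Separate counters per Device ID and per Source IP; none per username.
        for key in ("device_id", "source_ip"):
            counters[key][e[key]] += 1
            if counters[key][e[key]] > threshold:
                flagged[key].add(e[key])
    return flagged

# Constructed sample: one device solving CAPTCHAs and failing logins from five IPs,
# plus a user who mistypes once and then logs in.
SAMPLE_EVENTS = (
    [ev("dev-A", "198.51.100.1", "alice", True, False, mitigated=False)]
    + [ev("dev-A", f"198.51.100.{i}", "alice", True, False) for i in range(1, 6)]
    + [ev("dev-B", "203.0.113.9", "bob", True, False),
       ev("dev-B", "203.0.113.9", "bob", True, True),
       ev("dev-C", "203.0.113.9", "carol", False, False)]
)

if __name__ == "__main__":
    print(detect_captcha_bypass(SAMPLE_EVENTS))
```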