aFleX: Brute Force Attack Protection
Hi A10 vADC Community,
I would like to share with the A10 vADC community a custom aFleX script created by an A10 SE (Jose S.). This aFleX script mitigates and protects the A10 ADC from brute-force attacks. This is a very useful script and is customizable based on parameter preference. I strongly suggest implementing this script in any of your deployments.
Genard
------------ Copy from here-------------
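when RULE_INIT {
    # Failed logins allowed per source IP before blocking
    set ::intentosmax 3
    # Seconds a source IP stays blocked after its last failed login
    set ::holdtime 120
}
when HTTP_REQUEST {
    set srcip [IP::remote_addr]
    # -notouch: reading the counter must not refresh its timeout
    set fails [table lookup "failedlogins" -notouch $srcip]
    # Use >= rather than equals: failures already in flight can push the
    # counter past the limit, and an exact match would then never block
    if { $fails != "" && $fails >= $::intentosmax } {
        HTTP::respond 200 content "Stop hacking!!!! [table timeout "failedlogins" -remaining $srcip] seconds"
        log "Login blocked for ip:$srcip > remaining: [table timeout "failedlogins" -remaining $srcip]s"
    }
}
when HTTP_RESPONSE {
    # A failed login is signalled by a redirect to the failure page
    if {[HTTP::header exists "Location"]} {
        if {([HTTP::header "Location"] ends_with "/welcome.cgi?p=failed")} {
            if { [table lookup "failedlogins" $srcip] != "" } {
                # Known source: count the failure and restart the hold timer
                table incr failedlogins $srcip
                table timeout "failedlogins" $srcip $::holdtime
            } else {
                # First failure from this source: create the counter
                table add failedlogins $srcip 1 $::holdtime
            }
            log "Login detected from ip:$srcip Accumulated:[table lookup failedlogins $srcip]>remaining: [table timeout "failedlogins" -remaining $srcip]s"
        }
    }
}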
------------ Copy to here-------------
You can adapt it to work with any failure condition. In this case we look for a redirect to "/welcome.cgi?p=failed"; in your case it can be a 403 or any other value within the response.
Just change this "if" condition:
if {([HTTP::header "Location"] ends_with "/welcome.cgi?p=failed")}
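The 403 adaptation mentioned above, as an added example that is not part of the original post or of Jose S.'s script. It assumes the backend answers a bad password with status 403 and that the login form posts to /login.cgi (a hypothetical path); the use of HTTP::method, HTTP::uri and HTTP::status and the ::loginuri and islogin names are also assumptions of this example. Because a 403 can come from any resource, only responses to login attempts are counted.

```tcl
# Added example, not the original script.
# Assumptions: a failed login returns 403, and the login form posts to
# /login.cgi (hypothetical path, adjust to your application).
when RULE_INIT {
    set ::intentosmax 3
    set ::holdtime 120
    set ::loginuri "/login.cgi"
}
when HTTP_REQUEST {
    set srcip [IP::remote_addr]
    # Reset per request: one connection can carry many requests
    set islogin 0
    set fails [table lookup "failedlogins" -notouch $srcip]
    if { $fails != "" && $fails >= $::intentosmax } {
        HTTP::respond 200 content "Stop hacking!!!! [table timeout "failedlogins" -remaining $srcip] seconds"
        log "Login blocked for ip:$srcip > remaining: [table timeout "failedlogins" -remaining $srcip]s"
    } else {
        # Mark only login submissions, so a 403 on any other resource
        # does not count against the client
        if { [HTTP::method] equals "POST" && [HTTP::uri] starts_with $::loginuri } {
            set islogin 1
        }
    }
}
when HTTP_RESPONSE {
    # Failure condition: status code instead of the Location header
    if { $islogin == 1 && [HTTP::status] == 403 } {
        if { [table lookup "failedlogins" $srcip] != "" } {
            table incr failedlogins $srcip
            table timeout "failedlogins" $srcip $::holdtime
        } else {
            table add failedlogins $srcip 1 $::holdtime
        }
        log "Failed login (403) from ip:$srcip Accumulated:[table lookup failedlogins $srcip]"
    }
}
```

The counter is keyed on source IP, so clients behind one NAT address share a single limit.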