I was asked if I could find a way to temporarily blacklist clients after x failed logins. The reason was to avoid lockouts in AD when users changed their passwords but forgot to change the password on their phones connected through ActiveSync.
If a phone connects to ActiveSync with the wrong password, resulting in an error 401, I should be able to catch that and save the IP in a table. If it re-occurs 4 times or more in less than 10 minutes, the A10 should remember this and drop the traffic, so the request is not sent to the mail server and the AD account is not locked out.
That's the theory. Below is my current solution, very much in POC state, but my initial testing looks promising. I'm sure there are many aFlex/TCL gurus out there to correct me; I'm certainly not one of them!
A few notes:
- Because I write each failed attempt to the temp table, the blacklist lasts 10 minutes after the last failed login. This is probably longer than needed.
- maxfailedrequests is set to 5, because it always starts at 2 for me, and I'm not sure why. I did expect it to start at 1, since the initial status from the server is 401, but not 2.
- holdtime is the time in seconds the address is blocked
- You should probably not write to the log in a production environment
when RULE_INIT {
    # Failed (401) responses a client may accumulate before it is blocked.
    # The per-client counter is seeded with 1 below, so the first 401 reads 2.
    set ::maxfailedrequests 5
    # Seconds a client stays blacklisted; also the lifetime of its counter entry.
    set ::holdtime 600
}

when HTTP_REQUEST {
    set key [IP::client_addr]
    # Drop the request before it reaches the mail server if the client is blacklisted.
    if { [table lookup "blacklist" $key] != "" } {
        reject
        log "$key is blocked"
        return
    }
    # First request from this client: create its failure counter.
    if { [table lookup tmp_table $key] == "" } {
        table set tmp_table $key 1 indef $::holdtime
        log "$key's session table created."
        return
    }
}

when HTTP_RESPONSE {
    # Only a 401 from the mail server counts as a failed login.
    if { [HTTP::status] == 401 } {
        set count [table incr tmp_table $key]
        log "failed request count: $count"
        if { $count > $::maxfailedrequests } {
            table add "blacklist" $key "blocked" indef $::holdtime
            log "$key blacklisted for $::holdtime seconds"
            table delete tmp_table $key
            reject
            return
        }
    }
}
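To make the rule's behaviour easy to reason about without an A10 in front of you, here is a Python model of the same state machine. This is an added example, not aFlex code and not part of the original post: the class name LoginThrottle, the simulate helper and the sample addresses are my own, while the thresholds mirror the rule's ::maxfailedrequests and ::holdtime. It reproduces the request/response split, the counter entry seeded with 1 (which is why the first 401 is counted as 2), the entry lifetime, and the blacklist hold time, with time passed in explicitly so expiry can be exercised without waiting ten minutes.

```python
"""Stand-alone model of the aFlex failed-login throttle (constructed example).

Tables are plain dicts keyed by client IP; timestamps are passed in by the
caller so the expiry behaviour can be checked offline.
"""

MAX_FAILED_REQUESTS = 5   # mirrors ::maxfailedrequests in the rule
HOLD_TIME = 600           # mirrors ::holdtime, in seconds


class LoginThrottle:
    """Per-client 401 counter plus a time-limited blacklist."""

    def __init__(self, max_failed=MAX_FAILED_REQUESTS, hold_time=HOLD_TIME):
        self.max_failed = max_failed
        self.hold_time = hold_time
        self.tmp_table = {}   # ip -> {"count": int, "expires_at": float}
        self.blacklist = {}   # ip -> expires_at

    def _purge(self, now):
        """Drop entries whose lifetime has passed (the table engine does this for the rule)."""
        self.blacklist = {ip: t for ip, t in self.blacklist.items() if t > now}
        self.tmp_table = {ip: e for ip, e in self.tmp_table.items()
                          if e["expires_at"] > now}

    def on_request(self, ip, now):
        """HTTP_REQUEST side: 'reject' a blacklisted client, otherwise 'forward'."""
        self._purge(now)
        if ip in self.blacklist:
            return "reject"
        if ip not in self.tmp_table:
            # Seeded with 1 exactly as the rule does, so the first 401 is counted as 2.
            self.tmp_table[ip] = {"count": 1, "expires_at": now + self.hold_time}
        return "forward"

    def on_response(self, ip, status, now):
        """HTTP_RESPONSE side: count a 401 and blacklist once the threshold is exceeded."""
        if status != 401:
            return "pass"
        entry = self.tmp_table.get(ip)
        if entry is None:          # counter expired between request and response
            return "pass"
        entry["count"] += 1
        if entry["count"] > self.max_failed:
            self.blacklist[ip] = now + self.hold_time
            del self.tmp_table[ip]
            return "blacklisted"
        return "counted"


def simulate(throttle, events):
    """Replay (ip, server_status, timestamp) events; a rejected request never reaches the server."""
    results = []
    for ip, status, now in events:
        action = throttle.on_request(ip, now)
        if action == "reject":
            results.append((action, None))
            continue
        results.append((action, throttle.on_response(ip, status, now)))
    return results


if __name__ == "__main__":
    # Constructed sample: one phone retrying a stale password once per second.
    throttle = LoginThrottle()
    events = [("192.0.2.10", 401, t) for t in range(6)]
    for ev, res in zip(events, simulate(throttle, events)):
        print(ev, "->", res)
    print("after hold time:", throttle.on_request("192.0.2.10", 6 + HOLD_TIME))
```

With the rule's defaults the fifth 401 in a row trips the blacklist (counts 2, 3, 4, 5, then 6 > 5), the sixth request is rejected at the A10 without touching the mail server, and the client is forwarded again once hold_time seconds have passed since it was blacklisted. Lowering the seed to 0 in on_request is the one-line change that would make the counter match the number of actual failures.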