Tag Archives: load balancing

A10 aFlex: Temporary blacklist clients based on failed logins

I was asked if i could find a way to temporary blacklist clients after x failed logins. The reason was to avoid lockout in AD when users changed their passwords, but forgot to change the password in their phones connected through ActiveSync.

If a phone connects to ActiveSync with the wrong password, resulting in a error 401, i should be able to catch that and save the IP in a table. If it re-occurs 4 times or more in less then 10 minutes than the A10 should remember this and drop the traffic, resulting in request not being sent to the mail server and the AD account not being locked out.

Thats the theory. Below is my current solution, very much in POC state but my initial testing looks promising 🙂 But i’m sure there are many aFlex/TCL gurus out there to correct me. I’m certainly not one of them!

A few notes:

  • Because i write failed attempt to temp-table, the blacklist is 10 minutes after the last failed logins. This is probably longer than needed.
  • maxfadiledrequests is set to 5, because it always start at 2 for me.. and i’m not sure why. I did expect it to start at 1 since the initial status from server is 401, but not 2.
  • holdtime is the the in seconds the address is blocked
  • You should probably not write to log in a production environment
when RULE_INIT {
    set ::maxfailedrequests 5
    set ::holdtime 600

    set key [IP::client_addr]
    if { [table lookup "blacklist" $key] != "" } {
        log "$first_key is blocked"

    if { [table lookup tmp_table $key] == "" } {
        table set tmp_table $key 1 indef $::holdtime
        log "$key's session table created."

    if { ([HTTP::status] == 401) } {
        set count [table incr tmp_table $key]
        log "failed request count: $count"
        if { $count > $::maxfailedrequests } {
            table add "blacklist" $key "blocked" indef $::holdtime
            log "$key blacklisted for $::holdtime seconds "
            table delete tmp_table $key