I was asked if i could find a way to temporary blacklist clients after x failed logins. The reason was to avoid lockout in AD when users changed their passwords, but forgot to change the password in their phones connected through ActiveSync.<\/p>\n
If a phone connects to ActiveSync with the wrong password, resulting in a error 401, i should be able to catch that and save the IP in a table. If it re-occurs 4 times or more in less then 10 minutes than the A10 should remember this and drop the traffic, resulting in request not being sent to the mail server and the AD account not being locked out.<\/p>\n
Thats the theory. Below is my current solution, very much in POC state but my initial testing looks promising \ud83d\ude42 But i’m sure there are many aFlex\/TCL gurus out there to correct me. I’m certainly not one of them!<\/p>\n
A few notes:<\/p>\n
when RULE_INIT {\r\n set ::maxfailedrequests 5\r\n set ::holdtime 600\r\n}\r\n\r\nwhen HTTP_REQUEST {\r\n set key [IP::client_addr]\r\n if { [table lookup \"blacklist\" $key] != \"\" } {\r\n reject\r\n log \"$first_key is blocked\"\r\n return\r\n }\r\n\r\n if { [table lookup tmp_table $key] == \"\" } {\r\n table set tmp_table $key 1 indef $::holdtime\r\n log \"$key's session table created.\"\r\n return\r\n }\r\n}\r\n\r\nwhen HTTP_RESPONSE {\r\n if { ([HTTP::status] == 401) } {\r\n set count [table incr tmp_table $key]\r\n log \"failed request count: $count\"\r\n if { $count > $::maxfailedrequests } {\r\n table add \"blacklist\" $key \"blocked\" indef $::holdtime\r\n log \"$key blacklisted for $::holdtime seconds \"\r\n table delete tmp_table $key\r\n reject\r\n return\r\n }\r\n }\r\n}<\/pre>\n <\/p>\nFollow jonlin76<\/a>\n