waf brute-force-login
Use this command to configure brute force login attack sensors.
Brute force attacks attempt to penetrate systems by the sheer number of clients, attempts, or computational power, rather than by intelligent insight. For example, in brute force attacks on authentication, multiple web clients may rapidly try one user name and password combination after another in an attempt to eventually guess a correct login and gain access to the system. This behavior differs from that of web crawlers, which typically do not focus on a single URL.
Brute force login attack sensors track the rate at which each source IP address makes requests for specific URLs. If the source IP address exceeds the threshold, the FortiWeb appliance penalizes the source IP address by blocking additional requests for the time period that you indicate in the sensor.
To apply a brute force login attack sensor, select it within an inline protection profile. For details, see “config waf web-protection-profile inline-protection”.
You can use SNMP traps to notify you when a brute force login attack is detected. For details, see “config system snmp community”.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For more information, see “Permissions”.
Syntax
config waf brute-force-login
    edit <brute-force-login_name>
        set severity {High | Medium | Low}
        set trigger <trigger-policy_name>
        config login-page-list
            edit <entry_index>
                set access-limit-standalone-ip <rate_int>
                set access-limit-share-ip <rate_int>
                set block-period <seconds_int>
                set host <allowed-hosts_name>
                set host-status {enable | disable}
                set ip-port-enable {enable | disable}
                set request-file <url_str>
            next
        end
    next
end
<brute-force-login_name>
    Type the name of a new or existing brute force login attack sensor. The maximum length is 35 characters.
    To display a list of the existing sensors, type:
        edit ?
    Default: No default.

severity {High | Medium | Low}
    Select the severity level to use in logs and reports generated when a violation of the rule occurs.
    Default: High

trigger <trigger-policy_name>
    Type the name of the trigger policy to apply when this policy is violated (see “config log trigger-policy”). The maximum length is 35 characters.
    To display the list of existing trigger policies, type:
        set trigger ?
    Default: No default.

access-limit-standalone-ip <rate_int>
    Type the rate threshold for source IP addresses that are single clients. Request rates exceeding the threshold cause the FortiWeb appliance to block additional requests for the length of time set in block-period <seconds_int>.
    The valid range is from 0 to 9,999,999,999,999,999,999. To disable the rate limit, type 0.
    Default: 1

access-limit-share-ip <rate_int>
    Type the rate threshold for source IP addresses that are shared by multiple clients behind a network address translation (NAT) device such as a firewall or router. Request rates exceeding the threshold cause the FortiWeb appliance to block additional requests for the length of time set in block-period <seconds_int>.
    The valid range is from 0 to 9,999,999,999,999,999,999. To disable the rate limit, type 0.
    Note: Blocking a shared source IP address could block innocent clients that share the same source IP address with an offending client. In addition, the rate is a total rate for all clients that use the same source IP address. For these reasons, you should usually enter a greater value for this field than for access-limit-standalone-ip <rate_int>.
    Default: 1

block-period <seconds_int>
    Type the length of time for which the FortiWeb appliance blocks additional requests after a source IP address exceeds a rate threshold.
    The block period is shared by all clients whose traffic originates from the source IP address. The valid range is from 1 to 10,000 seconds.
    Default: 1

<entry_index>
    Type the index number of the individual entry in the table. The valid range is from 1 to 9,999,999,999,999,999,999.
    Default: No default.

host <allowed-hosts_name>
    Type the name of a protected host that the Host: field of an HTTP request must match in order for the request to be included in the sensor. The maximum length is 255 characters.
    This setting is applied only if host-status is enable.
    Default: No default.

host-status {enable | disable}
    Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to be included in the brute force login attack sensor’s rate calculations. Also configure host <allowed-hosts_name>.
    Default: disable

ip-port-enable {enable | disable}
    Enable to apply the limit of login attempts specified by access-limit-standalone-ip or access-limit-share-ip per TCP/IP session.
    When the value is disable, the limit is applied per source IP.
    Tip: If you need to cover both possibilities, create two members.
    Default: disable

request-file <url_str>
    Type the literal URL, such as /login.php, that the HTTP request must match to be included in the brute force login attack sensor’s rate calculations.
    The URL must begin with a slash ( / ). Do not include the name of the web host, such as www.example.com, which is configured separately in host <allowed-hosts_name>. The maximum length is 255 characters.
    Default: No default.
Example
This example limits IP addresses of individual HTTP clients to 3 requests per second, and NAT IP addresses to 20 requests per second, when they request the file login.php on the host www.example.com on TCP port 8080. A source IP address that exceeds its threshold is blocked for 120 seconds.
config waf brute-force-login
    edit "brute_force_attack_sensor"
        set access-limit-share-ip 20
        set access-limit-standalone-ip 3
        set block-period 120
        config login-page-list
            edit 1
                set host "www.example.com:8080"
                set host-status enable
                set request-file "/login.php"
            next
        end
    next
end
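The example configuration above, replayed through a small Python model of the sensor's rate logic (added here for illustration; this is not FortiWeb code, and the one-second counting window and the list of known NAT addresses are assumptions the page does not specify). It shows that the shared limit is a total across all clients behind one NAT address, and that a blocked address stays blocked for the whole block-period:

```python
from collections import defaultdict

class BruteForceLoginSensor:
    """Model of one login-page-list entry: per-source-IP request rate on a login URL."""

    def __init__(self, request_file, host=None, standalone_limit=1,
                 shared_limit=1, block_period=1, nat_ips=()):
        self.request_file = request_file          # request-file <url_str>
        self.host = host                          # host <allowed-hosts_name>; None = host-status disable
        self.standalone_limit = standalone_limit  # access-limit-standalone-ip (requests per second)
        self.shared_limit = shared_limit          # access-limit-share-ip (requests per second)
        self.block_period = block_period          # block-period <seconds_int>
        self.nat_ips = set(nat_ips)     # assumption: the shared (NAT) source IPs are known up front
        self.counts = defaultdict(int)  # (src_ip, whole second) -> matching requests seen
        self.blocked_until = {}         # src_ip -> time at which its block expires

    def check(self, ts, src_ip, host, path):
        """Classify one request at time ts (seconds) as 'ignored', 'pass' or 'blocked'."""
        if path != self.request_file or (self.host is not None and host != self.host):
            return "ignored"            # not a login-page request: no rate tracking
        if ts < self.blocked_until.get(src_ip, 0):
            return "blocked"            # source IP is still inside its block period
        limit = self.shared_limit if src_ip in self.nat_ips else self.standalone_limit
        key = (src_ip, int(ts))         # one-second window (assumption: rate is per second)
        self.counts[key] += 1
        if limit and self.counts[key] > limit:   # a limit of 0 disables the check
            self.blocked_until[src_ip] = ts + self.block_period
            return "blocked"
        return "pass"

def replay(sensor, requests):
    """Run (ts, src_ip, host, path) tuples through the sensor and return the verdicts."""
    return [sensor.check(*req) for req in requests]

def demo():
    """Replay constructed traffic (not a real capture) through the page's example sensor."""
    s = BruteForceLoginSensor("/login.php", host="www.example.com:8080",
                              standalone_limit=3, shared_limit=20,
                              block_period=120, nat_ips={"198.51.100.1"})
    client, nat, h = "203.0.113.7", "198.51.100.1", "www.example.com:8080"
    single = [(9.5, client, h, "/index.html"),                   # not the login page
              (9.6, client, "other.example.com", "/login.php")]  # wrong Host
    single += [(10.0 + i / 10, client, h, "/login.php") for i in range(5)]  # 5 in one second
    single += [(100.0, client, h, "/login.php"),                 # still inside the 120 s block
               (140.0, client, h, "/login.php")]                 # block has expired
    # 21 clients behind one NAT address in one second: the 21st exceeds the shared limit
    shared = [(50.0 + i / 100, nat, h, "/login.php") for i in range(21)]
    return {"single": replay(s, single), "shared": replay(s, shared)}
```

Calling demo() returns the verdict lists; the single client's fourth request in the same second is blocked and the address stays blocked until 130.3 s, while the NAT address passes 20 requests before its 21st is blocked.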
Related topics
config waf web-protection-profile inline-protection
config system snmp community
config waf application-layer-dos-prevention
config log trigger-policy