FortiWeb can prevent brute force login attacks.
Brute force attackers attempt to penetrate systems by the sheer number of clients, attempts, or computational power, rather than by intelligent insight or advance knowledge of application logic or data.
Specifically in brute force attacks on authentication, multiple web clients may rapidly try one user name and password combination after another in an attempt to eventually guess a correct login and gain access to the system. This behavior differs from that of web crawlers, which typically do not focus on a single URL.
Brute force login attack profiles track the rate at which each source IP address makes requests for specific URLs. If the source IP address exceeds the threshold, the FortiWeb appliance penalizes the source IP address by blocking additional requests for the time period that you indicate in the profile.
Note: This scan is bypassed if the client’s source IP is a known search engine and you have enabled Allow Known Search Engines.
1. Before you configure a brute force login attack profile, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected host names group. For details, see Defining your protected/allowed HTTP “Host:” header names. Before you configure the rate limit, enable detection of when source IP addresses are shared by multiple clients. For details, see Advanced settings.
Note: If you do not enable detection of shared IP addresses (Shared IP), the second threshold, Share IP Access Limit, will be ignored.
2. Go to Web Protection > Access > Brute Force.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
3. Click Create New.
4. Configure these settings:
|Name||Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.|
When rule violations are recorded in the attack log, each log message contains a Severity Level (
The default value is High.
|Trigger Policy||Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. See Viewing log messages.|
5. Click OK.
6. Click Create New to add an entry to the set.
A dialog appears.
7. Configure these settings:
|Host Status||Enable to require that the
Select which protected host names entry (either a web host name or IP address) that the
This option is available only if Host Status is enabled.
Tip: If you need to cover both possibilities, create two members.
Type the URL that the HTTP/HTTPS request must match to be included in the brute force login attack profile’s rate calculations.
When you have finished typing the regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression (see Regular expression syntax).
|Standalone IP Access Limit||Type the rate threshold for source IP addresses that are single clients. Request rates exceeding the threshold will cause the FortiWeb appliance to block additional requests for the length of the time in the Block Period field.|
To disable the rate limit, type
|Share IP Access Limit||Type the rate threshold for source IP addresses that are shared by multiple clients behind a network address translation (NAT) device such as a firewall or router. Request rates exceeding the threshold will cause the FortiWeb appliance to block additional requests for the length of the time in the Block Period field.|
To disable the rate limit, type
Note: Blocking a shared source IP address could block innocent clients that share the same source IP address with an offending client. In addition, the rate is a total rate for all clients that use the same source IP address. For these reasons, you should usually enter a greater value for this field than for Standalone IP Access Limit.
Note: This option will be ignored if you have not enabled detection of shared IP addresses. See Advanced settings.
|Block Period||Type the length of time in seconds for which the FortiWeb appliance will block subsequent requests after a source IP address exceeds the rate threshold in either Standalone IP Access Limit or Share IP Access Limit. The block period is shared by all clients whose traffic originates from the source IP address. The valid range is from 1 to 10,000 seconds.|
8. Click OK.
9. Repeat the previous steps for each individual login page that you want to add to the brute force login attack profile.
10. To apply the brute force login attack profile, select it in an inline protection profile (see Configuring a protection profile for inline topologies).
Attack log messages contain
Brute Force Login Violation when this feature detects a brute force login attack.
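The following is an added simulation of the profile logic described in the steps above; it is constructed for this page and is not FortiWeb code. It tracks, per source IP, the rate of requests whose URL matches the profile's regular expression, applies the Standalone IP Access Limit or (when shared IP detection is enabled) the Share IP Access Limit, blocks the address for the Block Period, and records a "Brute Force Login Violation" log entry at the default High severity. The class and function names, the one-second sliding window used to measure the rate, the use of None to disable a limit, and the sample IP addresses and traffic are all assumptions of the example, not values from the page.

```python
import re
from collections import defaultdict, deque


class BruteForceLoginProfile:
    """Simulated brute force login attack profile (constructed example, not FortiWeb code).

    Request rates are measured per source IP over a sliding window of `window`
    seconds (assumption: the page does not state the unit of the threshold).
    A threshold of None disables that limit in this simulation.
    """

    def __init__(self, url_pattern, standalone_limit, shared_limit, block_period,
                 shared_ip_detection=True, window=1.0, severity="High"):
        self.url_re = re.compile(url_pattern)          # request URL (regular expression)
        self.standalone_limit = standalone_limit       # Standalone IP Access Limit
        self.shared_limit = shared_limit               # Share IP Access Limit
        self.block_period = block_period               # Block Period in seconds (1 to 10,000)
        self.shared_ip_detection = shared_ip_detection  # Advanced settings > Shared IP
        self.window = window
        self.severity = severity                       # Severity Level written to the attack log
        self.history = defaultdict(deque)   # src_ip -> timestamps of counted requests
        self.blocked_until = {}             # src_ip -> time at which the block expires
        self.attack_log = []                # emitted "Brute Force Login Violation" messages

    def check(self, src_ip, url, now, shared_ip=False):
        """Return 'allow' or 'block' for one request arriving at time `now`."""
        # Only requests for the profiled login URL count toward the rate and are
        # subject to the block (simulation choice; other URLs pass through).
        if not self.url_re.search(url):
            return "allow"
        # The block is shared by every client behind the source IP.
        if now < self.blocked_until.get(src_ip, 0.0):
            return "block"
        timestamps = self.history[src_ip]
        timestamps.append(now)
        # Drop requests that fell out of the sliding window.
        while timestamps and timestamps[0] <= now - self.window:
            timestamps.popleft()
        # Share IP Access Limit only applies when shared IP detection is enabled;
        # otherwise the standalone threshold is used even for a shared address.
        use_shared = shared_ip and self.shared_ip_detection
        limit = self.shared_limit if use_shared else self.standalone_limit
        if limit is not None and len(timestamps) > limit:
            self.blocked_until[src_ip] = now + self.block_period
            timestamps.clear()
            self.attack_log.append({
                "time": now, "src_ip": src_ip, "url": url,
                "severity": self.severity, "message": "Brute Force Login Violation",
            })
            return "block"
        return "allow"


def run_demo():
    """Replay constructed traffic and return the per-request verdicts."""
    profile = BruteForceLoginProfile(r"^/login(\?.*)?$", standalone_limit=5,
                                     shared_limit=20, block_period=60)
    results = {}
    # Single client hammering the login page: 7 attempts within 0.6 s.
    results["standalone"] = [profile.check("203.0.113.10", "/login", 100.0 + i * 0.1)
                             for i in range(7)]
    # A non-login URL from the same (now blocked) address is not covered by the profile.
    results["other_url"] = profile.check("203.0.113.10", "/static/logo.png", 100.7)
    # The block period has elapsed: the address may try again.
    results["after_block"] = profile.check("203.0.113.10", "/login", 161.0)
    # Ten attempts spread over 3 s never exceed 5 per second, so none is blocked.
    results["slow_rate"] = [profile.check("192.0.2.7", "/login", 400.0 + i * 0.3)
                            for i in range(10)]
    # NAT address flagged as shared: judged against the higher Share IP Access Limit.
    results["shared_with_detection"] = [
        profile.check("198.51.100.1", "/login", 200.0 + i * 0.1, shared_ip=True)
        for i in range(10)]
    results["violations"] = len(profile.attack_log)

    # The same NAT address when shared IP detection is disabled: Share IP Access
    # Limit is ignored and the standalone threshold applies.
    no_detection = BruteForceLoginProfile(r"^/login(\?.*)?$", standalone_limit=5,
                                          shared_limit=20, block_period=60,
                                          shared_ip_detection=False)
    results["shared_without_detection"] = [
        no_detection.check("198.51.100.1", "/login", 300.0 + i * 0.1, shared_ip=True)
        for i in range(6)]
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The slow-rate case is the point worth noticing when tuning the thresholds: the limit is a rate, not a count, so the same number of login attempts spread out over time never trips it, while the shared-address case shows why the Share IP Access Limit should be set higher than the standalone one and why it only has effect once shared IP detection is enabled.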