
waf brute-force-login

Use this command to configure brute force login attack sensors.

Brute force attacks attempt to penetrate systems by the sheer number of clients, attempts, or computational power, rather than by intelligent insight. For example, in brute force attacks on authentication, multiple web clients may rapidly try one user name and password combination after another in an attempt to eventually guess a correct login and gain access to the system. In this way, behavior differs from web crawlers, which typically do not focus on a single URL.

Brute force login attack sensors track the rate at which each source IP address makes requests for specific URLs. If the source IP address exceeds the threshold, the FortiWeb appliance penalizes the source IP address by blocking additional requests for the time period that you indicate in the sensor.

To apply a brute force login attack sensor, select it within an inline protection profile. For details, see waf web-protection-profile inline-protection.

You can use SNMP traps to notify you when a brute force login attack is detected. For details, see system snmp community.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf brute-force-login

edit "<brute-force-login_name>"

config login-page-list

edit <entry_index>

set severity {High | Medium | Low | Info}

set trigger "<trigger-policy_name>"

set access-limit-standalone-ip "<rate_int>"

set access-limit-share-ip "<rate_int>"

set block-period "<seconds_int>"

set host "<allowed-hosts_name>"

set host-status {enable | disable}

set request-file "<url_str>"

set ip-port-enable {enable | disable}

next

end

next

end

Variable Description Default

"<brute-force-login_name>"

Enter the name of a new or existing brute force login attack sensor. The maximum length is 63 characters.

To display a list of the existing sensors, enter:

edit ?

No default.

severity {High | Medium | Low | Info}

Select the severity level to use in logs and reports generated when a violation of the rule occurs.

High

trigger "<trigger-policy_name>"

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. The maximum length is 63 characters.

To display the list of existing trigger policies, enter:

set trigger ?

No default.

access-limit-standalone-ip "<rate_int>"

Enter the rate threshold for source IP addresses that are single clients. Request rates exceeding the threshold cause the FortiWeb appliance to block additional requests for the time specified in block-period "<seconds_int>".

The valid range is 1–10000. To disable the rate limit, enter 0.

1

access-limit-share-ip "<rate_int>"

Enter the rate threshold for source IP addresses that are shared by multiple clients behind a network address translation (NAT) device such as a firewall or router. Request rates exceeding the threshold cause the FortiWeb appliance to block additional requests for the time specified in block-period "<seconds_int>".

The valid range is 1–10000. To disable the rate limit, enter 0.

Note: Blocking a shared source IP address could block innocent clients that share the same source IP address with an offending client. In addition, the rate is a total rate for all clients that use the same source IP address. For these reasons, you should usually enter a greater value for this field than for access-limit-standalone-ip "<rate_int>".

1

block-period "<seconds_int>"

Enter the length of time for which the FortiWeb appliance will block additional requests after a source IP address exceeds a rate threshold.

The block period is shared by all clients whose traffic originates from the source IP address. The valid range is from 1 to 10,000 seconds.

60

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.

No default.

host "<allowed-hosts_name>"

Enter the name of a protected host. The Host: field of an HTTP request must match this protected host for the request to match the sensor. The maximum length is 256 characters.

This setting is applied only if host-status {enable | disable} is enable.

No default.

host-status {enable | disable}

Enable to require that the Host: field of the HTTP request match a protected hosts entry in order for the request to be included in the brute force login attack sensor's rate calculations. Also configure host "<allowed-hosts_name>". When disabled, requests for the URL are counted regardless of their Host: field.

disable

ip-port-enable {enable | disable}

Enable to apply the limit of login attempts specified by access-limit-standalone-ip or access-limit-share-ip per TCP/IP session.

When the value is disable, the limit is applied per source IP.

Tip: If you need to cover both possibilities (per source IP and per TCP/IP session), create two entries in login-page-list for the same URL, one with each setting.

disable

request-file "<url_str>"

Enter the literal URL, such as /login.php, that the HTTP request must match to be included in the brute force login attack sensor’s rate calculations.

The URL must begin with a slash ( / ). Do not include the name of the web host, such as www.example.com, which is configured separately in host "<allowed-hosts_name>". The maximum length is 256 characters.

No default.


Example

This example limits IP addresses of individual HTTP clients to 3 requests per second, and NAT IP addresses to 20 requests per second, when they request the file /login.php on the host www.example.com on TCP port 8080. A source IP address that exceeds its threshold is blocked for 120 seconds.

config waf brute-force-login

edit "brute_force_attack_sensor"

config login-page-list

edit 1

set host "www.example.com:8080"

set host-status enable

set request-file "/login.php"

set access-limit-share-ip 20

set access-limit-standalone-ip 3

set block-period 120

next

end

next

end
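The following Python script is an added example, not FortiWeb code: it simulates the sensor semantics described on this page (per-source-IP counting of requests for one login URL, a separate threshold for shared NAT addresses, a block that lasts block-period seconds, and ip-port-enable switching the counter to per TCP session) and replays constructed traffic against the thresholds from the Example above. Several details are assumptions because the page does not define them: the rate is counted over a sliding one-second window, the caller tells the simulator which source addresses are shared NAT addresses, and only requests that match the login page are counted and blocked. The IP addresses, ports and request stream are constructed for the example.

```python
# Added example (Python), not FortiWeb code: a simulator of the brute-force-login
# sensor semantics this page describes, using the Example's thresholds.
# Assumptions (not stated on the page): "rate" is counted over a sliding one-second
# window, the shared/standalone classification of a source IP is supplied by the
# caller, and only requests matching the login page are counted and blocked.
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LoginPageRule:
    """One login-page-list entry, mirroring the CLI fields."""
    host: str
    request_file: str
    access_limit_standalone_ip: int   # 0 disables the limit
    access_limit_share_ip: int        # 0 disables the limit
    block_period: int                 # seconds
    host_status: bool = True
    ip_port_enable: bool = False


@dataclass(frozen=True)
class Request:
    ts: float       # arrival time in seconds
    src_ip: str
    src_port: int
    host: str       # value of the HTTP Host: header
    path: str


class BruteForceLoginSensor:
    def __init__(self, rule: LoginPageRule, shared_ips) -> None:
        self.rule = rule
        self.shared_ips = set(shared_ips)   # assumption: NAT addresses known to the caller
        self.window: Dict[Tuple, List[float]] = defaultdict(list)  # key -> recent hit times
        self.blocked_until: Dict[Tuple, float] = {}                # key -> block expiry

    def _matches(self, r: Request) -> bool:
        if self.rule.host_status and r.host != self.rule.host:
            return False
        return r.path == self.rule.request_file

    def _key(self, r: Request) -> Tuple:
        # ip-port-enable: count per TCP session (ip, port) instead of per source IP
        return (r.src_ip, r.src_port) if self.rule.ip_port_enable else (r.src_ip,)

    def handle(self, r: Request) -> str:
        """Return 'pass' (not a login request), 'allow' or 'blocked'."""
        if not self._matches(r):
            return "pass"
        key = self._key(r)
        until = self.blocked_until.get(key)
        if until is not None:
            if r.ts < until:
                return "blocked"
            del self.blocked_until[key]          # block-period has elapsed
        limit = (self.rule.access_limit_share_ip if r.src_ip in self.shared_ips
                 else self.rule.access_limit_standalone_ip)
        if limit == 0:
            return "allow"                       # 0 disables the rate limit
        hits = [t for t in self.window[key] if r.ts - t < 1.0] + [r.ts]
        if len(hits) > limit:
            self.blocked_until[key] = r.ts + self.rule.block_period
            self.window[key] = []
            return "blocked"
        self.window[key] = hits
        return "allow"


def run_example_scenario() -> Dict[str, List[str]]:
    """Replay constructed traffic against the page's Example configuration."""
    host = "www.example.com:8080"
    rule = LoginPageRule(host=host, request_file="/login.php",
                         access_limit_standalone_ip=3, access_limit_share_ip=20,
                         block_period=120)
    # Constructed data: 198.51.100.7 stands for a NAT gateway shared by many clients.
    sensor = BruteForceLoginSensor(rule, shared_ips={"198.51.100.7"})
    out: Dict[str, List[str]] = {}
    # 1) one client sends four login attempts within a second: the fourth trips the limit
    out["standalone_burst"] = [sensor.handle(Request(0.1 * i, "203.0.113.5", 40000 + i, host, "/login.php"))
                               for i in range(4)]
    # 2) the same client retries during the 120 s block, then after it expires
    out["standalone_later"] = [sensor.handle(Request(60.0, "203.0.113.5", 40010, host, "/login.php")),
                               sensor.handle(Request(125.0, "203.0.113.5", 40011, host, "/login.php"))]
    # 3) ten clients behind the NAT address in one second stay under the shared limit of 20
    out["shared_burst"] = [sensor.handle(Request(1.0 + 0.05 * i, "198.51.100.7", 50000 + i, host, "/login.php"))
                           for i in range(10)]
    # 4) not counted: Host: without the port does not match, and a non-login URL is ignored
    out["not_counted"] = [sensor.handle(Request(2.0, "203.0.113.9", 40100, "www.example.com", "/login.php")),
                          sensor.handle(Request(2.0, "203.0.113.9", 40101, host, "/index.html"))]
    # 5) with ip-port-enable, the same burst on four TCP connections is four separate counters
    per_port = BruteForceLoginSensor(replace(rule, ip_port_enable=True), shared_ips=set())
    out["per_port_burst"] = [per_port.handle(Request(0.1 * i, "203.0.113.5", 40000 + i, host, "/login.php"))
                             for i in range(4)]
    return out


if __name__ == "__main__":
    for name, verdicts in run_example_scenario().items():
        print(f"{name:18} {' '.join(verdicts)}")
```

Scenario 5 is the practical point of the ip-port-enable tip: a client that opens a fresh TCP connection per attempt never trips a per-session counter, so a sensor meant to stop password guessing should normally count per source IP, with a per-session entry added only where one NAT address legitimately carries many logins per second.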
