Administration Guide

Preventing brute force logins

FortiWeb can prevent brute force login attacks.

Brute force attackers attempt to penetrate systems by the sheer number of clients, attempts, or computational power, rather than by intelligent insight or advance knowledge of application logic or data.

Specifically, in brute force attacks on authentication, one or more web clients rapidly try one user name and password combination after another until they guess a valid login and gain access to the system. This behavior differs from that of web crawlers, which typically do not focus on a single URL.

Brute force login attack profiles track the rate at which each source IP address requests specific URLs (typically the login page or the URL that the login form posts to). If a source IP address exceeds the threshold, the FortiWeb appliance penalizes it by blocking additional requests for the time period that you indicate in the profile. Because the rate is tracked per source IP address, an attacker who spreads attempts across many addresses can stay below each address's threshold; use this feature alongside the application's own account lockout or multi-factor authentication rather than as the only control.

This scan is bypassed if the client’s source IP is a known search engine and you have enabled Allow Known Search Engines.
To configure brute force login attack prevention
  1. If you want to apply the profile only to HTTP requests for a specific real or virtual host, first define the web host in a protected host names group. For details, see Defining your protected/allowed HTTP “Host:” header names.
  2. If you want to use the Share IP Access Limit threshold, first enable detection of source IP addresses that are shared by multiple clients (Shared IP). For details, see Advanced settings. If shared IP detection is not enabled, Share IP Access Limit is ignored and only Standalone IP Access Limit applies.
  3. Go to Web Protection > Access > Brute Force.
  4. To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  5. Click Create New.
  6. Configure these settings:
    Name

    Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.

    Severity

    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select the severity level that the FortiWeb appliance will use when it logs a violation of the rule:

    • Informative
    • Low
    • Medium
    • High

    The default value is High.

    Trigger Policy

    Select which trigger, if any, the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. For details, see Viewing log messages.
  7. Click OK.
  8. Click Create New to add an entry to the set.
  9. Configure these settings:
    Host Status

    Enable to require that the Host: field of the HTTP request match a protected host names entry in order for the request to be included in the brute force login attack profile’s rate calculations. Also configure Host.

    Host

    Select the protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must match for the request to count toward this entry.

    This option is available only if Host Status is enabled.

    Type

    Select how the Standalone IP Access Limit and Share IP Access Limit thresholds are applied:

    • Based on Source IP—Apply the limit per source IP address.
    • Based on TCP Session—Apply the limit per TCP/IP session.

    Tip: If you need to cover both possibilities, create two entries, one of each type. An attacker who opens a new TCP connection for every login attempt never accumulates a high rate within any single session, so a per-session entry alone does not catch that pattern; a per-source-IP entry does.

    Request File

    Type the URL, as a regular expression, that the HTTP/HTTPS request must match to be included in the brute force login attack profile’s rate calculations. Typically this is the login page or the URL to which the login form is submitted.

    When you have finished typing the regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

    Standalone IP Access Limit

    Type the rate threshold for source IP addresses that are single clients. Request rates exceeding the threshold cause the FortiWeb appliance to block additional requests from that source IP address for the length of time in the Block Period field.

    To disable the rate limit, type 0.

    Share IP Access Limit

    Type the rate threshold for source IP addresses that are shared by multiple clients behind a network address translation (NAT) device such as a firewall or router. Request rates exceeding the threshold cause the FortiWeb appliance to block additional requests from that source IP address for the length of time in the Block Period field.

    To disable the rate limit, type 0.

    Note: Blocking a shared source IP address could block innocent clients that share the same source IP address with an offending client. In addition, the rate is a total rate for all clients that use the same source IP address. For these reasons, you should usually enter a greater value for this field than for Standalone IP Access Limit. The same consideration applies if FortiWeb receives traffic through a proxy or load balancer that replaces the client’s source address with its own, because every client then appears to share one source IP address.

    Note: This option is ignored if you have not enabled detection of shared IP addresses. For details, see Advanced settings.

    Block Period

    Type the length of time in seconds for which the FortiWeb appliance will block subsequent requests after a source IP address exceeds the rate threshold in either Standalone IP Access Limit or Share IP Access Limit.

    The block period is shared by all clients whose traffic originates from the source IP address. The valid range is from 1 to 10,000 seconds.

  10. Click OK.
  11. Repeat steps 8 to 10 for each login page that you want to add to the brute force login attack profile.
  12. To apply the brute force login attack profile, select it in an inline protection profile. For details, see Configuring a protection profile for inline topologies.
  13. Attack log messages contain Brute Force Login Violation when this feature detects a brute force login attack. Review these messages after deployment to confirm that the thresholds catch real attacks without blocking legitimate users who mistype a password a few times.
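As an added example, not FortiWeb code or output, the following Python models how one entry of a brute force login attack profile, configured as described above, evaluates a stream of login-page requests: the Host match, the Request File regular expression, the standalone versus shared thresholds, the search engine bypass, the per-IP versus per-TCP-session choice, and the Block Period. The traffic, the set of shared IPs and the known search engine address are constructed placeholders, and the ten-second measurement window is an assumption, since the page does not state the time unit the thresholds are measured against; confirm the unit shown in your appliance's UI before choosing values.

```python
import re
from collections import defaultdict, deque

# Constructed sample traffic (not FortiWeb log output), one tuple per request:
# (time in seconds, source IP, TCP session id, Host header, request path).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_REQUESTS = (
    # A single attacker: fresh TCP session per attempt, one attempt per second.
    [(t, "203.0.113.10", f"s{t}", "www.example.com", "/login") for t in range(8)]
    + [(70, "203.0.113.10", "s70", "www.example.com", "/login")]
    # A NAT gateway shared by many users: 12 attempts from 12 sessions.
    + [(t, "198.51.100.5", f"n{t}", "www.example.com", "/login") for t in range(12)]
    # A known search engine crawling the login page.
    + [(t, "192.0.2.1", "c1", "www.example.com", "/login") for t in range(7)]
    # Static asset requests: the URL does not match Request File.
    + [(t, "203.0.113.20", "a1", "www.example.com", "/static/logo.png") for t in range(7)]
    # Login requests for a host other than the one selected under Host.
    + [(t, "203.0.113.30", "b1", "other.example.com", "/login") for t in range(7)]
)

# Assumed inputs: on the appliance these come from shared IP detection and the
# known search engine list. Both sets are placeholders for this example.
SHARED_IPS = {"198.51.100.5"}
KNOWN_SEARCH_ENGINES = {"192.0.2.1"}

LOG_MESSAGE = "Brute Force Login Violation"


class BruteForceEntry:
    """One entry of a brute force login attack profile."""

    def __init__(self, request_file, standalone_limit, share_limit, block_period,
                 host=None, per_session=False, window=10.0, severity="High"):
        self.request_file = re.compile(request_file)
        self.standalone_limit = standalone_limit  # 0 disables this threshold
        self.share_limit = share_limit            # 0 disables this threshold
        self.block_period = block_period          # seconds (1..10,000 on the appliance)
        self.host = host                          # None models Host Status disabled
        self.per_session = per_session            # Type: Based on TCP Session
        self.window = window                      # ASSUMED measurement window, seconds
        self.severity = severity
        self.history = defaultdict(deque)         # key -> times of counted requests
        self.blocked_until = {}                   # key -> end of the Block Period
        self.attack_log = []

    def _key(self, src_ip, session):
        return (src_ip, session) if self.per_session else src_ip

    def threshold_for(self, src_ip, shared_ip_detection):
        if shared_ip_detection and src_ip in SHARED_IPS:
            return self.share_limit
        return self.standalone_limit

    def evaluate(self, request, shared_ip_detection=True, allow_known_search_engines=True):
        """Return 'allowed' or 'blocked' for one request, updating the entry's state."""
        t, src_ip, session, host, path = request
        if allow_known_search_engines and src_ip in KNOWN_SEARCH_ENGINES:
            return "allowed"                      # scan bypassed for search engines
        if self.host is not None and host != self.host:
            return "allowed"                      # Host: header is not the selected host
        if not self.request_file.search(path):
            return "allowed"                      # URL not covered by Request File
        key = self._key(src_ip, session)
        if t < self.blocked_until.get(key, -1.0):
            return "blocked"                      # inside Block Period; no new log entry
        hist = self.history[key]
        hist.append(t)
        while hist and hist[0] <= t - self.window:
            hist.popleft()                        # drop requests outside the window
        limit = self.threshold_for(src_ip, shared_ip_detection)
        if limit > 0 and len(hist) > limit:
            self.blocked_until[key] = t + self.block_period
            hist.clear()
            self.attack_log.append({"time": t, "src": src_ip,
                                    "severity_level": self.severity, "msg": LOG_MESSAGE})
            return "blocked"
        return "allowed"


def run(entry, requests=SAMPLE_REQUESTS, **flags):
    """Replay the requests in time order and summarise the entry's decisions."""
    decisions = [entry.evaluate(r, **flags) for r in sorted(requests, key=lambda r: r[0])]
    return {"allowed": decisions.count("allowed"),
            "blocked": decisions.count("blocked"),
            "violations": len(entry.attack_log)}


if __name__ == "__main__":
    entry = BruteForceEntry(r"^/login$", standalone_limit=5, share_limit=20,
                            block_period=60, host="www.example.com")
    print(run(entry))        # the attacker is blocked, the NAT gateway is not
    for record in entry.attack_log:
        print(record)
    # A per-TCP-session entry alone never trips on one attempt per session,
    # which is why the page suggests creating an entry of each type.
    print(run(BruteForceEntry(r"^/login$", 5, 20, 60, host="www.example.com",
                              per_session=True)))
```

Running the replay with shared IP detection switched off shows the effect the page warns about: the NAT gateway is then measured against Standalone IP Access Limit and all of its users are blocked together once the gateway's aggregate rate exceeds it.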
