Administration Guide

Preventing brute force logins

FortiWeb can prevent brute force login attacks.

Brute force attackers attempt to penetrate systems by the sheer number of clients, attempts, or computational power, rather than by intelligent insight or advance knowledge of application logic or data.

Specifically, in brute force attacks on authentication, multiple web clients may rapidly try one user name and password combination after another in an attempt to eventually guess a correct login and gain access to the system. In this way, their behavior differs from that of web crawlers, which typically do not focus on a single URL.

The brute force login rule tracks the rate at which each source IP address makes requests for specific URLs within a certain period of time. If the source IP address exceeds the threshold, the FortiWeb appliance penalizes the source IP address by blocking additional requests for the time period that you indicate in the profile.

This scan is bypassed if the client’s source IP is a known search engine and you have enabled Allow Known Search Engines.

To configure brute force login attack prevention
  1. Go to Web Protection > Advanced Protection > Custom Policy, and select the Custom Rule tab.
  2. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

  3. Select the predefined Brute-Force-Login rule to use, and then click Clone.
  4. Enter a name for your new rule, and then click OK.
  5. Refer to Combination access control & rate limiting for detailed rule settings.
  6. To apply the brute force login attack rule, select it in an inline protection profile. For details, see Configuring a protection profile for inline topologies.
  7. Attack log messages contain Brute Force Login Violation when this feature detects a brute force login attack.
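
The per-source-IP rate tracking, block period and search engine bypass described above can be modeled as follows. This is an added example, not FortiWeb code or part of this guide. The `BruteForceRule` class, the threshold, window and block values, the allowlist standing in for known search engines, and the choice to block every request from a penalized IP are assumptions.

```python
from collections import defaultdict, deque

class BruteForceRule:
    """Toy model of a per-source-IP rate rule for login URLs (not FortiWeb code)."""

    def __init__(self, urls, threshold, window_s, block_s, allow_ips=()):
        self.urls = set(urls)             # URLs the rule watches, e.g. the login page
        self.threshold = threshold        # max requests per IP inside the window
        self.window_s = window_s          # length of the counting window, seconds
        self.block_s = block_s            # penalty period after the threshold is exceeded
        self.allow_ips = set(allow_ips)   # assumed stand-in for known search engines
        self.hits = defaultdict(deque)    # ip -> timestamps of recent matching requests
        self.blocked_until = {}           # ip -> time at which the block expires

    def check(self, ts, ip, url):
        """Return 'allow', 'violation' (threshold just exceeded) or 'blocked'."""
        if ip in self.allow_ips:
            return "allow"                # scan bypassed for allowlisted sources
        if ts < self.blocked_until.get(ip, 0):
            return "blocked"              # still inside the penalty period
        if url not in self.urls:
            return "allow"                # only the listed URLs are counted
        q = self.hits[ip]
        q.append(ts)
        while q and q[0] <= ts - self.window_s:
            q.popleft()                   # drop requests that fell out of the window
        if len(q) > self.threshold:
            self.blocked_until[ip] = ts + self.block_s
            q.clear()
            return "violation"            # the point where an attack log would be written
        return "allow"

# Constructed sample traffic: (seconds, source IP, URL), documentation address ranges.
EVENTS = (
    [(t, "203.0.113.7", "/login") for t in range(8)]            # 8 tries in 8 s
    + [(20, "203.0.113.7", "/login"), (75, "203.0.113.7", "/login")]
    + [(t * 30, "198.51.100.4", "/login") for t in range(4)]    # slow, ordinary user
    + [(t, "192.0.2.10", "/login") for t in range(8)]           # allowlisted crawler
)

def demo():
    """Replay the sample traffic in time order and return (ts, ip, verdict) rows."""
    rule = BruteForceRule({"/login"}, threshold=5, window_s=10, block_s=60,
                          allow_ips={"192.0.2.10"})
    return [(ts, ip, rule.check(ts, ip, url)) for ts, ip, url in sorted(EVENTS)]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Because the counter is keyed on source IP alone, attempts spread across many clients each stay under the threshold in this model, which is why the threshold and window should be tuned against real login traffic.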
