waf brute-force-login
Use this command to configure brute force login attack sensors.
Brute force attacks attempt to penetrate systems by the sheer number of clients, attempts, or computational power, rather than by intelligent insight. For example, in brute force attacks on authentication, multiple web clients may rapidly try one user name and password combination after another in an attempt to eventually guess a correct login and gain access to the system. In this way, behavior differs from web crawlers, which typically do not focus on a single URL.
Brute force login attack sensors track the rate at which each source IP address makes requests for specific URLs. If the source IP address exceeds the threshold, the FortiWeb appliance penalizes the source IP address by blocking additional requests for the time period that you indicate in the sensor.
To apply a brute force login attack sensor, select it within an inline protection profile. For details, see waf web-protection-profile inline-protection.
You can use SNMP traps to notify you when a brute force login attack is detected. For details, see system snmp community.
To use this command, your administrator account's access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.
Syntax
config waf brute-force-login
    edit "<brute-force-login_name>"
        config login-page-list
            edit <entry_index>
                set severity {High | Medium | Low | Info}
                set trigger "<trigger-policy_name>"
                set access-limit-standalone-ip "<rate_int>"
                set access-limit-share-ip "<rate_int>"
                set block-period "<seconds_int>"
                set host "<allowed-hosts_name>"
                set host-status {enable | disable}
                set ip-port-enable {enable | disable}
                set request-file "<url_str>"
            next
        end
    next
end
| Variable | Description | Default |
|---|---|---|
| "<brute-force-login_name>" | Enter the name of a new or existing brute force login attack sensor. The maximum length is 63 characters. To display a list of the existing sensors, enter: | No default. |
| severity {High \| Medium \| Low \| Info} | Select the severity level to use in logs and reports generated when a violation of the rule occurs. | High |
| trigger "<trigger-policy_name>" | Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. The maximum length is 63 characters. To display the list of existing trigger policies, enter: | No default. |
| access-limit-standalone-ip "<rate_int>" | Enter the rate threshold for source IP addresses that are single clients. Request rates exceeding the threshold will cause the FortiWeb appliance to block additional requests for the length of time in block-period "<seconds_int>". The valid range is 1–10000. To disable the rate limit, enter | 1 |
| access-limit-share-ip "<rate_int>" | Enter the rate threshold for source IP addresses that are shared by multiple clients behind a network address translation (NAT) device such as a firewall or router. Request rates exceeding the threshold will cause the FortiWeb appliance to block additional requests for the length of time in block-period "<seconds_int>". The valid range is 1–10000. To disable the rate limit, enter Note: Blocking a shared source IP address could block innocent clients that share the same source IP address with an offending client. In addition, the rate is a total rate for all clients that use the same source IP address. For these reasons, you should usually enter a greater value for this field than for access-limit-standalone-ip "<rate_int>". | 1 |
| block-period "<seconds_int>" | Enter the length of time for which the FortiWeb appliance will block additional requests after a source IP address exceeds a rate threshold. The block period is shared by all clients whose traffic originates from the source IP address. The valid range is from 1 to 10,000 seconds. | 60 |
| <entry_index> | Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. | No default. |
| host "<allowed-hosts_name>" | Enter the name of a protected host that the This setting is applied only if host-status {enable \| disable} is | No default. |
| host-status {enable \| disable} | Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to be included in the brute force login attack sensor's rate calculations. Also configure host "<allowed-hosts_name>". | disable |
| ip-port-enable {enable \| disable} | Enable to apply the limit of login attempts specified by When the value is disable, the limit is applied per source IP. Tip: If you need to cover both possibilities, create two members. | disable |
| request-file | Enter the literal URL, such as The URL must begin with a slash ( / ). Do not include the name of the web host, such as | No default. |
Example
This example limits IP addresses of individual HTTP clients to 3 requests per second, and NAT IP addresses to 20 requests per second, when they request the file login.php on the host www.example.com on TCP port 8080.
config waf brute-force-login
    edit "brute_force_attack_sensor"
        config login-page-list
            edit 1
                set host "www.example.com:8080"
                set host-status enable
                set request-file "/login.php"
                set access-limit-share-ip 20
                set access-limit-standalone-ip 3
                set block-period 120
            next
        end
    next
end
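To make the sensor's behaviour concrete, the following is an added Python model (not FortiWeb code) that replays the example configuration above against constructed traffic: a per-second request count per source IP, separate thresholds for single and shared (NAT) addresses, and a block that lasts block-period seconds. It assumes that ip-port-enable means counting per source IP:port, that the operator supplies the list of shared NAT addresses (the reference does not say how the appliance identifies them), and that the block applies to requests for the monitored URL.

```python
"""Constructed model of a brute force login attack sensor (not FortiWeb code)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Tuple


@dataclass
class LoginPageEntry:
    """One login-page-list member, using the reference's setting names."""
    request_file: str                    # e.g. "/login.php"
    host: Optional[str] = None           # protected host, e.g. "www.example.com:8080"
    host_status: bool = False            # enable: the Host: header must match host
    access_limit_standalone_ip: int = 1  # requests per second for single clients
    access_limit_share_ip: int = 1       # requests per second for NAT addresses
    block_period: int = 60               # seconds a source stays blocked
    ip_port_enable: bool = False         # assumption: enable = count per IP:port


@dataclass
class Request:
    ts: float        # arrival time in seconds
    src_ip: str
    src_port: int
    host: str        # value of the HTTP Host: header
    path: str


class BruteForceLoginSensor:
    def __init__(self, entry: LoginPageEntry, shared_ips=()):
        self.entry = entry
        self.shared_ips = set(shared_ips)   # assumption: operator-supplied NAT addresses
        self.windows: Dict[Tuple, Deque[float]] = defaultdict(deque)  # last second of hits
        self.blocked_until: Dict[Tuple, float] = {}                   # key -> expiry time

    def _key(self, req: Request) -> Tuple:
        if self.entry.ip_port_enable:
            return (req.src_ip, req.src_port)
        return (req.src_ip,)             # default: one counter per source IP

    def _threshold(self, req: Request) -> int:
        if req.src_ip in self.shared_ips:
            return self.entry.access_limit_share_ip
        return self.entry.access_limit_standalone_ip

    def _monitored(self, req: Request) -> bool:
        if req.path != self.entry.request_file:
            return False
        return not self.entry.host_status or req.host == self.entry.host

    def evaluate(self, req: Request) -> str:
        """Return "ignore" (URL not monitored), "pass" or "block"."""
        if not self._monitored(req):
            return "ignore"   # assumption: only the monitored URL is rate-limited
        key = self._key(req)
        expires = self.blocked_until.get(key)
        if expires is not None:
            if req.ts < expires:
                return "block"           # still inside the block period
            del self.blocked_until[key]  # block period has elapsed
        window = self.windows[key]
        window.append(req.ts)
        while req.ts - window[0] >= 1.0:  # drop hits older than one second
            window.popleft()
        if len(window) > self._threshold(req):
            self.blocked_until[key] = req.ts + self.entry.block_period
            window.clear()
            return "block"
        return "pass"


# The reference's example: 3 req/s for single clients, 20 req/s for NAT, 120 s block.
PAGE_EXAMPLE = LoginPageEntry(request_file="/login.php", host="www.example.com:8080",
                              host_status=True, access_limit_standalone_ip=3,
                              access_limit_share_ip=20, block_period=120)


def run_example():
    """Replay constructed traffic and return the sensor's verdict for each request."""
    sensor = BruteForceLoginSensor(PAGE_EXAMPLE, shared_ips={"203.0.113.1"})
    host, login = "www.example.com:8080", "/login.php"
    traffic = [
        Request(0.0, "198.51.100.7", 40001, host, login),
        Request(0.1, "198.51.100.7", 40002, host, login),
        Request(0.2, "198.51.100.7", 40003, host, login),
        Request(0.3, "198.51.100.7", 40004, host, login),        # 4th in one second: blocked
        Request(0.5, "198.51.100.7", 40005, host, login),        # still blocked until t=120.3
        Request(0.6, "198.51.100.7", 40006, host, "/index.html"),  # not the login page
        Request(0.7, "198.51.100.7", 40007, "other.example.com", login),  # Host: mismatch
    ]
    # Five users behind one NAT address within a second: well under the 20 req/s limit.
    traffic += [Request(1.0 + i * 0.1, "203.0.113.1", 50000 + i, host, login) for i in range(5)]
    traffic.append(Request(121.0, "198.51.100.7", 40008, host, login))  # block expired
    return [sensor.evaluate(r) for r in traffic]


if __name__ == "__main__":
    for verdict in run_example():
        print(verdict)
```

The standalone client is blocked on its fourth request inside one second and stays blocked for the full 120 seconds, while the NAT address, judged against the larger shared-IP threshold, is untouched; this is the trade-off the access-limit-share-ip note describes.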