Preventing Brute Force Attacks Connecting to Citrix NetScaler Gateway / AAA-Login Pages TM - Part 1

5:12 PM

One of the most common requests I get is how to prevent brute-force login attacks against Citrix Access Gateway or NetScaler AAA for Traffic Management (AAA-TM) login pages. Like any other web application that presents a public HTML login form, this is an assumed risk.

In Part 1, this article discusses how you can use the NetScaler HTTP Rate Limiting feature in combination with the Responder module to detect and respond to a potential brute-force attack. In Part 2, we will see how you can take advantage of CAPTCHA on NetScaler to augment this method and provide an extra layer of protection.

A little background on the problem to solve

It is quite simple nowadays, in the age of YouTube how-to videos and a myriad of other do-it-yourself tools of the black art (Brutus, THC Hydra, John the Ripper, Cain & Abel, etc.), to learn how to build and orchestrate a dictionary-style brute-force attack that attempts to find a username and password pairing that successfully authenticates a malicious attacker. For sites that use HTTP form authentication, such as an HTML login form, this means, at a very basic level, a specially crafted HTTP POST whose username and password form field values change with every request, in a loop that iterates N! times until the dictionary of usernames and passwords has been exhausted. In statistics this is simply combinatorics: a combination of n things taken k at a time, with or without repetition. This is a very simple calculation for a single computer to perform, and even easier when the work is distributed. All an attacker might need is to buy or build a decent list of URLs, usernames and passwords. Implementing protection against brute-force attacks is important for any organization that exposes an application to the Internet, and it is also one of the Open Web Application Security Project (OWASP) recommended testing procedures.

How can the NetScaler HTTP Rate Limiting feature help?

Since both Access Gateway Enterprise Edition (AGEE) and NetScaler AAA-TM use HTTP form authentication, they are also vulnerable to this problem. The NetScaler HTTP Rate Limiting feature can be used in conjunction with the Responder feature as a valid deterrent to help address this vulnerability.

Here is a graphical representation of the flow of a login with the rate-limiting method configured.

1. An end user, or a malicious application or user, is presented with a login form to which credentials are POSTed.

2. Invalid credentials result in an error message displayed to the end user and a specific HTTP response.

3. What we want to do: once a certain number of login attempts is exceeded within a certain time, the user is presented with an alternative response that prevents further attempts and potentially also prevents an account lockout, if we set the threshold below that of the account security policy.

Implementation on Citrix NetScaler

Follow these 6 steps to limit the number of requests to the AGEE or AAA-TM login page. Steps for both the GUI and the CLI are provided.

Step 1: Define a limit selector
This tells us what to track, or "select". We want to select IP and URL because we want to track requests to the same URL from the same IP address.
GUI: Define a limit selector
CLI:
add ns limitSelector aaa_err_login_selector CLIENT.IP.SRC HTTP.REQ.URL

Step 2: Define a limit identifier
The identifier specifies the pattern within the time slice that will trigger a hit. We choose the selector defined above and a mode of REQUEST_RATE, since we want to know how often the specific URL is requested within the time slice. Because requests will not arrive at a fixed interval within the time slice, a BURSTY limit type is preferred over SMOOTH. We are not concerned with bandwidth reduction here because we want to block, so that can be left at the default of 0.
GUI: Define a limit identifier
CLI:
add ns limitIdentifier aaa_err_login_identifier -threshold 3 -timeSlice 300000 -mode REQUEST_RATE -limitType BURSTY -selectorName aaa_err_login_selector -trapsInTimeSlice 3

Step 3: Define an audit log message action
This step is optional, but it provides a mechanism to notify you with a specific audit message that can be forwarded to an off-box SIEM solution. In the message you can insert dynamic tokens for the IP and URL you are tracking, to identify the request.
GUI: Define a custom log message
CLI:
add audit messageaction aaa_login_err_alert ALERT "\"Max login attempts detected from \" + CLIENT.IP.SRC + \" to \" + HTTP.REQ.URL + \" within 5 seconds. Possible brute force login attack\"" -logtoNewnslog YES -bypassSafetyCheck YES

Step 4: Define a Responder action
This is what a malicious end user or "bot" would see once they have met the threshold of the limit identifier. Note: this Responder action could be simpler, but it is designed to integrate with the NetScaler Symphony theme. If you use a different type of HTTP auth, or you do not want to engage attackers with any response at all, you can instead configure a Responder policy that simply DROPs or RESETs the connection.
GUI: Define a Responder action
CLI (the HTML markup and styling of the original themed response did not survive extraction; the command below reproduces its text with minimal markup):
add responder action aaa_err_login_blockip_5min_act respondwith "\"HTTP/1.1 200 OK\r\n\r\n<html><head><title>Citrix NetScaler</title></head><body><h1>NetScaler Access Gateway TM</h1><p>You have reached the maximum allowed connection attempts for your device: \" + CLIENT.IP.SRC + \".<br>You will not be allowed to connect again for 5 minutes. Please contact your system administrator.</p></body></html>\""

Step 5: Define the Responder policy for AAA-TM or AGEE
The Responder policy references the rate-limit identifier and the AAA-TM or VPN login URLs, and also checks for the presence of the invalid-login cookie (NSC_VPNERR=4001); when all conditions match it triggers the Responder and log actions defined above. Note: if you only want to trap AAA-TM or only AGEE VPN, you can delete the relevant URL condition from the expression. This method also works for other web applications by specifying a different URL.
GUI: Define a Responder policy
CLI:
add responder policy aaa_err_login_blockip_5min_policy "(HTTP.REQ.URL.EQ(\"/vpn/tmindex.html\") || HTTP.REQ.URL.EQ(\"/vpn/index.html\")) && HTTP.REQ.COOKIE.VALUE(\"NSC_VPNERR\").EQ(\"4001\") && SYS.CHECK_LIMIT(\"aaa_err_login_identifier\")" aaa_err_login_blockip_5min_act -logAction aaa_login_err_alert

Step 6: Bind the Responder policy globally
We bind globally to cover both VPN and AAA-TM, but it would be equally easy to bind the Responder policy to a specific VPN or AAA-TM vServer.
GUI: Globally bind the Responder policy
CLI:
bind responder global aaa_err_login_blockip_5min_policy 110 END -type REQ_DEFAULT

What else can we do?

  1. Use 2-factor authentication such as RSA SecurID, PhoneFactor, CryptoCard, etc.
    When a second authentication factor is required, the overall security posture of authentication is greatly improved. The most common is a One-Time Password (OTP) solution, which requires the user to use something they know plus a form of challenge that can range from a random code on a token to a phone call, email or SMS message. NetScaler supports many 2-factor solutions, as they are standards-based RADIUS. Many vendors have also achieved Citrix Ready certification, meaning they have verified that their solution works properly with Citrix NetScaler and Access Gateway.
  2. Use the 2-factor authentication method as the primary authentication
    NetScaler and Access Gateway allow configuration of primary and secondary authentication methods, and the second-factor method can be specified as the primary one. The significance of this is that the second-factor auth is attempted first by NetScaler AAA, and if that attempt fails, the directory auth is never attempted.
  3. Implement CAPTCHA image verification (see Part 2)
    CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. This method presents a challenge that humans can solve but that would be very difficult for a computer. CAPTCHA was specifically designed to prevent automated software from filling out an HTML form such as those used for logon. A common type of CAPTCHA requires the user to type the letters or numbers shown in a distorted image on the screen.

What does HTTP Rate Limiting not address?

  • Directory account lockout
    HTTP rate limiting does not fully help you with account lockouts unless you set the identifier threshold lower than the lockout threshold of the account security policy. Lockouts are common with brute-force attacks because they often iterate the same username with different password combinations. This problem can be mitigated using a second-factor auth method or CAPTCHA, as described above.
  • False positives with forward proxies
    Users coming through the same forward proxy could be blocked if several of them attempt to log in within the time slice window. This is because all such clients present the same source IP address, which is what the limit identifier tracks.
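As an added example (not part of the original article or Citrix's code), the following Python models how the six-step configuration above evaluates traffic, and reproduces the forward-proxy false positive just described: the selector key is (CLIENT.IP.SRC, HTTP.REQ.URL), so two users behind one proxy share one counter. The IP addresses, timestamps and the fixed-slice counter are constructed assumptions; NetScaler's own BURSTY accounting is more elaborate.

```python
from collections import defaultdict

# Constructed model of the page's configuration (not NetScaler's own code):
# SYS.CHECK_LIMIT is modelled as a per-selector-key counter over fixed
# time slices, a simplification of the BURSTY REQUEST_RATE mode.
THRESHOLD = 3                  # -threshold 3
TIME_SLICE_MS = 300000         # -timeSlice 300000 (5 minutes)
LOGIN_URLS = {"/vpn/tmindex.html", "/vpn/index.html"}

class LimitIdentifier:
    def __init__(self):
        self.counts = defaultdict(int)   # (selector key, slice number) -> hits

    def check_limit(self, key, now_ms):
        """Count this hit; True once the key exceeds THRESHOLD in its slice."""
        slot = (key, now_ms // TIME_SLICE_MS)
        self.counts[slot] += 1
        return self.counts[slot] > THRESHOLD

def responder_policy(ident, req):
    """Evaluate the page's policy expression for one request: login URL,
    invalid-login cookie NSC_VPNERR=4001, then SYS.CHECK_LIMIT."""
    if req["url"] not in LOGIN_URLS or req["cookies"].get("NSC_VPNERR") != "4001":
        return "ALLOW"                    # && short-circuits: the limit is not counted
    key = (req["src_ip"], req["url"])     # selector: CLIENT.IP.SRC HTTP.REQ.URL
    return "BLOCK" if ident.check_limit(key, req["t_ms"]) else "ALLOW"

def simulate(requests):
    ident = LimitIdentifier()
    return [responder_policy(ident, r) for r in requests]

def make_req(t_ms, src_ip, url="/vpn/tmindex.html", failed=True):
    """Constructed request record; failed=True carries the error cookie."""
    return {"t_ms": t_ms, "src_ip": src_ip, "url": url,
            "cookies": {"NSC_VPNERR": "4001"} if failed else {}}

# Constructed traffic. 198.51.100.7: one client, five failed logins in a minute.
ATTACK = [make_req(10000 * i, "198.51.100.7") for i in range(5)]
# 203.0.113.10: two different users behind one forward proxy, two failures each.
PROXY = [make_req(20000 * i, "203.0.113.10") for i in range(4)]
# 192.0.2.5: three failures, then a retry in the next slice after the counter reset.
RETRY = [make_req(0, "192.0.2.5"), make_req(0, "192.0.2.5"), make_req(0, "192.0.2.5"),
         make_req(TIME_SLICE_MS, "192.0.2.5")]

if __name__ == "__main__":
    for name, traffic in (("attacker", ATTACK), ("proxy users", PROXY), ("retry", RETRY)):
        print(f"{name:12s} {' '.join(simulate(traffic))}")
```

The fourth proxy request is blocked even though it comes from a second, legitimate user, which is the false positive to weigh when choosing the threshold and time slice.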

Download batch configuration script

More information

  • OWASP Testing Project
  • Citrix NetScaler Application Delivery Controller
  • Citrix NetScaler Access Gateway
  • Part 2 - Implementing CAPTCHA on Citrix NetScaler / Access Gateway (coming soon!)