Brute force WAF NGAF

favianbayu Lv1 Posted 2024-Mar-05 18:05

Hi there,

So we are implementing WAF on our NGAF.
The issue is that brute force is not enforced on our Sangfor.

We set up brute-force protection under the web-based login password setting in the WAF policy template.
Basically, we made a custom database for brute force.

It used to work because we used cookies from the web apps we protect. But now it seems like it doesn't work anymore,
not after we changed the cookie.
Does anyone have a solution for us on this brute-force policy?
Or maybe a best practice for brute force?

Thank you

pmateus has solved this question.

jerome_itable Lv3 Posted 2024-Mar-12 12:59

Here are some solutions and best practices to address this challenge:

Addressing the current issue:

    IP-based blocking:
        Implement IP-based blocking within the WAF policy. This approach tracks failed login attempts originating from a specific IP address and blocks them after exceeding a predefined threshold.
        Consider limitations: While IP blocking can be effective, it might cause inconvenience to legitimate users sharing the same IP address.

    Advanced Bot Detection:
        Utilize Sangfor's advanced bot detection capabilities within the WAF. These features can analyze various factors beyond cookies, including:
            User behavior patterns (e.g., rapid login attempts, unusual access times)
            Request headers and origin characteristics
        This multi-layered approach can help identify and block automated bots attempting brute-force attacks.

    Multi-factor Authentication (MFA):
        Enforce MFA as an additional security layer for web-based logins. This requires users to provide a secondary verification code beyond the username and password, significantly increasing the difficulty of unauthorized access through brute-force attempts.

Best practices for brute-force protection:

    Limit login attempts: Set a reasonable limit on the number of consecutive failed login attempts allowed within a specific timeframe.
    Increase lockout duration: Gradually increase the lockout duration for subsequent failed attempts to discourage persistent attacks.
    Captcha implementation: Consider implementing CAPTCHA challenges after a certain number of failed attempts. This adds an extra layer of validation to distinguish between legitimate users and automated scripts.
    Regular security audits: Conduct periodic security audits to identify and address any potential vulnerabilities in your web applications that might be susceptible to brute-force attacks.
mdamores Posted 2024-Mar-12 14:15
  
Hi,

Do you have the configuration below?

1. Identify your login page URI and user identification method (username or IP).
2. Create a WAF policy for the login page URI.
3. Within the policy, configure a brute-force rule with a threshold (e.g., 5 attempts within 1 hour) and a blocking action (e.g., temporary IP block).
4. Consider enabling IP reputation filtering on your NGAF to block malicious IPs.
5. Try to configure rate limiting rules on the WAF policy to further restrict login attempts as an option.
6. Set session timeouts on your web application.


If all else fails, you may consider consulting the Sangfor WAF documentation or Sangfor support for specific configuration instructions and available brute-force protection features.
Mar Estonido Lv1 Posted 2024-Mar-12 16:04

DDoS is not supported by Sangfor WAF. Only DoS is supported.
Christian Ni Lv1 Posted 2024-Mar-12 16:05

Can you please give more information about the problem? The DDoS protection of the WAF is not like full-blown DDoS solutions.
Enrico Vanzetto Lv4 Posted 2024-Mar-12 16:25

Hi, try to follow these steps:

Identify the Login Page URI and User Identification Method:
Determine the specific Uniform Resource Identifier (URI) for your login page.
Choose whether user identification will be based on usernames or IP addresses.

Create a Web Application Firewall (WAF) Policy:
Set up a WAF policy specifically for your login page URI.
Define the rules and actions that will govern traffic to this page.

Configure a Brute-Force Rule:
Within the WAF policy, create a rule to detect and handle brute-force attacks.
Set a threshold (e.g., 5 login attempts within 1 hour) for triggering this rule.
Specify a blocking action (e.g., temporary IP block) to prevent further malicious attempts.

Consider Enabling IP Reputation Filtering:
If you have a Next-Generation Firewall (NGAF), explore enabling IP reputation filtering.
This feature helps block traffic from known malicious IP addresses.

Rate Limiting Rules (Optional):
Extend your WAF policy by configuring rate limiting rules.
These rules can further restrict login attempts based on specific criteria.

Set Session Timeouts:
Implement session timeouts within your web application.
Define how long a user session remains active before automatic logout.
Prosi Lv3 Posted 2024-Mar-12 16:32

Use Strong Passwords.
Limit Login Attempts.
Monitor IP addresses.
Use Two-Factor Authentication (2FA).
Use CAPTCHAs.
Disable Root SSH Logins.
Use Web Application Firewalls (WAFs).
Newbie517762 Lv5 Posted 2024-Mar-12 17:41

You are facing an issue with brute force detection not working effectively after changing the cookie structure on your Sangfor WAF. Here are solutions and best practices to mitigate brute force attacks.


Solutions:
  • Update cookie validation logic to consider the updated cookie structure.
  • Check cookie expiration time to ensure effectiveness in detecting ongoing attacks.
  • Implement IP address-based blocking as an additional security measure.
  • Enable two-factor authentication (2FA) for user accounts.
  • Use rate limiting to restrict login attempts from a single source.
  • Incorporate CAPTCHAs to distinguish legitimate users from automated bots.


Best Practices:
  • Use strong passwords and enforce regular password changes.
  • Implement account lockout policies after failed login attempts.
  • Monitor logs for suspicious activities and investigate anomalies.
  • Keep software and security patches up to date.
  • Educate users about security best practices.

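The procedure in the mdamores and Enrico Vanzetto replies (login URI, identification by username or IP, threshold such as 5 failures per hour, temporary block), the IP-blocking caveat in the jerome_itable reply, and the cookie-validation point just above all describe the same mechanism from different angles. The Python below is an added example, not Sangfor code and not code from any poster: a brute-force detector that can key its failure counters on a cookie, a username, or the client IP, runs over a constructed log, and shows why the original poster's cookie-keyed rule stopped firing once the application renamed its cookie. The login URI (/login), the "401 means failed login" rule, the log line format, the cookie names and the addresses are all assumptions made for the example.

```python
"""Brute-force login detector keyed by cookie, username, or client IP (added example).

Models a WAF "web-based login" brute-force rule:
  - watch POST requests to the login URI
  - count failed logins per key inside a sliding window
  - block the key temporarily at the threshold, doubling the block on repeat offences
  - show the failure mode: keying on a cookie the app no longer sends means nothing
    is ever counted, so nothing is ever blocked.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import re

LOGIN_URI = "/login"            # assumed login endpoint
FAILED_STATUS = {401, 403}      # assumed: statuses the app returns on bad credentials

@dataclass
class Policy:
    key_by: str                 # "cookie", "username" or "ip"
    cookie_name: str = "sessionid"   # cookie the rule expects (only for key_by == "cookie")
    threshold: int = 5          # failures allowed inside the window
    window: int = 3600          # seconds
    block: int = 600            # first block duration in seconds
    escalate: bool = True       # double the block for each repeat lockout

# constructed log format: ts ip method uri status "cookie header" username
LOG_RE = re.compile(r'^(?P<ts>\d+) (?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) '
                    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)" (?P<user>\S+)$')

def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    r = m.groupdict()
    r["ts"], r["status"] = int(r["ts"]), int(r["status"])
    r["cookies"] = dict(c.strip().split("=", 1) for c in r["cookie"].split(";") if "=" in c)
    return r

class BruteForceDetector:
    def __init__(self, policy):
        self.p = policy
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.blocked_until = {}              # key -> block expiry timestamp
        self.strikes = defaultdict(int)      # key -> number of lockouts so far
        self.unkeyed = 0                     # login requests the rule could not attribute

    def key_for(self, r):
        if self.p.key_by == "ip":
            return "ip:" + r["ip"]
        if self.p.key_by == "username":
            return "user:" + r["user"]
        c = r["cookies"].get(self.p.cookie_name)
        return "cookie:" + c if c else None   # renamed cookie -> no key at all

    def handle(self, r):
        """Return 'allow', 'block' or 'unkeyed' for one parsed request."""
        if r["uri"] != LOGIN_URI or r["method"] != "POST":
            return "allow"
        key = self.key_for(r)
        if key is None:
            self.unkeyed += 1
            return "unkeyed"                 # the rule silently falls through here
        now = r["ts"]
        if self.blocked_until.get(key, 0) > now:
            return "block"
        if r["status"] in FAILED_STATUS:
            q = self.failures[key]
            q.append(now)
            while q and q[0] <= now - self.p.window:
                q.popleft()                  # drop failures outside the window
            if len(q) >= self.p.threshold:
                factor = 2 ** self.strikes[key] if self.p.escalate else 1
                self.strikes[key] += 1
                self.blocked_until[key] = now + self.p.block * factor
                q.clear()
                return "block"
        else:
            self.failures[key].clear()       # a successful login resets the counter
        return "allow"

def run(policy, lines):
    """Apply a policy to log lines; returns (verdict per line, detector state)."""
    det = BruteForceDetector(policy)
    return [det.handle(r) for r in map(parse, lines) if r], det

# constructed sample: 203.0.113.7 sprays "admin"; the app now sets app_session, not sessionid
SAMPLE_LOG = [
    '1000 203.0.113.7 POST /login 401 "app_session=a1" admin',
    '1005 203.0.113.7 POST /login 401 "app_session=a1" admin',
    '1010 203.0.113.7 POST /login 401 "app_session=a1" admin',
    '1015 203.0.113.7 POST /login 401 "app_session=a1" admin',
    '1020 203.0.113.7 POST /login 401 "app_session=a1" admin',   # 5th failure in the window
    '1025 203.0.113.7 POST /login 401 "app_session=a1" admin',
    '1100 203.0.113.7 POST /login 200 "app_session=b2" alice',   # legit user behind the same NAT
    '1150 203.0.113.7 GET /home 200 "app_session=b2" alice',
    '1700 203.0.113.7 POST /login 401 "app_session=a1" admin',   # attacker back after the block
    '1705 203.0.113.7 POST /login 401 "app_session=a1" admin',
    '1710 203.0.113.7 POST /login 401 "app_session=a1" admin',
    '1715 203.0.113.7 POST /login 401 "app_session=a1" admin',
    '1720 203.0.113.7 POST /login 401 "app_session=a1" admin',   # second lockout, twice as long
]

if __name__ == "__main__":
    for pol in (Policy("cookie", cookie_name="sessionid"), Policy("cookie", cookie_name="app_session"),
                Policy("ip"), Policy("username")):
        verdicts, det = run(pol, SAMPLE_LOG)
        print(pol.key_by, pol.cookie_name, verdicts.count("block"), "blocked,", det.unkeyed, "unkeyed")
```

Keying on the stale cookie name never blocks anyone and reports every login POST as unkeyed, which is the silent failure the original post describes; pointing the rule at the new cookie name, or at the IP or username, makes the fifth failure trip the block. The IP key also blocks alice's legitimate login from the shared NAT address (the caveat in the jerome_itable reply), while the username key leaves her alone but lets an attacker rotate usernames freely, so in practice the two are combined.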
Zonger Lv5 Posted 2024-Mar-12 18:46

More information is required; however, to be precise, DDoS is not supported by Sangfor NGAF.
pmateus Lv2 Posted 2024-Mar-12 19:34

Hi,
DDOS is not supported, but you can apply some configuration that will help you, like:
•  Limit Failed Login Attempts
•  Complex Password Policies
•  Two-Factor Authentication (2FA)
•  Monitor and Alert
•  VPN Path Configuration
•  Endpoint Protection

Hope this helps,
