Preventing Brute Force Password Guessing Attacks with APM - Part 1

F5er and DevCentral community member ystephie is back with another great solution (check out her first solution here: BIG-IP APM Customized Logon Page), this time tackling brute force attacks utilizing customizations with the BIG-IP Access Policy Manager.  This solution requires BIG-IP 10.2.2 Hotfix 1 or later.

Introduction

Exposing applications or services to the Internet opens inherent security risks. BIG-IP Access Policy Manager (APM) provides edge authentication and access control services for applications, BIG-IP Edge Gateway provides secure SSL VPN services, and BIG-IP Application Security Manager (ASM) provides protection against a variety of attacks. In this series of APM deployment examples, we will cover a couple of techniques for protecting against brute force password-guessing attacks. We’ll start with examples where a CAPTCHA challenge is used to block automated password guessing attacks, followed by an example providing temporary account lockout after a configured number of authentication failures.
 
CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart (quite a mouthful), but basically consists of a challenge that a human can pass but a computer program cannot. It is used to protect against bots, and in the examples here can help protect against an automated password guessing attack.

We can take advantage of Google’s reCAPTCHA web service and APM’s flexible advanced customization to provide basic defense against automated password guessing attacks. In addition, we will play around with the general look of your logon page.  With reCAPTCHA available as a web service, we’ll be incorporating the CAPTCHA challenge within the APM logon page via advanced customization. The JavaScript added to the logon page will request a challenge (image with distorted text) from the reCAPTCHA web service and display it within the page. We’ll then create a custom APM Access Policy where we validate the user’s CAPTCHA challenge answer against the same reCAPTCHA web service (using the APM HTTP Auth agent). The links below describe the Google reCAPTCHA service in greater detail:

• http://code.google.com/apis/recaptcha/intro.html
• http://code.google.com/apis/recaptcha/docs/display.html
• http://code.google.com/apis/recaptcha/docs/verify.html

Initial Setup – Create a Google Account for the reCAPTCHA Project

Sign up for Google’s reCAPTCHA project through http://www.google.com/recaptcha/whyrecaptcha. Fill in a domain name and jot down the private and public keys for we’ll be using them later.

Device Wizard

For the purpose of this example, we’ll be using the Network Access Setup Wizard for Remote Access option under Templates and Wizards -> Device Wizards shown in Figure 1.

Select HTTP Authentication with the following setup. This is required to verify the CAPTCHA challenge answer from the user against the reCAPTCHA web service.

Follow the steps in the wizard (AAA Server, Lease Pool, Network Access, and etc.) to get to the summary page shown below in Figure 2. Before clicking finished, enter the Visual Policy Editor (VPE) to make a few changes.

Click on Logon Page and modify field 3 and 4 under Logon Page Agent with the following configuration and save.

Note: The logon page agent will only parse and store POST parameters it knows about (that are defined here). We’ll be hiding these two new fields on the logon page via advanced customization later.

You should add an Ad Auth after the success leg of HTTP Auth. In my examples, I will be using AD Auth but feel free to use any sort of additional authenticate. That way, you only need to check their credentials once we know for sure that this is a human user (passes the CAPTCHA challenge).

Update the access policy by clicking Apply Access Policy and finish the Device Wizard.

Advanced Customization

Follow steps 1-3 under the section “Customize the Logon Page” in the BIG-IP APM-Customized Logon Page article.  We’ll be replacing the auto-generated logon form with HTML that includes the username and password
fields, along with some JavaScript that calls the reCAPTCHA service and includes the challenge within the page. Edit logon_en.inc file: remove this block of PHP code:

<? 

//------------------------------------------------------------ 

foreach( $fields_settings as $field_settings ) 

{ 

    if( $field_settings["type"] != "none" ) 

    { 

        if( $GLOBALS["label_position"] == "above" ){ 

?> 

    <tr> 

        <td colspan=2 class="credentials_table_unified_cell" ><label for="<? print( $field_settings["type"] ); ?>"><? print( 

$field_settings["caption"] ); ?></label><input type=<? print( $field_settings["type"] ); ?> name=<? print( $field_settings["name"] ); ?> 

class="credentials_input_<? print( $field_settings["type"] ); ?>" <? print( ( $field_settings["rw"] == 0 ? "disabled" : "" ) ); ?> value="<? 

print( $field_settings["value"] ); ?>" autocomplete="off"></td> 

    </tr> 

<? 

        }else{ 

?> 

    <tr> 

        <td class="credentials_table_label_cell" ><? print( $field_settings["caption"] ); ?></td> 

        <td class="credentials_table_field_cell"><input type="<? print( $field_settings["type"] ); ?>" name="<? print( $field_settings["name"] 

); ?>" class="credentials_input_<? print( $field_settings["type"] ); ?>" <? print( ( $field_settings["rw"] == 0 ? "disabled" : "" ) ); ?> 

value="<? print( $field_settings["value"] ); ?>" autocomplete="off"></td> 

    </tr> 

<? 

        } 

    } 

} 

//------------------------------------------------------------ 

?> 

In its place, paste this second block of code. Make sure to replace the red text with your own information.

<tr> 

    <td colspan=2 class="credentials_table_unified_cell" ><label for="text">Username</label><input type=text name=username 

s="credentials_input_text"  value="" autocomplete="off" autocapitalize="off"></td> 

</tr> 

<tr> 

    <td colspan=2 class="credentials_table_unified_cell" ><label for="password">Password</label><input type=password 

=password class="credentials_input_password"  value="" autocomplete="off" autocapitalize="off"></td> 

</tr> 

d colspan=2 class="credentials_table_unified_cell"> 

cript type="text/javascript" 

 src="https://www.google.com/recaptcha/api/challenge?k=replace_with_your_public_key"> 

script> 

oscript> 

 <iframe src="https://www.google.com/recaptcha/api/noscript?k=replace_with_your_public_key" 

     height="300" width="500" frameborder="0"></iframe><br> 

 <textarea name="recaptcha_challenge_field" rows="3" cols="40"> 

 </textarea> 

 <input type="hidden" name="recaptcha_response_field" 

     value="manual_challenge"> 

noscript> 

td> 

>

Apply the customizations to the policy with the following commands:

• b customization group <your policy name>_act_logon_page_ag action update
• b profile access <your policy name> generation action increment

Extra Touches

Currently the page should like like Figure 3.

But we can easily customize this page. First, let us start by adding a helpful message before the CAPTCHA. Open the logon_en.inc file again and add some HTML like below. Place it between the <td...> tag and <script…> tag we added earlier.

<td colspan=2 class="credentials_table_unified_cell"> 

<label for="text">Security Check<p>Enter <b>both words</b> below, <b>separated by a space</b>.</p></label> 

<script type="text/javascript"

Edit this message as fits your organization.  Don’t forget to update the access policy! The page now looks like Figure 4:

The color scheme of the CAPTCHA may not work for every page so Google provides a few more templates shown in Figure 5. If you feel that you would like to do more customization, see the documentation found on this page -http://code.google.com/apis/recaptcha/docs/customization.html.

<script type="text/javascript">  

var RecaptchaOptions = {  

   theme : 'theme_name'  

};  

</script>

To display a standard theme, add the following script into logon_en.inc anywhere before the <form> element where we inserted our code. Replace ‘theme_name’ with one of the above theme names. In Figure 6, I’m using the ‘white’ theme. Remember to update!

More Extra Touches – Changing the Look of Your Page

To customize the look of your page, click on your access profile- Access Policy -> Access Profiles -> <your access policy> -> Customization (third tab from the left on the top) -> general UI -> Find Customization.

Feel free to make whatever changes you like, in Figure 7, I changed the color of the Header background color, and Form background color to #63919E and #94BBC2 respectively.

Advanced Customization (Logon Page) Checklist

• When you copy and paste to a template file, it has the following formatting: logon_<language>.inc
• Set permissions using the following command
  • chmod a+r logon_<language>.inc
• After editing, update with the following two commands
  • b customization group <your policy name>_act_logon_page_ag action update
  • b profile access <your policy name> generation action increment

Final Notes

Exposing applications or services to the Internet opens inherent security risks. APM can help by providing advanced authentication, authorization, and endpoint security checks. With a bit of customization you can integrate with web services such as the Google reCAPTCHA project to provide additional security layers. In our next example, we’ll build on this work to display the CAPTCHA only after the user has failed full authentication, to reduce the inconvenience of typing CATPCHA challenges. We’ll be demonstrating how to do an AD Query and use the bad password count attribute to determine when to show the CAPTCHA challenge.