Defending against authentication attacks using IP Blocking

Anyone who administers a publicly accessible server knows that it will almost immediately start receiving brute-force logon attempts.

One way of defending against this is to block the IP address the attempts are coming from.

In this article, we will set up triggers that automatically block IP addresses attempting to brute-force the logon.

To do this, we will first set up an authentication alert, and then chain a Block IP trigger to it.

Create an Authentication alert

We will first set up an authentication alert, since this trigger's threshold settings are exactly what we need here.

1. Navigate to Triggers and click the Create button.

2. Give the trigger a name, such as Authentication alert. In the Event field, start typing Authentication and select it from the list that appears. Set Triggers On to Failure. For Triggers Task, select Generate Alert.

3. Click the Threshold tab. We need to pick a reasonable threshold and timeout here. Attacks tend to come in quickly, so set the Alert Threshold slider to 2 and the Threshold Timeout to 1 minute. Set the Reset Delay to 120 seconds, which limits the number of alerts that can be generated in a short period.

4. Click the Key tab. Here we choose which attributes must all match for an event to count towards the alert threshold. We want to catch repeated attempts with the same username from the same IP against the same authentication scheme, so select Current User, Authentication Scheme and IP Address.

5. Click the Warning tab. Here we type the text that will appear in the alert. The attributes we used for the key are useful here to give the administrator context; they can be inserted with the ${} button.

6. Set the Warning Text to: Too many authentications from IP ${attr.ipAddress} for user ${attr.principalName} on scheme ${attr.scheme}

7. Click Create to finish creating the trigger.

Creating a Block IP trigger

1. Expand the newly created Authentication alert resource; a visual representation of the trigger flow will appear below it.

2. Click the plus icon in the red Authentication alert box to chain a new trigger from this one.

3. Give the trigger a name (Block IP address). The Event will already be filled in because this trigger is chained.

4. Set Triggers On to Success. For Triggers Task, select Block IP Address.

5. Click the Block tab, select the ${event0:attr.ipAddress} attribute for IP Address and click + to add it to the list. Set the Length to 30 to block the offending IP for 30 minutes.

6. Click Create to finish creating the resource.

7. Click the Authentication alert trigger again; the trigger flow will update to show the chained Block IP trigger.

Testing

On the web UI, attempt to log in as a user with an incorrect password 2 times in succession. Then navigate to Audit Log in the browser UI.

You will see the failed authentication attempts, followed by the Alert, followed by a successful Block IP event.
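To make the threshold, key, reset delay and chained block concrete, here is an added Python simulation of the two triggers run over a constructed audit log. It is example code written for this article, not the product's own implementation; the exact window and reset-delay semantics (failures older than the Threshold Timeout drop out of the count, the count is cleared and the key silenced once the alert fires, and a blocked address never reaches the login page) are assumptions made for the example, as are the sample user names and documentation-range IP addresses.

```python
from collections import defaultdict, deque

# Settings taken from the walk-through above.
ALERT_THRESHOLD = 2      # failures needed before the alert fires
THRESHOLD_TIMEOUT = 60   # seconds; failures older than this no longer count
RESET_DELAY = 120        # seconds; no further alert for the same key after one fires
BLOCK_MINUTES = 30       # Length on the Block tab

# Warning Text from step 6, with the ${attr.*} placeholders as format fields.
WARNING_TEXT = ("Too many authentications from IP {ipAddress} "
                "for user {principalName} on scheme {scheme}")


class TriggerChain:
    """Simulation of the Authentication alert trigger chained to Block IP Address.

    Assumed semantics (made up for this example): a failure is counted against
    the key (Current User, Authentication Scheme, IP Address); failures older
    than THRESHOLD_TIMEOUT drop out; when the count reaches ALERT_THRESHOLD the
    alert fires, the count is cleared and the key is silenced for RESET_DELAY
    seconds. A successful alert runs the chained trigger, which blocks
    ${event0:attr.ipAddress} for BLOCK_MINUTES.
    """

    def __init__(self):
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.silenced_until = {}            # key -> time before which no new alert fires
        self.blocked_until = {}             # ip -> time at which the block expires
        self.audit_log = []                 # (event, outcome, detail), as the Audit Log shows

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def on_event(self, event):
        """Feed one audit event: a dict with time, event, outcome and attrs."""
        if event["event"] != "Authentication":
            return
        now, attrs = event["time"], event["attrs"]
        ip = attrs["ipAddress"]
        if self.is_blocked(ip, now):
            # Assumption: a blocked address never reaches the login page.
            self.audit_log.append(("Dropped", "Blocked IP", ip))
            return
        self.audit_log.append(("Authentication", event["outcome"], ip))
        if event["outcome"] != "Failure":
            return  # Triggers On = Failure
        key = (attrs["principalName"], attrs["scheme"], ip)
        if self.silenced_until.get(key, 0) > now:
            return  # still inside the Reset Delay for this key
        window = self.failures[key]
        window.append(now)
        while now - window[0] > THRESHOLD_TIMEOUT:  # enforce the Threshold Timeout
            window.popleft()
        if len(window) >= ALERT_THRESHOLD:
            window.clear()
            self.silenced_until[key] = now + RESET_DELAY
            self.generate_alert(now, attrs)

    def generate_alert(self, now, attrs):
        self.audit_log.append(("Alert", "Success", WARNING_TEXT.format(**attrs)))
        # Chained trigger: Triggers On = Success, Triggers Task = Block IP Address,
        # IP Address = ${event0:attr.ipAddress}, Length = 30 minutes.
        self.block_ip(now, attrs["ipAddress"])

    def block_ip(self, now, ip):
        self.blocked_until[ip] = now + BLOCK_MINUTES * 60
        self.audit_log.append(("Block IP Address", "Success", ip))


def _auth_failure(time, user, ip, scheme="Password"):
    """Build a constructed failed-authentication audit event."""
    return {"time": time, "event": "Authentication", "outcome": "Failure",
            "attrs": {"principalName": user, "scheme": scheme, "ipAddress": ip}}


# Constructed audit events (times in seconds); addresses are documentation ranges.
AUDIT_EVENTS = [
    _auth_failure(0, "admin", "203.0.113.7"),
    _auth_failure(10, "admin", "203.0.113.7"),    # second failure inside 1 minute: alert + block
    _auth_failure(30, "admin", "203.0.113.7"),    # now blocked, never reaches the login
    _auth_failure(40, "alice", "198.51.100.9"),
    _auth_failure(130, "alice", "198.51.100.9"),  # 90 s apart: outside the timeout, no alert
]


def run_demo(events=AUDIT_EVENTS):
    """Run the chain over the events and return it for inspection."""
    chain = TriggerChain()
    for event in events:
        chain.on_event(event)
    return chain


if __name__ == "__main__":
    for entry in run_demo().audit_log:
        print(entry)
```

Running the script prints the same sequence the Testing section describes: two failures, the Alert with the expanded warning text, then the Block IP Address event. The two alice failures illustrate why the Threshold Timeout matters: attempts that are too far apart never reach the threshold, so a slow trickle of mistyped passwords does not lock out a legitimate user's address.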