User lockouts in STS (external authentication service)

stevebelcher — Mon, 12 Nov 2018 17:21:52 GMT

We are experiencing a high number of user lockouts with our externally accessible STS.

The traffic is HTTPS so it is making it through our blocking policies.

We are requiring MFA through DUO but the challenge/response for the username/password is happening before the MFA kicks in. After 5 failed attempts the users account is locked for 20 minutes. Most of the attempts are coming from China but we are a public Higher Ed institute so we can't block entire countries.

We have taken steps to scrape the offending IPs and upload them to MineMeld where we have a policy with a dynamic block list. However, that policy only blocks the IP after the fact and that IP list is getting fairly large.

We have the option to SSL decrypt this traffic but have ran into trouble with the elliptical curve ciphers on the NSX load balancer.

In short, has anyone successfully tackled this issue? If so, how? Any suggestions otherwise?

Thanks!

Steve

Re: User lockouts in STS (external authentication service)

BPry — Mon, 12 Nov 2018 21:38:17 GMT

@stevebelcher,

Do you have something like a DoS policy in place to actively attempt to limit connections from a source IP? That could help cut down on the number of events and allow you to do this in a more automated approach, along with automatically feeding the recorded IPs into MineMeld from the logs generated by the firewall.

topic Re: User lockouts in STS (external authentication service) in General Topics

User lockouts in STS (external authentication service)

Re: User lockouts in STS (external authentication service)