We are experiencing a high number of user lockouts with our externally accessible STS.
The traffic is HTTPS so it is making it through our blocking policies.
We are requiring MFA through DUO but the challenge/response for the username/password is happening before the MFA kicks in. After 5 failed attempts the user's account is locked for 20 minutes. Most of the attempts are coming from China but we are a public Higher Ed institute so we can't block entire countries.
We have taken steps to scrape the offending IPs and upload them to MineMeld where we have a policy with a dynamic block list. However, that policy only blocks the IP after the fact and that IP list is getting fairly large.
We have the option to SSL decrypt this traffic but have run into trouble with the elliptic curve ciphers on the NSX load balancer.
In short, has anyone successfully tackled this issue? If so, how? Any suggestions otherwise?
Do you have something like a DoS policy in place to actively attempt to limit connections from a source IP? That could help cut down on the number of events and allow you to do this in a more automated approach, along with automatically feeding the recorded IPs into MineMeld from the logs generated by the firewall.
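The reply suggests feeding offending IPs into MineMeld automatically from the logs instead of scraping them after the fact. The script below is an added example of that aggregation step; it is not code from this thread, from Palo Alto Networks or from MineMeld. The log format, IP addresses and account names are constructed for illustration, and the 5-failures-in-20-minutes threshold mirrors the lockout policy described in the question. It parses failed-logon records, finds source IPs whose failures within a sliding window reach the threshold (reporting how many distinct accounts each one hit, which is the password-spray signature), and renders a plain one-entry-per-line text list, the format an IP-type external dynamic list consumes.

```python
"""Turn failed-authentication log lines into a block list of source IPs.

Added example, not from the forum thread. The log format below is
constructed; adapt LINE_RE to the real STS or firewall log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: STS-style auth events with timestamp, result,
# source IP and target account. 203.0.113.10 sprays five accounts in
# a few seconds; 198.51.100.7 is a user who mistyped once; 192.0.2.55
# fails twice but 40 minutes apart.
SAMPLE_LOG = """\
2020-03-04T09:00:01Z AUTH_FAIL src=203.0.113.10 user=astudent
2020-03-04T09:00:03Z AUTH_FAIL src=203.0.113.10 user=bstudent
2020-03-04T09:00:05Z AUTH_FAIL src=203.0.113.10 user=cstudent
2020-03-04T09:00:07Z AUTH_FAIL src=203.0.113.10 user=dstudent
2020-03-04T09:00:09Z AUTH_FAIL src=203.0.113.10 user=estudent
2020-03-04T09:00:30Z AUTH_FAIL src=198.51.100.7 user=astudent
2020-03-04T09:00:45Z AUTH_OK   src=198.51.100.7 user=astudent
2020-03-04T09:05:00Z AUTH_FAIL src=192.0.2.55 user=fstudent
2020-03-04T09:45:00Z AUTH_FAIL src=192.0.2.55 user=gstudent
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>AUTH_FAIL|AUTH_OK)\s+"
    r"src=(?P<src>\S+)\s+user=(?P<user>\S+)$"
)


def parse_events(text):
    """Parse log text into (timestamp, result, src_ip, user) tuples.

    Lines that do not match the constructed format are skipped, so a
    mixed log file does not abort the run.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["src"], m["user"]))
    return events


def offending_sources(events, threshold=5, window=timedelta(minutes=20)):
    """Return {src_ip: distinct_accounts_targeted} for sources whose
    AUTH_FAIL count reaches `threshold` inside any `window`-long span.

    Defaults match the lockout policy in the question (5 failures, 20
    minutes). Successful logons are ignored so a legitimate user who
    eventually gets in is not penalised for earlier typos.
    """
    fails_by_src = defaultdict(list)
    for ts, result, src, user in sorted(events):
        if result == "AUTH_FAIL":
            fails_by_src[src].append((ts, user))

    flagged = {}
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len({user for _, user in fails})
                break
    return flagged


def render_block_list(flagged):
    """Render one IP per line: the plain-text shape an IP-type external
    dynamic list (or a MineMeld output node feeding one) expects."""
    return "".join(f"{ip}\n" for ip in sorted(flagged))


if __name__ == "__main__":
    hits = offending_sources(parse_events(SAMPLE_LOG))
    for ip, n_users in hits.items():
        print(f"{ip}: {n_users} distinct accounts targeted")
    print(render_block_list(hits), end="")
```

Run it against a periodic export of the STS or firewall logs and publish the rendered list where the firewall fetches its dynamic list; the window check is what keeps a single user who mistypes a password a few times off the list, while the distinct-account count separates a spray from one person hammering their own account.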