Response Processors: Login Processor

The login processor is designed to add additional protection to the login dialogs throughout the protected site. By default, it will not provide any additional protection, and must be configured to protect specific login forms. Once a login form has been configured, the processor will begin to monitor the login attempts and start checking for abusive patterns.

This processor is capable of detecting a wide variety of abuse patterns on a login dialog, as well as stopping these abusive activities. One key protection mechanism is to require a captcha if a user attempts to login to an account which has experienced more than 3 failed login attempts since the last successful login attempt. This ensures that a malicious user cannot brute force a specific username, because after 3 failed attempts, the brute force tool will be stopped by a captcha. This does not represent a counter response, but instead is built in functionality that applies to all users on the system. So if user "A" submits 3 bad passwords, and then user "B" submits a password for the same username, user "B" will get a captcha, as well as user "A" for any additional login attempts they try. As soon as a user successfully logs into the account, it will take another 3 failed login attempts before the next captcha is required.

In addition to protecting against a single username being attacked with a brute force script, the processor also detects "User sharing", "User pooling", "Username scans", "Multi-User brute force scans". See the incident descriptions for more information on what these incidents represent and what counter responses will be activated as a result. In order to configure the Login Processor to protect a login form, edit the "Protected Login Pages" configuration parameter. Add a new row and provide the following information. It will be useful to look at the HTML source code of the login form as it will have critical information you will need to configure protection:

Keep in mind that some website implementations allow login information to be posted to many different URLs. If that is the case, make sure the URL pattern is defined generically enough to match any URL the user might submit a login request to. Only submissions that match the URL pattern will be protected.

Once a login form has been configured, it can be tested by attempting to login to the same username 4 or more times. You should be presented with a captcha. Next, solve the captcha and log in with the correct password. Then logout and attempt to login to the same username again. If you do not get a captcha, then the login form is configured correctly.

Table 41: Login Processor Configuration Parameters

Parameter

Type

Default Value

Description

Basic

Processor Enabled

Boolean

True

Whether traffic should be passed through this processor. Note that just because this processor is enabled, does not mean that any login forms are being protected. Login forms will not be protected until they are configured in the "Protected Login Pages" parameter.

Protected Login Pages

Collection

None

The list of pages that should be protected from login and account abuse. These pages should reflect the URL's that accept username's and passwords and allow login, not necessarily the pages that contain login forms. For example, if every page on the site had a login form, but they all submitted to login.php, then only login.php needs to be configured in this processor.

Advanced

Bad Request Block Response

HTTP Response

400 Error

The response to return if the user issues a request that either is too large, or uses multipart and multi-part is disabled.

Blocked Replay Response

HTTP Response

400 Error

The response to return if the user attempts to submit the validated request multiple times using the same captcha answer, and that behavior is not allowed.

Cancel URL

String

(empty)

The URL to redirect the user to if they cancel the captcha. This should not be to the same domain, because the domain is being blocked using a captcha, and therefore, canceling would only redirect to a new captcha. An empty value will hide the cancel button,

Captcha Binary Directory

String

Random

The name of the directory where captcha images and audio files will be served from. This should not conflict with any actual directories on the site.

Captcha Characters

String

abcdefhkmnprwxyz ABCEFGHJKLMNPQRTWXYZ 234678

The characters to use when generating a random captcha value. Avoid using characters that can be easily mixed up. This set of characters is case sensitive.

Captcha Expiration

Integer

120

The maximum number of seconds the user has to solve the captcha before the request is no longer possible.

Captcha State Cookie

String

Random

The name of the cookie to use to track the active captchas that have not yet been solved. The cookie is only served to the captcha binary directory.

Captcha Template

File

Default Template

The HTML template used to ask the user to complete a captcha. This template must contain specific key words in order to integrate properly. Please refer to the manual for more information.

Captcha Validation Input Name

String

Random

The name of the form input used to transmit the captcha validation key. This should be obscure so that users who have not been required to enter a captcha cannot supply bad values to this input to profile the system.

Expired Captcha Response

HTTP Response

400 Error

The response to return if the user submits a validated request after the captcha has expired. This can happen if the user refreshes the results of the captcha long after they have solved it.

Maximum Active Captchas

Integer

7

The maximum number of captchas any given user can be solving at any given time. This limit can be overcome, but the majority of users will not be able to. This is primarily for performance, as the more active captchas that are allowed, the larger the state cookie becomes.

Maximum Request Size

Integer

524288 (512KB)

The maximum number of bytes in a request before it is considered not acceptable for captcha validation, and will be blocked.

Support Audio Version

Boolean

True

Whether an audio version of the captcha is provided to the user. This can be a requirement for accessibility, as vision impaired users would otherwise be unable to solve the captcha.

Watermark

String

%DOMAIN

The text to watermark the captcha with. This can be used to prevent the captcha from being used in a phishing attack. For example, an abuser would not be able to simply display the captcha on a different site and ask a user to solve it. The watermark would tip the user off that the captcha was not intended for the site they are visiting. Use %DOMAIN to use the domain name as the watermark.

Incident: Site Invalid Login

Boolean

True

The user has submitted an invalid username or password. This is just an informational incident and is used to identify more complex attacks. It is highly recommended that this incident not be disabled, as it can cause other incidents to no longer register.

Incident: Site Login Multiple IP

Boolean

True

The user has submitted a valid username and password or an invalid username and password for an account that has recently been used by a different IP. This is just an informational incident and is used to identify more complex attacks. It is highly recommended that this incident not be disabled, as it can cause other incidents to no longer register.

Incident: Site Login Multiple Usernames

Boolean

True

The user has submitted a valid username and password for more than one account recently. This is just an informational incident and is used to identify more complex attacks. It is highly recommended that this incident not be disabled, as it can cause other incidents to no longer register.