NetScaler authentication settings to prevent account lockout attack

I have had a tough turn of the year. During the last two months of 2013 nearly every day was stuffed with NetScaler project work for Citrix Consulting and my own NetScaler customers. And the new year starts just like the last one ended. So get ready for some new blog posts about NetScaler topics from my recent work.

In the past months I have seen many customer configurations using NetScaler AAA for many different applications. But not all of them had considered one security risk: how do you protect against an account lockout attack?

In NetScaler builds 9.x and 10.0 there were only workarounds available to protect your LDAP directory against account lockout attacks. In those versions you had to invest plenty of time designing proper rate-limiting settings to cap the number of logon attempts forwarded to your directory. Or you did it the other way round with multi-factor authentication: swap the first and second authentication factor input boxes so that your OTP / RADIUS check separates the proper requests from the invalid ones before they hit your directory services. But that is not feasible in all situations.

Both are closer to rocket science than to user friendly, and neither is simple to carry through an upgrade. So what about the 10.1 build?

Attentive admins will already have noticed the two new fields in the NetScaler Gateway or AAA vServer GUI for setting "Max Login Attempts" and "Failed Login Timeout". From here it should be a piece of cake to verify the settings with aaad.debug.
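To show why these two fields matter for sizing, here is a small model (added for this post, not NetScaler code) of a vServer that, as an assumption, stops forwarding a user's logins to the directory once "Max Login Attempts" is reached and keeps rejecting locally for "Failed Login Timeout" minutes. The directory stand-in, its lockout threshold and reset window, and the user and password values are all constructed for the illustration.

```python
# Model of NetScaler 10.1 "Max Login Attempts" / "Failed Login Timeout" (illustration
# written for this post, not NetScaler code; vServer behaviour is an assumption).
from dataclasses import dataclass, field

@dataclass
class Directory:
    """Constructed stand-in for AD: lockout threshold plus counter-reset window."""
    password: str
    lockout_threshold: int = 5   # AD "Account lockout threshold"
    reset_window: int = 10       # AD "Reset account lockout counter after" (min)
    bad_count: int = 0
    last_bad: int = -10**6
    binds: int = 0               # how many bind attempts the directory has seen
    def locked(self) -> bool:
        return self.bad_count >= self.lockout_threshold
    def bind(self, pw: str, now: int) -> bool:
        self.binds += 1
        if not self.locked() and now - self.last_bad >= self.reset_window:
            self.bad_count = 0                 # window elapsed: counter resets
        if self.locked() or pw != self.password:
            self.bad_count, self.last_bad = self.bad_count + 1, now
            return False
        self.bad_count = 0
        return True

@dataclass
class AAAVServer:
    directory: Directory
    max_login_attempts: int = 0    # 0 = not configured (pre-10.1 behaviour)
    failed_login_timeout: int = 10 # minutes
    state: dict = field(default_factory=dict)  # user -> [failures, blocked_until]
    def login(self, user: str, pw: str, now: int) -> str:
        fails, until = self.state.get(user, [0, 0])
        if self.max_login_attempts and fails >= self.max_login_attempts:
            if now < until:
                return "gateway-blocked"       # directory never sees this attempt
            fails = 0                          # timeout elapsed, counter resets
        if self.directory.bind(pw, now):
            self.state.pop(user, None)
            return "ok"
        self.state[user] = [fails + 1, now + self.failed_login_timeout]
        return "bad-password"

def attack(max_login_attempts: int, guesses: int = 20) -> tuple:
    """Guess alice's password once a minute, then alice logs in herself at minute 30."""
    ad = Directory(password="correct-horse")
    vs = AAAVServer(ad, max_login_attempts)
    for minute in range(guesses):
        vs.login("alice", f"guess{minute}", now=minute)
    return ad.binds, ad.locked(), vs.login("alice", "correct-horse", now=30)
```

With no limit, all 20 guesses reach the directory and alice's account is locked before she returns; with Max Login Attempts set below the directory threshold (3 here) and a timeout at least as long as the directory's reset window, only 6 binds reach the directory and alice still logs in.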
