Brute force attacks occur when an attacker tries to guess a user's credentials by trying different usernames and passwords. The attacker either deploys bots or uses a dictionary attack, trying common words or phrases such as admin, welcome, or password. A legitimate user might mistype their password once or twice. But five or 10 times? That may indicate a brute force attack in progress.
You can add account lockout configuration in Citrix ADC to protect against an attacker gaining access. Citrix ADC also gives you, as an IT admin, the ability to prevent an individual user from logging into an ADC appliance, then to unlock the user before the lockout period expires.
In this blog post, I’ll show you how to configure account lockout for ADC system users so you can restrict the number of invalid login attempts before the account is disabled. I’ll also look at how to lock and unlock individual ADC system users.
This configuration is supported in release 12.1 and later and is available for ADC local system users and external users. Please note, local system users are the users created on the ADC appliance. External users are the users created on the authentication server. In this post, I'll use the term user to refer to both user types.
Configuring the User Lockout Functionality
To configure user lockout on invalid login attempts, you first need to configure aaa parameter with the maxloginAttempts and failedLoginTimeout parameters.
If the user enters invalid login credentials the number of times specified in maxloginAttempts, within the time specified in failedLoginTimeout, the user is locked for the duration specified in failedLoginTimeout.
For example, if maxloginAttempts is set to three and failedLoginTimeout is set to 10 in aaa parameter, a user who attempts to log in with an incorrect password three times within 10 minutes is locked out after the third failed login attempt. The user account stays locked for the specified time period, and the user cannot log in, even with valid credentials.
CLI Configuration
At the command prompt, type the following:
`set aaa parameter -maxloginAttempts <value> -failedLoginTimeout <value>`
For example, with maxloginAttempts set to three and failedLoginTimeout set to 10 in aaa parameter, the command is:
`set aaa parameter -maxloginAttempts 3 -failedLoginTimeout 10`
GUI Configuration
- Navigate to Configuration → Security → AAA-Application Traffic → Authentication Settings → Change authentication AAA Settings
- In Configure AAA Parameter, type the values for Max Login Attempts and Failed Login Timeout
- Click OK.
With this configuration, a user is locked for 10 minutes if three invalid login attempts are made within 10 minutes. During those 10 minutes the user cannot log in, even with valid credentials.
Please note, if a locked user tries to log in, the following message is written to the audit log:
Persistent Login Attempt
To store unsuccessful login attempts persistently, so that they survive a reboot, enable persistentLoginAttempts in aaa parameter alongside the maxloginAttempts and failedLoginTimeout parameters.
CLI Configuration
To enable persistentLoginAttempts in aaa parameter, type the following:
`set aaa parameter -persistentLoginAttempts ENABLED`
GUI Configuration
- Log in to the Citrix ADC GUI as a superuser.
- Navigate to: Configuration → Security → AAA-Application Traffic → Authentication Settings → Change authentication AAA Settings
- In Configure AAA Parameter, in the Persistent Login Attempts list, select ENABLED.
Lock a User with the Lock aaa Command
To lock an individual Citrix ADC user, the admin runs the `lock aaa user <username>` command. The user is then locked for 24 hours and cannot log in to the ADC appliance, even with valid credentials.
This command is supported for both local system users and external users.
The lock user functionality is supported only when persistentLoginAttempts is DISABLED in aaa parameter.
CLI Configuration
Enter the following command to disable persistentLoginAttempts in aaa parameter:
`set aaa parameter -persistentLoginAttempts DISABLED`
Then enter the lock aaa user command to lock a local system user or an external user:
`lock aaa user <username>`
GUI Configuration
- Navigate to Configuration → Security → AAA-Application Traffic → Authentication Settings → Change authentication AAA Settings
- In Configure AAA Parameter, in the Persistent Login Attempts list, select DISABLED.
- Navigate to System → User Administration → Users.
- Select the user. Only local system users are listed.
- In the Select Action list, click Lock.
Please note, the Citrix ADC GUI lists only local system users, which are created on the ADC, so there is no option in the GUI to lock external users. To lock an external user, the ADC superuser must use the CLI.
Also, when a user locked with the lock aaa user command attempts to log in to Citrix ADC, the following message is captured in the log:
Unlock Locked Users
Local system users and external users can be locked for 24 hours using the `lock aaa user <username>` command. The ADC appliance allows admins to unlock a locked user before that period expires, and this feature is available regardless of the persistentLoginAttempts setting.
CLI Configuration
Run the following command to unlock a local system user or an external user:
`unlock aaa user <username>`
GUI Configuration
- Navigate to System → User Administration → Users.
- Select the user. Only local system users are listed.
- In the Select Action list, click Unlock.
The Citrix ADC GUI lists only local system users, which are created on the ADC, so there is no option in the GUI to unlock external users. To unlock an external user, the ADC superuser must use the CLI.
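The rules above (maxloginAttempts and failedLoginTimeout, persistentLoginAttempts, and the lock aaa user and unlock aaa user commands) interact in ways that are easier to see when they are run against concrete input. The following Python model is an added illustration written for this post, not Citrix code: it encodes the documented behaviour and exercises it on constructed user names, passwords and timestamps. The class and function names are this example's own, and the reboot behaviour of the counters when persistentLoginAttempts is disabled is a modelling assumption, not something the post states.

```python
"""Model of the Citrix ADC lockout rules described in this post.

Added illustration, not Citrix code. It models maxloginAttempts /
failedLoginTimeout, persistentLoginAttempts and the lock / unlock aaa user
commands so their interaction can be exercised on constructed input.
"""
from dataclasses import dataclass, field

MIN = 60                              # seconds per minute
ADMIN_LOCK_SECONDS = 24 * 60 * MIN    # lock aaa user locks for 24 hours


@dataclass
class AaaParameter:
    """The three aaa parameter settings discussed in the post."""
    max_login_attempts: int = 3               # -maxloginAttempts
    failed_login_timeout_min: int = 10        # -failedLoginTimeout (minutes)
    persistent_login_attempts: bool = False   # -persistentLoginAttempts


@dataclass
class UserState:
    failures: list = field(default_factory=list)  # timestamps of recent failed logins
    locked_until: float = 0.0                     # seconds; 0 = not locked


class LockoutTracker:
    def __init__(self, params: AaaParameter, credentials: dict):
        self.params = params
        self.credentials = credentials   # constructed user -> password table
        self.state: dict = {}

    def _state(self, user: str) -> UserState:
        return self.state.setdefault(user, UserState())

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'invalid' or 'locked' for one login attempt made at `now`."""
        st = self._state(user)
        if now < st.locked_until:
            return "locked"                      # valid credentials are rejected too
        window = self.params.failed_login_timeout_min * MIN
        if self.credentials.get(user) == password:
            st.failures.clear()
            return "ok"
        # keep only failures inside the failedLoginTimeout window, then add this one
        st.failures = [t for t in st.failures if now - t < window]
        st.failures.append(now)
        if len(st.failures) >= self.params.max_login_attempts:
            st.locked_until = now + window       # locked for failedLoginTimeout minutes
            st.failures.clear()
            return "locked"
        return "invalid"

    def lock_user(self, user: str, now: float) -> None:
        """Model of `lock aaa user <username>`: a 24-hour lock."""
        if self.params.persistent_login_attempts:
            raise RuntimeError("lock aaa user requires persistentLoginAttempts DISABLED")
        self._state(user).locked_until = now + ADMIN_LOCK_SECONDS

    def unlock_user(self, user: str) -> None:
        """Model of `unlock aaa user <username>`; independent of persistentLoginAttempts."""
        st = self._state(user)
        st.locked_until = 0.0
        st.failures.clear()

    def restart(self) -> None:
        """Appliance reboot. Assumption of this model: counters are lost unless
        persistentLoginAttempts is enabled."""
        if not self.params.persistent_login_attempts:
            self.state = {}


def brute_force_scenario() -> list:
    """Three bad passwords within 10 minutes, then valid logins before and after expiry."""
    tracker = LockoutTracker(AaaParameter(3, 10), {"demo_user": "Good-Pass-1"})  # constructed
    events = [tracker.login("demo_user", "wrong", now=i * MIN) for i in range(3)]  # t = 0, 1, 2 min
    events.append(tracker.login("demo_user", "Good-Pass-1", now=5 * MIN))   # still locked
    events.append(tracker.login("demo_user", "Good-Pass-1", now=13 * MIN))  # lock ended at 12 min
    return events


def stale_failures_scenario() -> str:
    """Two failures, then a third 15 minutes later: the old ones fell out of the window."""
    tracker = LockoutTracker(AaaParameter(3, 10), {"demo_user": "Good-Pass-1"})
    tracker.login("demo_user", "wrong", now=0)
    tracker.login("demo_user", "wrong", now=1 * MIN)
    return tracker.login("demo_user", "wrong", now=15 * MIN)


def admin_lock_scenario() -> tuple:
    """lock aaa user on an external user, then unlock before the 24 hours expire."""
    tracker = LockoutTracker(AaaParameter(), {"ext_user": "Good-Pass-2"})
    tracker.lock_user("ext_user", now=0)
    while_locked = tracker.login("ext_user", "Good-Pass-2", now=2 * 60 * MIN)   # 2 hours later
    tracker.unlock_user("ext_user")
    after_unlock = tracker.login("ext_user", "Good-Pass-2", now=2 * 60 * MIN + 1)
    return while_locked, after_unlock


def reboot_scenario(persistent: bool) -> str:
    """Two failures, a reboot, one more failure: locked only if the counters persisted."""
    tracker = LockoutTracker(AaaParameter(3, 10, persistent), {"demo_user": "Good-Pass-1"})
    tracker.login("demo_user", "wrong", now=0)
    tracker.login("demo_user", "wrong", now=1 * MIN)
    tracker.restart()
    return tracker.login("demo_user", "wrong", now=2 * MIN)


if __name__ == "__main__":
    print(brute_force_scenario(), stale_failures_scenario(), admin_lock_scenario())
    print(reboot_scenario(True), reboot_scenario(False))
```

The brute-force scenario reproduces the worked example from the post: the third wrong password within 10 minutes locks the account, a correct password at minute 5 is still refused, and the account is usable again once the failedLoginTimeout window has passed. The reboot scenario shows why persistentLoginAttempts matters against an attacker who spaces attempts around appliance restarts, and the admin scenario shows that unlock works on a lock aaa user lock regardless of that setting.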
Summary
The following table summarizes the user lockout functionality available with persistentLoginAttempts set to ENABLED or DISABLED in aaa parameter:
| Functionality | persistentLoginAttempts ENABLED | persistentLoginAttempts DISABLED |
|---|---|---|
| User lockout with invalid login attempts | Supported | Supported |
| Lock user | Not supported | Supported |
| Unlock user | Supported | Supported |
In this blog post, I've shown you how to configure user lockout on invalid login attempts, how to lock an individual system user in Citrix ADC, and how to unlock a system user before the lockout period expires. Check out our Secure Deployment Guide for more information on deploying your appliances securely.