From 8954f5e4f8f539b332dabb2efdd28e5cb5dd8b66 Mon Sep 17 00:00:00 2001 From: Ohad Perets Date: Mon, 3 Feb 2025 15:59:40 +0000 Subject: [PATCH 01/19] fix: gofmt --- .../v4/configuration-guide/configuration.md | 139 +++++++++++++++++- 1 file changed, 131 insertions(+), 8 deletions(-) diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md index 8441b62f8..0297b13a3 100644 --- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md @@ -657,10 +657,9 @@ claims['address'] = "{ \"address\": { .... } }" # JSON structs can be accessed u Brute force attacks are attempts to break in to secured areas of a web application by trying exhaustive, systematic, username/password combinations to discover legitimate authentication credentials. -To prevent brute force attacks, WAF tracks the number of failed attempts to reach login pages +To prevent brute force attacks, Nginx App Protect (NAP) WAF tracks the number of failed attempts to reach login pages with enforced brute force protection. When brute force patterns are detected, -the WAF policy considers it to be an attack if the failed logon rate increased significantly or -if failed logins reached a maximum threshold. +the Nginx App Protect (NAP) WAF policy considers it to be an attack if the failed logins reached a maximum threshold. ### Brute force policy example 
@@ -676,10 +675,34 @@ if failed logins reached a maximum threshold. "brute-force-attack-preventions" : [ { "bruteForceProtectionForAllLoginPages" : true, - "detectionCriteria" : { + "loginAttemptsFromTheSameIp" : { + "action" : "alarm", + "enabled" : true, + "threshold" : 20 + }, + "loginAttemptsFromTheSameUser" : { "action" : "alarm", - "failedLoginAttemptsRateReached" : 100 + "enabled" : true, + "threshold" : 3 }, + "reEnableLoginAfter" : 3600, + "sourceBasedProtectionDetectionPeriod" : 3600 + } + ] + } +} + +{ + "policy": { + "name": "BruteForcePolicySpec", + "template": { + "name": "POLICY_TEMPLATE_NGINX_BASE" + }, + "applicationLanguage": "utf-8", + "enforcementMode": "blocking", + "brute-force-attack-preventions" : [ + { + "bruteForceProtectionForAllLoginPages" : false, "loginAttemptsFromTheSameIp" : { "action" : "alarm", "enabled" : true, 
@@ -690,16 +713,116 @@ if failed logins reached a maximum threshold. "enabled" : true, "threshold" : 3 }, - "measurementPeriod" : 900, - "preventionDuration" : "3600", "reEnableLoginAfter" : 3600, - "sourceBasedProtectionDetectionPeriod" : 3600 + "sourceBasedProtectionDetectionPeriod" : 3600, + "url": { + "method": "*", + "name": "/html_login", + "protocol": "http" + } + } + ], + "login-pages": [ + { + "accessValidation" : { + "responseContains": "Success" + }, + "authenticationType": "form", + "url" : { + "method" : "*", + "name" : "/html_login", + "protocol" : "http", + "type" : "explicit" + }, + "usernameParameterName": "username", + "passwordParameterName": "password" } ] } } ``` +policy: + brute-force-attack-preventions: + Defines configuration for Brute Force Protection feature. + There is default configuration (one with bruteForceProtectionForAllLoginPages flag and without url) + that applies to all configured login URLs unless there exists another brute force configuration for a specific login page. + + bruteForceProtectionForAllLoginPages: + When enabled, enables Brute Force Protection for all configured login URLs. + When disabled, the url entry below should contain a url that is defined as a login page. + + url: + Reference to the URL used in login URL configuration (policy/login-pages). + This login URL is protected by Brute Force Protection feature. + + loginAttemptsFromTheSameIp: + Specifies configuration for detecting brute force attacks from IP Address. + + action: + Specifies action that is applied when defined threshold is reached. + - **alarm**: The system will log the login attempt. + - **alarm-and-blocking-page**: The system will log the login attempt, block the request and send the Blocking page. + + enabled: + When enabled, the system counts failed login attempts from IP Address. 
+ + threshold: + After configured threshold (number of failed login attempts from IP Address) defined action will be applied when a brute force attack will be detected. + + loginAttemptsFromTheSameUser: + Specifies configuration for detecting brute force attacks for a specific username. + + action: + Specifies action that is applied when defined threshold is reached. + - **alarm**: The system will log the login attempt. + + enabled: + When enabled, the system counts failed login attempts for a specific username. + + threshold: + After configured threshold (number of failed login attempts for a specific username) defined action will be applied when a brute force attack will be detected. + + reEnableLoginAfter: + Defines prevention period (measured in seconds) for source-based brute force attacks. + + sourceBasedProtectionDetectionPeriod: + Defines detection period (measured in seconds) for source-based brute force attacks. + + login-pages: + A login page is a URL in a web application that requests must pass through to get to the authenticated URLs. Use login pages, + for example, to prevent forceful browsing of restricted parts of the web application, by defining access permissions for users. + Login pages also allow session tracking of user sessions. + + accessValidation: + Access Validation define validation criteria for the login page response. + If you define more than one validation criteria, the response must meet all the criteria before the system allows the user to access the application login URL. + + authenticationType: + Authentication Type is method the web server uses to authenticate the login URL's credentials with a web user. + + - **none**: The web server does not authenticate users trying to access the web application through the login URL. + This is the default setting. + + - **form**: The web application uses a form to collect and authenticate user credentials. 
If using this option, + you also need to type the user name and password parameters written in the code of the HTML form. + + - **http-basic**: The user name and password are transmitted in Base64 and stored on the server in plain text. + + - **http-digest**: The web server performs the authentication; user names and passwords are not transmitted over the network, nor are they stored in plain text. + + - **ntlm**: Microsoft LAN Manager authentication (also called Integrated Windows Authentication) does not transmit credentials in plain text, + but requires a continuous TCP connection between the server and client. + + - **ajax-or-json-request**: The web server uses JSON and AJAX requests to authenticate users trying to access the web application through the login URL. + For this option, you also need to type the name of the JSON element containing the user name and password. + + usernameParameterName: + A name of parameter which will contain username string. + passwordParameterName: + A name of parameter which will contain password string. + url: + URL string used for login page. ## Custom Dimensions Log Entries From 63ac4374c863a32e24033eb51216360603e57d7c Mon Sep 17 00:00:00 2001 From: Ohad Perets Date: Mon, 3 Feb 2025 16:07:19 +0000 Subject: [PATCH 02/19] fix: split configuration --- content/nap-waf/v4/configuration-guide/configuration.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md index 0297b13a3..837fc2b48 100644 --- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md @@ -691,7 +691,8 @@ the Nginx App Protect (NAP) WAF policy considers it to be an attack if the faile ] } } - +``` +```json { "policy": { "name": "BruteForcePolicySpec", From 477554fe8e7153838572f57f872e262282192943 Mon Sep 17 00:00:00 2001 
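Review bot: the @@ -657,10 +657,9 @@ hunk of configuration.md introduces the product as "Nginx App Protect (NAP) WAF" and then spells out the full name with the abbreviation again two lines later; define the abbreviation once and use "NAP WAF" (or the product's own casing, "NGINX App Protect WAF") afterwards. Dropping the "failed logon rate increased significantly" clause is consistent with removing `failedLoginAttemptsRateReached` from the example, so prose and JSON now agree on threshold-only detection.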
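Review bot: the @@ -676,10 +675,34 @@ hunk places a second top-level `{ "policy": ... }` object directly after the first one inside the same ```json fence, which is not a valid JSON document and renders as one run-on block; close the fence after the first object, open a new ```json fence before the second, and caption each example with the case it shows (`bruteForceProtectionForAllLoginPages` true for all login pages, false plus `url` for a single page).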
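Review bot: in the @@ -690,16 +713,116 @@ hunk the `url` object inside `brute-force-attack-preventions` carries `method`, `name` and `protocol` only, while the `url` under `login-pages` that it is documented as referencing also carries `"type" : "explicit"`; the sentence "Reference to the URL used in login URL configuration (policy/login-pages)" should state which fields must match for the reference to resolve, or the example should use the same field set in both places. The new description block also needs a grammar pass: "There is default configuration" (a default configuration), "Access Validation define" (defines), "Authentication Type is method" (is the method), and "A name of parameter which will contain username string" (the name of the parameter that carries the username).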
From: Ohad Perets Date: Mon, 3 Feb 2025 16:10:57 +0000 Subject: [PATCH 03/19] fix: indent --- .../v4/configuration-guide/configuration.md | 28 +++++++++++-------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md index 837fc2b48..7d62fd939 100644 --- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md @@ -763,13 +763,15 @@ policy: action: Specifies action that is applied when defined threshold is reached. - **alarm**: The system will log the login attempt. - - **alarm-and-blocking-page**: The system will log the login attempt, block the request and send the Blocking page. + - **alarm-and-blocking-page**: The system will log the login attempt, + block the request and send the Blocking page. enabled: When enabled, the system counts failed login attempts from IP Address. threshold: - After configured threshold (number of failed login attempts from IP Address) defined action will be applied when a brute force attack will be detected. + After configured threshold (number of failed login attempts from IP Address) + defined action will be applied when a brute force attack will be detected. loginAttemptsFromTheSameUser: Specifies configuration for detecting brute force attacks for a specific username. @@ -782,7 +784,8 @@ policy: When enabled, the system counts failed login attempts for a specific username. threshold: - After configured threshold (number of failed login attempts for a specific username) defined action will be applied when a brute force attack will be detected. + After configured threshold (number of failed login attempts for a specific username) + defined action will be applied when a brute force attack will be detected. reEnableLoginAfter: Defines prevention period (measured in seconds) for source-based brute force attacks. 
@@ -791,13 +794,14 @@ policy: Defines detection period (measured in seconds) for source-based brute force attacks. login-pages: - A login page is a URL in a web application that requests must pass through to get to the authenticated URLs. Use login pages, - for example, to prevent forceful browsing of restricted parts of the web application, by defining access permissions for users. - Login pages also allow session tracking of user sessions. + A login page is a URL in a web application that requests must pass through to get to the authenticated URLs. + Use login pages, for example, to prevent forceful browsing of restricted parts of the web application, + by defining access permissions for users. Login pages also allow session tracking of user sessions. accessValidation: Access Validation define validation criteria for the login page response. - If you define more than one validation criteria, the response must meet all the criteria before the system allows the user to access the application login URL. + If you define more than one validation criteria, + the response must meet all the criteria before the system allows the user to access the application login URL. authenticationType: Authentication Type is method the web server uses to authenticate the login URL's credentials with a web user. 
@@ -810,12 +814,14 @@ policy: - **http-basic**: The user name and password are transmitted in Base64 and stored on the server in plain text. - - **http-digest**: The web server performs the authentication; user names and passwords are not transmitted over the network, nor are they stored in plain text. + - **http-digest**: The web server performs the authentication; user names and passwords + are not transmitted over the network, nor are they stored in plain text. - - **ntlm**: Microsoft LAN Manager authentication (also called Integrated Windows Authentication) does not transmit credentials in plain text, - but requires a continuous TCP connection between the server and client. + - **ntlm**: Microsoft LAN Manager authentication (also called Integrated Windows Authentication) + does not transmit credentials in plain text, but requires a continuous TCP connection between the server and client. - - **ajax-or-json-request**: The web server uses JSON and AJAX requests to authenticate users trying to access the web application through the login URL. + - **ajax-or-json-request**: The web server uses JSON and AJAX requests to authenticate users + trying to access the web application through the login URL. For this option, you also need to type the name of the JSON element containing the user name and password. usernameParameterName: From 3c65764a45075875749b58d3609a4cf2b83f8f2d Mon Sep 17 00:00:00 2001 From: Ohad Perets Date: Mon, 3 Feb 2025 21:24:19 +0000 Subject: [PATCH 04/19] fix: Beni's comments --- .../v4/configuration-guide/configuration.md | 26 ++++++++++--------- 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md index 7d62fd939..2685f8d67 100644 --- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md 
@@ -655,11 +655,12 @@ claims['address'] = "{ \"address\": { .... } }" # JSON structs can be accessed u ### Overview -Brute force attacks are attempts to break in to secured areas of a web application by trying exhaustive, +Brute force attacks are attempts to break in to secured areas of a web application by trying exhaustive, systematic, username/password combinations to discover legitimate authentication credentials. -To prevent brute force attacks, Nginx App Protect (NAP) WAF tracks the number of failed attempts to reach login pages -with enforced brute force protection. When brute force patterns are detected, -the Nginx App Protect (NAP) WAF policy considers it to be an attack if the failed logins reached a maximum threshold. +To prevent brute force attacks, WAF monitors both IP addresses and/or usernames and tracks the number of +failed attempts to reach login pages with enforced brute force protection When brute force +patterns are detected, the WAF policy considers it to be an attack if the failed login attempts +reached a maximum threshold for a specific username or coming from a specific IP. ### Brute force policy example @@ -788,7 +789,7 @@ policy: defined action will be applied when a brute force attack will be detected. reEnableLoginAfter: - Defines prevention period (measured in seconds) for source-based brute force attacks. + Defines prevention period (measured in seconds) for brute force attacks sourceBasedProtectionDetectionPeriod: Defines detection period (measured in seconds) for source-based brute force attacks. 
@@ -810,19 +811,20 @@ policy: This is the default setting. - **form**: The web application uses a form to collect and authenticate user credentials. If using this option, - you also need to type the user name and password parameters written in the code of the HTML form. + you also need to type the user name and password parameters names written in the code of the HTML form. - - **http-basic**: The user name and password are transmitted in Base64 and stored on the server in plain text. + - **http-basic**: The authentication is done using the HTTP basic authentication. + The user name and password are transmitted in Base64 and stored on the server in plain text. - - **http-digest**: The web server performs the authentication; user names and passwords - are not transmitted over the network, nor are they stored in plain text. - - **ntlm**: Microsoft LAN Manager authentication (also called Integrated Windows Authentication) - does not transmit credentials in plain text, but requires a continuous TCP connection between the server and client. + - **http-digest**: The authentication is done using the HTTP digest access authentication. + The user names and passwords are not transmitted over the network, nor are they stored in plain text. + + - **ntlm**: The authentication is done using the NTLM authentication. - **ajax-or-json-request**: The web server uses JSON and AJAX requests to authenticate users trying to access the web application through the login URL. - For this option, you also need to type the name of the JSON element containing the user name and password. + For this option, you also need to type the name of the JSON elements containing the user name and password. usernameParameterName: A name of parameter which will contain username string. From 98e356afff45b6347de56ebd985c5f1211c61938 Mon Sep 17 00:00:00 2001 
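Review bot: the new overview paragraph in the @@ -655,11 +655,12 @@ hunk is missing the full stop between "enforced brute force protection" and "When brute force patterns are detected", and "monitors both IP addresses and/or usernames" mixes "both" with "and/or"; write "monitors IP addresses and usernames" and end the first sentence before "When". The first line of the paragraph appears to differ from the removed one only in trailing whitespace after "exhaustive,", which should be dropped rather than added.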
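Review bot: the @@ -788,7 +789,7 @@ hunk drops the trailing period from the `reEnableLoginAfter` description and removes "source-based" from it, while `sourceBasedProtectionDetectionPeriod` directly below still says "for source-based brute force attacks"; if the prevention period applies to both the per-IP and the per-username detection, say so explicitly so the two fields read as a matching pair, and restore the period.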
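Review bot: in the @@ -810,19 +811,20 @@ hunk "the user name and password parameters names" should read "parameter names", and "using the HTTP basic authentication" and "using the NTLM authentication" should drop the article ("using HTTP basic authentication", "using NTLM authentication"). The shortened `ntlm` entry also loses the caveat that NTLM requires a continuous TCP connection between client and server; keep that sentence if it still matters for how the WAF tracks the login.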
From: Ohad Perets Date: Tue, 4 Feb 2025 08:24:43 +0000 Subject: [PATCH 05/19] fix: more comments --- .../v4/configuration-guide/configuration.md | 133 +++++++++--------- 1 file changed, 70 insertions(+), 63 deletions(-) diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md index 2685f8d67..967e0fcde 100644 --- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md 
@@ -657,13 +657,73 @@ claims['address'] = "{ \"address\": { .... } }" # JSON structs can be accessed u Brute force attacks are attempts to break in to secured areas of a web application by trying exhaustive, systematic, username/password combinations to discover legitimate authentication credentials. -To prevent brute force attacks, WAF monitors both IP addresses and/or usernames and tracks the number of -failed attempts to reach login pages with enforced brute force protection When brute force -patterns are detected, the WAF policy considers it to be an attack if the failed login attempts -reached a maximum threshold for a specific username or coming from a specific IP. +To prevent brute force attacks, NGINX App Protect WAF monitors both IP addresses and/or usernames and tracks the number of +failed login attempts reached a maximum threshold. +When brute force patterns are detected, the NGINX App Protect WAF policy either trigger an alarm or block the attack if the failed +login attempts reached a maximum threshold for a specific username or coming from a specific IP address. + +### Login page policy example +```json + "login-pages": [ + { + "accessValidation" : { + "responseContains": "Success" + }, + "authenticationType": "form", + "url" : { + "method" : "*", + "name" : "/html_login", + "protocol" : "http", + "type" : "explicit" + }, + "usernameParameterName": "username", + "passwordParameterName": "password" + } + ] +``` +login-pages: + A login page is a URL in a web application that requests must pass through to get to the authenticated URLs. + Use login pages, for example, to prevent forceful browsing of restricted parts of the web application, + by defining access permissions for users. Login pages also allow session tracking of user sessions. + + accessValidation: + Access Validation define validation criteria for the login page response. 
+ If you define more than one validation criteria, + the response must meet all the criteria before the system allows the user to access the application login URL. + + authenticationType: + Authentication Type is method the web server uses to authenticate the login URL's credentials with a web user. + + - **none**: The web server does not authenticate users trying to access the web application through the login URL. + This is the default setting. + + - **form**: The web application uses a form to collect and authenticate user credentials. If using this option, + you also need to type the user name and password parameters names written in the code of the HTML form. + + - **http-basic**: The authentication is done using the HTTP basic authentication. + The user name and password are transmitted in Base64 and stored on the server in plain text. + + + - **http-digest**: The authentication is done using the HTTP digest access authentication. + The user names and passwords are not transmitted over the network, nor are they stored in plain text. + + - **ntlm**: The authentication is done using the NTLM authentication. + + - **ajax-or-json-request**: The web server uses JSON and AJAX requests to authenticate users + trying to access the web application through the login URL. + For this option, you also need to type the name of the JSON elements containing the user name and password. + + usernameParameterName: + A name of parameter which will contain username string. + passwordParameterName: + A name of parameter which will contain password string. + url: + URL string used for login page. ### Brute force policy example +Example1: A single brute force configuration is applied universally to all login pages. +Use Case ```json { "policy": { @@ -693,6 +753,8 @@ reached a maximum threshold for a specific username or coming from a specific IP } } ``` + +Example2: Different brute force configurations can be defined for individual login page. ```json { "policy": { 
@@ -718,31 +780,15 @@ reached a maximum threshold for a specific username or coming from a specific IP "reEnableLoginAfter" : 3600, "sourceBasedProtectionDetectionPeriod" : 3600, "url": { - "method": "*", - "name": "/html_login", - "protocol": "http" + "method": "*", + "name": "/html_login", + "protocol": "http" } } ], - "login-pages": [ - { - "accessValidation" : { - "responseContains": "Success" - }, - "authenticationType": "form", - "url" : { - "method" : "*", - "name" : "/html_login", - "protocol" : "http", - "type" : "explicit" - }, - "usernameParameterName": "username", - "passwordParameterName": "password" - } - ] + } } - ``` policy: brute-force-attack-preventions: 
@@ -794,45 +840,6 @@ policy: sourceBasedProtectionDetectionPeriod: Defines detection period (measured in seconds) for source-based brute force attacks. - login-pages: - A login page is a URL in a web application that requests must pass through to get to the authenticated URLs. - Use login pages, for example, to prevent forceful browsing of restricted parts of the web application, - by defining access permissions for users. Login pages also allow session tracking of user sessions. - - accessValidation: - Access Validation define validation criteria for the login page response. - If you define more than one validation criteria, - the response must meet all the criteria before the system allows the user to access the application login URL. - - authenticationType: - Authentication Type is method the web server uses to authenticate the login URL's credentials with a web user. - - - **none**: The web server does not authenticate users trying to access the web application through the login URL. - This is the default setting. - - - **form**: The web application uses a form to collect and authenticate user credentials. If using this option, - you also need to type the user name and password parameters names written in the code of the HTML form. - - - **http-basic**: The authentication is done using the HTTP basic authentication. - The user name and password are transmitted in Base64 and stored on the server in plain text. - - - - **http-digest**: The authentication is done using the HTTP digest access authentication. - The user names and passwords are not transmitted over the network, nor are they stored in plain text. - - - **ntlm**: The authentication is done using the NTLM authentication. - - - **ajax-or-json-request**: The web server uses JSON and AJAX requests to authenticate users - trying to access the web application through the login URL. - For this option, you also need to type the name of the JSON elements containing the user name and password. 
- - usernameParameterName: - A name of parameter which will contain username string. - passwordParameterName: - A name of parameter which will contain password string. - url: - URL string used for login page. - ## Custom Dimensions Log Entries ### Overview From b18d995ce323e32b329e5259b761158cd04fe39f Mon Sep 17 00:00:00 2001 From: Ohad Perets Date: Tue, 4 Feb 2025 08:32:16 +0000 Subject: [PATCH 06/19] fix: more comments --- content/nap-waf/v4/configuration-guide/configuration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md index 967e0fcde..167fb560e 100644 --- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md @@ -661,7 +661,8 @@ To prevent brute force attacks, NGINX App Protect WAF monitors both IP addresse failed login attempts reached a maximum threshold. When brute force patterns are detected, the NGINX App Protect WAF policy either trigger an alarm or block the attack if the failed login attempts reached a maximum threshold for a specific username or coming from a specific IP address. - +To enable brute force protection, at least one login page must be created. + ### Login page policy example ```json "login-pages": [ @@ -723,7 +724,6 @@ login-pages: ### Brute force policy example Example1: A single brute force configuration is applied universally to all login pages. -Use Case ```json { "policy": { From 5d90cb5a5c771e93b1cfba68819faed08d5f61a6 Mon Sep 17 00:00:00 2001 From: Ohad Perets Date: Tue, 4 Feb 2025 10:11:55 +0000 Subject: [PATCH 07/19] fix: remove doc and add links to declar --- content/includes/nap-waf/policy.html | 84 +--------------- .../v4/configuration-guide/configuration.md | 97 ++----------------- 2 files changed, 12 insertions(+), 169 deletions(-) 
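Review bot: the overview rewritten in the @@ -657,13 +657,73 @@ hunk no longer parses as English: "tracks the number of failed login attempts reached a maximum threshold" needs "until it reaches", and "the NGINX App Protect WAF policy either trigger an alarm or block the attack" needs "triggers an alarm or blocks". The stray "Use Case" line under "Example1:" (removed again in the next patch) and the missing space in "Example1" and "Example2" belong in the same fix. The new login-page snippet is a bare `"login-pages": [...]` fragment while both brute force examples are complete policies; either wrap it in the same `{ "policy": { ... } }` shell or state that it is a fragment to be placed under `policy`.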
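Review bot: removing the `login-pages` block from Example 2 in the @@ -718,31 +780,15 @@ hunk leaves the unchanged context line `],` with its trailing comma immediately before the added `}`, so the example is no longer valid JSON; change `],` to `]` in the same hunk. The re-indentation of the `url` keys in this hunk is whitespace only and is fine.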
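Review bot: in the @@ -661,7 +661,8 @@ hunk the blank line after the new sentence "To enable brute force protection, at least one login page must be created." is re-added as `+ ` with trailing whitespace in place of the removed empty line; keep the blank line without trailing spaces. The sentence itself is a useful constraint, since the brute force examples below only work once a matching `login-pages` entry exists.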
diff --git a/content/includes/nap-waf/policy.html b/content/includes/nap-waf/policy.html index 446d4fc44..6ad09bb82 100644 --- a/content/includes/nap-waf/policy.html +++ b/content/includes/nap-waf/policy.html @@ -803,54 +803,30 @@

brute-force-attack-preventions -detectionCriteria -object -Specifies configuration for detecting distributed brute force attacks. - - - loginAttemptsFromTheSameIp object Specifies configuration for detecting brute force attacks from IP Address. - + loginAttemptsFromTheSameUser object Specifies configuration for detecting brute force attacks for Username. - -measurementPeriod -integer minimum: 60 maximum: 90000 -Defines detection period (measured in seconds) for distributed brute force attacks. - - -preventionDuration -
    -
  • integer minimum: 60 maximum: 90000
  • -
  • string
  • -
-Defines prevention period (measured in seconds) for distributed brute force attacks. -
    -
  • Integer values
  • -
  • "unlimited"
  • -
- - reEnableLoginAfter integer minimum: 60 maximum: 90000 Defines prevention period (measured in seconds) for source-based brute force attacks. - + sourceBasedProtectionDetectionPeriod integer minimum: 60 maximum: 90000 Defines detection period (measured in seconds) for source-based brute force attacks. - + url object Reference to the URL used in login URL configuration (policy/login-pages). This login URL is protected by Brute Force Protection feature. @@ -858,52 +834,6 @@
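Review bot: the @@ -803,54 +803,30 @@ hunk of policy.html removes `detectionCriteria`, `measurementPeriod` and `preventionDuration` from the `brute-force-attack-preventions` summary, which matches the configuration.md examples that no longer use them; the PR description should say whether these keys are also rejected by the policy schema or merely undocumented, because users with `detectionCriteria` in existing policies will look for it here. Several `-`/`+` pairs in this hunk (around `loginAttemptsFromTheSameIp`, `reEnableLoginAfter` and `sourceBasedProtectionDetectionPeriod`) show no visible text change and appear to be whitespace-only; consider dropping them to keep the diff focused.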

brute-force-attack-preventions -

detectionCriteria

- ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Field NameTypeDescriptionAllowed Values

action

string

Specifies action that is applied when one of the defined thresholds (credentialsStuffingMatchesReached, failedLoginAttemptsRateReached) is reached.

-
-
    -
  • alarm: The system will log the login attempt.
  • -
  • alarm-and-client-side-integrity: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.
  • -
-
    -
  • alarm
  • -
  • alarm-and-client-side-integrity
  • -
credentialsStuffingMatchesReachedinteger minimum: 1 maximum: 10000After configured threshold (number of detected login attempts that match known leaked credentials library) defined action will be applied for the next login attempt.
failedLoginAttemptsRateReachedinteger minimum: 1 maximum: 10000After configured threshold (number of failed login attempts within measurementPeriod) defined action will be applied for the next login attempt.

loginAttemptsFromTheSameIp
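Review bot: the @@ -858,52 +834,6 @@ hunk deletes the whole `detectionCriteria` table, which is the only place the reference describes `credentialsStuffingMatchesReached` and the `alarm-and-client-side-integrity` action; confirm that credential stuffing detection is gone from the v4 schema as well, otherwise keep a row for that field somewhere in the reference rather than dropping it with the table.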

@@ -929,17 +859,11 @@

loginA
  • alarm: The system will log the login attempt.
  • alarm-and-blocking-page: The system will log the login attempt, block the request and send the Blocking page.
  • -
  • alarm-and-client-side-integrity: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.
  • -
  • alarm-and-drop: The system will log the login attempt and reset the TCP connection.
  • -
  • alarm-and-honeypot-page: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.
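Review bot: the @@ -929,17 +859,11 @@ hunk trims the `loginAttemptsFromTheSameIp` action list to `alarm` and `alarm-and-blocking-page`, removing `alarm-and-client-side-integrity`, `alarm-and-drop` and `alarm-and-honeypot-page`; this is consistent with the two actions documented in configuration.md, but the removed honeypot text was the only place explaining why a blocking page lets an attacker distinguish a mitigation from a failed login. If the honeypot page is no longer available, a one-line hint in the `alarm-and-blocking-page` description that the blocking response is distinguishable from a normal failed login would preserve that guidance.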

@@ -980,12 +904,10 @@

logi
  • alarm: The system will log the login attempt.
  • -
  • alarm-and-client-side-integrity: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.

diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md index 167fb560e..52641605f 100644 --- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md @@ -664,6 +664,11 @@ login attempts reached a maximum threshold for a specific username or coming fro To enable brute force protection, at least one login page must be created. ### Login page policy example +login-pages: + Login page is a URL in a web application that requests must pass through to get to the authenticated URLs. + Use login pages, for example, to prevent forceful browsing of restricted parts of the web application, + by defining access permissions for users. Login pages also allow session tracking of user sessions. + ```json "login-pages": [ { 
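Review bot: the @@ -664,6 +664,11 @@ hunk of configuration.md places the `login-pages:` description above the ```json fence as indented plain text; in Markdown an indented paragraph following a heading renders as a code block, so either unindent it into normal prose or keep it in the same style as the rest of the section. "Login page is a URL" also needs the article ("A login page is a URL").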
@@ -681,46 +686,8 @@ To enable brute force protection, at least one login page must be created. "passwordParameterName": "password" } ] -``` -login-pages: - A login page is a URL in a web application that requests must pass through to get to the authenticated URLs. - Use login pages, for example, to prevent forceful browsing of restricted parts of the web application, - by defining access permissions for users. Login pages also allow session tracking of user sessions. - - accessValidation: - Access Validation define validation criteria for the login page response. - If you define more than one validation criteria, - the response must meet all the criteria before the system allows the user to access the application login URL. - - authenticationType: - Authentication Type is method the web server uses to authenticate the login URL's credentials with a web user. - - - **none**: The web server does not authenticate users trying to access the web application through the login URL. - This is the default setting. - - - **form**: The web application uses a form to collect and authenticate user credentials. If using this option, - you also need to type the user name and password parameters names written in the code of the HTML form. - - - **http-basic**: The authentication is done using the HTTP basic authentication. - The user name and password are transmitted in Base64 and stored on the server in plain text. - - - - **http-digest**: The authentication is done using the HTTP digest access authentication. - The user names and passwords are not transmitted over the network, nor are they stored in plain text. - - - **ntlm**: The authentication is done using the NTLM authentication. - - - **ajax-or-json-request**: The web server uses JSON and AJAX requests to authenticate users - trying to access the web application through the login URL. - For this option, you also need to type the name of the JSON elements containing the user name and password. 
- - usernameParameterName: - A name of parameter which will contain username string. - passwordParameterName: - A name of parameter which will contain password string. - url: - URL string used for login page. - +``` +{{< note >}} For access profile default values and their related field names, see NGINX App Protect WAF [Declarative Policy guide]({{< relref "/nap-waf/v4/declarative-policy/policy/#policy/login-pages" >}}). {{< /note >}} ### Brute force policy example Example1: A single brute force configuration is applied universally to all login pages. 
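Review bot: the replacement note says "For access profile default values and their related field names" but links to `#policy/login-pages`; the sentence was written for a different section and should read "For login page default values and their related field names". This hunk also deletes the only in-page description of `authenticationType` and its `form` requirement (the user name and password parameter names must match those in the HTML form), which the example above relies on with `"authenticationType": "form"`; confirm that the linked Declarative Policy guide anchor documents those values, otherwise keep a one-sentence summary beside the example.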
@@ -790,55 +757,9 @@ Example2: Different brute force configurations can be defined for individual log } } ``` -policy: - brute-force-attack-preventions: - Defines configuration for Brute Force Protection feature. - There is default configuration (one with bruteForceProtectionForAllLoginPages flag and without url) - that applies to all configured login URLs unless there exists another brute force configuration for a specific login page. - - bruteForceProtectionForAllLoginPages: - When enabled, enables Brute Force Protection for all configured login URLs. - When disabled, the url entry below should contain a url that is defined as a login page. - - url: - Reference to the URL used in login URL configuration (policy/login-pages). - This login URL is protected by Brute Force Protection feature. - - loginAttemptsFromTheSameIp: - Specifies configuration for detecting brute force attacks from IP Address. - - action: - Specifies action that is applied when defined threshold is reached. - - **alarm**: The system will log the login attempt. - - **alarm-and-blocking-page**: The system will log the login attempt, - block the request and send the Blocking page. - - enabled: - When enabled, the system counts failed login attempts from IP Address. - - threshold: - After configured threshold (number of failed login attempts from IP Address) - defined action will be applied when a brute force attack will be detected. - - loginAttemptsFromTheSameUser: - Specifies configuration for detecting brute force attacks for a specific username. - - action: - Specifies action that is applied when defined threshold is reached. - - **alarm**: The system will log the login attempt. - - enabled: - When enabled, the system counts failed login attempts for a specific username. - - threshold: - After configured threshold (number of failed login attempts for a specific username) - defined action will be applied when a brute force attack will be detected. 
- - reEnableLoginAfter: - Defines prevention period (measured in seconds) for brute force attacks +{{< note >}} For access profile default values and their related field names, see NGINX App Protect WAF [Declarative Policy guide] +({{< relref "/nap-waf/v4/declarative-policy/policy/#policy/brute-force-attack-preventions" >}}). {{< /note >}} - sourceBasedProtectionDetectionPeriod: - Defines detection period (measured in seconds) for source-based brute force attacks. ## Custom Dimensions Log Entries From 554e5a1120b15c692149d2e86109d6a84b3bfa5f Mon Sep 17 00:00:00 2001 From: Ohad Perets Date: Tue, 4 Feb 2025 10:19:35 +0000 Subject: [PATCH 08/19] fix: remove doc and add links to declar --- content/nap-waf/v4/configuration-guide/configuration.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md index 52641605f..37ef3e6bd 100644 --- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md @@ -687,7 +687,8 @@ login-pages: } ] ``` -{{< note >}} For access profile default values and their related field names, see NGINX App Protect WAF [Declarative Policy guide]({{< relref "/nap-waf/v4/declarative-policy/policy/#policy/login-pages" >}}). {{< /note >}} + +{{< note >}} For further configuration details, see NGINX App Protect WAF Declarative Policy Guide [Declarative Policy guide]({{< relref "/nap-waf/v4/declarative-policy/policy/#policy/login-pages" >}}). {{< /note >}} ### Brute force policy example Example1: A single brute force configuration is applied universally to all login pages. 
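Review bot: in the third hunk of this patch the markdown link in the added note is split across two lines (`[Declarative Policy guide]` on one line, `({{< relref ... >}})` on the next), which breaks the link when rendered; keep `[text](url)` on one line. The "access profile default values" wording is reused here although the target is `#policy/brute-force-attack-preventions`. The hunk also removes the only statements that `reEnableLoginAfter` and `sourceBasedProtectionDetectionPeriod` are measured in seconds; the examples show bare `3600`, so either confirm the linked guide states the unit or keep a short unit note next to the example.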
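Review bot: in the PATCH 08 hunk the reworded note reads "see NGINX App Protect WAF Declarative Policy Guide [Declarative Policy guide](...)", which names the guide twice in a row; use `see the NGINX App Protect WAF [Declarative Policy guide]({{< relref "/nap-waf/v4/declarative-policy/policy/#policy/login-pages" >}})`. The second hunk of the same patch repeats the doubled phrase for the brute-force note.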
@@ -757,7 +758,7 @@ Example2: Different brute force configurations can be defined for individual log } } ``` -{{< note >}} For access profile default values and their related field names, see NGINX App Protect WAF [Declarative Policy guide] +{{< note >}} For further configuration details, see NGINX App Protect WAF Declarative Policy Guide [Declarative Policy guide] ({{< relref "/nap-waf/v4/declarative-policy/policy/#policy/brute-force-attack-preventions" >}}). {{< /note >}} From c0397493c2e3d108fe9a876b091ea806600dfe05 Mon Sep 17 00:00:00 2001 From: Ohad Perets Date: Tue, 4 Feb 2025 10:25:56 +0000 Subject: [PATCH 09/19] fix: brokenlink --- content/nap-waf/v4/configuration-guide/configuration.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md index 37ef3e6bd..31b61ba00 100644 --- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md @@ -758,9 +758,7 @@ Example2: Different brute force configurations can be defined for individual log } } ``` -{{< note >}} For further configuration details, see NGINX App Protect WAF Declarative Policy Guide [Declarative Policy guide] -({{< relref "/nap-waf/v4/declarative-policy/policy/#policy/brute-force-attack-preventions" >}}). {{< /note >}} - +{{< note >}} For further configuration details, see NGINX App Protect WAF Declarative Policy Guide [Declarative Policy guide]({{< relref "/nap-waf/v4/declarative-policy/policy/#policy/brute-force-attack-preventions" >}}). {{< /note >}} ## Custom Dimensions Log Entries From 2e5c9e4f3ecd55128dc42f5f16f648fa2b6d34e6 Mon Sep 17 00:00:00 2001 From: Ohad Perets Date: Tue, 4 Feb 2025 10:28:20 +0000 Subject: [PATCH 10/19] fix: remove loginpage expla --- content/nap-waf/v4/configuration-guide/configuration.md | 5 ----- 1 file changed, 5 deletions(-) 
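Review bot: joining the link onto one line fixes the broken reference, but the hunk also drops the blank line between the closing `{{< /note >}}` and `## Custom Dimensions Log Entries`; keep a blank line before the heading, matching the rest of the file. The doubled "Declarative Policy Guide [Declarative Policy guide]" wording carried over from the previous patch is still present on the rejoined line.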
diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md index 31b61ba00..29f1a65a7 100644 --- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md @@ -664,11 +664,6 @@ login attempts reached a maximum threshold for a specific username or coming fro To enable brute force protection, at least one login page must be created. ### Login page policy example -login-pages: - Login page is a URL in a web application that requests must pass through to get to the authenticated URLs. - Use login pages, for example, to prevent forceful browsing of restricted parts of the web application, - by defining access permissions for users. Login pages also allow session tracking of user sessions. - ```json "login-pages": [ { From f3fec4e7257417692f66b47268dbf209b324f41c Mon Sep 17 00:00:00 2001 From: Ohad Perets Date: Tue, 4 Feb 2025 12:22:19 +0000 Subject: [PATCH 11/19] fix: also for v5 --- .../v5/configuration-guide/configuration.md | 79 ++++++++++++++++--- 1 file changed, 67 insertions(+), 12 deletions(-) diff --git a/content/nap-waf/v5/configuration-guide/configuration.md b/content/nap-waf/v5/configuration-guide/configuration.md index 09463695b..31a022ead 100644 --- a/content/nap-waf/v5/configuration-guide/configuration.md +++ b/content/nap-waf/v5/configuration-guide/configuration.md 
@@ -791,15 +791,40 @@ To enable mTLS in NGINX, you need to perform the following steps: ## Brute Force Attack Preventions -Brute force attacks are attempts to break in to secured areas of a web application by trying exhaustive, +### Overview + +Brute force attacks are attempts to break in to secured areas of a web application by trying exhaustive, systematic, username/password combinations to discover legitimate authentication credentials. -To prevent brute force attacks, WAF tracks the number of failed attempts to reach login pages -with enforced brute force protection. When brute force patterns are detected, -the WAF policy considers it to be an attack if the failed logon rate increased significantly or -if failed logins reached a maximum threshold. +To prevent brute force attacks, NGINX App Protect WAF monitors both IP addresses and/or usernames and tracks the number of +failed login attempts reached a maximum threshold. +When brute force patterns are detected, the NGINX App Protect WAF policy either trigger an alarm or block the attack if the failed +login attempts reached a maximum threshold for a specific username or coming from a specific IP address. +To enable brute force protection, at least one login page must be created. +### Login page policy example +```json + "login-pages": [ + { + "accessValidation" : { + "responseContains": "Success" + }, + "authenticationType": "form", + "url" : { + "method" : "*", + "name" : "/html_login", + "protocol" : "http", + "type" : "explicit" + }, + "usernameParameterName": "username", + "passwordParameterName": "password" + } + ] +``` + +{{< note >}} For further configuration details, see NGINX App Protect WAF Declarative Policy Guide [Declarative Policy guide]({{< relref "/nap-waf/v5/declarative-policy/policy/#policy/login-pages" >}}). {{< /note >}} ### Brute force policy example +Example1: A single brute force configuration is applied universally to all login pages. ```json { "policy": { 
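Review bot: the new overview sentences have grammar problems that this patch copies into the v5 guide: "monitors both IP addresses and/or usernames and tracks the number of failed login attempts reached a maximum threshold" mixes "both" with "and/or" and has no verb before "reached", and "the NGINX App Protect WAF policy either trigger an alarm or block the attack" needs "triggers ... or blocks". Suggest: `NGINX App Protect WAF counts failed login attempts per IP address and per username; when a count reaches its threshold, the policy either triggers an alarm or blocks the attack.` The note added under the login page example also repeats the guide name ("Declarative Policy Guide [Declarative Policy guide]").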
@@ -812,11 +837,6 @@ if failed logins reached a maximum threshold. "brute-force-attack-preventions" : [ { "bruteForceProtectionForAllLoginPages" : true, - "detectionCriteria" : { - "action" : "alarm", - "detectDistributedBruteForceAttack" : true, - "failedLoginAttemptsRateReached" : 100 - }, "loginAttemptsFromTheSameIp" : { "action" : "alarm", "enabled" : true, @@ -827,16 +847,51 @@ if failed logins reached a maximum threshold. "enabled" : true, "threshold" : 3 }, - "measurementPeriod" : 900, - "preventionDuration" : "3600", "reEnableLoginAfter" : 3600, "sourceBasedProtectionDetectionPeriod" : 3600 } ] } } +``` +Example2: Different brute force configurations can be defined for individual login page. +```json +{ + "policy": { + "name": "BruteForcePolicySpec", + "template": { + "name": "POLICY_TEMPLATE_NGINX_BASE" + }, + "applicationLanguage": "utf-8", + "enforcementMode": "blocking", + "brute-force-attack-preventions" : [ + { + "bruteForceProtectionForAllLoginPages" : false, + "loginAttemptsFromTheSameIp" : { + "action" : "alarm", + "enabled" : true, + "threshold" : 20 + }, + "loginAttemptsFromTheSameUser" : { + "action" : "alarm", + "enabled" : true, + "threshold" : 3 + }, + "reEnableLoginAfter" : 3600, + "sourceBasedProtectionDetectionPeriod" : 3600, + "url": { + "method": "*", + "name": "/html_login", + "protocol": "http" + } + } + ], + + } +} ``` +{{< note >}} For further configuration details, see NGINX App Protect WAF Declarative Policy Guide [Declarative Policy guide]({{< relref "/nap-waf/v5/declarative-policy/policy/#policy/brute-force-attack-preventions" >}}). {{< /note >}} ## Custom Dimensions Log Entries From 24c6eafa4273f05b74d89cd020f8b8ffdba55da9 Mon Sep 17 00:00:00 2001 From: Ohad Perets Date: Tue, 4 Feb 2025 12:31:34 +0000 Subject: [PATCH 12/19] fix: add login expl --- content/nap-waf/v4/configuration-guide/configuration.md | 2 ++ content/nap-waf/v5/configuration-guide/configuration.md | 2 ++ 2 files changed, 4 insertions(+) 
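Review bot: the Example2 JSON in the third hunk is not valid JSON: the `brute-force-attack-preventions` array is closed with `],` followed only by a blank line and `}`, so the trailing comma after `]` must be removed (readers paste these blocks as policy files). The `url` reference in this example has `method`, `name` and `protocol` but no `"type": "explicit"`, while the login page it points to in the example above is declared with `"type": "explicit"`; confirm that the reference resolves without `type`, or add it for consistency. The same hunk also removes `measurementPeriod` and `preventionDuration` from Example1 without comment; a line in the PR description saying why would help reviewers of the v4 and v5 changes.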
diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md index 29f1a65a7..a70ae9ebc 100644 --- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md @@ -664,6 +664,8 @@ login attempts reached a maximum threshold for a specific username or coming fro To enable brute force protection, at least one login page must be created. ### Login page policy example + +A login page specifies the login URL that users must pass through to get authenticated. The configuration of a login URL includes the URL itself, the username and passwords parameters and the validation criteria (how we know that a login was successful or failed) ```json "login-pages": [ { diff --git a/content/nap-waf/v5/configuration-guide/configuration.md b/content/nap-waf/v5/configuration-guide/configuration.md index 31a022ead..de1540b72 100644 --- a/content/nap-waf/v5/configuration-guide/configuration.md +++ b/content/nap-waf/v5/configuration-guide/configuration.md @@ -802,6 +802,8 @@ login attempts reached a maximum threshold for a specific username or coming fro To enable brute force protection, at least one login page must be created. ### Login page policy example + +A login page specifies the login URL that users must pass through to get authenticated. The configuration of a login URL includes the URL itself, the username and passwords parameters and the validation criteria (how we know that a login was successful or failed) ```json "login-pages": [ { From 141c13d4964ef7db17fdc978856489841b3602ea Mon Sep 17 00:00:00 2001 From: Ohad Perets Date: Tue, 4 Feb 2025 15:56:41 +0000 Subject: [PATCH 13/19] fix: typo --- content/nap-waf/v4/configuration-guide/configuration.md | 2 +- content/nap-waf/v5/configuration-guide/configuration.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
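Review bot: the added sentence (identical in the v4 and v5 hunks of this patch) has "the username and passwords parameters", which should be "the username and password parameters", ends without a period, and the parenthetical "how we know that a login was successful or failed" is informal for a reference page; suggest `... the username and password parameter names, and the validation criteria that tell NGINX App Protect WAF whether a login succeeded or failed.` For consistency with the rest of the section, add a blank line between this paragraph and the ```json fence.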
diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md index a70ae9ebc..0cb610eff 100644 --- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md @@ -719,7 +719,7 @@ Example1: A single brute force configuration is applied universally to all login } ``` -Example2: Different brute force configurations can be defined for individual login page. +Example2: Different brute force configurations can be defined for individual login pages. ```json { "policy": { diff --git a/content/nap-waf/v5/configuration-guide/configuration.md b/content/nap-waf/v5/configuration-guide/configuration.md index de1540b72..590ddc9f2 100644 --- a/content/nap-waf/v5/configuration-guide/configuration.md +++ b/content/nap-waf/v5/configuration-guide/configuration.md @@ -857,7 +857,7 @@ Example1: A single brute force configuration is applied universally to all login } ``` -Example2: Different brute force configurations can be defined for individual login page. +Example2: Different brute force configurations can be defined for individual login pages. ```json { "policy": { From 133ee64d7383494fe9ba21fdf3620f0d6d9fda7c Mon Sep 17 00:00:00 2001 From: ohad-perets <126083286+ohad-perets@users.noreply.github.com> Date: Tue, 4 Feb 2025 18:57:09 +0200 Subject: [PATCH 14/19] Update content/nap-waf/v4/configuration-guide/configuration.md Co-authored-by: Alan Dooley --- content/nap-waf/v4/configuration-guide/configuration.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md index 0cb610eff..69d315668 100644 --- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md 
@@ -657,8 +657,7 @@ claims['address'] = "{ \"address\": { .... } }" # JSON structs can be accessed u Brute force attacks are attempts to break in to secured areas of a web application by trying exhaustive, systematic, username/password combinations to discover legitimate authentication credentials. -To prevent brute force attacks, NGINX App Protect WAF monitors both IP addresses and/or usernames and tracks the number of -failed login attempts reached a maximum threshold. +To prevent brute force attacks, NGINX App Protect WAF monitors IP addresses, usernames, and the number of failed login attempts beyond a maximum threshold. When brute force patterns are detected, the NGINX App Protect WAF policy either trigger an alarm or block the attack if the failed login attempts reached a maximum threshold for a specific username or coming from a specific IP address. To enable brute force protection, at least one login page must be created. From f45c865b769da1c8c834281a2bc785e4daff8856 Mon Sep 17 00:00:00 2001 From: ohad-perets <126083286+ohad-perets@users.noreply.github.com> Date: Tue, 4 Feb 2025 18:57:24 +0200 Subject: [PATCH 15/19] Update content/nap-waf/v4/configuration-guide/configuration.md Co-authored-by: Alan Dooley --- content/nap-waf/v4/configuration-guide/configuration.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md index 69d315668..c4dff9b91 100644 --- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md 
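Review bot: the rewritten sentence reads well, but the sentence right after it (unchanged context) still has the agreement error "the NGINX App Protect WAF policy either trigger an alarm or block the attack", and the paragraph's first line keeps "break in to secured areas" (should be "break into"); since this patch already rewrites the paragraph, fix both here and mirror the change in the v5 copy.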
@@ -662,6 +662,8 @@ When brute force patterns are detected, the NGINX App Protect WAF policy either login attempts reached a maximum threshold for a specific username or coming from a specific IP address. To enable brute force protection, at least one login page must be created. +--- + ### Login page policy example A login page specifies the login URL that users must pass through to get authenticated. The configuration of a login URL includes the URL itself, the username and passwords parameters and the validation criteria (how we know that a login was successful or failed) From fb6262109669b7e5c81aa0b8c7e9719d6eee417a Mon Sep 17 00:00:00 2001 From: ohad-perets <126083286+ohad-perets@users.noreply.github.com> Date: Tue, 4 Feb 2025 18:57:53 +0200 Subject: [PATCH 16/19] Update content/nap-waf/v4/configuration-guide/configuration.md Co-authored-by: Alan Dooley --- content/nap-waf/v4/configuration-guide/configuration.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md index c4dff9b91..e96be795c 100644 --- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md @@ -687,6 +687,8 @@ A login page specifies the login URL that users must pass through to get authent ``` {{< note >}} For further configuration details, see NGINX App Protect WAF Declarative Policy Guide [Declarative Policy guide]({{< relref "/nap-waf/v4/declarative-policy/policy/#policy/login-pages" >}}). {{< /note >}} + +--- ### Brute force policy example Example1: A single brute force configuration is applied universally to all login pages. From eb303cffe4ce0a38b4c63f270d6de23d142d1107 Mon Sep 17 00:00:00 2001 
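Review bot: in the PATCH 16 hunk the `---` inserted before `### Brute force policy example` has a blank line before it but not after, whereas the v5 counterpart in PATCH 19 adds a blank line on both sides (3 insertions); add the trailing blank line here so the two guides stay identical and the thematic break is separated from the heading in the source.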
From: ohad-perets <126083286+ohad-perets@users.noreply.github.com> Date: Tue, 4 Feb 2025 18:58:14 +0200 Subject: [PATCH 17/19] Update content/nap-waf/v5/configuration-guide/configuration.md Co-authored-by: Alan Dooley --- content/nap-waf/v5/configuration-guide/configuration.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/content/nap-waf/v5/configuration-guide/configuration.md b/content/nap-waf/v5/configuration-guide/configuration.md index 590ddc9f2..c27a7ccd9 100644 --- a/content/nap-waf/v5/configuration-guide/configuration.md +++ b/content/nap-waf/v5/configuration-guide/configuration.md @@ -795,8 +795,7 @@ To enable mTLS in NGINX, you need to perform the following steps: Brute force attacks are attempts to break in to secured areas of a web application by trying exhaustive, systematic, username/password combinations to discover legitimate authentication credentials. -To prevent brute force attacks, NGINX App Protect WAF monitors both IP addresses and/or usernames and tracks the number of -failed login attempts reached a maximum threshold. +To prevent brute force attacks, NGINX App Protect WAF monitors IP addresses, usernames, and the number of failed login attempts beyond a maximum threshold. When brute force patterns are detected, the NGINX App Protect WAF policy either trigger an alarm or block the attack if the failed login attempts reached a maximum threshold for a specific username or coming from a specific IP address. To enable brute force protection, at least one login page must be created. From 817f672e20491e3657a706af84e03bf33c8b9c1a Mon Sep 17 00:00:00 2001 From: ohad-perets <126083286+ohad-perets@users.noreply.github.com> Date: Tue, 4 Feb 2025 18:58:24 +0200 Subject: [PATCH 18/19] Update content/nap-waf/v5/configuration-guide/configuration.md Co-authored-by: Alan Dooley --- content/nap-waf/v5/configuration-guide/configuration.md | 2 ++ 1 file changed, 2 insertions(+) 
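Review bot: the v5 copy of this paragraph keeps the same unchanged context problems as the v4 hunk: "the NGINX App Protect WAF policy either trigger an alarm or block the attack" needs "triggers ... or blocks", and "break in to secured areas" should be "break into"; both files should get the same wording in this patch series.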
diff --git a/content/nap-waf/v5/configuration-guide/configuration.md b/content/nap-waf/v5/configuration-guide/configuration.md index c27a7ccd9..7f89ab036 100644 --- a/content/nap-waf/v5/configuration-guide/configuration.md +++ b/content/nap-waf/v5/configuration-guide/configuration.md @@ -800,6 +800,8 @@ When brute force patterns are detected, the NGINX App Protect WAF policy either login attempts reached a maximum threshold for a specific username or coming from a specific IP address. To enable brute force protection, at least one login page must be created. +--- + ### Login page policy example A login page specifies the login URL that users must pass through to get authenticated. The configuration of a login URL includes the URL itself, the username and passwords parameters and the validation criteria (how we know that a login was successful or failed) From 45b74997f9dcf35e7f086e8e1c76785a0e23e4ad Mon Sep 17 00:00:00 2001 From: ohad-perets <126083286+ohad-perets@users.noreply.github.com> Date: Tue, 4 Feb 2025 18:58:32 +0200 Subject: [PATCH 19/19] Update content/nap-waf/v5/configuration-guide/configuration.md Co-authored-by: Alan Dooley --- content/nap-waf/v5/configuration-guide/configuration.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/content/nap-waf/v5/configuration-guide/configuration.md b/content/nap-waf/v5/configuration-guide/configuration.md index 7f89ab036..1121f7688 100644 --- a/content/nap-waf/v5/configuration-guide/configuration.md +++ b/content/nap-waf/v5/configuration-guide/configuration.md @@ -825,6 +825,9 @@ A login page specifies the login URL that users must pass through to get authent ``` {{< note >}} For further configuration details, see NGINX App Protect WAF Declarative Policy Guide [Declarative Policy guide]({{< relref "/nap-waf/v5/declarative-policy/policy/#policy/login-pages" >}}). {{< /note >}} + +--- + ### Brute force policy example Example1: A single brute force configuration is applied universally to all login pages.
  • alarm
  • alarm-and-blocking-page
  • alarm-and-client-side-integrity
  • alarm-and-drop
  • alarm-and-honeypot-page