[ScreenOS] How to tune HTTP:EXPLOIT:BRUTE-FORCE parameters

Article ID: KB28323 KB Last Updated: 05 Mar 2017 Version: 2.0

Summary:

When HTTP:EXPLOIT:BRUTE-FORCE attacks are detected too often, the administrator can tune the relevant parameter to increase the threshold. This article provides two methods for doing this.

Symptoms:

HTTP:EXPLOIT:BRUTE-FORCE attacks are reported frequently, and the administrator may need to increase the threshold.

Cause:

Solution:

The relevant parameter can be tuned through either the CLI or NSM, which reduces the number of alerts/triggers for the HTTP:EXPLOIT:BRUTE-FORCE attack. The value is set to 5 by default and can be increased to an appropriate higher number.

NOTE: When the parameter threshold is increased, it allows that many login attempts. There is a security risk associated with an increased number of login attempts and their potential success. Users should weigh the pros and cons before increasing this value.

NOTE 2: In SA-IDP and ISG-IDP, this configuration is not persistent after reboot.

To tune through NSM:

SA-IDP: Double-click the device, go to sensor settings --> click the “Protocol Thresholds and Configuration” tab, expand HTTP, and increase the value of the parameter “Maximum number of login failures per-minute”.

ISG-IDP: Double-click the device in the NSM client, then go to Security --> IDP SM settings --> Protocol Thresholds and Configuration tab.

SRX-IDP: Double-click the SRX device in the NSM client and go to Configuration --> Security --> IDP --> Sensor configuration --> Detector --> Protocol Name. Add a protocol for HTTP, then inside the HTTP window add a “tunable-name” of sc_http_failed_logins and set its “tunable-value” to 10. Then push the configuration to the SRX.


To tune through CLI:

SA-IDP (example sets the parameter to 10):

[root@IDP-75-151 ~]# scio const -p http set sc_http_failed_logins 10
scio: setting sc_http_failed_logins to 0xa

ISG-IDP:

exec sm # ksh "scio const -p http set sc_http_failed_logins 10"

SRX-IDP:

set security idp sensor-configuration detector protocol-name HTTP tunable-name sc_http_failed_logins tunable-value 10
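
An added example (not part of the original article and not Juniper tooling): before raising the value, a web server access log can show which clients the default of 5 and a proposed value of 10 would flag. It assumes Common Log Format, that a failed login appears as an HTTP 401 response, and that the sensor triggers when one client exceeds the threshold within 60 seconds; the function names and log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def _line(ip, offset, status):
    """Build one constructed Common Log Format line, `offset` seconds after 10:00:00."""
    return (f'{ip} - - [01/Jan/2024:10:{offset // 60:02d}:{offset % 60:02d} +0000] '
            f'"POST /login HTTP/1.1" {status} 128')

# Constructed sample traffic (documentation IP ranges), not real log data.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", 4 * i, 401) for i in range(12)]   # 12 failures in 44 s
    + [_line("192.0.2.10", 8 * i, 401) for i in range(7)]    # 7 failures in 48 s
    + [_line("192.0.2.10", 60, 200)]                         # then a successful login
    + [_line("203.0.113.5", 50 * i, 401) for i in range(4)]  # 4 failures, 50 s apart
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def peak_failures(log_text, window=timedelta(seconds=60), failure_status=401):
    """Map each client IP to its highest failed-login count in any sliding window."""
    stamps_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group(3)) == failure_status:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            stamps_by_ip[m.group(1)].append(ts)
    peaks = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:   # drop failures older than the window
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks

def clients_over(peaks, threshold):
    """Clients that would exceed `threshold` (assumed trigger: count > threshold)."""
    return sorted(ip for ip, n in peaks.items() if n > threshold)

if __name__ == "__main__":
    peaks = peak_failures(SAMPLE_LOG)
    for value in (5, 10):   # the default and the value used in the article's examples
        print(f"sc_http_failed_logins={value}: {clients_over(peaks, value)}")
```

Clients that are flagged at 5 but not at 10 are the ones the change would silence, so they are the ones to review before applying it.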