Manual Chapter : Configuring Leaked Credential Check

Applies To:

BIG-IP ASM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

Leaked Credential Check with Brute Force Protection

The Leaked Credential Check feature is configured as part of the Advanced WAF Brute Force Protection. A Brute Force Protection login page must be specified for Leaked Credential Check to work. To identify the required login URL manually, review the HTML source code and inspect the traffic generated as a user logs into the site (for example, using the browser developer tools opened with F12). There is also the option to create login pages automatically. For more information on configuring Brute Force Protection, see the F5 BIG-IP Application Security Manager Implementation Guide.

Configuring Leaked Credential Check

If you have not added the Leaked Credential Check application to Cloud Services, the Leaked Credentials Detection configuration will not be operational.
  1. On the Main tab, click Security > Application Security > Brute Force Attack Prevention.
  2. In the Current edited security policy list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. Click Create.
    The New Brute Force Protection Configuration page opens.
  4. In the Leaked Credentials Detection section, enable Detection and select the detection Action:
    1. Alarm
    2. Alarm and Blocking Page (default)
    3. Alarm and Honeypot Page
    4. Alarm and Leaked Credentials Page
  5. Click Apply.

Distributed Brute Force Protection functionality

If you have not added the Leaked Credential Check application to Cloud Services, configuration of the Distributed Brute Force Protection's Detect Leaked Credential Stuffing Attack will not be operational.
When the Leaked Credential Check Cloud Service is configured, the Detect Credential Stuffing option uses the Leaked Credential Check API to detect a credential stuffing attack.
  1. On the Main tab, click Security > Application Security > Brute Force Attack Prevention and select a Login URL.
  2. In the Distributed Brute Force Protection section, for Detect Leaked Credential Stuffing Attack, select:
    • Never: There is no credential stuffing detection.
    • After X login attempts that match known leaked credentials dictionary: A credential stuffing attack is reported when the configured condition is met.

Configuring Response and Blocking Pages for Leaked Credentials

BIG-IP ASM with Leaked Credentials Check supports one of the following configuration options when leaked credentials are detected.
  1. Alarm and Blocking Page: Report the Leaked Credentials Detection violation in the event log and send the Blocking Response Page.
  2. Alarm and Honeypot Page: Report the Leaked Credentials Detection violation in the event log and send the Honeypot Response Page.
  3. Alarm and Leaked Credentials Page: Report the Leaked Credentials Detection violation in the event log and send the Leaked Credentials Page.
You must evaluate the most likely scenarios for your organization. If Leaked Credentials Check is to detect an attack, you may want to select Alarm and Honeypot Page. The Failed Login Honeypot page is used for attacker deception. The page should look like the application's failed login response, so that the attacker cannot tell a failed login from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.
If Leaked Credentials Check is primarily to detect legitimate users who are trying to log in with a leaked password, you may want to select Alarm and Leaked Credentials Page instead. The Leaked Credentials page is the system response used when presented with credentials matching those in the leaked credentials dictionary. You can redirect the user to a new page where they are notified that their password has been compromised and asked to reset their password or use MFA to log in.
For more information on configuring Response Pages, see the F5 BIG-IP Application Security Manager Implementation Guide and the Response and Blocking Pages online help.
  1. On the Main tab, click Security > Application Security > Security Policies > Policies List and select the desired policy from the list.
  2. Select the Response and Blocking Pages tab.
  3. Select the Failed Login Honeypot response.
  4. Select the Leaked Credentials response.
  5. Click Save.