Manual Chapter: Configuring Leaked Credential Check
Applies To:
BIG-IP ASM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0
Leaked Credential Check with Brute Force Protection
The Leaked Credential Check feature is configured as part of the Advanced WAF
Brute Force Protection. A Brute Force Protection login page must be specified for Leaked
Credential Check to work. To identify the required login URL manually, review the HTML
source code and inspect the traffic generated as a user logs in to the site (for example,
using the browser developer tools, opened with F12). There is also the option to create
login pages automatically. For more information on configuring Brute Force Protection, see
the F5 BIG-IP Application Security Manager Implementation Guide.
Configuring Leaked Credential Check
If you have not added the Leaked Credential Check
application to Cloud Services, the Leaked Credentials Detection configuration will not
be operational.
- On the Main tab, click.
- In the Current edited security policy list near the top of the screen, verify that the security policy shown is the one you want to work on.
- Click Create. The New Brute Force Protection Configuration page opens.
- In the Leaked Credentials Detection section, enable Detection and select the detection Action:
  - Alarm
  - Alarm and Blocking Page (default)
  - Alarm and Honeypot Page
  - Alarm and Leaked Credentials Page
- Click Apply.
Distributed Brute Force Protection functionality
If you have not added the Leaked Credential Check
application to Cloud Services, the Distributed Brute Force Protection setting
Detect Leaked Credential Stuffing Attack will not be operational.
When the Leaked Credential Check Cloud Service is
configured, the Detect Credential Stuffing option uses the Leaked Credential Check API
to detect a credential stuffing attack.
- On the Main tab, click and select a Login URL.
- In the Distributed Brute Force Protection section, for Detect Leaked Credential Stuffing Attack, select:
  - Never: There is no credential stuffing detection.
  - After X login attempts that match known leaked credentials dictionary: A credential stuffing attack is reported when the configured condition is met.
Configuring Response and Blocking Pages for Leaked Credentials
BIG-IP ASM with Leaked Credentials Check supports one of the following configuration
options when leaked credentials are detected.
- Alarm and Blocking Page: Report the Leaked Credentials Detection violation in the event log and send the Blocking Response Page.
- Alarm and Honeypot Page: Report the Leaked Credentials Detection violation in the event log and send the Honeypot Response Page.
- Alarm and Leaked Credentials Page: Report the Leaked Credentials Detection violation in the event log and send the Leaked Credentials Page.
You must evaluate the most likely scenarios for your organization. If Leaked
Credentials Check is primarily intended to detect an attack, you may want to select
Alarm and Honeypot Page. The Failed Login Honeypot page is used for attacker
deception. The page should look like the application's own failed login response, so
that the attacker cannot tell that a mitigation has been applied. As a result, the
attacker will not change identity (Source IP or Device ID) and the brute force
attack will be rendered ineffective. The Honeypot page is recommended when the
mitigation is request blocking.
If Leaked Credentials Check is primarily intended to detect legitimate users who are
trying to log in with a leaked password, you may want to select Alarm and Leaked
Credentials Page instead. The Leaked Credentials page is the system response sent when
the system is presented with credentials matching those in the leaked credentials
dictionary. You can redirect the user to a new page where they are notified that their
password has been compromised and are asked to reset their password or use MFA to log in.
For more information on configuring Response Pages, see the F5
BIG-IP Application Security Manager Implementation Guide and the Response and
Blocking Pages online help.
- On the Main tab, click and select the desired policy from the list.
- Select the Response and Blocking Pages tab.
- Select the Failed Login Honeypot response.
- Select the Leaked Credentials response.
- Click Save.