RBA: Text Based IP Address Block List file for NetIQ Access Manager


Use Case:


There are a number of publicly available lists of IP addresses that are known to be compromised, and several sites offer them for free. The listed hosts are running crimeware and are part of botnets, so an attacker can use them to launch attacks against the applications hosted at your site. The file format is very simple, so you can also handcraft such a list yourself.

Access Manager 4.1 already lets you enter such a list into the Access Manager configuration through the Administration Console, and it blocks the addresses configured there.

This tool provides another way: a custom risk rule that reads the list from a text file on disk. Use it when you want to consume, unchanged, a file downloaded from one of the sites that publish block lists of botnet-infected addresses (the URLs are listed in step 1 of the Configuration Steps below), or a file you maintain by hand.

Solution:


The attached Java jar file implements custom rule evaluation logic that checks the client address against a list of known IP addresses held in a text file whose path is configured in the user interface. The file format is a simple list of IP addresses, one per line; lines starting with the character # are comments. For example, a text file in the following format can be saved at /opt/novell/nam/idp/data/zeus.iplist:

##############################################################################
# abuse.ch ZeuS IP blocklist #
# #
# For questions please refer to https://zeustracker.abuse.ch/blocklist.php #
##############################################################################
103.230.84.239
103.241.0.100
103.26.128.84
103.4.52.150


The custom rule checks the file for modifications and rebuilds the in-memory list whenever it changes, so newly added IP addresses are checked immediately without a restart or an Apply from the Administration Console. The same mechanism means a bad download (an empty body or an HTML error page saved under the list's name) takes effect just as immediately, so check a freshly downloaded file before writing it to the path the rule watches.
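As an added illustration (this is example code written for this page, not the source of the attached jar, whose internal API is not published here), the following Python loader parses the list format shown above, re-reads the file when it changes on disk, and checks a client address against it. It also includes the sanity check a practitioner wants before dropping a freshly downloaded file into the watched path. The names IPBlockList, looks_like_blocklist and demo, the sample list contents and the error-page string are this example's own constructions; accepting CIDR prefixes goes beyond the one-address-per-line format on the page.

```python
# Added example, not the attached jar's code: a loader for the one-IP-per-line,
# "#"-commented blocklist format, with reload-on-change and a lookup.
import ipaddress
import os
import tempfile


class IPBlockList:
    """Parses a '#'-commented, one-address-per-line list and re-reads it when
    the file on disk changes, mirroring the hot reload described above."""

    def __init__(self, path):
        self.path = path
        self._sig = None             # (mtime_ns, size, inode) of the last load
        self._addresses = frozenset()
        self._networks = ()
        self.skipped = []            # (line_no, raw_line) entries that did not parse

    @staticmethod
    def parse(text):
        """Return (addresses, networks, skipped). Plain IPv4/IPv6 addresses are
        the page's format; CIDR prefixes are an extension of this example."""
        addresses, networks, skipped = set(), [], []
        for n, raw in enumerate(text.splitlines(), 1):
            line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
            if not line:
                continue
            try:
                if "/" in line:
                    networks.append(ipaddress.ip_network(line, strict=False))
                else:
                    addresses.add(ipaddress.ip_address(line))
            except ValueError:
                skipped.append((n, raw))
        return frozenset(addresses), tuple(networks), skipped

    def _reload_if_changed(self):
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return                   # keep the last good list; a missing file must not unblock everyone
        # Size and inode are part of the signature because Linux mtime granularity
        # is coarse (two writes in one clock tick can share an mtime) and an
        # atomic rename-in-place replaces the inode.
        sig = (st.st_mtime_ns, st.st_size, st.st_ino)
        if sig == self._sig:
            return
        with open(self.path, encoding="utf-8", errors="replace") as fh:
            self._addresses, self._networks, self.skipped = self.parse(fh.read())
        self._sig = sig

    def is_blocked(self, client_ip):
        """True if client_ip is on the list. A malformed client address is
        treated as not listed; a risk rule should not abort authentication."""
        self._reload_if_changed()
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            return False
        return ip in self._addresses or any(ip in net for net in self._networks)


def looks_like_blocklist(text):
    """Sanity check for a downloaded file before it is written to the watched
    path: at least one address and nothing unparseable. An HTML error page or
    an empty body fails this check."""
    addresses, networks, skipped = IPBlockList.parse(text)
    return bool(addresses or networks) and not skipped


# Constructed sample in the abuse.ch layout (not a real download).
SAMPLE_LIST = """\
##############################################################################
# abuse.ch ZeuS IP blocklist (constructed sample)                            #
##############################################################################
103.230.84.239
103.241.0.100   # trailing comment
103.26.128.84

not-an-address
2001:db8::1
"""

HTML_ERROR_PAGE = "<html><body><h1>404 Not Found</h1></body></html>\n"


def demo():
    """Write the sample to a temp file, query it, append an address, and show
    that the next lookup sees the new entry without any restart."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "zeus.iplist")
        with open(path, "w") as fh:
            fh.write(SAMPLE_LIST)
        blocklist = IPBlockList(path)
        result = {
            "listed": blocklist.is_blocked("103.230.84.239"),
            "v6_listed": blocklist.is_blocked("2001:db8::1"),
            "unlisted_before": blocklist.is_blocked("198.51.100.7"),
            "skipped": list(blocklist.skipped),
        }
        with open(path, "a") as fh:
            fh.write("198.51.100.7\n")
        result["unlisted_after"] = blocklist.is_blocked("198.51.100.7")
        return result


if __name__ == "__main__":
    print(demo())
    print("sample ok:", looks_like_blocklist(SAMPLE_LIST), "error page ok:", looks_like_blocklist(HTML_ERROR_PAGE))
```

The loader keeps the last good list when the file disappears and treats an unparseable client address as unlisted; both are deliberate choices for a risk rule that must never take the login flow down, and either can be flipped to fail closed if your policy prefers that.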

You can either download such a list from the Internet to the local machine, or create your own from your intrusion detection system and your historical data. The sites that offer lists of botnet-infected addresses are given in step 1 of the Configuration Steps below.

Configuration Steps

      1. Download the IP block list from the URLs below, or create your own file in the same format (one address per line, "#" starts a comment):
        https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
        https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist
        https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist

      2. Create one file for each URL under /opt/novell/nam/idp/data/. Quote the URL so the shell does not treat "?" as a glob character, and write the file into that directory rather than into the current one:
        $ mkdir -p /opt/novell/nam/idp/data/
        $ curl -s -o /opt/novell/nam/idp/data/zeus.iplist 'https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist'
        $ head /opt/novell/nam/idp/data/zeus.iplist
        Check that the file contains addresses, not an empty body or an HTML error page, before the rule starts reading it.

      3. Copy the attached jar file to /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib:
        $ cp net-sk-nam-rules-4.1-0.jar /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib

      4. Restart the Identity Server:
        $ /etc/init.d/novell-idp restart

      5. Add the custom rule to the rule list (see the Access Manager Risk Based Authentication documentation for details):

          5.1 Go to NetIQ Access Manager -> Administration Console

          5.2 Browse to Policies -> Risk Configuration -> Rules -> New

          5.3 Enter the following details:
              Rule Name: IP Tracker Rule
              Rule Type: Custom Rule
              Custom Class Name: net.sk.nam.rules.IPTrackerRuleFile

          5.4 Click Add Property and enter the following property:
              Property Name: net.sk.nam.rules.iplistfile
              Value: /opt/novell/nam/idp/data/zeus.iplist (the file created in step 2)

          5.5 Click Next

          5.6 Select an appropriate Rule Group or create a new one, and provide a risk score according to your needs, for example 80.

          5.7 Create Risk Levels if you have not already done so. For example:
              Less than 30 -> Low
              Between 30 and 79 -> Medium
              Greater than or equal to 80 -> High

          5.8 Repeat from step 5.2 for each additional list file (one rule per file).

          5.9 Click Finish

          5.10 Browse to Devices -> Identity Servers -> [Cluster Name] -> Edit -> Local -> Classes

          5.11 Create a Risk Based Authentication class if you have not already done so:
              Click New and enter the following details:
                  Display Name: RBA
                  Java class: Risk Based Auth Class
              Select Rule Group: the rule group you chose in step 5.6
              Select the appropriate Risk Handler for each level:
                  Low: Allow
                  Medium: Additional Authentication
                  High: Deny
              Click OK

          5.12 Create a Risk Based Authentication method if you have not already done so:
              Browse to Devices -> Identity Servers -> [Cluster Name] -> Edit -> Local -> Methods -> New
                  Display Name: RBA
                  Class: RBA
                  Uncheck Identifies User
                  Select User Store. If in doubt, select "Default User Store"
              Click OK

          5.13 Create a new contract or edit an existing one:
              Browse to Devices -> Identity Servers -> [Cluster Name] -> Edit -> Local -> Contracts and click the "Name/Password - Form" contract
              Move the RBA method from "Available Methods" to "Methods"
              Click OK

          5.14 Go back to Devices -> Identity Servers

          5.15 Click "Update All"





Now every user who logs in to NetIQ Access Manager through that contract goes through the new Risk Based Authentication class after the regular Name/Password authentication. If the client's IP address is in the block list, the rule contributes its score (80 in the example above), the risk level evaluates to High and the risk handler denies the authentication. Note that the rule can only match the address the Identity Server sees as the client address; if a load balancer or reverse proxy terminates connections in front of the Identity Server, confirm which address that is before relying on the list.

You can test and debug the result of Risk Based Authentication by enabling logging on the Identity Server and watching the catalina.out output, as described in the Access Manager 4.1 Administration Guide: https://www.netiq.com/documentation/access-manager-41/admin/data/b1dg0omz.html#b1f4rruj

You can also use the Risk Based Authentication Test Servlet to see the result of the rule evaluation, following the steps at https://www.netiq.com/documentation/access-manager-41/admin/data/b1dg0omz.html#b1f4fiip

 

Labels:

Collateral
How To-Best Practice
Comment List
  • Stefan, blocking authentication requests by assessing the IP address of the user against a black list is already available in 4.1. This solution is built on top of that; it checks the blacklist from the downloaded databases/text files directly from a local text file. In a later solution I wrote, this tool also directly checks for a black list from a URL periodically. If you prefer to manage the blacklist this way, this solution addresses that. Is this the use case you want to use?
  • As a large customer of Access Manager, this makes an excellent addition to the capabilities in NAM 4.1 -- however, we cannot use it until/unless it becomes a part of the officially supported product. Are there any intentions to add "net-sk-nam-rules-4.1-0.jar/net.sk.nam.rules.iplistfile" or something like it?