RBA: Block IP Addresses from a URL



In the previous article I explained botnets and the free sites that publish lists of infected hosts. It is repeated here for readability:

"There are a number of publicly available lists of known IP addresses that are currently compromised. Various sites offer these lists for free. These hosts are running crimeware with botnets. The attacker can use these machines to launch any attack on your applications hosted at your site. The file format is very simple, so you can also handcraft this list.

You can update the list in the Access Manager configuration through the Administration Console. Access Manager blocks the addresses configured in the list. This capability is already available in the 4.1 release."

This solution provides a custom risk based authentication rule to block all IP addresses from a URL hosted on another site or machine.

The previous solution depends on a text file downloaded to the same host as the Identity Server. You edit that file directly on the host to add or delete IP addresses.

This new solution lets you configure an HTTP URL directly, whose content has the same format. The rule periodically re-downloads the set of IP addresses from that URL.

Configuration Steps

    1. Copy the attached jar file to /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib. This jar contains both the previous solution and the new one.
       $ cp net-sk-nam-rules-4.1-0.1.jar /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib

    2. Restart the IDP.
       $ /etc/init.d/novell-idp restart

    3. Add the custom rule to the rule list (refer to the documentation for more details: Access Manager Risk Based Authentication).

        3.1. Go to NetIQ Access Manager -> Administration Console

        3.2. Browse to Policies -> Risk Configuration -> Rules -> New

        3.3. Enter the following details
            a. Rule Name: IP Tracker Rule
            b. Rule Type: Custom Rule
            c. Custom Class Name: net.sk.nam.rules.IPTrackerRuleHttp

        3.4. Click Add Property and enter the following properties
            a. Property Name: net.sk.nam.rules.iplistURL
               Value: https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
            b. Property Name: net.sk.nam.rules.refreshDelayInSeconds
               Value: 7200. This refreshes the URL every 2 hours.

        3.5. Click Next

        3.6. Select the appropriate "Rule Group" or create a new group. Provide a risk score according to your need, for example 80.

        3.7. Create risk levels if you have not created them already. For example:
            a. Less than 30 -> Low
            b. Between 30 and 79 -> Medium
            c. Greater than or equal to 80 -> High

        3.8. Repeat from step 3.2 if you want to watch more URLs. The additional URLs can be

        3.9. Click Finish

        3.10. Browse to Devices -> Identity Servers -> [Cluster Name] -> Edit -> Local -> Classes

        3.11. Create a Risk Based Authentication class if you have not created one already
            3.11.1. Click New and enter the following details
                a. Display Name: RBA
                b. Java class: Risk Based Auth Class
            3.11.2. Select Rule Group: provide the rule group that you chose in step 3.6 above
            3.11.3. Select the appropriate risk handler
                a. Low: Allow
                b. Medium: Additional Authentication
                c. High: Deny
            3.11.4. Click OK

        3.12. Create a Risk Based method if you have not created one already
            3.12.1. Browse to Devices -> Identity Servers -> [Cluster Name] -> Edit -> Local -> Methods -> New
                a. Display Name: RBA
                b. Class: RBA
                c. Uncheck Identifies User
                d. Select User Store. If in doubt, select "Default User Store"
            3.12.2. Click OK

        3.13. Create a new contract or edit the existing contract
            3.13.1. Browse to Devices -> Identity Servers -> [Cluster Name] -> Edit -> Local -> Contracts -> click on the "Name/Password - Form" contract
            3.13.2. Move the RBA method from "Available Methods" to "Methods"
            3.13.3. Click OK

        3.14. Go back to Devices -> Identity Servers

        3.15. Click "Update All"

Now all users who try to log in to the NetIQ Access Manager system go through this new Risk Based Authentication class after regular authentication. If the client's IP address is in the blocked list, authentication is denied.
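To make the rule's behaviour concrete, here is an added Python illustration of the logic the article describes; it is not the attached jar's code and does not use NetIQ's rule API. A blocklist in the one-address-per-line format is obtained through an injected `fetch` callable (an HTTP GET in practice), re-downloaded no more than once per `refreshDelayInSeconds`, and a matching client address yields the configured risk score, which the article's example thresholds and handlers then map to Allow, Additional Authentication or Deny. The class and function names are hypothetical.

```python
import ipaddress
import time
# Constructed sample in the format the article describes: '#' comment lines, one IP per line.
SAMPLE_BLOCKLIST = """# constructed sample blocklist, not real data
192.0.2.10
198.51.100.7
203.0.113.99
not-an-address
"""

def parse_blocklist(text):
    """Return the set of addresses in the list, skipping comments, blanks and junk lines."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # one malformed line must not discard the whole refresh
    return ips

class IPTrackerRule:  # hypothetical stand-in for the article's rule, not the jar's code
    def __init__(self, fetch, refresh_delay=7200, risk_score=80, clock=time.monotonic):
        self.fetch = fetch                  # returns the blocklist text (e.g. an HTTP GET)
        self.refresh_delay = refresh_delay  # net.sk.nam.rules.refreshDelayInSeconds
        self.risk_score = risk_score        # score configured for the rule group
        self.clock, self.blocked, self.last_refresh = clock, set(), None

    def refresh_if_due(self):
        """Re-download at most once per refresh_delay; keep the last good list on failure."""
        now = self.clock()
        if self.last_refresh is not None and now - self.last_refresh < self.refresh_delay:
            return False
        try:
            self.blocked = parse_blocklist(self.fetch())
        except Exception:
            pass  # download failed: retain the previous list rather than clearing it
        self.last_refresh = now
        return True

    def score(self, client_ip):
        self.refresh_if_due()
        return self.risk_score if ipaddress.ip_address(client_ip) in self.blocked else 0

def handler(score):
    """Article's example thresholds (below 30 Low, 30 to 79 Medium, 80 and above High)."""
    level = "Low" if score < 30 else "Medium" if score < 80 else "High"
    return level, {"Low": "Allow", "Medium": "Additional Authentication", "High": "Deny"}[level]
```

Note that until the first successful download the list is empty, so the rule contributes no score; a monitoring check on the refresh outcome tells you whether the blocklist is actually in effect.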

You can test and debug the result of Risk Based Authentication by enabling logging in the Identity Server and watching the catalina.out output, as described in the section at https://www.netiq.com/documentation/access-manager-41/admin/data/b1dg0omz.html#b1f4rruj.

You can use the Risk Based Authentication Test Servlet to check the result of the rule evaluation by following the steps at https://www.netiq.com/documentation/access-manager-41/admin/data/b1dg0omz.html#b1f4fiip.
