Brute-force attack Webaccess

Hello

In recent times I have had a lot of WebAccess login attempts on different
user accounts; after a few attempts the user account is locked.

Does anyone have an idea how to defend yourself against this? Does
WebAccess have something like a CAPTCHA?

Regards
Daniel Mikrut

--
support-forums.novell.com
0 Likes

Re: Brute-force attack Webaccess

In article <M%F7B.1669$y_.806@novprvlin0913.provo.novell.com>,
Nntp.novell.com wrote:
> Does anyone have an idea how to defend yourself against this? Does
> WebAccess have something like a CAPTCHA?


Not that I am aware of, but that does have me digging into the Ideas
portal where I found a close bit of
https://ideas.microfocus.com/MFI/novell-gw/Idea/Detail/30
and then created
https://ideas.microfocus.com/MFI/novell-gw/Idea/Detail/12951
to more directly deal with this particular issue, so you probably want
to vote on that one.

I tried to follow the WebAccess web code and quickly see so many ways
to mess it up AND still have it overwritten with every update. I think
it could be done manually with the right web coding skillz if you
really wanted it now. If someone does so successfully, it would make a
great CoolSolution.


Andy of
http://KonecnyConsulting.ca in Toronto
0 Likes

Re: Brute-force attack Webaccess

Hi

Andy, thank you for your answer. Over the weekend I've been thinking
about this problem, and I'm probably going to test WebAccess with something
simple, basically "basic authentication tomcat".

I am entering a password for the website itself; it is not a perfect
solution, but it can be effective.

Regards
Daniel Mikrut



On 2017-07-07 at 18:29, Andy Konecny wrote:
> In article <M%F7B.1669$y_.806@novprvlin0913.provo.novell.com>,
> Nntp.novell.com wrote:
>> Does anyone have an idea how to defend yourself against this? Does
>> WebAccess have something like a CAPTCHA?
>
> Not that I am aware of, but that does have me digging into the Ideas
> portal where I found a close bit of
> https://ideas.microfocus.com/MFI/novell-gw/Idea/Detail/30
> and then created
> https://ideas.microfocus.com/MFI/novell-gw/Idea/Detail/12951
> to more directly deal with this particular issue, so you probably want
> to vote on that one.
>
> I tried to follow the WebAccess web code and quickly see so many ways
> to mess it up AND still have it overwritten with every update. I think
> it could be done manually with the right web coding skillz if you
> really wanted it now. If someone does so successfully, it would make a
> great CoolSolution.
>
>
> Andy of
> http://KonecnyConsulting.ca in Toronto
0 Likes
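
What the "basic authentication tomcat" gate described in the post above could look like, as an added example that is not part of the original thread and not GroupWise's own configuration. The role name `webaccess-gate`, the realm label, the URL pattern and the lockout values are assumptions; `LockOutRealm` and `UserDatabaseRealm` are stock Tomcat realms.

```xml
<!-- web.xml of the web application to be gated (fragment).
     Assumption: the thread does not say which web.xml WebAccess uses. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Gate in front of the login page</web-resource-name>
    <!-- Assumed pattern: protect everything, so the application's own
         login form is unreachable without the gate credential -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Hypothetical role; must match a role in the Tomcat user database -->
    <role-name>webaccess-gate</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC sends the password base64-encoded on every request,
         so require TLS for the whole constraint -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>WebAccess gate</realm-name>
</login-config>
<security-role>
  <role-name>webaccess-gate</role-name>
</security-role>

<!-- server.xml (fragment): realm that checks the gate credential.
     Requests that fail here are rejected by the container and never
     reach the application login, so they cannot count toward locking
     a mail account. LockOutRealm throttles guessing against the gate
     users themselves: after failureCount bad passwords a gate user is
     refused for lockOutTime seconds (values below are assumptions). -->
<Realm className="org.apache.catalina.realm.LockOutRealm"
       failureCount="5" lockOutTime="300">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
</Realm>
```

An earlier reply in this thread notes that changes to the WebAccess web code are overwritten by updates, so a `web.xml` edit like this needs re-checking after each update.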

Re: Brute-force attack Webaccess

Your other option is an access management product that does the protecting/step up for you....

0 Likes

Re: Brute-force attack Webaccess

What exactly do you mean?




On 2017-07-10 at 09:24, ScorpionSting wrote:
>
> Your other option is an access management product that does the
> protecting/step up for you....
0 Likes

Re: Brute-force attack Webaccess

nntp.novell.com;2461087 wrote:
> Does anyone have an idea how to defend yourself against this?

I see this as a DoS vulnerability and have brought it to the attention of the appropriate Micro Focus support staff.
_____
Kevin Boyle - Knowledge Partner - Calgary, Alberta, Canada
0 Likes

Re: Brute-force attack Webaccess

I have no current support and I have no way to report it. But actually,
it's probably high time for GroupWise software to feature
something like "Two Factor Authentication".


On 2017-07-10 at 17:04, KBOYLE wrote:
>
> nntp.novell.com;2461087 Wrote:
>> Does anyone have an idea how to defend yourself against this?
>
> I see this as a DoS vulnerability and have brought it to the attention
> of the appropriate Micro Focus support staff.
0 Likes

Re: Brute-force attack Webaccess

In article <xlN8B.1713$y_.727@novprvlin0913.provo.novell.com>,
Nntp.novell.com wrote:
> I have no current support and I have no way to report it. But actually,
> it's probably high time for GroupWise software to feature
> something like "Two Factor Authentication".


Yes, it is high time, so the more votes for those Ideas, the more likely it
will get some real attention by development. This issue has been there
since the beginning of the Web, and it has been easy enough for developers
to ignore until smacked hard enough. So I'm all for 'smacking' via lots of
votes, so please help and vote.
https://ideas.microfocus.com/MFI/novell-gw/Idea/Detail/12951


Andy of
http://KonecnyConsulting.ca in Toronto
0 Likes

Re: Brute-force attack Webaccess

OK


On 2017-07-10 at 23:17, Andy Konecny wrote:
> In article <xlN8B.1713$y_.727@novprvlin0913.provo.novell.com>,
> Nntp.novell.com wrote:
>> I have no current support and I have no way to report it. But actually,
>> it's probably high time for GroupWise software to feature
>> something like "Two Factor Authentication".
>
> Yes, it is high time, so the more votes for those Ideas, the more likely it
> will get some real attention by development. This issue has been there
> since the beginning of the Web, and it has been easy enough for developers
> to ignore until smacked hard enough. So I'm all for 'smacking' via lots of
> votes, so please help and vote.
> https://ideas.microfocus.com/MFI/novell-gw/Idea/Detail/12951
>
>
> Andy of
> http://KonecnyConsulting.ca in Toronto
0 Likes

Re: Brute-force attack Webaccess

If you front WebAccess with something like NetIQ Access Manager (NAM), then NAM can take care of the login before webacc is even hit... With its risk engine, it can perform the step-up authentication when suspicious activity is detected, or it can default to MFA for users.

0 Likes