Prevent a DOS via user lockouts at NetScaler Gateway
Before we begin, let me first say…
All NetScaler Gateway landing page customizations are unsupported. Changing the NetScaler Gateway landing page will cause you to have an unsupported environment. I do not condone malicious attempts to lockout user accounts. The purpose of this article is to highlight a current risk and mitigation steps.
Now that the disclaimer is out of the way, let's start with the customizations :-).
The current recommended configuration for two-factor authentication at NetScaler is available here.
http://support.citrix.com/article/CTX125364
With the configuration highlighted in the article above, web-based users who authenticate hit AD (the LDAP policy) first. Ideally, we would want to follow the authentication workflow that is configured for the Native Receiver. The Native Receiver evaluates RADIUS first, and only if that succeeds is the LDAP policy invoked.
What is the risk of leaving the configuration exactly how the article has outlined the configuration?
If Bob, a malicious user, knows Alice's username, then Bob could enter a bogus password 3 times and lock Alice's account. Bob could do this as often as he liked until some measure was put in place to stop him. If Bob knew a lot of usernames and had some knowledge of scripting tools such as JMeter, then he could lock out a large number of user accounts, effectively causing a DOS. This would be bad, and again, I would not condone such an attack. So what can we do to mitigate such a risk?
The quick and easy way to do it is to reverse the web authentication policies so that they match up with the Native Receiver (RADIUS as primary, LDAP as secondary). However, this will force users to enter their RADIUS passcode before entering their AD password. Most organizations want to have the dynamic PIN as the second password for users to enter.
So how can we mitigate the risk AND have the dynamic token as the second password users need to enter?
As in the quick and easy method, we need to make the RADIUS authentication primary and the LDAP authentication secondary. Then we need to customize some JavaScript on the NetScaler. The file /vpn/login.js is what we need to customize; it can be found under "/netscaler/ns_gui/vpn/login.js". What we will do is change the ordering of the POST values.
The JavaScript below is the original function. The values we will change are the two password field names, passwd and passwd1, in the markup it writes.
function ns_showpwd_default()
{
    var pwc = ns_getcookie("pwcount");
    /* The HTML written here is not preserved in this copy; it contains the
       password input(s), whose field names (passwd, passwd1) are what we change. */
    document.write('...');
    UnsetCookie("pwcount");
}
The JavaScript below contains the revised fields, so that when a user POSTs their credentials, NetScaler can evaluate RADIUS before attempting to contact AD. The values passwd1 and passwd are swapped.
function ns_showpwd_default()
{
    var pwc = ns_getcookie("pwcount");
    /* Same markup as the original, with the field names passwd and passwd1
       swapped; the markup itself is not preserved in this copy. */
    document.write('...');
    UnsetCookie("pwcount");
}
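To make the ordering argument concrete, here is an added JavaScript model (not NetScaler's code) of the two-factor policy chain and of the login.js field swap: it shows that LDAP-first lets bogus passwords reach AD and lock the account, that RADIUS-first gates them, and that reordering the policies without swapping the field names breaks legitimate logins. It assumes the gateway hands the POST field passwd to the primary policy and passwd1 to the secondary one; the lockout threshold of 3 comes from the post, and all users, passwords and passcodes are constructed.

```javascript
// Added example, not NetScaler code: a model of the two-factor policy chain and of what
// the login.js field swap changes. Users, passwords and passcodes are constructed.
const LOCKOUT_THRESHOLD = 3; // bad AD passwords before lockout, as in the post

function makeDirectory() {           // AD-style store with a bad-password counter per account
  const accounts = { alice: { password: 'Alice-AD-pw', badPwdCount: 0, locked: false } };
  return {
    bind(user, pw) {
      const a = accounts[user];
      if (!a || a.locked) return false;
      if (a.password === pw) { a.badPwdCount = 0; return true; }
      a.badPwdCount += 1;
      if (a.badPwdCount >= LOCKOUT_THRESHOLD) a.locked = true;
      return false;
    },
    isLocked(user) { return Boolean(accounts[user] && accounts[user].locked); },
  };
}
function makeRadius() {              // token server: the passcode valid right now (constructed)
  const passcodes = { alice: '482913' };
  return { check: (user, code) => passcodes[user] === code };
}
// Assumption: the gateway hands POST field 'passwd' to the primary policy and 'passwd1'
// to the secondary, and evaluates the secondary only if the primary succeeded.
function gatewayAuth(primary, secondary, post) {
  return primary(post.login, post.passwd) && secondary(post.login, post.passwd1);
}
// Stock login.js names the first (AD) box 'passwd' and the second (token) box 'passwd1';
// the customised page swaps those two names so the token reaches the primary policy.
function buildPost(login, firstBox, secondBox, swapped) {
  return swapped ? { login, passwd: secondBox, passwd1: firstBox }
                 : { login, passwd: firstBox, passwd1: secondBox };
}
function chain(radiusPrimary, ad, radius) {
  return radiusPrimary ? [radius.check, ad.bind] : [ad.bind, radius.check];
}
// Bob posts a bogus AD password and a bogus passcode for Alice several times: is she locked out?
function lockoutAfterAttack(radiusPrimary, swapped, attempts = 5) {
  const ad = makeDirectory(), radius = makeRadius();
  const [primary, secondary] = chain(radiusPrimary, ad, radius);
  for (let i = 0; i < attempts; i++)
    gatewayAuth(primary, secondary, buildPost('alice', 'wrong-pw', '000000', swapped));
  return ad.isLocked('alice');
}
// Alice types her AD password in the first box and her passcode in the second: does she get in?
function legitLoginSucceeds(radiusPrimary, swapped) {
  const ad = makeDirectory(), radius = makeRadius();
  const [primary, secondary] = chain(radiusPrimary, ad, radius);
  return gatewayAuth(primary, secondary, buildPost('alice', 'Alice-AD-pw', '482913', swapped));
}
```

With RADIUS primary the bad-password counter in AD never moves for someone who lacks a valid passcode; only a caller who already holds the token can still drive it, which is the residual risk this change leaves.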