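# This batch configuration snippet adds brute-force login protection for the
# NetScaler Gateway (AAA/VPN) login pages using the NetScaler rate-limiting
# (traffic management) feature.
#
# Usage:
#   1. Upload this file to /var on the NetScaler via SFTP or SCP. Avoid plain
#      FTP for this: it transmits the appliance admin credentials in clear text.
#   2. At the NetScaler command prompt: cd /var
#   3. Run the batch:  batch -fileName add_aaa_vpn_brute_force_rate_limit.conf
#
# How it fits together: requests matching the responder policy at the bottom
# (the gateway index pages carrying the NSC_VPNERR=4001 cookie) are counted
# per (client IP, URL) pair by the limit identifier. Once the threshold of 3
# hits inside one 300000 ms (5 minute) time slice is exceeded, further
# matching requests from that client receive the block page and an ALERT
# audit message is written to ns.log.
#
# Review notes / caveats:
#  - CLIENT.IP.SRC is the TCP peer address. If clients arrive through an
#    upstream proxy or load balancer, they all share that device's IP and
#    will be rate-limited as one; key the selector on the forwarded-client
#    header instead in that deployment.
#  - The trigger depends on the two index URLs and on a client-presented
#    cookie, i.e. on the browser redirect flow after a failed login. A
#    scripted attacker that posts credentials directly and ignores the
#    redirect/cookie is presumably not counted by this policy - confirm
#    against your own traffic and pair it with AAA lockout if needed.
#  - This blocks the page for the offending IP only; it does not lock the
#    targeted account.

# Rate-limit key: one counter bucket per (source IP, requested URL).
add ns limitSelector aaa_err_login_selector CLIENT.IP.SRC HTTP.REQ.URL

# 3 hits per selector key within a 300000 ms (5 minute) time slice;
# at most 3 SNMP traps are raised per time slice.
add ns limitIdentifier aaa_err_login_identifier -threshold 3 -timeSlice 300000 -selectorName aaa_err_login_selector -trapsInTimeSlice 3

# ALERT logged to ns.log when the limit trips. -bypassSafetyCheck YES is
# needed because the message embeds request data (HTTP.REQ.URL); that value
# is restricted to the two exact URLs the responder policy below matches
# (assuming HTTP.REQ.URL.EQ is an exact match), so it is not free-form
# attacker-controlled input. The window is 5 minutes (300000 ms), matching
# the limit identifier and the block page; the message used to say "5 sec".
add audit messageaction aaa_login_err_alert ALERT "\"Max login attempts detected from \" + CLIENT.IP.SRC + \" to \" + HTTP.REQ.URL + \" within a 5 minute period. Possible brute force login attack\"" -logtoNewnslog YES -bypassSafetyCheck YES

# Block page returned to the rate-limited client. NOTE(review): the page
# markup was lost when this snippet was copied (only text fragments survived,
# hence the empty "" pieces); the line breaks from that copy are kept as \n
# so the command stays on one batch line. Restore the HTML wrapper from the
# authoritative copy before deploying.
add responder action aaa_err_login_blockip_5min_act respondwith "\"Citrix NetScaler\" + \"\" + \"\n\" + \"\n\" + \"\" + \"\nNetScaler Access GatewayTM\n\" + \"You have reached the maximum allowed login attempts from your device at: \" + CLIENT.IP.SRC + \".\n\nYou will not be permitted to logon again for 5 minutes. Please contact your system administrator\" + \".\n\n\" + \"\""

# Fire only on the two gateway index pages, only when the NSC_VPNERR=4001
# cookie is present (the failed-login error cookie this script keys on -
# confirm the code matches your firmware), and only once the per-(IP,URL)
# counter has exceeded its threshold. Keep SYS.CHECK_LIMIT as the last
# clause: presumably it is what advances the counter, so it should only be
# reached by requests that already passed the URL and cookie checks.
add responder policy aaa_err_login_blockip_5min_policy "(HTTP.REQ.URL.EQ(\"/vpn/tmindex.html\") || HTTP.REQ.URL.EQ(\"/vpn/index.html\")) && HTTP.REQ.COOKIE.VALUE(\"NSC_VPNERR\").EQ(\"4001\") && SYS.CHECK_LIMIT(\"aaa_err_login_identifier\")" aaa_err_login_blockip_5min_act -logAction aaa_login_err_alert

# Global bind at priority 110 in the default request bank; END means no
# further responder policies are evaluated once this one matches.
bind responder global aaa_err_login_blockip_5min_policy 110 END -type REQ_DEFAULT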