Configuring IP address restriction based on authentication failure

Configure the client IP address restriction based on authentication failure in webMethods API Gateway to mitigate brute-force and flooding attacks against API authentication.

About this task

You must have the Manage Security Configuration functional privilege to configure this restriction.

The attack occurs when a client floods the server with many requests, typically with invalid credentials, in an attempt to guess credentials or interfere with server processing. The IP address restriction mitigates this by blocking or denying the unauthenticated client access to the APIs once webMethods API Gateway repeatedly fails to authenticate it. Using webMethods API Gateway, you can limit the number of times a client IP address can fail to authenticate to an API within a specified time interval.

An invocation counts as an authentication failure when one of the following occurs.

  • webMethods API Gateway fails to authenticate the client, or
  • webMethods API Gateway fails to identify the client and its respective application.

When an authentication failure occurs, webMethods API Gateway returns a 401 Unauthorized error to the client. When webMethods API Gateway detects that the failed authentication limit for that client IP address has been exceeded, it blocks or denies access to that IP address and returns a 403 Forbidden error to the client.

Note:
  • If an API uses the Identify and Access Application policy and the invocation fails due to non-preemptive authentication, webMethods API Gateway does not count this failure toward the failed authentication limit.
  • When you use a Load Balancer to configure high availability between webMethods API Gateway instances, webMethods API Gateway honors the X-Forwarded-For (XFF) header from the incoming request. Because the XFF header carries the actual client IP address, webMethods API Gateway can block or deny the problematic client from accessing the protected API based on your configuration. Because a client can also set an XFF header itself, make sure the load balancer overwrites or validates the client-supplied value rather than passing it through; otherwise an attacker can spoof the source address and evade the restriction.

Procedure

  1. Open the menu options and select Administration.
  2. Select Security > Global IP Access Settings. The Global IP Access Settings page is displayed.
  3. In the Authentication-based restrictions - Block or Deny by IP address section, provide the following information:
     Field: Description
     Enable: Specifies whether IP address restriction based on authentication failure is enabled. Click to enable it. By default this option is disabled.
     Maximum failed authentication: Specifies the maximum number of failed authentications that webMethods API Gateway accepts from a specific IP address within the time interval.
     In (seconds): Specifies the time interval, in seconds, over which the failed authentications from an IP address are counted.
     Action when limit exceeds: Specifies the action to take when the number of failed authentications from an IP address exceeds the specified limit. Select one of the following:
       • Add IP address to deny list - Permanently denies the IP address access to any API until you remove it from the Denied IP list.
       • Block the IP address - Temporarily blocks the IP address from accessing any API for the specified time interval.
       • In (seconds) - Specifies the time interval, in seconds, for which the IP address is blocked. Applies only when Block the IP address is selected.
     Denied IP list: Specifies the list of IP addresses that are denied access. Click the delete icon in the Action column to remove an IP address from the denied list.
  4. Click Save. The configuration is saved.
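The following Python model illustrates the semantics the settings above describe: a per-IP count of authentication failures within a sliding window of In (seconds), a temporary block or a permanent deny once Maximum failed authentication is exceeded, and the X-Forwarded-For handling from the Note (the header is honored only when the request arrives from a trusted load balancer). This is an added example written for this page, not webMethods API Gateway's own implementation; the class and method names, the return codes on the request that trips the limit, and the request log are all assumptions, and the IP addresses are constructed from documentation ranges.

```python
"""Model of the authentication-based IP restriction (added example, not API Gateway code)."""
from collections import defaultdict, deque

DENY = "deny"    # "Add IP address to deny list": permanent until removed
BLOCK = "block"  # "Block the IP address": temporary, for block_seconds


class AuthFailureLimiter:
    """Counts failed authentications per client IP inside a sliding window."""

    def __init__(self, max_failures, window_seconds, action,
                 block_seconds=0, trusted_proxies=()):
        self.max_failures = max_failures        # "Maximum failed authentication"
        self.window = window_seconds            # "In (seconds)" for the failure count
        self.action = action                    # "Action when limit exceeds"
        self.block_seconds = block_seconds      # "In (seconds)" for the block
        self.trusted_proxies = set(trusted_proxies)
        self.failures = defaultdict(deque)      # ip -> timestamps of recent failures
        self.blocked_until = {}                 # ip -> time the temporary block expires
        self.denied = set()                     # "Denied IP list"

    def client_ip(self, peer_ip, xff=None):
        # Honor X-Forwarded-For only when the TCP peer is a trusted load balancer;
        # a direct client could otherwise spoof the header and evade the restriction.
        if xff and peer_ip in self.trusted_proxies:
            return xff.split(",")[0].strip()    # left-most entry is the original client
        return peer_ip

    def status(self, ip, now):
        if ip in self.denied:
            return "denied"
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return "blocked"
            del self.blocked_until[ip]          # block expired, client is allowed again
        return "allowed"

    def record_failure(self, ip, now):
        """Return True if this failure pushes the IP over the limit."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] >= self.window:
            recent.popleft()                    # drop failures older than the window
        if len(recent) <= self.max_failures:
            return False
        if self.action == DENY:
            self.denied.add(ip)
        else:
            self.blocked_until[ip] = now + self.block_seconds
        recent.clear()
        return True

    def handle(self, now, peer_ip, xff, authenticated):
        """Return the HTTP status the model would send for one request."""
        ip = self.client_ip(peer_ip, xff)
        if self.status(ip, now) != "allowed":
            return 403                          # blocked or denied: 403 Forbidden
        if authenticated:
            return 200
        # Assumption: the request that trips the limit is also answered with 403.
        return 403 if self.record_failure(ip, now) else 401


def simulate():
    """Replay a constructed request log through a 3-failures-in-60-seconds, block-300-seconds policy."""
    limiter = AuthFailureLimiter(max_failures=3, window_seconds=60, action=BLOCK,
                                 block_seconds=300, trusted_proxies={"10.0.0.5"})
    # (time, TCP peer, X-Forwarded-For, credentials valid?) -- constructed sample data
    requests = [
        (0,   "10.0.0.5",    "203.0.113.7",  False),  # failure 1 -> 401
        (5,   "10.0.0.5",    "203.0.113.7",  False),  # failure 2 -> 401
        (10,  "10.0.0.5",    "203.0.113.7",  False),  # failure 3, at the limit -> 401
        (15,  "10.0.0.5",    "203.0.113.7",  False),  # exceeds the limit -> blocked, 403
        (20,  "10.0.0.5",    "203.0.113.7",  True),   # valid credentials but still blocked -> 403
        (20,  "10.0.0.5",    "198.51.100.9", True),   # another client is unaffected -> 200
        (320, "10.0.0.5",    "203.0.113.7",  True),   # block expired -> 200
        (330, "203.0.113.7", "192.0.2.1",    False),  # direct peer: XFF ignored, counted for 203.0.113.7 -> 401
    ]
    return [limiter.handle(*req) for req in requests]


if __name__ == "__main__":
    print(simulate())
```

With the deny-list action selected instead of a block, the same sequence leaves 203.0.113.7 in the denied set until an administrator removes it, which is why the Denied IP list on the settings page has a delete action.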