I'm managing a Microsoft Active Directory environment with several Linux containers behind an F5 load balancer. Our users often run pods or mounts using their office accounts, and they forget about them. When they change their passwords after a few weeks, we're hitting about 55,000 bad password attempts per hour from just a few office accounts. This issue is compounded across multiple sites, causing my Primary Domain Controller (PDC) to struggle. Even if the accounts lock due to too many failed attempts, it still impacts the PDC. When the PDC goes down for updates, the worst-affected sites start experiencing LSASS backups because it can't handle the wave of bad login attempts while offline. One complicating factor is that, since these containers are behind the F5, the source workstation's information is blank, making tracking down the issue difficult.
I'm looking for solutions: is there a way to restrict logins from specific IPs or workstations? I know I can allow logins from certain IPs, but how about blocking them? Also, can the F5, Linux, or Kubernetes help identify the source workstation's name so I can narrow down the tracking?
I'm hoping for practical suggestions to help with this dilemma!
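One way to narrow down which accounts and network sources are behind the failure storm, as an added example that is not part of the original question or any answer: a PowerShell script run against a domain controller that pulls the failed-authentication events from the Security log (Kerberos pre-authentication failure 4771, NTLM credential validation 4776, and logon failure 4625), extracts the account and whatever source field each event type carries, and ranks the busiest account/source pairs. The `$DC`, `$Hours` and `$Top` parameters are illustrative choices for this example; the event IDs and XML field names (`TargetUserName`, `IpAddress`, `Workstation`, `Status`) are the standard ones Windows writes for those events.

```powershell
# Added example (not from the original post): rank failed authentication
# events on a DC by account and source address, so the handful of accounts
# generating the bad-password wave can be traced to a network source even
# when the NTLM "Source Workstation" field arrives blank from Linux clients.
#
# Assumptions: the account executing this can read the Security log on $DC,
# and Kerberos/NTLM/logon auditing is enabled there. $DC, $Hours and $Top are
# illustrative parameters chosen for this example.

param(
    [string]$DC    = $env:COMPUTERNAME,   # DC to query
    [int]$Hours    = 1,                   # look-back window
    [int]$Top      = 20                   # number of account/source pairs to show
)

# Event IDs and the field that carries the network source for each:
#   4771  Kerberos pre-authentication failed  -> IpAddress (KDC client address)
#   4776  NTLM credential validation          -> Workstation (often blank for Linux)
#   4625  An account failed to log on         -> IpAddress
$filter = @{
    LogName   = 'Security'
    Id        = 4771, 4776, 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -ComputerName $DC -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a name -> value table.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4776 is logged for successes too; keep only failures (non-zero NTSTATUS).
    if ($e.Id -eq 4776 -and $data['Status'] -eq '0x0') { continue }

    $source = switch ($e.Id) {
        4771 { $data['IpAddress'] }
        4776 { $data['Workstation'] }
        4625 { $data['IpAddress'] }
    }
    if ([string]::IsNullOrWhiteSpace($source)) { $source = '<blank>' }

    [pscustomobject]@{
        Account = $data['TargetUserName']
        Source  = ($source -replace '^::ffff:', '')   # strip IPv4-mapped IPv6 prefix
        EventId = $e.Id
    }
}

# Busiest account/source/event combinations first.
$rows |
    Group-Object Account, Source, EventId |
    Sort-Object Count -Descending |
    Select-Object -First $Top Count,
        @{ n = 'Account'; e = { $_.Group[0].Account } },
        @{ n = 'Source';  e = { $_.Group[0].Source } },
        @{ n = 'EventId'; e = { $_.Group[0].EventId } } |
    Format-Table -AutoSize
```

Run it with `-DC` pointing at the PDC emulator: other DCs forward bad-password checks to it, so its log aggregates failures from every site. Where the `Source` column shows the load balancer's SNAT address rather than a container or node IP, that confirms the F5 is the point hiding the origin; where it shows `<blank>`, the failure came over NTLM from a client that supplies no workstation name, and the Kerberos 4771 rows for the same account are the ones that still carry a usable client address.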
3 Answers
You could consider a policy-based approach to mitigate this issue. Instead of allowing users to log in with their regular accounts, enforce the use of non-human IDs for containers. This would involve setting up a credential management system to handle these IDs. Although it might be a hassle to implement, it could save you from these repetitive bad login attempts.
It sounds like the F5 is obscuring the original source IPs, which makes tracking them down harder. It might be worth reviewing its configuration to see if you can retain the source IP information. That would be crucial for better visibility during login attempts.
Thanks for the insight! I'll look into the F5 settings to see how we can get the original IPs.
Have you considered using Group Managed Service Accounts (gMSAs)? They are designed to manage credentials securely, and I believe there is support for them within Linux containers as well. It might be a viable solution to your problem.
We do use gMSAs in several situations already, but the application owners keep insisting that their apps can't support them. It's frustrating!
That sounds interesting! But how would I actually block the normal user accounts beyond just asking people? I'm looking for a way to prevent AD from even attempting to authenticate from certain IPs.