Version: 15.1

Configure Brute Force Protection Settings

ADOIT has a mechanism to prevent brute force attempts from gaining access to login credentials. After a specified number of failed login attempts, login to the ADOIT web client is blocked and a message is shown to the user. In order to adapt the brute force protection settings:

  • Open the Admin Page. On the toolbar at the top of the screen, click More, and then click Authentication.

  • Click the Security settings button. Edit the settings and save the changes afterwards.

caution

To configure brute force protection settings, you need experience with JSON. If you need help, contact your ADOIT consultant.

You can adapt parameters of the following JSON objects:

  • "brute-force": {...}: Settings for regular login attempts to the web client by ADOIT users.

  • "reauthentication": { "brute-force": {...} }: Settings for reauthentication attempts. Reauthentication behaviour can be customised to protect certain critical business actions in ADOIT.

  • "rest": { "brute-force": {...} }: Settings for login attempts via the REST API that allows authenticated access to exposed functionality in ADOIT.

The following parameters are available:

  • clean_up_period

    Time frame (in milliseconds) in which failed attempts for all users are accounted. The default value is 60,000 milliseconds (= 1 minute).

  • clean_up_threshold_ip

    Time frame (in milliseconds) in which failed attempts for an IP address are accounted. The default value is 10,800,000 milliseconds (= 3 hours).

  • clean_up_threshold_user

    Time frame (in milliseconds) in which failed attempts for a user name are accounted. The default value is 600,000 milliseconds (= 10 minutes).

  • max_attempts_overall

    The maximum number of overall failed login attempts before all users are blocked for a specified amount of time. The default value is 150 attempts.

  • max_attempts_per_ip

    The maximum number of failed login attempts before an IP address is blocked for a specified amount of time. The default value is 75 attempts.

  • max_attempts_per_username

    The maximum number of failed login attempts before a user name is blocked for 10 minutes. The default value is 15 attempts.

  • sleeptime_max_attempts_overall

    The amount of time (in milliseconds) that login attempts are blocked for all users after a specified amount of overall failed login attempts. The default value is 30,000 milliseconds (= 30 seconds).

  • sleeptime_max_attempts_per_ip

    The amount of time (in milliseconds) that login attempts are blocked for an IP address after a specified amount of failed login attempts. The default value is 60,000 milliseconds (= 1 minute).

Example

If there are 75 failed login attempts from an IP address [max_attempts_per_ip] during an interval of 3 hours [clean_up_threshold_ip], users on that IP address have to wait for one minute [sleeptime_max_attempts_per_ip].
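As an added illustration (not ADOIT's own code), the following Python model applies the documented counters, accounting windows and block durations to a sequence of failed logins and replays the example above; the enclosing JSON structure, the IP address and the user names are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed "brute-force" settings object using the defaults documented on this page.
# Only the parameter names come from the page; the enclosing structure is an assumption.
SETTINGS_JSON = """{"brute-force": {
  "clean_up_period": 60000, "clean_up_threshold_ip": 10800000,
  "clean_up_threshold_user": 600000, "max_attempts_overall": 150,
  "max_attempts_per_ip": 75, "max_attempts_per_username": 15,
  "sleeptime_max_attempts_overall": 30000, "sleeptime_max_attempts_per_ip": 60000}}"""
SETTINGS = json.loads(SETTINGS_JSON)
USER_BLOCK_MS = 600_000  # the page states that a blocked user name waits 10 minutes


def _recent(stamps, now_ms, window_ms):
    """Keep only the failure timestamps that still fall inside the accounting window."""
    return [t for t in stamps if now_ms - t < window_ms]


class BruteForceModel:
    """Illustrative model of the documented counters and block windows (not ADOIT's code)."""

    def __init__(self, cfg):
        self.c = cfg["brute-force"]
        self.ip_fails, self.user_fails, self.all_fails = defaultdict(list), defaultdict(list), []
        self.ip_block, self.user_block, self.all_block = {}, {}, 0

    def is_blocked(self, ip, user, now_ms):
        """True while any of the three block windows (overall, IP, user name) is active."""
        return (now_ms < self.all_block or now_ms < self.ip_block.get(ip, 0)
                or now_ms < self.user_block.get(user, 0))

    def record_failure(self, ip, user, now_ms):
        """Account one failed login and start a block when a threshold is reached."""
        c = self.c
        self.ip_fails[ip] = _recent(self.ip_fails[ip], now_ms, c["clean_up_threshold_ip"]) + [now_ms]
        self.user_fails[user] = _recent(self.user_fails[user], now_ms, c["clean_up_threshold_user"]) + [now_ms]
        self.all_fails = _recent(self.all_fails, now_ms, c["clean_up_period"]) + [now_ms]
        if len(self.ip_fails[ip]) >= c["max_attempts_per_ip"]:
            self.ip_block[ip] = now_ms + c["sleeptime_max_attempts_per_ip"]
        if len(self.user_fails[user]) >= c["max_attempts_per_username"]:
            self.user_block[user] = now_ms + USER_BLOCK_MS
        if len(self.all_fails) >= c["max_attempts_overall"]:
            self.all_block = now_ms + c["sleeptime_max_attempts_overall"]


def replay_page_example():
    """The page's example: 75 failures from one IP within 3 hours, one every 2 minutes."""
    m = BruteForceModel(SETTINGS)
    for i in range(75):  # different user names, so only the per-IP counter reaches its limit
        m.record_failure("203.0.113.7", f"user{i}", i * 120_000)
    t = 74 * 120_000
    return m.is_blocked("203.0.113.7", "alice", t + 1), m.is_blocked("203.0.113.7", "alice", t + 60_000)
```

Because the per-IP window is 3 hours but the overall window is only 1 minute, the same 75 slow failures never come close to the overall limit of 150; lowering `clean_up_threshold_ip` or raising `max_attempts_per_ip` changes the outcome of the replay accordingly.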