Configure Brute Force Protection Settings
ADOIT has a mechanism to prevent brute force attempts from gaining access to login credentials. After a specified number of failed login attempts, login to the ADOIT web client is blocked and a message is shown to the user. To adapt the brute force protection settings:
- Open the Admin Page.
- Click Authentication > Security Settings.
- Edit the settings and save the changes afterwards.
The following parameters are available:
max_attempts_per_ip
The maximum number of failed login attempts before an IP address is blocked for the time set in sleeptime_max_attempts_per_ip. The default value is 75.
max_attempts_per_username
The maximum number of failed login attempts before a user name is blocked for 10 minutes. The default value is 15.
max_attempts_overall
The maximum number of overall failed login attempts before all users are blocked for the time set in sleeptime_max_attempts_overall. The default value is 150.
sleeptime_max_attempts_per_ip
The amount of time (in milliseconds) that login attempts are blocked for an IP address after max_attempts_per_ip failed login attempts. The default value is 60,000 milliseconds (= 1 minute).
sleeptime_max_attempts_overall
The amount of time (in milliseconds) that login attempts are blocked for all users after max_attempts_overall failed login attempts. The default value is 30,000 milliseconds (= 30 seconds).
clean_up_threshold_user
Time frame (in milliseconds) in which failed attempts for a user name are counted. The default value is 600,000 milliseconds (= 10 minutes).
clean_up_threshold_ip
Time frame (in milliseconds) in which failed attempts for an IP address are counted. The default value is 10,800,000 milliseconds (= 3 hours).
clean_up_period
Time frame (in milliseconds) in which failed attempts for all users are counted. The default value is 60,000 milliseconds (= 1 minute).
Example
If there are 75 failed login attempts from an IP address [max_attempts_per_ip] during an interval of 3 hours [clean_up_threshold_ip], users on that IP address have to wait for one minute [sleeptime_max_attempts_per_ip].