Version: 15.0

Configure Brute Force Protection Settings

ADOIT has a mechanism that keeps brute force attempts from gaining access to login credentials. After a specified number of failed login attempts, login to the ADOIT web client is blocked and a message is shown to the user. To adapt the brute force protection settings:

  • Open the Admin Page. Click Authentication > Security Settings. Edit the settings and save the changes afterwards.

The following parameters are available:

  • max_attempts_per_ip

    The maximum number of failed login attempts before an IP address is blocked for a specified amount of time. The default value is 75 times.

  • max_attempts_per_username

    The maximum number of failed login attempts before a user name is blocked for 10 minutes. The default value is 15 times.

  • max_attempts_overall

    The maximum number of overall failed login attempts before all users are blocked for a specified amount of time. The default value is 150 times.

  • sleeptime_max_attempts_per_ip

    The amount of time (in milliseconds) that login attempts are blocked for an IP address after a specified number of failed login attempts. The default value is 60,000 milliseconds (= 1 minute).

  • sleeptime_max_attempts_overall

    The amount of time (in milliseconds) that login attempts are blocked for all users after a specified number of overall failed login attempts. The default value is 30,000 milliseconds (= 30 seconds).

  • clean_up_threshold_user

    Time frame (in milliseconds) in which failed attempts for a user name are counted. The default value is 600,000 milliseconds (= 10 minutes).

  • clean_up_threshold_ip

    Time frame (in milliseconds) in which failed attempts for an IP address are counted. The default value is 10,800,000 milliseconds (= 3 hours).

  • clean_up_period

    Time frame (in milliseconds) in which failed attempts for all users are counted. The default value is 60,000 milliseconds (= 1 minute).

Example

If there are 75 failed login attempts from an IP address [max_attempts_per_ip] during an interval of 3 hours [clean_up_threshold_ip], users on that IP address have to wait for one minute [sleeptime_max_attempts_per_ip].
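To check which limit a given pattern of failed logins reaches first before changing a value, the three counters can be modelled offline. The following is an added example, not ADOIT code: the class name `LoginThrottleModel`, the sliding-window counting and the counter reset after a block are assumptions about how the parameters interact, and the timestamps are supplied by the caller in milliseconds.

```python
from collections import deque

# Defaults copied from the parameter list above (all times in milliseconds).
DEFAULTS = {
    "max_attempts_per_ip": 75,
    "max_attempts_per_username": 15,
    "max_attempts_overall": 150,
    "sleeptime_max_attempts_per_ip": 60_000,
    "sleeptime_max_attempts_overall": 30_000,
    "clean_up_threshold_user": 600_000,
    "clean_up_threshold_ip": 10_800_000,
    "clean_up_period": 60_000,
}
USER_BLOCK_MS = 600_000  # the fixed 10 minutes stated for max_attempts_per_username


class LoginThrottleModel:
    """Assumed sliding-window reading of the settings; not ADOIT's implementation."""

    def __init__(self, cfg=DEFAULTS):
        self.cfg = cfg
        self.fails = {}          # scope key -> deque of failure timestamps
        self.blocked_until = {}  # scope key -> time at which the block ends

    def _scopes(self, ip, user):
        c = self.cfg  # each entry: (key, limit, counting window, block duration)
        return [
            (("ip", ip), c["max_attempts_per_ip"], c["clean_up_threshold_ip"], c["sleeptime_max_attempts_per_ip"]),
            (("user", user), c["max_attempts_per_username"], c["clean_up_threshold_user"], USER_BLOCK_MS),
            (("overall",), c["max_attempts_overall"], c["clean_up_period"], c["sleeptime_max_attempts_overall"]),
        ]

    def is_blocked(self, now, ip, user):
        """Return the scopes ("ip", "user", "overall") still blocking this login at `now`."""
        return [key[0] for key, *_ in self._scopes(ip, user) if self.blocked_until.get(key, 0) > now]

    def record_failure(self, now, ip, user):
        """Record one failed login at `now`; return the scopes that became blocked."""
        tripped = []
        for key, limit, window, sleep in self._scopes(ip, user):
            q = self.fails.setdefault(key, deque())
            q.append(now)
            while q and q[0] <= now - window:  # drop failures outside the counting window
                q.popleft()
            if len(q) >= limit:
                self.blocked_until[key] = now + sleep
                q.clear()  # assumption: the counter restarts once a block is set
                tripped.append(key[0])
        return tripped
```

Passing a modified copy of `DEFAULTS` as `cfg` shows how a planned change shifts the point at which each block starts, for instance how low `max_attempts_overall` can go before ordinary mistyped passwords at peak login time would block all users.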