Brute Force Protection plugin
=============================

This plugin prevents brute force attacks. The plugin is DISABLED by default.

After some failed login attempts, the user must wait before trying to log in
again.

The aim of a brute force attack is to gain access to user accounts by
repeatedly trying to guess the password of a user. If the plugin is disabled,
automated tools may submit thousands of password attempts in a matter of
seconds.

.. attention::

    This plugin relies on the Login History, stored in users' persistent sessions.
    This means that the authentication and persistent session backends will be
    accessed for every login attempt, even fraudulent ones. This plugin is not
    meant to protect against denial of service attacks.

Configuration
-------------

To enable Brute Force Attack protection:

Go in Manager, ``General Parameters`` » ``Advanced Parameters`` »
``Security`` » ``Brute-force attack protection`` » ``Activation`` and
set it to ``On``.

- **Parameters**:

  - **Activation**: Enable/disable brute force attack protection
  - **Lock time**: Waiting time before another login attempt
  - **Allowed failed login**: Number of failed login attempts allowed before the account is locked
  - **Incremental lock**: Enable/disable incremental lock times
  - **Incremental lock times**: List of comma-separated lock time values, in seconds
  - **Maximum lock time**: Lock time values can not be higher than the maximum lock time
  - **Maximum age**: Delta between the current and the last stored failed login

Incremental lock time enabled
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You just have to activate it in the Manager:

Go in Manager, ``General Parameters`` » ``Advanced Parameters`` »
``Security`` » ``Brute-force attack protection`` »
``Incremental lock times`` and set it to ``On`` (DISABLED by default), or
in the ``[portal]`` section of ``lemonldap-ng.ini``:

.. code-block:: ini

    [portal]
    bruteForceProtectionIncrementalTempo = 1

The lock time increases between each failed login attempt after the allowed failed logins.

.. code-block:: ini

    [portal]
    bruteForceProtectionLockTimes = 5, 15, 60, 300, 600
    bruteForceProtectionMaxLockTime = 900

.. note::

    The max lock time value is used if a lock time is missing
    (number of failed logins higher than the number of listed lock time values).
    Lock time values can not be higher than the max lock time.

Incremental lock time disabled
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

After the allowed failed login attempts, the user must wait
the lock time before trying to log in again.

.. attention::

    The number of failed login attempts kept in history might also need to be higher than
    the number of incremental lock time values plus the allowed failed login attempts.
    Otherwise the list of incremental lock time values will be truncated.

.. danger::

    The number of failed login attempts stored in history MUST
    be higher than the allowed failed logins for this plugin to take effect.
    See :doc:`History plugin<loginhistory>`
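The lock-time rules described above (incremental list, maximum lock time as fallback, maximum age, and the history-size constraints from the attention and danger notes) as an added Python model; this is example code, not LemonLDAP::NG's own Perl implementation. The function names, the `history_size` argument and the reading of "maximum age" as a reset of stale failures are this example's assumptions.

```python
from typing import List, Sequence


def parse_lock_times(value: str, max_lock_time: int) -> List[int]:
    """Parse bruteForceProtectionLockTimes ("5, 15, 60, 300, 600").
    Values above max_lock_time are capped: the page states lock time
    values can not be higher than the maximum lock time."""
    times = []
    for token in value.split(","):
        token = token.strip()
        if token:
            times.append(min(int(token), max_lock_time))
    return times


def config_warnings(history_size: int, allowed: int,
                    lock_times: Sequence[int]) -> List[str]:
    """Hypothetical consistency check for the page's attention/danger notes."""
    warnings = []
    if history_size <= allowed:
        warnings.append("history size must exceed allowed failed logins")
    if history_size <= allowed + len(lock_times):
        warnings.append("lock time list will be truncated by history size")
    return warnings


def lock_time(failed_logins: Sequence[int], now: int, *, allowed: int,
              lock: int, incremental: bool, lock_times: Sequence[int],
              max_lock_time: int, max_age: int) -> int:
    """Seconds to wait before the next login attempt (0 = not locked).

    failed_logins: timestamps (seconds) of the stored failed logins,
    oldest first. Assumption of this model: when the delta between this
    attempt and the last stored failed login exceeds max_age, the old
    failures no longer count.
    """
    if not failed_logins or now - failed_logins[-1] > max_age:
        return 0
    failures = len(failed_logins)
    if failures < allowed:
        return 0
    if not incremental:
        return min(lock, max_lock_time)
    # The n-th failure past the allowed count uses the n-th listed value;
    # once the list is exhausted the maximum lock time applies.
    index = failures - allowed
    return lock_times[index] if index < len(lock_times) else max_lock_time
```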