@ -20,6 +20,15 @@ Go in Manager, ``General Parameters`` » ``Advanced Parameters`` » |
|
|
|
|
``Security`` » ``Brute-force attack protection`` » ``Activation``\ and |
|
|
|
|
set to ``On``. |
|
|
|
|
|
|
|
|
|
- **Parameters**: |
|
|
|
|
|
|
|
|
|
- **Activation**: Enable/disable brute force attack protection |
|
|
|
|
- **Lock time**: Waiting time before another login attempt |
|
|
|
|
- **Allowed failed login**: Number of failed login attempts allowed before account is locked |
|
|
|
|
- **Incremental lock**: Enable/disable incremental lock times |
|
|
|
|
- **Incremental lock times**: List of comma separated lock time values in seconds |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Incremental lock time enabled |
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
|
|
|
|
|
|
|
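Review bot: the **Lock time** entry in the new Parameters list gives no unit, while **Incremental lock times** says "in seconds". State the unit for both. Since the sections below refer to the settings by their ``lemonldap-ng.ini`` names (``bruteForceProtectionTempo``, ``bruteForceProtectionMaxFailed``, ``bruteForceProtectionLockTimes``), consider putting the key name next to each Manager label so a reader can match the two. It would also help to say in the **Incremental lock** entry that **Lock time** is not the value applied when incremental lock is on, if that is the case.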
@ -35,33 +44,29 @@ in ``lemonldap-ng.ini`` [portal] section: |
|
|
|
|
[portal] |
|
|
|
|
bruteForceProtectionIncrementalTempo = 1 |
|
|
|
|
|
|
|
|
|
Lock time increases between each failed login attempt. To modify lock |
|
|
|
|
time values ('5 15 60 300 600' seconds by default) or max lock time |
|
|
|
|
value (900 seconds by default) edit ``lemonldap-ng.ini`` in [portal] |
|
|
|
|
section: |
|
|
|
|
Lock time increases between each failed login attempt after allowed failed logins. |
|
|
|
|
|
|
|
|
|
.. code-block:: ini |
|
|
|
|
|
|
|
|
|
[portal] |
|
|
|
|
bruteForceProtectionLockTimes = '5 15 60 300 600' |
|
|
|
|
bruteForceProtectionLockTimes = 5, 15, 60, 300, 600 |
|
|
|
|
bruteForceProtectionMaxLockTime = 900 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
.. note:: |
|
|
|
|
|
|
|
|
|
Max lock time value is used by this plugin if a lock time is |
|
|
|
|
missing (number of failed logins higher than listed lock time values). |
|
|
|
|
Max lock time value is used if a lock time is missing |
|
|
|
|
(number of failed logins higher than listed lock time values). |
|
|
|
|
Lock time values can not be higher than max lock time. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Incremental lock time disabled |
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
|
|
|
|
|
|
|
|
After ``bruteForceProtectionMaxFailed`` failed login attempts, user must |
|
|
|
|
wait ``bruteForceProtectionTempo`` seconds before trying to log in |
|
|
|
|
again. To modify waiting time (30 seconds by default), MaxAge between |
|
|
|
|
current and last stored failed login (300 seconds by default) or number |
|
|
|
|
of allowed failed login attempts (3 by default) edit |
|
|
|
|
``lemonldap-ng.ini`` in [portal] section: |
|
|
|
|
After allowed failed login attempts, user must |
|
|
|
|
wait the lock time before trying to log in again. |
|
|
|
|
To modify delta (MaxAge) between current and last stored |
|
|
|
|
failed login (300 seconds by default) edit ``lemonldap-ng.ini`` in [portal] section: |
|
|
|
|
|
|
|
|
|
.. code-block:: ini |
|
|
|
|
|
|
|
|
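Review bot: the ``bruteForceProtectionLockTimes`` example changes from a quoted, space-separated value (``'5 15 60 300 600'``) to a comma-separated one (``5, 15, 60, 300, 600``), but the text does not say whether the old syntax is still accepted. An administrator who upgrades with the old form in ``lemonldap-ng.ini`` needs to know whether the lock times still apply or are silently ignored, so please add a sentence on that here or in the upgrade notes. The rewritten paragraphs also drop the defaults that the old text gave (30 seconds waiting time, 3 allowed failed logins, the default lock time list and the 900 second maximum). Keep them, either here or in the Parameters list, because these values decide how much guessing the protection permits. Finally, "Lock time values can not be higher than max lock time" should say what happens to a value that is higher (rejected, or capped at the maximum), and "can not" should be "cannot".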
@ -72,7 +77,12 @@ of allowed failed login attempts (3 by default) edit |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
.. attention:: |
|
|
|
|
Number of failed login attempts history might be also higher than |
|
|
|
|
number of incremental lock time value plus allowed failed login attempts. |
|
|
|
|
Incremental lock time values list will be truncated if not. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
.. danger:: |
|
|
|
|
Number of failed login attempts stored in history MUST |
|
|
|
|
be higher than allowed failed logins for this plugin takes effect. |
|
|
|
|
See :doc:`History plugin<loginhistory>` |
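Review bot: in the ``attention`` block, "might be also higher" reads as optional, yet the next sentence says the incremental lock time list is truncated when the condition is not met. That makes it a requirement, so word it as one: for example "Number of failed login attempts stored in history must be higher than the number of incremental lock time values plus allowed failed login attempts, otherwise the list of incremental lock time values is truncated." It would also help to say which end of the list is cut, since losing the longest delays weakens the protection. In the ``danger`` block, "for this plugin takes effect" should be "for this plugin to take effect". Both blocks use "higher than", so please confirm that an equal value is really insufficient and not just loose wording for "at least".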